Effective September 1, 2023, any institution under the National Credit Union Administration (NCUA) will be required to report significant cyber incidents within 72 hours. This includes information or notification from a third-party service provider of such incidents as well. The Cyber Incident Notification Requirements rule, as it’s known, amends part 748 of NCUA regulations.

This rule defines a reportable incident as having one or more of the following:

• A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
• A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The “substantial” determination is left to the institution to decide and depends on various factors. Institutions are expected to exercise reasonable judgement on what constitutes a reportable event. Some examples of a reportable incident include:

• Ransomware attacks impacting critical systems or data.
• Unauthorized access to an information system containing a substantial amount of sensitive member/employee information.
• Distributed denial of service attack causing significant downtime.
• Phishing attack resulting in successful installation of malware.
• Unauthorized alteration or destruction of financial data.

Some examples that would not require reporting include:

• Phishing email caught in spam filter.
• Unsuccessful login attempts without access gained.
• Short-term, minor technical issues.
• Isolated incidents of fraud not caused by cyberattacks.
• Loss of availability due to a physical event.

These examples are not all inclusive and institution management should use their best judgement when deciding whether or not to report an incident under this rule. When in doubt, overreporting is the safer bet.

If reporting an incident, the only two options are calling the NCUA at 833-CYBERCU (292-3728) or sending a secure message using their secure email system. When reporting an incident include name of the credit union, charter number, name and title of reporting individual with contact information, when the incident took place, and a basic description of what happened. Do not include sensitive personally identifiable information, indicators of compromise, specific vulnerabilities, or email attachments.

Institutions should update their response plans to include this new requirement, review contracts to ensure vendors can meet this requirement, train staff on reporting requirement, monitor and review both vendors and staff, and document all incidents even if not reported.

This rule is similar to what the federal banking regulators (FDIC, OCC, and FRB) implemented in April 2022 which has a 36-hour time to report.

luded three hurricanes, wildfires, and drought conditions.  The FDIC is expanding efforts to understand climate-related financial risks in an analytical risk-based approach and collaboration with other supervisors in the industry. 

In summary, the 2023 Risk Review identifies the FDIC’s assessment of risk related to conditions in the US economy, financial markets, and the banking industry. It pays particular attention to risks that may affect community banks since they have a unique perspective on these institutions.