Cyber Incidents and the NCUA - WST

Effective September 1, 2023, federally insured credit unions must notify the NCUA within 72 hours, after it reasonably believes that a reportable cyber incident has occurred. The NCUA Board recently approved the final rule with a unanimous vote.

According to the NCUA press release dated February 16, 2023, “federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack.”

To ensure you are ready by September 1, 2023, all credit unions should:

review your business continuity plan,
update your incident response procedures, and
shceudle your institution's tabletop exercise to ensure you are ready to go.

To review the final rule in its entirety, go to
https://ncua.gov/files/agenda-items/cyber-incident-notification-requirements-final-rule-20230216.pdf.

Authored by: Brad Goetsch