On February 16, 2023, the National Credit Union Administration (“NCUA”) Board unanimously approved a final rule requiring federally insured credit unions (“FICUs”) to notify the NCUA as soon as possible, and no later than 72 hours, after an FICU “reasonably believes” that a reportable cyber incident has occurred.
The final rule, effective September 1, 2023, defines a “cyber incident” as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.” A “reportable cyber incident” is the narrower category that triggers the 72-hour notification: a substantial cyber incident that leads to one or more of (1) a substantial loss of confidentiality, integrity or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services or has a serious impact on the safety and resiliency of operational systems and processes; (2) a disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or (3) a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider or other third-party data hosting provider or by a supply chain compromise.
In its Board Action Bulletin, the NCUA Board indicated that the 72-hour notification requirement provides an early alert to the NCUA, but does not require FICUs to provide a full incident assessment to the NCUA within the 72-hour timeframe. Board Chairman Todd M. Harper stated that the final rule “will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act [CIRCIA].” In particular, the final rule adopts CIRCIA’s 72-hour reporting window and the federal banking agencies’ focus on operational disruption. The Board also announced that the NCUA would provide additional reporting guidance before the final rule takes effect.