
Cyber Incident Notification Requirements

Beginning Friday, September 1, 2023, the NCUA’s new Cyber Incident Notification Requirements Rule goes into effect. All federally insured credit unions will need to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

The Rule amends 12 CFR 748, now titled "Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts, Cyber Incidents, and Bank Secrecy Act Compliance." Credit unions should review their policies and procedures for needed updates.

The NCUA recommends, among other steps, that credit unions update their incident response plans and related practices as follows:

Update Response Plan
Review the existing incident response plan and update it to align with the new rule. This includes incorporating the reporting requirement timeframes and procedures for notifying the NCUA. Ensure the plan includes clear guidelines for identifying reportable incidents and escalation procedures for notifying management and the NCUA.

Contracts
Review contracts with critical service providers to determine if there are provisions requiring timely notification of cyber incidents.

Train Employees
Provide training to all employees, emphasizing the importance of reporting cyber incidents and the potential consequences of noncompliance. Ensure that employees understand their role in identifying and reporting incidents and provide them with necessary resources and guidance.

Monitor and Review
Regularly monitor and review the cyber incident reporting process to validate its effectiveness. Conduct periodic tests and exercises to evaluate the efficiency of the incident response plan and reporting procedures. Use lessons learned from these exercises to make improvements and update the plan.

Document All Incidents
Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain records in accordance with the organization’s retention policies. This documentation is essential and serves as a valuable resource for future incident response and reporting efforts. Documentation also provides an audit trail to support management’s reporting decisions.

The NCUA has also provided:

§ 748.1 Filing of reports.

* * * * *

(c) Cyber incident report. Each federally insured credit union must notify the appropriate NCUA-designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or, if reporting pursuant to paragraph (c)(1)(i)(C) of this section, within 72 hours of being notified by a third-party, whichever is sooner.

(1) Reportable cyber incident. (i) A reportable cyber incident is any substantial cyber incident that leads to one or more of the following:

(A) A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2.e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.

(B) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.

(C) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

(ii) A reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.

(2) Definitions. For purposes of this part:

Compromise means the unauthorized disclosure, modification, substitution, or use of sensitive data or the unauthorized modification of a security-related system, device, or process in order to gain unauthorized access.

Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Cyber incident means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.

Cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Disruption means an unplanned event that causes an information system to be inoperable for a length of time.

Integrity means guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Sensitive data means any information which by itself, or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or their account which is not public information, including any non-public personally identifiable information.

***

Please be advised that CSG provides financial services compliance audit and consulting services to our clients.  The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers.  Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services.  Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest.  Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.
