Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

New NCUA Rule Requires Credit Unions to Report Cyberattacks Within 3 Days

The updated cybersecurity reporting rule from the National Credit Union Administration takes effect Sept. 1.

Edge Editors, Dark Reading

August 22, 2023

1 Min Read
a person in a blue shirt holding a marker and checking off a box with a red checkbox
Source: Worawut via Adobe Stock Photo

All federally insured credit unions must report cyber incidents within 72 hours of discovery, according to the National Credit Union Administration's (NCUA) updated cyberattack reporting policy. The countdown begins after forming "a reasonable belief a reportable cyber incident has taken place," after being informed by a third party of a data compromise, or some kind of disruptions caused by an attack.

The policy covers all incidents that impact information systems or the integrity, confidentiality, or availability of data on those systems. Reportable incidents include those leading to network or system compromise following unauthorized access to or exposure of sensitive information or to the disruption of services or operational systems, the NCUA said.

Examples of incidents that should be reported include:

  • Distributed denial-of-service attacks, which may disrupt business operations, service, or systems.

  • Unexpected malfunctions resulting in customers' inability to access their accounts for a block of time.

  • Unauthorized tampering of systems and accidental exposures of sensitive data.

  • Data breaches and disruptions that occur as a result of a cyberattack on third-party service providers.

"The overall definition of a reportable cyber incident is intended to capture the reporting of substantial cyber incidents. A credit union's determination of 'substantial' depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration," the NCUA said.

Failed attacks, such as phishing attempts that were successfully blocked, should not be reported.

The revised rule goes into effect Sept. 1. Credit unions should continue to follow the previous reporting framework for incidents that involve unauthorized access to user data but don't fall under the new rules, the agency said.

About the Author

Edge Editors

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights