NCUA Publishes Rule Requiring Notification of Reportable Cyber Incidents
The National Credit Union Administration (NCUA) recently published a rule requiring federally insured credit unions (FICUs) to notify NCUA of any reportable cyber incidents as soon as possible but no later than 72 hours after the FICU believes a reportable cyber incident has occurred.
A reportable cyber incident is defined as a substantial cyber incident that leads to: (i) a substantial loss of confidentiality, integrity, or availability of a network or member information system that results from unauthorized access or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes; (ii) a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or (iii) a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.
The rule defines sensitive data as information which by itself, or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or their account which is not public information.
The rule goes into effect September 1, 2023.