NCUA Adopts Rule to Require Reporting of Cyber Incidents
The National Credit Union Administration ("NCUA") adopted a final rule requiring federally insured credit unions ("FICUs") to report certain cyber incidents.
FICUs will be required to notify the NCUA no later than 72 hours after the earlier of the time that (i) the credit union reasonably believes a "reportable" cyber incident took place or (ii) a third party has informed the credit union that its sensitive data or business operations have been compromised or disrupted as a result of a cyber incident experienced by the third party.
The NCUA defines a "cyber incident" as "an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system." A "reportable cyber incident" is any substantial (i.e., extensive or significant) cyber incident that causes one or more of the following:
- a substantial loss of confidentiality, integrity or availability of a network or member information system that results from unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes;
- a disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or
- a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider or other third-party data hosting service provider or supply chain compromise.
The NCUA indicated that it will be providing additional reporting guidance and examples of both reportable and non-reportable incidents prior to the rule’s effective date.
The rule will become effective on September 1, 2023.