X

NCUA Issues Guidance on Cyber Incident Notifications Requirements

The National Credit Union Administration ("NCUA") notified all federally insured credit unions that as of September 1, 2023, they must report cyber incidents within 72 hours after becoming aware of the event or receiving a notification from a third party regarding a reportable incident.

In the letter, the NCUA provides additional guidance on compliance with implementing amendments to Part 748, the "Cyber Incident Notification Requirements" rule. The NCUA stated that under the new amendments, credit unions must inform the NCUA of any cyber incident involving (i) a "substantial" loss of confidentiality due to the unauthorized access or exposure of sensitive data, (ii) a disruption of business operations due to a cyberattack and/or (iii) a disruption of business operations or unauthorized access to sensitive data caused by a third-party data hosting provider or supply chain provider.

Primary Sources

  1. NCUA Letter 23-CU-07: Cyber Incident Notification Requirements

Premium Content

Available only to Premium subscribers.

 

Join Premium

US Regulatory Intelligence combines regulatory and enforcement news, analysis, and practical work tools on an easy-to-use digital platform.

Request a Free Trial

Tags

Regulated Activities
Data Protection / Cybersecurity
Regulated Entities
Banking Entities
Sub-Entity
Credit Unions
Body of Law
Banking Law
Jurisdiction
US - Federal
Organization
US Banking Regulators
Sub-Author
NCUA