Skip to Main Content

The Vault

March 7, 2023

NCUA Announces New Cyber Threat Reporting Requirement

By Dowse Bradwell "Brad" Rustin, IV, Elizabeth Donaldson, Lashania White

The National Credit Union Administration (NCUA) recently approved a final rule that obligates credit unions to report all cybersecurity attacks within 72 hours starting this September. The rule’s approval is in line with President Biden’s March 2022 cybersecurity plan and comes just months after the Financial Crimes Enforcement Network declared $1.2 billion worth of ransomware-related filings in 2021.

The NCUA stated the new rule, which was approved on Feb. 16, 2023, aims to mitigate cyber incidents “that [lead] to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.” Additionally, the NCUA claimed the new notification requirement is intended to provide an early alert, rather than a full assessment, of a cyber incident. NCUA Chair Todd Harper noted that “through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector.” The rule does not detail specific reporting measures, however the NCUA is expected to provide reporting guidance ahead of the rule’s enforcement.

This new rule is another measure the NCUA has implemented to regulate cyber security compliance after launching the Information Security Examination program. Harper highlighted the importance of coordination between his administration and the and the Cybersecurity and Infrastructure Security Agency. Harper intends the new rule will extend the NCUA’s purview over credit union service organizations and third-party service providers which control around $2 trillion in assets. Banks regulated by the FDIC and the Federal Reserve currently have a shorter 36 hour cyber incident reporting obligation. Harper anticipates this rule will “give credit union members the same protection that bank customers currently enjoy.”

The full text of the new rule can be found here.