Compliance Blog

Aug 21, 2023

NCUA Letter to Credit Unions Addresses Cyber Incident Notification Requirements

I attended NAFCU’s Risk Management Seminar this past week where one of the topics discussed was cyber security risk. With that in mind, September 1st is right around the corner and with that a major NCUA cyber security rule becomes effective.

The NCUA’s Cyber Incident Notification rule requires federally-insured credit unions to either notify NCUA as soon as possible or no later than 72 hours once the credit union reasonably believes it has experienced a reportable cyber incident or a third party has notified the credit union of an incident. NAFCU’s compliance team wrote a helpful compliance blog on the Cyber Incident Notification rule that reviews what is considered a “reportable cyber incident.”

NCUA recently released its Letter to Credit Unions 23-CU-07 (NCUA Letter) to complement the final rule and to color in some of the requirements. One interesting point I found reading the final rule and the additional Letter to Credit Unions is what happens if the cyber incident is self-inflicted. Of course, most cyber incidents are the result of external bad actors attacking a credit union’s networks resulting in the exposure of sensitive data and disruption to member services. However, accidents do happen, and mistakes are made that can result in the same type of consequences that occur when a credit union’s cyber networks are attacked. So, what does a credit union do in that situation?

Generally, a federally-insured credit union is required to file a report if there is “any substantial cyber incident.

If the credit union becomes aware that a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process, or device, that cyber incident is also reportable, irrespective of intent.

There are many technological reasons why services may not be available at any given time as, for example, computer servers are offline, or systems are being updated. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.

Emphasis added.

The final rule maintains that an internal upgrade or internal issue that causes widespread repercussions for the members and exposure of sensitive data is still considered a substantial cyber incident even if malicious intent does not exist. The final rule also suggests that reporting is based on how widespread the effects of an outage are more than the cause of the outage, saying: “By using the term substantial, the Board seeks to convey an expectation that the agency will be notified of cyber incidents that are extensive or significant to the FICU or its members (or both), rather than minor or inconsequential.” The recent NCUA Letter provides measuring the substantiality of a cyber incident may “depend[] on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration.” In other words, a credit union may have to make a risk-based decision in determining whether to report an incident.

The NCUA Letter also offered clarity on the notification framework, including the reporting timeframe, how to report, and what information to report. A credit union is required to report an incident to the NCUA within 72 hours. The NCUA Letter provides the “timeframe starts from the moment the credit union receives the notification from the third party or when the credit union forms a reasonable belief that such an incident has occurred, whichever is sooner.”

A federally-insured credit union may report this to or NCUA may be reached at 1-833-292-3728. In its communication to NCUA, a federally-insured credit union is required to provide the following information:

·       Credit union name;

·       Credit union charter number;

·       Name and title of individual reporting the incident;

·       Telephone number and email address;

·       When the credit union reasonably believed a reportable cyber incident took place; and

·       A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been affected or if sensitive information was compromised.

At the time of initial notification, do not send the NCUA:

·       Sensitive personally identifiable information;

·       Indicators of compromise;

·       Specific vulnerabilities; or

·       Email attachments.

NCUA’s letter also offers additional guidance in how a credit union may implement the rule. If there are any questions about the information in this blog, please do not hesitate to contact NAFCU’s compliance team at

☀️ Summer Flash Sale on two popular On-Demand conferences! ☀️ 

Unprecedented offer! Save $200.00 on BSA School On-Demand and Risk Management Seminar On-Demand when you’re one of the first 20 people to use the codes BSAONDEMAND and RISKONDEMAND!