July 29, 2022

NAFCU Reg Alert seeks feedback on NCUA’s cyber incident notification proposal

NAFCU sent members a Regulatory Alert Thursday on the NCUA’s proposal requiring federally-insured credit unions (FICUs) that experience reportable cyber incidents to report the incident to the NCUA as soon as possible, but no later than 72 hours after the FICU believes it has experienced such an incident.

In the Regulatory Alert, NAFCU highlights:

  • a reportable incident would be defined as a substantial cyber incident that meets threshold conditions for disruption or unauthorized access, as set forth in new regulatory definitions;
  • the NCUA anticipates that a FICU would take some time to recognize it has experienced a reportable cyber incident; and 
  • in terms of reporting, the proposal would not adopt a prescribed form or template, and would only require certain basic information. 

The NCUA published this proposal in response to the increasing frequency and severity of cyber incidents. The 72-hour timeframe aligns with the incident reporting requirement under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

A post on NAFCU’s Compliance Blog details the proposal; in it, Senior Regulatory Compliance Counsel Nick St. John states the proposal “gives credit unions some level of discretion in determining when reporting is needed.”

Comments in response to the proposal are due to NAFCU September 12 and can be submitted through the alert; comments are due to the NCUA September 26.