Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days

The National Credit Union Administration is requiring all federally insured credit unions to report cyber incidents within 72 hours of discovery.

The National Credit Union Administration (NCUA) is updating cyberattack reporting rules, requiring all federally insured credit unions to report incidents within 72 hours of discovery.

The new policy, NCUA announced, comes into effect on September 1, and will cover all incidents that impact information systems or the integrity, confidentiality, or availability of data on those systems.

“Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident,” the NCUA announced.

NCUA defines reportable incidents as those leading to network or system compromise following unauthorized access to or exposure of sensitive information, or to the disruption of services or operational systems.

“For example, if a federally insured credit union becomes aware that sensitive data is unlawfully accessed, modified, or destroyed, or if the integrity of a network or member information system is compromised, the cyber incident is reportable,” the NCUA explains.

Incidents involving unauthorized tampering with information systems or erroneous exposure of sensitive data are also reportable, the organization notes.

For incidents that do not trigger reporting under the new regulation, but which involve unauthorized access to user information, credit unions will continue to rely on the previous reporting framework.

Under the new regulation, cyberattacks such as distributed denial-of-service (DDoS), which may lead to the disruption of business operations, services, or systems, are reportable. Failed attacks, including blocked phishing attempts, however, should not be reported.

Unexpected malfunctions leading to the disruption of member account access for substantial periods of time should also be reported.

The new regulation also requires credit unions to report data breaches and disruptions that have occurred following a cyberattack on third-party service providers, except for those incidents performed by white hat hackers.

“The overall definition of a reportable cyber incident is intended to capture the reporting of substantial cyber incidents. A credit union’s determination of ‘substantial’ depends on a variety of factors, including the size of the credit union, the type and impact of the loss, and its duration,” the NCUA notes.

Per the updated regulation, credit unions are required to report cyber incidents within 72 hours after forming “a reasonable belief a reportable cyber incident has taken place” or after being informed by a third party of data compromise or disruptions following a cyberattack.

“By following these guidelines and implementing the cyber incident notification requirements, your credit union can enhance its overall cybersecurity posture and improve incident response capabilities,” the NCUA concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
