NCUA issued a Letter to Credit Unions (23-CU-07) on the cyber incident notification requirements that go into effect Sept. 1. Credit unions will be required to notify the NCUA no later than 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident or has received a notification from a third party regarding a reportable cyber incident.
The rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.
To report a cyber incident, credit unions should notify NCUA through one of the following channels:
When providing notification of a cyber incident to NCUA, credit unions should provide as much of the following information as is known at the time of reporting:
Credit unions should not send sensitive personally identifiable information, indicators of compromise, specific vulnerabilities, or email attachments at the time of initial notification.
The letter also lays out a number of steps credit unions should take to ensure they are prepared for compliance with this requirement on Sept. 1. The full rule can be accessed here.