news.cuna.org/articles/122897-compliance-ncua-issues-letter-on-cyber-incident-reporting-notification-requirements

Compliance: NCUA issues letter on cyber incident reporting notification requirements

August 16, 2023

NCUA issued a Letter to Credit Unions (23-CU-07) on the cyber incident notification requirements that go into effect Sept. 1. Credit unions will be required to notify the NCUA no later than 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident or has received a notification from a third party regarding a reportable cyber incident.

The rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.

To report a cyber incident, credit unions should notify NCUA through one of the following channels:

  • Call NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail; or
  • Use the National Credit Union Administration Secure Email Message Center to send a secure email to cybercu@ncua.gov.

When providing notification of a cyber incident to NCUA, credit unions should provide as much of the following information as is known at the time of reporting:

  • Credit union name;
  • Credit union charter number;
  • Name and title of individual reporting the incident;
  • Telephone number and email address;
  • When the credit union reasonably believed a reportable cyber incident took place; and
  • A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected or if sensitive information was compromised.

Credit unions should not send sensitive personally identifiable information, indicators of compromise, specific vulnerabilities, or email attachments at the time of initial notification.

The letter also lays out a number of steps credit unions should take to ensure they are prepared for compliance with this requirement on Sept. 1. The full rule can be accessed here.