Skip to main content
Promotion: Promotional Banner Image

CUNA is now America’s Credit Unions.
A stronger voice to advance the credit union industry.

Learn More

Is your Credit Union ready for the NEW Cyber Incident Notification Rule effective September 1?

By Kelli Silvernale, CUVM
February 27, 2023

Starting September 1, 2023, federally insured credit unions (FICUs) must comply with the new Cyber Incident Notification Rule recently issued by the NCUA Board. The rule mandates that credit unions report any cyber incident that qualifies as a reportable cyber incident to the NCUA in a timely manner, no later than 72 hours after the incident is detected.

A cyber incident that is substantial is classified as below:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vial member services, or has a serious impact of the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

It is worth noting that failed attempts to breach systems or unsuccessful malware attacks are not reportable under this rule. For example, a DDoS attack that disrupts member account access would be reportable under this prong. It is the credit union's responsibility to amend its contracts with vendors to include provisions for reportability and accountability.

So, what does this mean for your FICU?

You will need to ensure that you are working to amend your contracts to include language of reportability and accountability to your vendors!

The NCUA is expected to provide more information and examples of reportable incidents before September 1, 2023. It is essential for credit unions to familiarize themselves with the new rule and take necessary measures to comply with it to ensure a secure and stable cyber environment for their members.

About CUVM

Currently serving over 200 credit unions in 36 states, CUVM offers a cost-effective and dependable way to manage vendor regulatory due diligence. It offers a holistic approach to managing contracts that takes the burden off credit unions’ already full plate. The streamlined vendor management process saves time and resources, and may even lower operational expenses for your credit union.