Three days. Starting September 1, 2023, that is all federally insured credit unions will have to report cyber incidents.

The rule, approved on February 16, 2023, broadly defines cyber incident to include any incident that jeopardizes an information system or the information stored in one. Reportable incidents however are defined by a slightly less broad, but perhaps more complex, three-part definition that also requires a report when a credit union has a “reasonable belief” it has been the victim of a cyber attack:

  • Part one requires a report if the incident causes a substantial loss to an information system. This includes through the exposure of data, disruption of vital services, or as a result of a serious impact to the safety and resiliency of a system.
  • Part two requires a report in the event of an incident that causes a disruption to business operations, vital services, or to an information system.
  • Part three requires a report if a third-party informs a credit union that credit union data or business operations have been compromised. This portion of the rule only applies to third-parties that have a relationship with the credit union.

Procedurally, the report must be provided to the credit union’s designated NCUA’s point of contact no later than 72 hours after it experiences or reasonably believes it has experienced a reportable cyber incident. In the case of third-party notification, the 72 hour period begins to run from the time of the third-party notification. A credit union need not fully assess the incident before making its report.

Putting it into Practice: This rule is another example of a regulator trying to move organizations towards a faster reporting deadline. Federally insured credit unions should organize their incident response plans to respond in kind.