NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

Understanding the NCUA’s Cyber Incident Reporting Rule

For credit unions, and particularly those with less than $500 million in total assets, protecting against cyber threats is more critical than ever. Financial institutions, including credit unions, are prime targets for cybercriminals because of the sensitive financial and personal data they hold.

Ransomware attacks are increasingly costly to financial organizations, with the average cost reaching $5.13 million in 2024. (1) According to CrowdStrike’s 2024 Global Threat Report, phishing, ransomware, and third-party breaches remain the top cyber threats facing credit unions today. (2) Additionally, the NCUA has warned that smaller credit unions are particularly vulnerable, as they often lack the dedicated cybersecurity staff and tooling of larger financial institutions.

Recognizing these growing risks, the National Credit Union Administration (NCUA) implemented a rule (12 CFR Part 748) requiring all federally insured credit unions to report reportable cyber incidents to the NCUA no later than 72 hours after the credit union reasonably believes one has occurred. The rule, which took effect on September 1, 2023, is designed to enhance regulatory oversight, improve threat intelligence sharing, and help mitigate systemic risks to the financial sector. By understanding this regulation and implementing strong cybersecurity measures, credit unions can better protect their members and maintain compliance. (3)

Key Components

  1. Definition of a Reportable Cyber Incident: The rule defines a reportable cyber incident as a substantial cyber incident that leads to one or more of the following: a substantial loss of confidentiality, integrity, or availability of a network or member information system; a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or an exploited vulnerability; or a disruption of business operations or unauthorized access to sensitive data caused by the compromise of a credit union service organization (CUSO), cloud service provider, other third-party data host, or the supply chain. Note that the third prong means an incident at a vendor can be reportable even when the credit union’s own systems were never touched.
  2. Reporting Timeframe: Credit unions must notify the NCUA as soon as possible, but no later than 72 hours after forming a reasonable belief that a reportable cyber incident has occurred. The clock starts at reasonable belief, not at confirmation or at the end of the investigation. The same timeframe applies when a third party, such as a vendor or CUSO, notifies the credit union of an incident affecting it.
  3. Notification Content: The initial notification should include basic information about the incident, such as the nature of the incident, its potential impact, and any immediate response actions taken. A full incident assessment is not required within the 72-hour timeframe.

Rationale Behind the Rule

The increasing frequency and sophistication of cyberattacks targeting financial institutions prompted the NCUA to implement this rule. By mandating timely reporting, the NCUA aims to:

  • Enhance Situational Awareness: Early notification allows the NCUA to monitor emerging threats and assess their potential impact on the credit union system.
  • Facilitate Prompt Assistance: Timely reports enable the NCUA to provide guidance and support to affected credit unions, mitigating potential damages.
  • Strengthen Systemic Resilience: Collecting data on cyber incidents helps the NCUA identify trends and develop strategies to bolster the overall cybersecurity posture of credit unions.

Reporting Process

When a reportable cyber incident occurs, credit unions should follow these steps to notify the NCUA:

  1. Determine Reportability: Assess whether the incident meets the criteria of a reportable cyber incident as defined by the NCUA.
  2. Prepare Initial Notification: Gather pertinent information about the incident, including:
    • A brief description of the incident
    • The date and time of occurrence
    • The impact on operations and member services
    • Immediate response measures implemented
  3. Submit Notification: Choose one of the following methods to report the incident:
    • Online Form: Use the Cyber Incident Credit Union Reporting System Online Form available at cyberreports.ncua.gov.
    • Phone: Call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail with the necessary details.
    • Secure Email: Send a secure email via the NCUA Secure Email Message Center to cybercu@ncua.gov.

It’s essential to report the incident as soon as possible, even if all details are not yet available. The initial notification can be supplemented with additional information as it becomes known.

Compliance

To incorporate the NCUA’s 72-hour cyber incident reporting rule into your credit union’s incident response plan, establish clear internal protocols for identifying, assessing, and escalating potential cyber incidents:

  1. Train your IT and security teams to recognize what constitutes a reportable cyber incident under the NCUA’s definition, including incidents at a vendor, CUSO, or cloud provider that affect the credit union or its member data.
  2. Designate a response team responsible for evaluating cyber incidents and making a rapid determination on whether notification is required. Because the 72-hour clock starts when the credit union reasonably believes a reportable incident has occurred, not when the investigation is complete, record the date and time of that determination.
  3. Implement a structured escalation workflow that immediately notifies senior leadership, legal counsel, and compliance officers, so that the decision to report does not wait on a full root-cause analysis.
  4. Update your incident response playbooks with predefined steps for gathering the initial notification details and submitting them through the NCUA’s designated channels (the online form, phone, or secure email), and for supplementing the report as more becomes known.
  5. Conduct regular cybersecurity drills and tabletop exercises that measure the elapsed time from first detection to NCUA notification, to confirm that your credit union can meet the 72-hour requirement under real-world conditions and remains prepared and compliant.

Dynamic Edge Can Help

Since 1999, Dynamic Edge has helped hundreds of small and mid-sized businesses maximize the return on their technology investment. Contact us today for a free network assessment, so that we may help you implement cost-effective security solutions to keep your organization and its clients safe and productive. Our Help Desk features friendly, experienced engineers who answer calls live and solve more than 70% of issues on the first call.
