Effective September 1, 2023, the final rule requires federally insured credit unions to notify NCUA as soon as possible, within 72 hours, after they reasonably believe that a reportable cyber incident has occurred. Reportable cyber incidents include those that lead to a substantial loss of confidentiality, integrity, or availability of a network or member information system. Cyber attacks that disrupt business operations, critical member services, or a member information system must be reported within 72 hours. The 72-hour notification rule does not require credit unions to provide a full incident assessment, and additional reporting guidance will be provided by NCUA prior to the final rule effective date.
BTG recommends a review and revision of credit union information security policies and incident response plans to ensure compliance with the cyber incident reporting requirements. Additionally, members of Management, the Incident Response Team, and the Board of Directors should be aware of the final rule requirements and responsibilities.
For more information or help in revising your incident response plans and policies, contact Elisabeth Esposito, Vice President of Professional Services, at firstname.lastname@example.org or (800) 355-4550.