The NCUA has proposed a new Cyber Incident Reporting Rule. This proposal comes on the heels of the Federal Banking Agencies Incident Reporting Rule that went into effect earlier this year.

The proposed NCUA regulation would require federally charted credit unions (also applies to state-chartered, federally insured credit unions) to report within 72 hours any incident that leads to the "substantial loss" of confidentiality, integrity or availability of member information. A cyberattack causing a disruption of business operations would also come under the umbrella of reportable events. So would the compromise of sensitive data or business operations resulting from an incident experienced by a third-party service provider.

According to the proposal, some examples of a “reportable cyber incident” include:

• A computer hacking incident that disables a FICU’s operations.
• A ransom malware attack that encrypts a core banking system or backup data.
• Third-party notification to a FICU that they have experienced a breach of a FICU employee’s personally identifiable information (PII).
• A detected, unauthorized intrusion into a network information system.
• Discovery or identification of zero-day malware15 in a network or information system.
• Internal breach or data theft by an insider.
• A systems compromise resulting from card skimming.
• Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.

While the proposal calls for a 72-hour window for incident reporting, the NCUA is asking for industry comment, specifically on if the reporting requirement should be shortened to the current banking standard of 36 hours.

FoxPointe will continue to monitor the proposed rule and send updates with any changes. If you have any questions, we would be happy to have a discussion on this new proposal or any other cybersecurity related topics.