FoxPointe Security Hub

NCUA (National Credit Union Association) Proposes New Cyber Incident Reporting Rule

July 29, 2022

The NCUA has proposed a new Cyber Incident Reporting Rule. This proposal comes on the heels of the Federal Banking Agencies Incident Reporting Rule that went into effect earlier this year.

The proposed NCUA regulation would require federally chartered credit unions (as well as state-chartered, federally insured credit unions) to report within 72 hours any incident that leads to the "substantial loss" of confidentiality, integrity or availability of member information. A cyberattack that disrupts business operations would also be a reportable event, as would the compromise of sensitive data or business operations resulting from an incident experienced by a third-party service provider.

According to the proposal, some examples of a “reportable cyber incident” include:

  • A computer hacking incident that disables a FICU’s operations.
  • A ransom malware attack that encrypts a core banking system or backup data.
  • Third-party notification to a FICU that they have experienced a breach of a FICU employee’s personally identifiable information (PII).
  • A detected, unauthorized intrusion into a network information system.
  • Discovery or identification of zero-day malware in a network or information system.
  • Internal breach or data theft by an insider.
  • A systems compromise resulting from card skimming.
  • Sensitive data exfiltrated outside of the FICU or a contracted third party in an unauthorized manner, such as through a flash drive or online storage account.

While the proposal calls for a 72-hour window for incident reporting, the NCUA is asking for industry comment, specifically on whether the reporting requirement should be shortened to the current banking standard of 36 hours.

FoxPointe will continue to monitor the proposed rule and send updates with any changes. If you have any questions, we would be happy to discuss this new proposal or any other cybersecurity-related topics.
