NCUA provides clarity on cyber incident reporting requirements

In a new Letter to Credit Unions sent Monday, the NCUA summarized its amendments to part 748 – which take effect Sept. 1 – requiring all federally-insured credit unions to notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident.

The letter offers additional commentary surrounding the definitional components of a substantial cyber incident and provides specific information about how to report an incident to the NCUA.

The NCUA instructs credit unions to either call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail or use the NCUA Secure Email Message Center to send a secure email to

In addition, the letter describes what content should be included in the cyber incident report and highlights that sensitive personally identifiable information, indicators of compromise, specific vulnerabilities, or email attachments should not be sent to the NCUA.


continue reading »