Will you be ready when NCUA’s cyber reporting rule takes effect Sept. 1?

Start preparing your incident response plan now.

Cyber incidents are in the news and on the rise. Now, a mandatory cyber incident reporting rule, unanimously adopted by the National Credit Union Administration board members, is scheduled to take effect Sept. 1. It will require any federally insured credit union to report a “reportable cyber incident” to its contact at NCUA as soon as possible—and in no event later than 72 hours after it reasonably believes it has experienced a cyber incident that qualifies as reportable. Alternatively, the rule requires reporting within 72 hours of a credit union being notified by a third-party source of a reportable cyber incident.

NCUA’s focus on cybersecurity as a stated supervisory priority, coupled with this new three-day cyber reporting rule, signals the importance placed upon safekeeping the data of credit union members. The regulator has made clear that credit unions will be held to high standards for cybersecurity and data protection, preservation and privacy.

This rule adds another layer of compliance requirements for credit unions under NCUA protocols, beyond applicable state-level laws regulating data breaches. The rule applies to ransomware incidents that are disruptions, and equally to network outages and privacy incidents, such as the accessing of member information without authority, whether the incident occurs at the credit union or on the watch of a vendor like a service provider.

 
