The National Credit Union Administration (NCUA) requires all federally insured credit unions (FICUs) to notify the agency of certain cyber incidents no later than 72 hours after the credit union reasonably believes one has occurred. The rule, an amendment to 12 CFR Part 748 that took effect September 1, 2023, is designed to give regulators early visibility into threats that could affect credit union operations, member services, or the broader financial system.
This requirement applies to:
- Federal credit unions
- Federally insured state‑chartered credit unions
Credit union service organizations (CUSOs) and other third‑party providers are not themselves subject to the rule, since the NCUA does not directly regulate them. Instead, the obligation falls on the credit union: if a CUSO, cloud provider, or other vendor is compromised in a way that affects the credit union, the credit union must report it.
⭐ What Must Be Reported?
A credit union must notify the NCUA when it experiences a “reportable cyber incident.”
The NCUA defines this as a substantial cyber incident that leads to one or more of the following:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system, resulting from unauthorized access to or exposure of sensitive data, disruption of vital member services, or a serious impact on the safety and resiliency of operational systems and processes
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or the exploitation of vulnerabilities
- A disruption of business operations or unauthorized access to sensitive data caused by a compromise of a CUSO, cloud service provider, or other third‑party data hosting provider, or by a supply chain compromise
In practice, reportable incidents fall into three groups:
- Substantial cyber incidents: events that materially disrupt
  - Critical operations
  - Member account access
  - Payment systems
  - Online banking
  - Core processing systems
- Unauthorized access or intrusion: incidents involving
  - Compromise of sensitive member information
  - Unauthorized access to systems or networks
  - Malware or ransomware infections that are not contained before they affect systems or data
  - Data exfiltration or attempted exfiltration
- Significant third‑party incidents: if a vendor, CUSO, or other service provider experiences a cyber event that materially affects the credit union, it must be reported, even though the credit union itself was not directly attacked. This means vendor contracts and incident‑response plans should require providers to notify the credit union quickly enough for it to meet its own 72‑hour deadline.
📅 Reporting Timeline
Credit unions must notify the NCUA within 72 hours.
The 72‑hour clock begins when the credit union reasonably believes a reportable cyber incident has occurred, not when the incident began and not when the investigation is complete.
This standard is intentionally flexible:
- The credit union does not need full forensic confirmation before reporting.
- The NCUA expects notification once the credit union has a reasonable basis to conclude that the incident meets the definition above.
- Because the trigger is “reasonable belief,” the credit union should record when and why it reached that conclusion; that timestamp is what examiners will measure the 72 hours against.
📄 How to Report
Credit unions must notify the NCUA no later than 72 hours after forming that reasonable belief, using one of the approved channels:
- NCUA’s secure reporting portal
- Email to the designated NCUA incident reporting address
- Telephone notification to the appropriate NCUA supervisory office
The initial report should include:
- A brief description of the incident
- Date/time of discovery
- Systems and operations affected
- Whether member data may be involved
- Initial mitigation steps
- Contact information for follow‑up
The NCUA does not require a full forensic report at the time of notification; the initial notice is an early heads‑up, and the agency may follow up for additional detail as the investigation progresses. The notification also does not replace other obligations that the same incident may trigger, such as member notice under Part 748 Appendix B, Suspicious Activity Report filings, or state breach‑notification laws.
🔍 Examples of Reportable Incidents
- Ransomware that disables online banking or core systems
- DDoS attacks causing prolonged service outages
- Unauthorized access to member data
- Compromise of a third‑party service provider affecting credit union operations
- System outages caused by cyberattacks
- Malware infections that spread across critical systems
⚠️ What Is Not Reportable?
The NCUA does not require reporting of:
- Phishing attempts that are blocked or that do not result in a compromise
- Routine malware blocked by security tools before it executes or spreads
- Incidents that do not materially impact operations or data
- Failed attacks with no operational or data impact
- Activity performed in good faith at the credit union’s specific request, such as an authorized penetration test or vulnerability scan
The focus is on substantial incidents. When it is unclear whether an event crosses the threshold, the “reasonable belief” standard and the absence of a forensic‑report requirement both point toward notifying early rather than waiting for certainty.
