Skip to content

TruStage RISK Alert: NCUA’s Incident 72-hour Reporting Rule Goes into Effect

As of September 1, 2023, all federally insured credit unions that experience or reasonably believe that they have experienced a reportable cyber incident must notify the NCUA within 72 hours.

This Cyber Incident Notification Rule also includes credit unions that received notification from a third-party regarding a reportable cyber incident.

In a letter to credit unions, the NCUA stated:

“The Cyber Incident Notification Requirements rule defines a cyber incident as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”

The NCUA letter also summarizes the definition of a “reportable cyber incident” as an any incident that leads to one or more of the following outcomes:

  • Substantial loss of confidentiality, integrity, or availability of a network or member information system that results from unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on safety of operational systems and processes.
  • A disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business or unauthorized access to sensitive data facilitated though, or caused by, a compromise of a credit union services organization (CUSO), cloud service provider, other third-party data hosting provider, or by a supply chain compromise.

For more information and steps to take to file a report, read the full alert at:

(Password and log-in required)

Join Our Mailing List

Keep up with the latest industry info, advocacy updates, member spotlights and upcoming events.