Credit unions’ 72-hour cyberattack reporting window to take effect Sept. 1

The National Credit Union Administration unanimously approved a final rule requiring all credit unions to report cybersecurity attacks within 72 hours after they reasonably believe an incident has occurred, the agency announced Thursday.

The rule will be effective Sept. 1, but the agency will lay out additional guidance before then.

The rule remains largely unchanged from when it was proposed in July, NCUA Chair Todd Harper said, emphasizing the importance of coordination between the NCUA and the Cybersecurity and Infrastructure Security Agency to avoid duplicate reporting.

“Each of us in the financial system has an obligation to protect our nation’s economic and financial infrastructure. And, credit unions must be included in conversations about critical infrastructure, as a whole,” Harper said in a statement.

Banks regulated by the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve face a tighter reporting window: 36 hours.

“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” Harper said.

The final rule will go into effect months after the Financial Crimes Enforcement Network said U.S. financial institutions reported $1.2 billion worth of ransomware-related filings in 2021.

The NCUA’s rule complies with a cybersecurity law President Joe Biden signed in March 2022, requiring companies to provide notification within 72 hours of learning of a cyberattack.

The 72-hour notification time frame is to provide an early alert and does not require credit unions to give a full assessment of the incident to the NCUA, the board said.

The rule is aimed at cyber incidents “that [lead] to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes,” the NCUA said.

"The sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread,” NCUA Vice Chair Kyle Hauptman said Thursday.

The rule is one of the many steps the NCUA has taken to improve cyber resiliency, including the Information Security Examination program launched this year, Harper said.

The NCUA does not supervise third-party vendors, and as such, around $2 trillion in assets are exposed to potential risks, Harper said.

“Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors,” he said.

By restoring the NCUA’s authority over credit union service organizations and third-party vendors, the country’s economic security would receive a boost, Harper said.

“It will also give credit union members the same protection that bank customers currently enjoy,” Harper said, adding that the agency will continue to engage with Congress on the issue.