Dive Brief:
- Credit unions would have three days to report a cybersecurity incident to the National Credit Union Administration (NCUA) under a proposed rule the regulator issued Thursday.
- The proposed rule, which was approved during the NCUA’s board meeting last week, would require all federally insured credit unions to notify the regulator within a 72-hour window after they reasonably believe a reportable cyber incident has occurred.
- The three-day window falls in line with the Critical Infrastructure Act that President Joe Biden signed into law in March, but is twice as long as the reporting window banks have had to comply with since May.
Dive Insight:
NCUA Chairman Todd Harper said the board’s approval for issuing the proposal is a critical step toward increasing cybersecurity awareness and protection within the financial system.
“Federally insured credit unions are not only the system’s first line of defense, but they are also the NCUA’s eyes and ears,” he said in a statement. “When credit unions report these types of incidents, they may very well be helping to keep our nation secure from similar cyberattacks elsewhere.”
Under the proposed rule, credit unions “would be required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.”
The proposal comes as the Biden administration has warned U.S. businesses about the increasing risk of Russian cyberattacks.
The NCUA’s proposed reporting window matches the timeline in the new cybersecurity law Biden signed in March, which requires companies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of learning of a hack.
Banks regulated by the Federal Deposit Insurance Corp. (FDIC), Office of the Comptroller of the Currency (OCC) and Federal Reserve, however, have a tighter window.
Under a rule that took effect in May, banks are required to notify their primary federal regulator of a cybersecurity incident within 36 hours, a time frame that one expert said could be difficult for some smaller institutions to meet.
“The 36 hours is actually probably one of the tightest rules out there, as far as timeline goes,” David Murphy, cybersecurity manager at accounting firm Schneider Downs, told Banking Dive in April. “But in this case, I think what regulators are trying to do is nail down, ‘How big is this problem?’”