NCUA follows banking regulators, proposes cyber incident notification rule

Last fall, major federal banking regulators issued a final rule that imposed new cyber incident notification requirements on banks. While that rule does not apply to credit unions, cyber incident reporting requirements for credit unions are now on the horizon. Last week the National Credit Union Administration (NCUA) issued its own proposed rule on this topic.

Current Requirements

The NCUA proposal is only in its initial stages and is not a concrete requirement for credit unions – yet. Until the NCUA proposal makes its way through the rulemaking process and becomes an official regulation, the current cyber incident reporting requirements will continue to apply. At the moment, Appendix B of part 748 of the NCUA regulations states that federally insured credit unions (FICUs) should have an incident response plan, which should include notifying the FICU’s NCUA regional office as soon as possible when the FICU “becomes aware” of an incident involving unauthorized access to or use of sensitive member information, and notifying members “when warranted.” Additionally, FICUs must file a catastrophic act report if a disaster (natural or otherwise, which could include cyber incidents) causes an interruption to the FICU’s vital member services that is projected to last more than two consecutive business days.

 
