What Is a Reportable Cyber Incident?

The rule requires credit unions to notify the NCUA no later than 72 hours after it reasonably believes a reportable cyber incident has occurred. A reportable cyber incident is defined as any substantial cyber incident that leads to:

A substantial loss of confidentiality, integrity or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes;
A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; and/or
A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a CUSO, cloud service provider, managed service provider, or other third-party data hosting provider or a supply chain compromise.

Examples of Reportable Incidents

The NCUA's final rule contained some examples of what may constitute a reportable cyber incident, including, without limitation:

If a member information system has been unlawfully modified and/or sensitive data has been left exposed to an unauthorized person, process or device;
A failed system upgrade or change that results in unplanned widespread user outages for credit union members and employees; or
A distributed denial of service (DDoS) attack that disrupts member account access.

The rule does state that incidents such as unsuccessful malware attacks or failed attempts to gain access to systems do not have to be reported. In addition, third-party incidents that are unknown to a credit union and hold information about individuals who happen to be credit union members or employees do not impose a notification requirement.

Instant Insights /

What CUs Need to Know About the New Cyber Incident Reporting Requirements

Related Stories

Recommended For You