March 7, 2023

NCUA Announces New Cyber Threat Reporting Requirement

Dowse Bradwell Rustin, IV, Elizabeth Donaldson, Lashania White

+ Follow Contact

Send

Embed

Nelson Mullins Riley & Scarborough LLP

The National Credit Union Administration (NCUA) recently approved a final rule that obligates credit unions to report all cybersecurity attacks within 72 hours starting this September. The rule’s approval is in line with President Biden’s March 2022 cybersecurity plan and comes just months after the Financial Crimes Enforcement Network declared $1.2 billion worth of ransomware-related filings in 2021.

The NCUA stated the new rule, which was approved on Feb. 16, 2023, aims to mitigate cyber incidents “that [lead] to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.” Additionally, the NCUA claimed the new notification requirement is intended to provide an early alert, rather than a full assessment, of a cyber incident. NCUA Chair Todd Harper noted that “through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector.” The rule does not detail specific reporting measures, however the NCUA is expected to provide reporting guidance ahead of the rule’s enforcement.

This new rule is another measure the NCUA has implemented to regulate cyber security compliance after launching the Information Security Examination program. Harper highlighted the importance of coordination between his administration and the and the Cybersecurity and Infrastructure Security Agency. Harper intends the new rule will extend the NCUA’s purview over credit union service organizations and third-party service providers which control around $2 trillion in assets. Banks regulated by the FDIC and the Federal Reserve currently have a shorter 36 hour cyber incident reporting obligation. Harper anticipates this rule will “give credit union members the same protection that bank customers currently enjoy.”

The full text of the new rule can be found here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Nelson Mullins Riley & Scarborough LLP

Contact + Follow

Dowse Bradwell Rustin, IV

+ Follow

Elizabeth Donaldson

+ Follow

Lashania White

+ Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

Credit Unions

+ Follow

Cyber Incident Reporting

+ Follow

Cybersecurity

+ Follow

Data Breach

+ Follow

Financial Institutions

+ Follow

Financial Services Industry

+ Follow

Information Governance

+ Follow

NCUA

+ Follow

New Regulations

+ Follow

Popular

+ Follow

Regulatory Requirements

+ Follow

Administrative Agency

+ Follow

Consumer Protection

+ Follow

Finance & Banking

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Nelson Mullins Riley & Scarborough LLP on:

NCUA Announces New Cyber Threat Reporting Requirement

Latest Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

Nelson Mullins Riley & Scarborough LLP on:

"My best business intelligence, in one easy email…"