March 21, 2023

Volume XIII, Number 80


March 20, 2023


72 hours: The NCUA’s New Cyber Incident Reporting Requirement

Three days. Starting September 1, 2023, that is all the time federally insured credit unions will have to report cyber incidents.

The rule, approved on February 16, 2023, broadly defines cyber incident to include any incident that jeopardizes an information system or the information stored in one. Reportable incidents, however, are defined by a slightly less broad, but perhaps more complex, three-part definition that also requires a report when a credit union has a “reasonable belief” it has been the victim of a cyber attack:

  • Part one requires a report if the incident causes a substantial loss to an information system. This includes loss through the exposure of data, the disruption of vital services, or a serious impact to the safety and resiliency of a system.
  • Part two requires a report in the event of an incident that causes a disruption to business operations, vital services, or an information system.
  • Part three requires a report if a third party informs a credit union that credit union data or business operations have been compromised. This portion of the rule only applies to third parties that have a relationship with the credit union.

Procedurally, the report must be provided to the credit union’s designated NCUA point of contact no later than 72 hours after the credit union experiences or reasonably believes it has experienced a reportable cyber incident. In the case of third-party notification, the 72-hour period begins to run from the time of the third-party notification. A credit union need not fully assess the incident before making its report.

Putting it into Practice: This rule is another example of a regulator trying to move organizations towards a faster reporting deadline. Federally insured credit unions should organize their incident response plans to respond in kind.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 76

About this Author


Charles Glover is an associate in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Charles' practice focuses on breach response, data privacy law, and intellectual property disputes. His representations cover a variety of clients, including national banks, domestic airlines, and entertainment companies.

Charles’ solutions-oriented focus and diverse experience allow him to develop and implement dynamic strategies tailored to meet his clients’ needs. He has helped clients of all sizes and stages...


Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....