The National Credit Union Administration unanimously approved a final rule requiring all credit unions to report cybersecurity attacks within 72 hours after they reasonably believe an incident has occurred, the agency announced Thursday.
The rule will be effective Sept. 1. Additional guidance will be forthcoming. The rule remains largely unchanged from when it was proposed in July.
Banks regulated by the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve face a tighter reporting window: 36 hours.
The final rule will go into effect months after the Financial Crimes Enforcement Network said U.S. financial institutions reported $1.2 billion worth of ransomware-related filings in 2021.
The NCUA’s rule complies with a cybersecurity law President Biden signed in March 2022, requiring companies to provide notification within 72 hours of learning of a cyberattack.
The 72-hour notification time frame is intended to provide an early alert and does not require credit unions to give the NCUA a full assessment of the incident, the board said.
The rule is aimed at cyber incidents “that [lead] to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes,” the NCUA said.