The National Credit Union Administration (NCUA) Board recently approved a final rule regarding cyber incident notification requirements. The NCUA requires a federally insured credit union (FICU) that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident. This notification requirement provides an early alert to the NCUA and does not require a FICU to provide a detailed incident assessment to the NCUA within the 72-hour time frame.
The effective date of this final rule is September 1, 2023. To view the final rule in its entirety, please visit this link.