- Credit unions would have three days to report a cybersecurity incident to the National Credit Union Administration (NCUA) under a proposed rule the regulator issued Thursday.
- The proposed rule, which was approved during the NCUA’s board meeting last week, would require all federally insured credit unions to notify the regulator within a 72-hour window after they reasonably believe a reportable cyber incident has occurred.
- The three-day window falls in line with the Critical Infrastructure Act that President Joe Biden signed into law in March, but is twice as long as the reporting window banks have had to comply with since May.
NCUA Chairman Todd Harper said the board’s approval for issuing the proposal is a critical step toward increasing cybersecurity awareness and protection within the financial system.
“Federally insured credit unions are not only the system’s first line of defense, but they are also the NCUA’s eyes and ears,” he said in a statement. “When credit unions report these types of incidents, they may very well be helping to keep our nation secure from similar cyberattacks elsewhere.”
Under the proposed rule, credit unions “would be required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.”
The proposal comes as the Biden administration has warned U.S. businesses about the increasing risk of Russian cyberattacks.
The NCUA’s proposed reporting window complies with the new cybersecurity law Biden signed in March, which requires companies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of learning of a hack.
Banks regulated by the Federal Deposit Insurance Corp. (FDIC), Office of the Comptroller of the Currency (OCC) and Federal Reserve, however, have a tighter window.
Under a rule that took effect in May, banks are required to notify their primary federal regulator of a cybersecurity incident within 36 hours, a time frame one expert said could be a challenge for some smaller institutions.
“The 36 hours is actually probably one of the tightest rules out there, as far as timeline goes,” David Murphy, cybersecurity manager at accounting firm Schneider Downs, told Banking Dive in April. “But in this case, I think what regulators are trying to do is nail down, ‘How big is this problem?’”