The NCUA published its final rule on the federally insured credit unions’ obligations to report cyber incidents on February 16, 2023. Depending on who eventually has responsible for sending the warning, compliance teams may not be feeling the pain, while IT teams may require a hug.
According to the new regulation, which was unanimously approved, “a federally insured credit union shall notify the NCUA as soon as practicable and within 72 hours after it reasonably thinks that a reportable cyber incident has occurred.” On September 1, 2023, the rule—which updates NCUA Regulation Part 748—will go into effect.