- Phishing e-mail caught by spam filters not acted upon by employees.
- Unsuccessful login attempts without evidence of an unauthorized access.
- Short-term minor system outages due to technical issues.
- Malware detected and removed by antivirus software without causing harm.
- Isolated incidents of fraud not involving cyberattacks.
- Lost paper copies of member statements.1
- Security incidents involving only non-sensitive or public information.
- Denial of service attack with minimal impact on service availability.
- Password reset attempts without evidence of unauthorized access.
- Suspicious emails reported by employees but not leading to compromise.
- Failed social engineering attempt without any impact.
- Employee’s unauthorized use of non-critical software without data access or exfiltration.
- Isolated incidents of a misdirected email with no significant impact.
- Isolated incidents of accidental disclosure, with no significant impact.
- Loss of availability due to a physical event, such as a natural disaster.2
Footnotes
1 Appendix B to Part 748 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . Federally insured credit unions would use the reporting guidelines in Appendix B to part 748.
2 Catastrophic Act Reporting (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . Federally insured credit unions are required to notify the NCUA within five business days of any catastrophic act occurring at its office(s).