Cyber Incident Notification Requirements
The National Credit Union Administration amended Part 748 of its regulations to require a federally insured credit union (FICU) that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident. This notification requirement provides an early alert to the NCUA and does not require a FICU to provide a detailed incident assessment to the NCUA within the 72-hour time frame.
When to Report
A federally insured credit union that experiences a reportable cyber incident must report the incident to the NCUA as soon as possible and no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident.
How to Report
To report a cyber incident, federally insured credit unions may notify the NCUA through the following channels:
- Call the NCUA at 1-833-CYBERCU (1-833-292-3728) and leave a voicemail; or,
- Use the National Credit Union Administration Secure Email Message Center to send a secure email to firstname.lastname@example.org.
What to Report
Federally insured credit unions should be prepared to provide the following information, if known, at the time of reporting.
- Reporter Name and Title: Name and title of individual reporting the incident
- Callback Number: Best callback number for the NCUA to contact regarding the incident
- Charter Number: Do not include leading zeros
- Credit Union Name: Name of affected credit union
- Date and Time Identified: The date and time the credit union reasonably believes a reportable cyber incident took place
- Description: A general description of the reportable cyber incident:
  - What services were impacted?
  - Was sensitive data or member information compromised?
  - What impact did it have on operations?
At the time of initial notification, do not send the NCUA:
- Sensitive personally identifiable information;
- Indicators of compromise;
- Specific vulnerabilities; or
- Email attachments.