Credit union regulator finalizes incident reporting rule with references on CISA regime alignment

The National Credit Union Administration has finalized an incident reporting rule with a 72-hour reporting requirement and details on what should be considered “substantial” in comparison to CISA’s upcoming regime for critical infrastructure.

“The National Credit Union Administration (NCUA or agency) is amending Part 748 of its regulations to require a federally insured credit union (FICU) that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after...