Credit union regulator proposes 72-hour incident reporting rule, sets requirements for third-party vendors

The National Credit Union Administration has issued a proposal to require firms under its jurisdiction to report cybersecurity incidents within 72 hours, matching the timeline in a new law for certain critical infrastructure operators but deciding to move ahead of a CISA rulemaking to implement the law given the severity of the threat.

“The [NCUA] Board believes that it would be imprudent in light of the increasing frequency and severity of cyber incidents to postpone a notification requirement until after...