Cut Through the Confusion: Know the 3 Cyber Incidents the New NCUA Rule Requires You to Report

Maple Street is aware that, as of September 1st, the NCUA requires federally insured credit unions to notify them as soon as possible (within 72 hours) after reasonably believing their credit union or one of its vendors has experienced a cyber incident. We have reviewed the NCUA requirements and want to provide you with a brief guide to reportable risks as part of vendor management best practices.

Reportable Incidents

The NCUA defines these incidents three ways:

  1. Sensitive system data breach. A substantial loss of confidentiality, integrity or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety of operational systems and processes.
  2. Cyberattack and interruption to member services. A disruption of business operations, vital member services or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  3. Vendor-experienced breaches, cyberattacks and disruptions. A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization (CUSO), cloud service provider other third-party data hosting provider or by a supply chain compromise.

For more detailed information about the guidance, examples of the substantial incidents and examples of non-reportable incidents, we recommend you go directly to the NCUA’s website here.

How to Report an Incident

  1. Call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail; or
  2. Use the National Credit Union Administration Secure Email Message Center to send a secure email to

Unfortunately, cyber-attack risk is becoming more prevalent and a greater threat to your credit union than ever before. While not all can be prevented, cyber incidents and other risks can be managed—especially in #3, “Vendor-experienced breaches, cyberattacks, and disruptions.”

If your vendor contract has no specific language protecting you and your members, you may be held responsible for the breach with no remedies from your vendor. And, without proper vetting, you may have hired the wrong vendor in the first place. Third-party vendor security is your security.

We can help you manage risk as well as reduce expenses and improve vendor performance. Give us a call at 800-513-6839 or email at