The NCUA's cyber incident notification rule took effect on September 1, 2023. The headline is well-known: federally insured credit unions must notify the NCUA within 72 hours of a "reportable cyber incident."
The headline is the easy part. What we hear most often from credit union CEOs and CISOs is a different set of questions:
- What actually counts as reportable?
- When does the clock start — when something happens, or when we find out?
- Who calls whom?
- What happens if we report something that turns out not to be reportable?
This guide answers those. If you want the full primer, we've written a 17-page Compliance Guide for Credit Unions that covers this rule alongside everything else in Part 748. This post focuses on the 72-hour rule specifically.
What the rule actually says
The rule, codified at 12 CFR § 748.1(c), requires federally insured credit unions to notify the NCUA "as soon as possible and no later than 72 hours after the credit union reasonably believes a reportable cyber incident has occurred."
Two phrases carry the weight here: "reasonably believes" and "reportable cyber incident."
What counts as a "reportable cyber incident"
The NCUA's definition has three pieces. An incident is reportable if it:
- Substantially disrupts the credit union's ability to deliver products or services to a substantial number of members, or
- Substantially disrupts business operations, or
- Discloses sensitive data to an unauthorized party, which includes "sensitive member information" as defined in Part 748 Appendix B (the credit-union equivalent of the "sensitive customer information" term used in bank guidance).
A few things this list does include that many credit unions don't expect:
- Third-party incidents that affect you. If your core processor, card processor, ACH provider, or any vendor has an incident that disrupts your service to members or exposes your member data, you are on the clock, even if the incident happened at the vendor's facility. The rule's definition says so explicitly: it covers disruption or unauthorized access caused by a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider, or by a supply chain compromise. The NCUA's analysis of the rule estimated roughly 70% of first-year incidents would originate at vendors. Plan accordingly.
- Ransomware that doesn't successfully encrypt anything. If an attacker had system access sufficient to cause harm, that's reportable even if recovery was clean.
- Member-facing service outages from cyber causes. If online banking is down for an extended period because of a denial-of-service attack or ransomware, that's reportable.
A few things this list does not include:
- Individual member account fraud (covered separately by other regulations).
- Routine phishing attempts that nobody clicked.
- Failed login attempts or scanning activity that didn't result in access.
- A single compromised employee mailbox that the credit union contained quickly with no data exposure (probably — see "reasonable belief" below).
The key word in everything reportable is substantial. A two-hour outage of an internal HR system isn't substantial. A two-hour outage of the member-facing online banking platform during business hours probably is.
When does the clock start
This is where most credit unions get it wrong, in either direction — too eager, or too cautious.
The 72 hours begin when the credit union "reasonably believes" a reportable incident has occurred. Not when it actually started. Not when it's fully understood.
That phrase matters. It means:
- You don't have to wait for a complete forensic investigation to conclude before reporting. If, three days into an investigation, the picture starts to look reportable, report.
- You also don't have to report every alert that comes through the SOC. A spike in failed logins isn't a reasonable belief that something reportable has happened.
- "Reasonable belief" is a judgment call, made in good faith, by people who are competent to make it. The NCUA wants prompt notification, but it doesn't want noise.
Practical translation: the moment your incident response team says, in writing, "this looks like it might meet the criteria of a reportable incident under § 748.1(c)," you've crossed the threshold. Note the time. Your 72 hours starts there.
How you notify the NCUA
The notification itself is straightforward. The NCUA's published channels are its cyber incident hotline, 1-833-CYBERCU (1-833-292-3728), and the mailbox CyberCU@ncua.gov; confirm both against the NCUA's current reporting guidance and write them into your IR plan before you need them. Whichever channel you use, provide:
- Your credit union's name and charter number
- A brief description of the incident — what you know so far is enough
- The date and time you formed the reasonable belief that a reportable incident occurred (and, if known, when the incident itself began)
- A point of contact for follow-up
Notification at this stage is a heads-up, not a complete report. The NCUA does not expect a forensic conclusion within 72 hours. You're flagging your status; you'll provide more detail as investigation progresses.
Who notifies whom
Inside the credit union, the question of who has authority to make the notification call should be answered before an incident, not during one. We see this go wrong when:
- The CEO is on vacation and nobody knows who else can make the call.
- The IT person is reluctant to escalate because they're hoping it turns out to be nothing.
- The board chair hears about it from a member before hearing about it from the CEO.
Best-practice approach:
- Name the incident response decision-maker in your written IR plan. Usually this is the CEO, but for incidents discovered after hours it might be a designated alternate.
- Define clear escalation triggers — what level of incident triggers what level of board notification, and on what timeline.
- Make sure at least two people can send the notification. If you report from a dedicated mailbox, make it a shared mailbox or group that each authorized person reaches with their own credentials and MFA rather than a shared password, and keep the NCUA's contact details in the written IR plan, not in one person's head, so a single person's unavailability doesn't delay reporting.
What about other notifications?
The 72-hour NCUA notification is one piece of a larger notification picture. Depending on the incident:
- Cyber-insurance carrier: Most policies require notification within hours, not days. Read your policy. Their incident hotline is one of the first calls you make.
- Members: Triggered by state law and Part 748 Appendix B in cases of sensitive member information exposure. Timing varies by state, generally days to weeks, with specifics depending on jurisdiction. Coordinate with breach counsel.
- Law enforcement: Voluntary for most incidents but useful in many cases. The FBI's Internet Crime Complaint Center (IC3) and your local field office are the points of contact.
- State regulators: State-chartered credit unions may have additional state-level notification requirements that run on different clocks.
- Vendors and downstream partners: If the incident affects shared systems or data, contractual obligations may require notification.
Your breach counsel is the right party to map all these obligations against the specific facts of your incident.
Common mistakes credit unions make
A few patterns we've seen.
Mistake #1: Treating "no member data exposed" as automatic non-reportability. The rule has three triggers. Data exposure is only one of them. A serious operational disruption to member services is reportable even if no data left the building.
Mistake #2: Assuming a vendor incident isn't your problem. If a vendor's incident disrupts your service to members or exposes member data, you're on the clock. Your contracts should require the vendor to notify you within a window short enough that you can still meet your own 72-hour obligation.
Mistake #3: Waiting until the investigation is complete to report. The notification is a heads-up, not a complete report. If you wait for full investigation findings, you'll miss the window. Notify on reasonable belief; update as facts develop.
Mistake #4: Not documenting the timeline. When did the incident occur? When was it discovered? When did the IR team reasonably believe it was reportable? When was the NCUA notified? Record each of these with a timezone-aware timestamp (UTC, or local time with its offset) so a DST change or a vendor in another time zone can't muddy the arithmetic. Without a clear timeline in writing, you have nothing to demonstrate compliance if questions arise later.
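The four questions in Mistake #4 are easy to answer badly when the answers live in an email thread. As an added illustration (not part of the original post, and not NCUA tooling), here is a small incident timeline ledger: every milestone is normalized to UTC on entry, the 72-hour deadline is computed from the reasonable-belief timestamp rather than from occurrence, and out-of-order entries are flagged. The milestone names, the class and function names, and the sample timestamps are all constructed for this example; the scenario deliberately spans a US daylight-saving change to show why the offsets matter.

```python
# Added example (not from the original post): a minimal incident timeline ledger
# that answers the four questions in Mistake #4 with timezone-aware timestamps.
# Milestone labels, helper names, and the sample timestamps are constructed for
# illustration; nothing here is NCUA tooling.
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

NOTIFY_WINDOW = timedelta(hours=72)
# The milestones the rule cares about, in the order they must occur.
MILESTONES = ("occurred", "discovered", "reasonable_belief", "ncua_notified")


class IncidentTimeline:
    """Append-only record of when each milestone was reached.

    Every timestamp is normalized to UTC on entry, so local-time ambiguity
    (for example a DST change mid-incident) cannot shift the 72-hour deadline.
    """

    def __init__(self) -> None:
        self._events: dict = {}
        self.log: list = []  # (utc_time, milestone, note), in the order recorded

    def record(self, milestone: str, when: Union[datetime, str], note: str = "") -> None:
        if milestone not in MILESTONES:
            raise ValueError(f"unknown milestone {milestone!r}")
        if isinstance(when, str):
            when = datetime.fromisoformat(when)  # ISO-8601 with an explicit offset
        if when.tzinfo is None:
            raise ValueError(f"{milestone}: naive timestamp; record the UTC offset")
        utc = when.astimezone(timezone.utc)
        self._events[milestone] = utc
        self.log.append((utc, milestone, note))

    def get(self, milestone: str) -> Optional[datetime]:
        return self._events.get(milestone)

    def deadline(self) -> Optional[datetime]:
        """72 hours from the reasonable-belief timestamp, not from occurrence."""
        belief = self.get("reasonable_belief")
        return belief + NOTIFY_WINDOW if belief else None

    def ordering_errors(self) -> list:
        """Milestones recorded out of chronological order (e.g. notified before believed)."""
        errors = []
        present = [(m, self._events[m]) for m in MILESTONES if m in self._events]
        for (m1, t1), (m2, t2) in zip(present, present[1:]):
            if t2 < t1:
                errors.append(f"{m2} ({t2.isoformat()}) precedes {m1} ({t1.isoformat()})")
        return errors

    def status(self, now: Optional[datetime] = None) -> dict:
        """Where the clock stands: hours used, hours left, and whether the window was met."""
        now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
        belief, notified = self.get("reasonable_belief"), self.get("ncua_notified")
        if belief is None:
            return {"clock_running": False}
        deadline = self.deadline()
        reference = notified or now  # measure to the notification if sent, else to now
        return {
            "clock_running": notified is None,
            "deadline_utc": deadline.isoformat(),
            "hours_used": round((reference - belief) / timedelta(hours=1), 2),
            "hours_remaining": round(max(0.0, (deadline - reference) / timedelta(hours=1)), 2),
            "notified_within_window": notified is not None and notified <= deadline,
        }


def sample_timeline() -> IncidentTimeline:
    """Constructed scenario spanning the 2024 US DST change (fixed offsets, no tz database)."""
    est, edt = timezone(timedelta(hours=-5)), timezone(timedelta(hours=-4))
    t = IncidentTimeline()
    t.record("occurred", datetime(2024, 3, 8, 2, 15, tzinfo=est), "initial access per EDR")
    t.record("discovered", datetime(2024, 3, 9, 9, 30, tzinfo=est), "SOC escalates alert")
    t.record("reasonable_belief", datetime(2024, 3, 11, 14, 0, tzinfo=edt),
             "IR lead: meets 748.1(c) criteria")
    t.record("ncua_notified", datetime(2024, 3, 13, 16, 30, tzinfo=edt), "notification sent")
    return t


if __name__ == "__main__":
    tl = sample_timeline()
    for when, milestone, note in tl.log:
        print(f"{when.isoformat()}  {milestone:<18} {note}")
    print("ordering errors:", tl.ordering_errors() or "none")
    print("status:", tl.status())
```

In the sample, the reasonable-belief entry is made in EDT after the clocks changed and the earlier entries in EST; because everything is converted to UTC on entry, the ledger reports 50.5 hours used and the deadline at 18:00 UTC on March 14, which is what an examiner would compute. The `ordering_errors` check catches the most common ledger mistake, a notification timestamp that precedes the written reasonable-belief determination it is supposed to follow.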
Mistake #5: Treating notification as the only obligation. Notification is the start, not the end. Follow-on activities include member notification (if data was exposed), law enforcement coordination, insurance documentation, root-cause analysis, and remediation. The 72-hour rule is one item on a long list.
What good preparation looks like
The credit unions that handle this well share a few characteristics:
- They have a written incident response plan that names the reporting decision-maker and the alternates.
- They've reviewed their vendor contracts to ensure timely notification flows their way.
- They've identified who their breach counsel is before needing one.
- They've talked with their cyber-insurance carrier about expectations.
- They've practiced — at least a tabletop exercise once a year, where the leadership team walks through a realistic scenario.
None of this is glamorous work. All of it is what makes the difference between handling an incident professionally and learning the lessons the hard way.
Want the full 17-page playbook? Download our Credit Union Compliance Guide — it covers the 72-hour rule alongside the broader Part 748 expectations every NCUA-supervised institution needs to understand.
