72-hour notification rule effective Sept 2023

NCUA Part 748: cybersecurity compliance for credit unions

Every federally insured credit union must maintain a written information security program, report cyber incidents to NCUA within 72 hours, and be prepared for FFIEC-based IT examinations. BlackSheep tracks every Part 748 requirement — Appendix A safeguards, the 72-hour notification rule, Appendix B member notification, and service provider oversight.

$249/month · All frameworks included · No credit card to start

  • 20 controls tracked
  • 6 requirement categories
  • 72 hrs: NCUA notification deadline
  • 5,000+ federally insured credit unions

What NCUA expects from your credit union

Part 748, Appendix A, Appendix B, and the 2023 Cyber Incident Notification Rule.

Information Security Program (Appendix A)

Part 748, Appendix A

  • Board-approved written information security program
  • Designated senior official responsible for implementation
  • Comprehensive risk assessments covering all member information systems
  • Administrative, technical, and physical safeguards
  • Regular testing and monitoring of key controls

Technical & Operational Safeguards

Appendix A, §III

  • Role-based access controls with least privilege
  • Multi-factor authentication for remote and privileged access
  • Encryption of member information in transit and at rest
  • Network segmentation, firewalls, and intrusion detection
  • Endpoint protection (EDR) and timely patch management

Service Provider Oversight

Appendix A, §II(C)

  • Risk-based due diligence before engagement
  • Contracts requiring security safeguards and 72-hour breach notification
  • SOC reports or equivalent assessments reviewed annually
  • Ongoing monitoring of provider compliance

72-Hour Cyber Incident Notification

§748.6 (Sept 2023)

  • Notify NCUA Regional Office within 72 hours of a reportable cyber incident
  • Covers both direct incidents and third-party reported incidents
  • Reportable means a substantial loss of confidentiality, integrity, or availability
  • Separate from member notification obligations

Member Notification (Appendix B)

Part 748, Appendix B

  • Response program for unauthorized access to member information
  • Risk assessment to determine if member notification is warranted
  • Notification content: what happened, what's at risk, what to do
  • Credit monitoring or identity protection for significant breaches

Training & Business Continuity

Appendix A, §II(B)–(D)

  • Security awareness training for all staff upon hire and annually
  • Role-specific training for IT and management
  • Business continuity plans covering cyber scenarios
  • Annual BCP testing with documented results

Who must comply with Part 748?

Federal Credit Unions

Chartered by NCUA and directly supervised by NCUA examiners. Subject to the full scope of Part 748 and FFIEC examination standards.

  • Full Part 748 compliance including Appendix A and B
  • 72-hour cyber incident notification to NCUA
  • FFIEC IT examination readiness
  • Annual security program board review

Federally Insured State Credit Unions

State-chartered but federally insured through NCUSIF. Subject to NCUA Part 748 requirements for information security, though primary supervision may be shared with state regulators.

  • Part 748 Appendix A safeguards apply
  • 72-hour cyber incident notification required
  • May have additional state-level requirements
  • NCUA and state examiner coordination

Credit Union Service Organizations

CUSOs and other service providers to credit unions. While not directly regulated by Part 748, credit unions must ensure their service providers maintain appropriate safeguards.

  • Must meet credit union contractual security requirements
  • Subject to credit union due diligence and monitoring
  • Should be prepared for NCUA examiner inquiries
  • Incident notification obligations via contract

Common questions about NCUA Part 748

How is the 72-hour rule different from the banking 36-hour rule?

Banks (OCC/FDIC) must notify their primary federal regulator within 36 hours under the 2021 Computer-Security Incident Notification Rule. Credit unions must notify NCUA within 72 hours under the September 2023 rule (§748.6). The NCUA notification is to the Regional Office. Both rules cover incidents that materially affect or are reasonably likely to materially affect the institution, but the NCUA rule uses 'substantial loss' language while the banking rule uses 'material disruption or degradation.'

What counts as a 'reportable cyber incident' under §748.6?

An incident that leads to, or is reasonably likely to lead to, a substantial loss of confidentiality, integrity, or availability of a member information system. This includes ransomware, unauthorized access to member data, DDoS attacks that affect service availability, and incidents reported by third-party service providers. When in doubt, notify — NCUA would rather receive a notification that turns out to be less severe than miss one entirely.

Do we need both NCUA Part 748 and FFIEC IT compliance?

Yes. Part 748 establishes the regulatory requirements specific to credit unions. The FFIEC IT Examination Handbook provides the examination procedures that NCUA examiners use to evaluate your IT practices. Think of Part 748 as the law and FFIEC as the examination standard. BlackSheep tracks both together.

Is Appendix A being updated?

Yes. NCUA has proposed moving Appendix A from the CFR to a Letter to Credit Unions format, which would allow more efficient updates. The substantive requirements are expected to remain similar but may be modernized to reflect the current threat landscape and technology practices. BlackSheep will be updated when the new guidance is finalized.

How should small credit unions approach Part 748?

Part 748 requires safeguards 'appropriate to the size and complexity of the credit union.' A small credit union doesn't need the same controls as a $5 billion institution, but the core requirements still apply: written program, risk assessment, board oversight, access controls, incident response, and the 72-hour notification. Focus on the fundamentals and document everything.

72 hours isn't much time. Be ready before the clock starts.

BlackSheep tracks every Part 748 requirement — Appendix A safeguards, the 72-hour notification rule, member notification procedures, and service provider oversight. One platform, NCUA examination-ready.

$249/month. 30-day money-back guarantee.