Security Program: FAQs
Last Reviewed: May 2018
Must a federally insured credit union notify the National Credit Union Administration (NCUA) every time it identifies a possible security breach?
No. NCUA's Part 748 (the security program rule) and its accompanying guidance (Appendix B) require credit unions to conduct a risk-based assessment of each security incident, but they do not require notice to the agency in every instance.
According to an NCUA legal opinion letter (April 2006), when an incident occurs, the first step of any response program should be to assess the nature and scope of the incident and the likelihood of harm to the members whose information is affected. When an incident, even one involving sensitive member information, presents little or no likelihood of harm to members, the credit union need not notify NCUA.
If sensitive member information may have been compromised, the credit union should notify NCUA "as soon as possible" (under Appendix B, that notice goes to the credit union's appropriate NCUA Regional Director). NCUA expects to be notified of each discrete incident involving unauthorized access to or use of sensitive member information.
Accordingly, credit unions should provide a separate notice for each separate incident, and should consider sending follow-up notices to keep NCUA apprised of any significant developments in previously reported incidents.
Source: Credit Union Magazine, August 2008, Compliance Q & A