NCUA · Incident Reporting
72 hours is shorter than it sounds
The reporting clock starts at 'reasonable belief,' not at confirmation — and it will land on a Friday. Your program needs decision criteria, drafted notifications, and a rehearsed path to the regulator.
The rule
What §748.1(c) requires
Federally insured credit unions must report a reportable cyber incident to NCUA within 72 hours of forming a reasonable belief that one occurred — including substantial incidents at third-party providers that affect the credit union. The threshold language does the heavy lifting: 'reasonable belief' means the clock starts during the fog of an active incident, not after forensics closes.
That interacts with everything else on your incident timeline: Appendix B member-notification obligations, law-enforcement coordination, cyber-insurance carrier notice, and — if you have one — your MSSP's escalation chain. Without pre-made decisions, 72 hours evaporates in conference calls.
Our approach
Decide now, so you don't decide at 2 a.m.
We define your reportability criteria in advance — worked examples included — draft the notification templates, wire the escalation tree (including vendor-incident intake), and then run tabletop exercises against realistic scenarios until the 72-hour path is muscle memory. When a real event hits, your team executes a rehearsed play instead of improvising one.
How it runs
The engagement
Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.
What you get
- Reportability decision criteria with worked examples
- Escalation tree and notification templates (NCUA, members, carriers, law enforcement)
- Third-party incident intake process for vendor-originated events
- Tabletop exercise with documented results — governance evidence included
- 01 Criteria & templates (Weeks 1–2): Reportability thresholds defined against §748.1(c); notifications pre-drafted for the realistic scenarios.
- 02 Escalation wiring (Weeks 2–3): Who decides, who drafts, who calls NCUA — with vendor incidents routed into the same tree.
- 03 Tabletop (Week 4): A realistic scenario run against the clock, with leadership at the table and gaps documented.
- 04 Refresh cadence (Ongoing): Annual re-exercise and criteria updates as guidance and your environment evolve.
Your next exam is already on the calendar.
A 45-minute conversation tells you where you stand — and what to fix first.
Explore
Also from Principle Security
ISE / ACET Readiness
Walk into the Information Security Examination with your maturity already measured, gaps a…
NCUA program: Part 748 Program
The written, board-approved security program 12 CFR 748 Appendix A requires — designed aro…
Case study: From no CISO to examiner-ready
A federal credit union's four-quarter program, delivered by resident engineers.