Ransomware Response for Credit Unions: What to Do in the First 72 Hours

Compliance CISO
June 17 2026

Ransomware does not announce itself at a convenient time. The documented pattern is that attacks surface on Friday evenings, Saturday mornings, and holiday weekends - precisely when staffing is reduced and response capacity is at its lowest. The Patelco Credit Union ransomware attack in June 2024 surfaced on a Saturday at the start of a holiday weekend, after an attacker had been inside their network for more than five weeks. The timing was not accidental.

For credit unions, a ransomware attack is not just an IT crisis. It is a member service crisis, a regulatory reporting obligation with a hard 72-hour deadline, and potentially a member notification event. Managing all three simultaneously, with reduced weekend staffing and systems that may be partially or fully offline, requires preparation that must happen before the attack, not during it.

The 72-Hour NCUA Reporting Obligation

Since September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible and no later than 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident. This is a hard deadline with no grace period.

What constitutes a reportable incident is broader than many credit unions realize. A reportable cyber incident includes a substantial loss of confidentiality, integrity, or availability of a member information system resulting from unauthorized access to or exposure of sensitive data, disruption of vital member services, or any cyberattack with a serious impact on the safety and resiliency of operational systems. Ransomware that encrypts production systems and disrupts member access to accounts is reportable.

Critically, the 72-hour clock is not triggered solely by incidents originating in your systems. When a federally insured credit union receives a notification from a third party that sensitive data has been compromised or business operations have been disrupted due to a cyber incident at that third party, the credit union has 72 hours from the moment of that notification to report to the NCUA. The third-party reporting trigger runs from the moment of notification, not from when the credit union has assessed the full impact.

The 72-hour deadline begins when the credit union reasonably believes it has experienced a reportable incident - not when the investigation is complete and not when you have certainty about the scope. The initial notification is an early alert to the NCUA and does not require a full incident assessment within the 72-hour window.

How to Report to the NCUA

Notification to the NCUA is made through the NCUA Cyber Incident Credit Union Reporting portal, by phone, or by secure email to the NCUA's designated point of contact. The initial notification does not need to be comprehensive. The NCUA expects prompt notification based on what is known at the time, with updates as the investigation develops.

The First 72 Hours: What Actually Needs to Happen

Hour 0 to 4: Containment and Command

The moment ransomware is suspected - not confirmed - activate your incident response team and establish incident command. Name an incident commander with decision-making authority and open a secure communication channel separate from email and other channels that may be compromised. Notify IT leadership, security leadership, your CEO, legal counsel, and your cyber insurance carrier in the first two hours. Most cyber insurance policies have notification requirements that affect coverage if they are not met promptly.

The critical decision in the first hours is whether to shut down the entire network or attempt surgical containment. For incidents where ransomware is actively encrypting files and lateral movement is underway, a full network shutdown stops the spread. For incidents in which a single endpoint is compromised before lateral movement occurs, surgical containment may preserve more operational capacity. This decision requires judgment and should be planned, not improvised.

Hours 4 to 24: Investigation and Parallel Workstreams

While containment is in progress, begin the investigation workstream. If you have an incident response retainer with an external forensics firm, engage them immediately. If you do not have a retainer, finding and onboarding a forensics firm during an active incident wastes critical hours. The forensic investigation will tell you what was accessed, what was exfiltrated, and how the attacker got in - all of which you need to know before you can complete your regulatory notifications or decide whether to pay a ransom.

In parallel with the investigation, begin preparing your regulatory notification. You do not need to wait for the investigation results to notify the NCUA. Notify based on what you know and update as you learn more. Also begin the legal analysis of state breach notification requirements. State law obligations vary significantly, and some states do not provide exemptions for federally chartered credit unions that comply with GLBA.

Hours 24 to 72: Member Impact and Communication

By the 24-hour mark, you should have a clearer picture of what systems are affected, whether member data was accessed or exfiltrated, and what member-facing services are disrupted. Use this information to finalize your NCUA notification and begin the member communication planning process.

Member communication during a ransomware attack requires balancing the legal obligation to notify affected members with the operational reality that your communication systems may be partially compromised. Pre-drafted communication templates that can be adapted and deployed through backup communication channels are a component of incident response preparation that most credit unions have not completed.

The Ransom Payment Question

The decision to pay or not pay a ransom is the most consequential in a ransomware response, and it should never be made under time pressure without legal and insurance counsel. Key considerations include whether backups exist and can be restored in an operationally acceptable timeframe, whether the attacker has exfiltrated data that they are threatening to release, whether paying the ransom would violate OFAC sanctions if the threat actor is a sanctioned entity, and what your cyber insurance policy covers.

If a ransom payment is made, NYDFS-regulated entities must notify DFS within 24 hours of making the payment and provide a full written explanation within 30 days. Credit unions should also ensure they have current legal advice on federal reporting obligations for ransomware payments under CIRCIA before making any payment.

What Preparation Makes the Difference

The credit unions that manage ransomware incidents most effectively share several common traits. They have a written incident response plan with ransomware-specific procedures that specify who does what, in what order, within what timeframes, and how the 72-hour NCUA notification obligation gets triggered and fulfilled. They have a pre-engaged incident response firm. They have tested backup restoration, so they know their actual recovery time. They have current, offline backup copies that a ransomware attack cannot reach. And they have a communication plan with pre-drafted templates that do not depend on systems that may be compromised.

None of these preparations can be completed during an active incident. They require deliberate investment before the attack.

Tags: Ransomware, Credit Union, Incident Response, NCUA, Cyber Attack

Prepare Your Credit Union for Ransomware

Compliance CISO brings Fortune 500 security expertise—including programs at Equifax, Capital One, and Visa—to credit unions building incident response programs that satisfy NCUA requirements. Schedule a free consultation at complianceciso.com/contact
