Third-Party Vendor Breach: What Credit Unions Are Legally Required to Do
Compliance CISO
June 21 2026
7 min read

In the first year the NCUA's cyber incident reporting rule was in effect, credit unions filed more than 1,000 cyber incident reports. A significant share of those incidents traced back to third-party vendors rather than to weaknesses in the credit union's own systems.

The Marquis breach in 2024, which exposed data from hundreds of credit unions and hundreds of thousands of members, is a recent example of a pattern that is accelerating. The Trellance ransomware attack on the day after Thanksgiving 2023, which disrupted services at dozens of credit unions relying on Trellance for core technology, is another. These were not direct attacks on credit unions. They were attacks on vendors that cascaded into the exposure of credit union members' data and operational disruption.

What many credit unions discovered in the aftermath of these incidents is that the regulatory obligations arising from a vendor breach are nearly identical to those arising from a direct breach of their own systems. This guide covers the obligations, triggers, and what credit unions need in place before a vendor incident occurs.

What NCUA Requires When a Vendor Is Breached

The NCUA's cyber incident reporting rule is explicit on this point. The 72-hour reporting obligation is not limited to incidents that originate in the credit union's own systems. When a federally insured credit union receives a notification from a third party that the credit union's sensitive data or business operations have been compromised or disrupted as a result of a cyber incident at that third party, the credit union's 72-hour reporting window begins at the moment it receives that notification.

This provision has significant operational implications. A vendor breach notification that arrives at your credit union on a Friday afternoon starts a 72-hour clock that runs through the weekend. The NCUA does not pause the deadline for business hours or reduced weekend staffing. If you receive notification from a vendor that your member data or operations have been affected by a breach, your incident response process should begin immediately, regardless of when the notification arrives.

The 72-hour clock starts when you receive the vendor notification. Not when your IT team has assessed the impact. Not when your regular incident response team is assembled Monday morning. At the moment of notification.

What Vendor Contracts Should Require

Many credit unions discover their vendor breach notification rights only after a breach has occurred, at which point the vendor's contract - which may have been signed years earlier with little security-specific negotiation - determines what they are entitled to know and when.

Vendor contracts for critical service providers should include breach notification requirements with a specific timeframe - ideally 24 to 48 hours after the vendor discovers an incident that may affect the credit union's data or operations. Notification should go to a named contact at the credit union, not through a general notification process that may be delayed or missed. Contracts should also include audit rights, data-handling specifications that define exactly which data the vendor processes and where it is stored, and termination rights that allow the credit union to exit the relationship without penalty if the vendor has a material security incident or fails to meet security standards.

The Member Notification Analysis

A vendor breach affecting member data triggers not only the NCUA reporting obligation but also the member notification analysis. Under GLBA and Appendix B to NCUA Part 748, credit unions have an obligation to notify members of security incidents involving unauthorized access to or use of member information, even when that access originated with a third-party service provider.

State breach notification laws may impose additional and more stringent obligations. Many states now have comprehensive consumer data privacy laws with breach notification requirements, and not all of them provide full exemptions for federally chartered credit unions that comply with GLBA. Determining which state laws apply to your member base and what their notification requirements are is a legal analysis that should be completed before a breach occurs, not during one.

What a Vendor Incident Response Process Looks Like

An effective vendor incident response process includes a dedicated playbook for vendor-related incidents, integrated with the credit union's overall incident response plan. The playbook covers how vendor notifications are received and routed, who is responsible for assessing the impact, the process for determining whether NCUA reporting is triggered, and the process for initiating the member notification analysis.

The process also depends on a vendor contact registry that records, for each critical vendor, the security incident notification contacts, the contractual notification requirements, and the data the vendor processes on behalf of the credit union. When a breach notification arrives, the person receiving it should be able to immediately identify what data is at risk and what the credit union's contractual rights are.

Finally, the process needs a pre-established relationship with outside legal counsel who can be engaged quickly to advise on regulatory reporting obligations and state breach notification requirements. The legal analysis in a vendor breach scenario is complex and time-sensitive.
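As an added example (not code from the original post or from Compliance CISO), the Python routine below joins the three pieces just described: it looks up a constructed vendor registry, fixes the 72-hour NCUA deadline at the moment the notification is received, flags when that window runs through a weekend, and records whether NCUA reporting and the member notification analysis are triggered. The vendor entries, data categories and trigger logic are assumptions and a deliberate simplification; the actual determination belongs to the playbook and counsel.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical registry entries (not real vendors): what the vendor
# contact registry described above holds for each critical vendor.
VENDOR_REGISTRY = {
    "core-processor-x": {"incident_contact": "secops@vendor-x.example",
                         "contract_notice_hours": 24, "supports_operations": True,
                         "data_processed": {"member_pii", "account_data"}},
    "marketing-analytics-y": {"incident_contact": "security@vendor-y.example",
                              "contract_notice_hours": 48, "supports_operations": False,
                              "data_processed": {"marketing_prefs"}},
}
NCUA_WINDOW = timedelta(hours=72)                             # wall-clock hours from receipt
SENSITIVE_DATA = {"member_pii", "account_data", "credentials"}  # assumed "sensitive data" categories
MEMBER_INFO = {"member_pii", "account_data"}                   # categories that start the member analysis


def window_spans_weekend(start: datetime, end: datetime) -> bool:
    """True if any calendar day from start to end is a Saturday or Sunday."""
    day = start
    while day <= end:
        if day.weekday() >= 5:
            return True
        day += timedelta(days=1)
    return False


def intake_vendor_notification(vendor: str, received_at: datetime,
                               affected_categories: set, ops_disrupted: bool = False) -> dict:
    """Route a vendor breach notification: look up the registry, fix the NCUA
    deadline at receipt + 72h, and decide which analyses must start now."""
    entry = VENDOR_REGISTRY[vendor]  # an unknown vendor is a registry gap: fail loudly
    data_at_risk = set(affected_categories) & entry["data_processed"]
    deadline = received_at + NCUA_WINDOW  # the clock does not pause for weekends or staffing
    return {
        "vendor": vendor,
        "incident_contact": entry["incident_contact"],
        "received_at": received_at,
        "ncua_deadline": deadline,
        "window_spans_weekend": window_spans_weekend(received_at, deadline),
        "data_at_risk": data_at_risk,
        # sensitive data exposed, or operations disrupted at a vendor that runs them
        "ncua_reporting_triggered": bool(data_at_risk & SENSITIVE_DATA)
                                    or (ops_disrupted and entry["supports_operations"]),
        "member_notification_analysis": bool(data_at_risk & MEMBER_INFO),
    }
```

A Friday-afternoon notification is the case the post warns about: the returned deadline lands on Monday and `window_spans_weekend` is set, so the playbook owner can see at intake that the response cannot wait for Monday staffing.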

The Vendor Risk Management Program That Reduces Breach Risk

Responding well to vendor breaches is necessary. Reducing the likelihood that vendor relationships create breach exposure in the first place is better. A vendor risk management program that performs genuine security due diligence during onboarding, requires appropriate contractual security obligations, and conducts annual risk assessments of critical vendors' security posture identifies vendors with poor security practices before they cause a breach, not after.

Tags: Vendor Breach, Third-Party Risk, Credit Union, NCUA, Vendor Risk
