I searched for an answer to this question but wasn't able to find anything. Is a brute force/BIN attack reportable to NCUA under the Cyber Incident Reporting guidance they have issued? A card number and sometimes an expiration or CVV2 is tested by the fraudsters, but there is no personal information on the cardholder taken. I am hoping it is not because it occurs with more frequency than I would like.

If I understand you correctly, the fraudsters are just trying to push transactions through using numbers generated off your BIN with the hope of getting some money. IMO, it's not reportable as a cyber incident as it's not disrupting your system like a DDOS attack nor does it sound like any of your data is compromised.