Skip to main content

NCUA Board Meeting Coverage: NCUA Approves New Cyber Incident Reporting Rule

02/16/2023 CUToday

ALEXANDRIA, Va.–By a 3-0 vote, the NCUA board has approved a final rule on cyber incident reporting for federally insured credit unions.

The rule requires credit unions to inform NCUA of any “reportable” incident within 72 hours. Such incidents are those where the credit union “reasonably believes” a cyber incident has occurred, with such events defined as those in which the integrity, confidentiality or availability of information has been compromised.

The rule is to go into effect on Sept. 1, 2023.

thumbnail_NCUA Harper at Meeting

Todd Harper

The NCUA board was updated on the rule by Kelly Lay, director of the Office of Examination and Insurance, and Christina Saari, information systems officer in the same office. Both said credit unions had been strongly supportive of such rulemaking in their comment letters.

Harper: Issue ‘Keeps Me Up at Night’

NCUA Chairman Todd Harper, who said cybersecurity “is an issue that often keeps me up at night,” noted the final rule is largely unchanged from the proposed rule approved last July.

“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” said Harper. “This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

Harper, who credited Vice Chairman Kyle Hauptman for his suggestion the final rule include language noting NCUA will coordinate with the Cybersecurity and Infrastructure Security Agency on any future credit union cyber incident reporting requirements to avoid duplicative reporting to both agencies, said everyone in the financial system has an obligation to protect the nation’s economic and financial infrastructure. “And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue.”

Harper said the final rule is one of several actions NCUA has recently taken to improve the system’s cyber resiliency, including its earlier launch of the Information Security Examination program (ISE).

‘Fix This Blind Spot’

“While the cyber incident notification final rule and ISE will help in the fight against cyberattacks, we still must confront the regulatory blind spot that continues to exist because the NCUA lacks authority — the same authority that banking regulators have — to exercise a risk- based approach to supervise third-party vendors,” said Harper.

thumbnail_NCUA Hauptman at Meeting

Kyle Hauptman

NCUA has lost several bids in Congress to obtain that supervision authority.

“Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors,” Harper continued. “As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.”

In response to a question from Harper on the guidance and training that will be made available, agency staff said both will be provided, including scenarios for when a notification is needed and when it is not.

Hauptman: Plan is to Coordinate With CISA

Like Harper, Hauptman called cyber security and incident reporting “critically important,” and said the sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread.

“Today’s rule is about reporting to NCUA only. NCUA is issuing its rule now, rather than waiting until 2025 when the Cybersecurity and Infrastructure Security Agency (CISA) will release its final rule,” said Hauptman. “The board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is our intention to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.”

thumbnail_NCUA Meeting Hood

Rodney Hood

In his remarks, Hauptman also noted:

  • Requirements on notifying credit union members and the public are unchanged
  • Credit unions are being asked to report as soon as possible and not later than 72 hours after the credit union reasonably believes an incident has occurred. The timeframe of 72 hours is consistent with what CISA will require in 2025
  • Credit unions are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame
  • NCUA will not publicize the name of credit unions that report cyber incidents.

Hood: ‘The Risk is a Moving Target’

Noting the time the agency has invested focusing on cybersecurity, NCUA Board Member Rodney Hood added, “I wish we could say that after having focused on this threat for such a long time, we are making progress toward a real sustainable solution, but unfortunately that's simply not the case given the velocity and evolution of cybersecurity threats.  As such, we have to accept that cybersecurity threats are an ongoing risk both to financial institutions’ operations and to their reputations.  Moreover, we have to accept that the risk is a moving target.”

Hood said every CU must recognize that their institution is “just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters, we must recognize that the agency's cybersecurity review and supervision capabilities need to be more robust.”

A Patch is No Patch

He further said credit unions can no longer count on vendors to provide a “patch” to address vulnerabilities and then move on, and must instead “rethink” their defenses.

In response to a question from Hood over what responsibilities CUs have related to cyber-incidents ahead of the Sept. 1 implementation of the new rule, staff said rules are in place requiring such reporting.

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

The NCOFCU Podcast: Clear Insight. No Jargon.

Every week, we cover the latest trends and developments within the credit union industry. At NCOFCU, we are dedicated to providing you with insightful discussions that cut through the clutter. Our podcast features expert opinions, in-depth analyses, and an exploration of the challenges and opportunities that credit unions, directors, and staff face today. Join us as we navigate the evolving industry and empower associations with the knowledge they need to thrive. https://ceohp.podbean.com/ ================================================= Remember, you're not alone with  NCOFCU.org Join/Upgrade Check out some of NCOFCU's additional features: First Responder Credit Union Academy Financial Literacy Podcasts YouTube Mini's Blog Job Board
Post a Comment
Read Complete Article HERE>»

Sunday Reading - Year of the Fire Horse

        Year of the Fire Horse   Lunar New Year celebrations kick off  tomorrow, ushering in the Year of the Fire Horse in the Chinese zodiac. The 15-day festivities, observed by billions worldwide, start with the new moon and end with the Lantern Festival. China anticipates a record 9.5 billion trips during the 40-day travel rush around the holiday, the world’s largest annual human migration. The horse is the seventh animal in the 12-year zodiac cycle and symbolizes energy, independence, and ambition. Those born in horse years are seen as dynamic, courageous, and charismatic. Many see the Year of the Fire Horse as a time to tak...
Post a Comment
Read Complete Article HERE>»

Letter to Credit Unions (24-CU-03) Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practice

      Letter to Credit Unions (24-CU-03) Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices Dear Boards of Directors and Chief Executive Officers: If your credit union assesses overdraft or non-sufficient funds (NSF) fees that your members cannot reasonably anticipate or avoid, your credit union may be exposing itself to heightened reputational, consumer compliance,...
Post a Comment
Read Complete Article HERE>»

Sunday Reading - Budweiser 101

Draft Horses   Budweiser 101 Perhaps best known for its Super Bowl Clydesdale ads, Budweiser   is among the world’s most popular beer brands. It was among the first beers to achieve national distribution in the late 19th century, thanks to its revolutionary refrigeration and pasteurization techniques, setting the stage for the modern US beer industry.   Founded in the 1850s as the “Bavarian Brewery,” the company was acquired in 1860 by Eberhard Anheuser. He sold half of it to his son-in-law,  Adolphus Busch ,   in 1869, forming the partnership that would become Anheuser-Busch in St. Louis, Missouri.   In the 1870s, Carl Conrad , a St. Louis distributor, traveled through a Bohemian town called “Budweis” in German and drank a pale lager. Upon returning home, he worked with Anheuser-Busch to brew its own light lager, marketing it under the ...
Post a Comment
Read Complete Article HERE>»

Eight Credit Unions Pay $42 Million in Special Dividends to 1.1 Million Members

  By  Jim DuPlessis   | January 05, 2026 at 04:00 PM So far this season, CU Times has tallied 19 credit unions, which have announced $160.3 million in special dividends for members.       Eight more credit unions have reported special dividends, paying their 1.1 million members $42.1 million in December and January. The bulk of the dividends came from Police and Fire Federal Credit Union of Philadelphia and Eastman Credit Union of Kingsport, Tenn., which each announced $16 million in rewards approved by their boards. The late January payout from Eastman ($9.7 billion, 356,492 members) will bring its total special dividends to $225 million since 1998. A news release from the credit union said “the Extraordinary Dividend is never guaranteed, but the strong financial performance of ECU in 2025 enabled the Board of Directors to approve this year’s $16 million payout.” Eastman’s $16 million payout represents about $47 per member and 19 basis points of its averag...
Post a Comment
Read Complete Article HERE>»

Firefighters First Credit Union Sweeps Chili Challenge

SAN DIEGO, CA  August 7, 2017 Firefighters First Credit Union on Saturday dominated the fifth annual Xpress Data, Inc. 2017 Credit Union Chili Challenge, winning First Place and the People’s Choice award with  Second place being awarded to New Orleans Firemen’s FCU “Fire Watch smoked the competition at the Credit Union Chili Challenge,” said Firefighters First Senior Vice President of Marketing Kelly Ramsay. “Congratulations to our dedicated chili team: Tim and Noemi Watkins, Stacey Miller, Crystal Jauregui, Chantel Perez, Kimberly Tobias and Pedro Quintanilla. We are so proud, and that was some darn good chili!” The $1.2 billion credit union brought home two trophies from Del Mar Thoroughbred Club racetrack, $7,000 in prize money they will donate to the Fire Family Foundation and an entry to compete in the International Chili Society World Championships Oct. 20-22 in Reno, Nev. “Congratulations to Firefighters First Credit Union for their strong showing this...
Post a Comment
Read Complete Article HERE>»

Why First Responder Credit Unions Are Built to Adopt Blockchain Faster

  For years, blockchain in financial services lived mostly in the world of experimentation—proofs of concept, pilot programs, and innovation labs that rarely touched day-to-day operations. That era is ending. Today, blockchain adoption is moving from experimentation to scale. Across payments, capital markets, and banking infrastructure, financial institutions are beginning to operate on new rails—powered by tokenized money, programmable assets, and always-on settlement models. For credit unions serving first responders, this shift presents not just a technology opportunity, but a strategic one. Blockchain Is Becoming Core Infrastructure The most important change isn’t the technology itself—it’s how it’s being used. Blockchain is no longer about testing what might work. It’s increasingly being deployed as infrastructure to solve long-standing problems in financial services, including slow settlement, trapped liquidity, manual reconciliation, and limited operating hours. Cr...
Post a Comment
Read Complete Article HERE>»

Chairman Hauptman’s Remarks for FLEC Public Meeting (Trump Accounts)

  As Prepared for Delivery on February 6, 2026 Meeting Focus: Implementation and Outreach for Trump Accounts Good morning and thank you to our colleagues at the U.S. Department of the Treasury and members of the Financial Literacy and Education Commission for convening today’s important discussion. I also want to express my appreciation for this body’s leadership in encouraging savings and advancing the broader goal we all share—ensuring that every American has a meaningful opportunity to build financial capability, resilience, and long-term financial security. There’s a lot to like about Trump Accounts, including how easy it is to start the process when filing your taxes. These accounts were clearly designed with behavioral economics in mind. That is to say, things that are easier to do are more likely to get done. Trump accounts also turn all these kids into investors. The more Americans that identify as investors, the better off we are. Investing done by regular people turns Mar...
Post a Comment
Read Complete Article HERE>»

Leasing Set To Surge In 2026?—Credit Unions May Miss Out If They Don’t Move

  CINCINNATI—As credit unions look to revive auto lending in 2026 after a sluggish year, one lending tool may become indispensable: vehicle leasing. With new-car prices still historically high, negative equity rising, and manufacturers fighting for market share, leasing is poised for a major rebound this year—and credit unions that remain on the sidelines risk losing out on strong, recurring loan volume. That’s the message from Scot Hall, executive vice president at  Swapalease.com , who says the economic and market dynamics heading into 2026 are aligning in ways that make leasing not only attractive, but essential. “Prices are up and they’re not coming down anytime soon,” Hall said, noting that inflation, tariffs, supply volatility, and chip-related uncertainty continue to push vehicle pricing higher. “Leasing is a great way to combat that. It’s also a great way to get somebody out of negative equity in a relatively short period of time.” Market Conditions Are Setting the Sta...
Post a Comment
Read Complete Article HERE>»