Skip to main content

NCUA Board Meeting Coverage: NCUA Approves New Cyber Incident Reporting Rule

02/16/2023 CUToday

ALEXANDRIA, Va.–By a 3-0 vote, the NCUA board has approved a final rule on cyber incident reporting for federally insured credit unions.

The rule requires credit unions to inform NCUA of any “reportable” incident within 72 hours. Such incidents are those where the credit union “reasonably believes” a cyber incident has occurred, with such events defined as those in which the integrity, confidentiality or availability of information has been compromised.

The rule is to go into effect on Sept. 1, 2023.

thumbnail_NCUA Harper at Meeting

Todd Harper

The NCUA board was updated on the rule by Kelly Lay, director of the Office of Examination and Insurance, and Christina Saari, information systems officer in the same office. Both said credit unions had been strongly supportive of such rulemaking in their comment letters.

Harper: Issue ‘Keeps Me Up at Night’

NCUA Chairman Todd Harper, who said cybersecurity “is an issue that often keeps me up at night,” noted the final rule is largely unchanged from the proposed rule approved last July.

“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” said Harper. “This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

Harper, who credited Vice Chairman Kyle Hauptman for his suggestion the final rule include language noting NCUA will coordinate with the Cybersecurity and Infrastructure Security Agency on any future credit union cyber incident reporting requirements to avoid duplicative reporting to both agencies, said everyone in the financial system has an obligation to protect the nation’s economic and financial infrastructure. “And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue.”

Harper said the final rule is one of several actions NCUA has recently taken to improve the system’s cyber resiliency, including its earlier launch of the Information Security Examination program (ISE).

‘Fix This Blind Spot’

“While the cyber incident notification final rule and ISE will help in the fight against cyberattacks, we still must confront the regulatory blind spot that continues to exist because the NCUA lacks authority — the same authority that banking regulators have — to exercise a risk- based approach to supervise third-party vendors,” said Harper.

thumbnail_NCUA Hauptman at Meeting

Kyle Hauptman

NCUA has lost several bids in Congress to obtain that supervision authority.

“Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors,” Harper continued. “As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.”

In response to a question from Harper on the guidance and training that will be made available, agency staff said both will be provided, including scenarios for when a notification is needed and when it is not.

Hauptman: Plan is to Coordinate With CISA

Like Harper, Hauptman called cyber security and incident reporting “critically important,” and said the sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread.

“Today’s rule is about reporting to NCUA only. NCUA is issuing its rule now, rather than waiting until 2025 when the Cybersecurity and Infrastructure Security Agency (CISA) will release its final rule,” said Hauptman. “The board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is our intention to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.”

thumbnail_NCUA Meeting Hood

Rodney Hood

In his remarks, Hauptman also noted:

  • Requirements on notifying credit union members and the public are unchanged
  • Credit unions are being asked to report as soon as possible and not later than 72 hours after the credit union reasonably believes an incident has occurred. The timeframe of 72 hours is consistent with what CISA will require in 2025
  • Credit unions are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame
  • NCUA will not publicize the name of credit unions that report cyber incidents.

Hood: ‘The Risk is a Moving Target’

Noting the time the agency has invested focusing on cybersecurity, NCUA Board Member Rodney Hood added, “I wish we could say that after having focused on this threat for such a long time, we are making progress toward a real sustainable solution, but unfortunately that's simply not the case given the velocity and evolution of cybersecurity threats.  As such, we have to accept that cybersecurity threats are an ongoing risk both to financial institutions’ operations and to their reputations.  Moreover, we have to accept that the risk is a moving target.”

Hood said every CU must recognize that their institution is “just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters, we must recognize that the agency's cybersecurity review and supervision capabilities need to be more robust.”

A Patch is No Patch

He further said credit unions can no longer count on vendors to provide a “patch” to address vulnerabilities and then move on, and must instead “rethink” their defenses.

In response to a question from Hood over what responsibilities CUs have related to cyber-incidents ahead of the Sept. 1 implementation of the new rule, staff said rules are in place requiring such reporting.

Comments

Popular posts from this blog

Ramp Up Cyber Spending As AI Reshapes Industry Priorities

NEW YORK—Artificial intelligence is rapidly becoming the defining force shaping banking strategy, with 80% of banking executives now expecting AI to significantly disrupt their business and operating models within the next three to five years, according to KPMG's 2026 Banking Technology Survey. The survey of 200 U.S. banking executives found institutions are responding by accelerating investments in cybersecurity, payments modernization and technology-driven acquisitions. "AI, payments modernization, cybersecurity, and tech-driven M&A are no longer separate agendas," said Peter Torrente, KPMG's U.S. Banking Sector Leader, who said banks are increasingly being challenged to keep pace across technology, risk and growth simultaneously. Cybersecurity remains a top concern. More than three-quarters (76%) of banking leaders reported an increase in cyberattacks over the past year, while 92% said they are boosting cybersecurity budgets. In addition, 84% are increasing cyb...

White Paper from WOCCU Examines How Stablecoins are Reshaping Financial Infrastructure

WASHINGTON– World Council of Credit Unions (WOCCU) has released a new white paper that examines how stablecoins are reshaping the financial infrastructure that credit unions and other cooperative financial institutions rely on to serve their members.  According to WOCCU, the white paper, How Digital Money Is Impacting Credit Unions, Part 1: Focus on Stablecoins , is the first in a planned three-part series exploring how emerging forms of digital money are affecting the global credit union movement.  “The report begins by noting that stablecoins are no longer a niche fintech development, but part of a broader structural shift in how money is stored, moved and regulated,” WOCCU explained. “As commercial banks, payment networks, technology firms and retailers build stablecoin offerings or integrate stablecoin rails into their platforms, credit unions must consider how these changes could affect deposits, payments, member relationships and long-term institutional relevance.” For ...

Half of Credit Union & Bank CEOs are Now Older Than 65, Up From 20% Two Decades

NEW YORK — At a time when there are some generational changes in credit union leadership taking place, a new analysis has found the nation’s bank CEOs are getting older, with half of the chief executives leading banks now older than 65, compared with fewer than 20% two decades ago. The KBW Bank Index from Truist Securities found that the median age of bank CEOs has increased by 10 years since the early 2000s, mirroring a broader aging trend among corporate leaders across the United States. However, bank executives remain older on average than their counterparts in many other industries, according to the analysis by Truist Securities Managing Director John McDonald and associates Peter Nicolo and John Manahan. One reason is tenure. Bank CEOs typically remain in their positions longer than executives in many other sectors. According to data from CristKolder Associates cited in the report, financial-services CEOs average nine years in the role, compared with 5.4 years in the energy secto...

What Credit Unions Can—And Can't—Do With New Trump Accounts

07/02/2026 09:36 am         WASHINGTON--With Trump Accounts set to officially launch July 4, America’s Credit Unions updated its frequently asked questions document to clarify the role of credit unions now and in the future. Credit unions do not have a role to play yet, as the Treasury has not announced steps to transition accounts from initial provider BNY Mellon to other authorized institutions, ACU noted. Trump Accounts are tax-deferred accounts that can be established on behalf of a child under the age of 18. Account contributions begin after July 4, with contributions up to $5,000 a year allowed. Created by H.R. 1, the law also established a pilot program to deposit a one-time $1,000 grant into accounts of children born between Jan. 1, 2025 and Dec. 31, 2028. Once the child turns 18, the account funds are available for educational expenses, home ownership, entrepreneurship, and other designated purposes. Once guidance is available from Treasury, credit unions ...

Sunday Reading - We Hold These Truths to Be Self-Evident

We Hold These Truths to Be Self-Evident .  The Declaration of Independence is the founding document that formally announced the American Colonies' break from British rule. Adopted on July 4, 1776, it laid the philosophical and moral foundation for American self-governance, asserting that individuals possess inherent rights and that governments must be accountable to the people. While it didn't create a government or legal framework, the Declaration marked the birth of the United States as a sovereign nation. >  Hear why the Continental Congress decided to declare independence, how the text took shape...

What You Might Not Know About July 4th.

NCUA Tells FICUs Crypto Trading is OK — If Big Exchanges Provide the Service

When it comes to reading between the lines of financial regulators’ advisory letters, tone matters. Take last week’s letter from the National Credit Union Administration (NCUA) which gave the federally insured credit unions (FICUs) it oversees permission to partner with digital asset providers to allow retail customers to buy, sell and trade in cryptocurrencies. Now compare it to the one issued by Comptroller of the Currency Michael Hsu’s agency to the national banks and federal savings associations it regulates a month earlier. On the surface, both said much the same thing: Financial institutions can provide cryptocurrency services (albeit with some notable differences: the OCC’s letter dealt with more back-end services, including custody services as well as holding and using dollar-pegged stablecoins for transaction settlement). Neither was enthusiastic. The NCUA’s letter said it “does not prohibit FICUs from establishing these relationships” — which is not as enthusiastic as “are a...

Emerging Risks and How to Mitigate Them

5 Emerging Risks and How to Mitigate Them With each technological advance emerges new risk. Think about it: Every technology upgrade, new mobile device and new payment method brings exposure that wasn’t identified previously. The real threat occurs when these risks aren’t anticipated or communicated within your organization. Here are five emerging risks every credit union should have on their radar right now: Social media. Employees posting comments on social media that are inaccurate or appear incomplete or disparaging can threaten your organization’s reputation. Be careful when taking disciplinary action, as the National Labor Relations Board can classify social media activity as “protected concerted activity.” Mistakes here can lead to retaliation, wrongful termination claims and expensive litigation. Internet of Things (IoT) era . The IoT offers new tools and technologies that provide constant connectivity. It also creates new opportunities for data compromises. Workplace ...

Twenty-Five Years of Showing Up

www.NCOFCU.org/Tucson-AZ-2026    Attendee Registration Schedule at a Glance ...

The Federal Open Market Committee (FOMC) voted to raise the target range for federal funds

WASHINGTON–Although debate has increased recently over whether it should do so, as expected, the Fed has moved to raise interest rates. The Federal Open Market Committee (FOMC) voted to raise the target range for the federal funds rate to 2%-2.25% to 2.25%-2.50%. “Information received since the Federal Open Market Committee met in November indicates that the labor market has continued to strengthen and that economic activity has been rising at a strong rate,” said the FOMC in a statement following today’s meeting. “Job gains have been strong, on average, in recent months, and the unemployment rate has remained low. Household spending has continued to grow strongly, while growth of business fixed investment has moderated from its rapid pace earlier in the year. On a 12-month basis, both overall inflation and inflation for items other than food and energy remain near 2%. Indicators of longer-term inflation expectations are little changed, on balance.” Fed watchers have bee...