Skip to main content

NCUA Board Meeting Coverage: NCUA Approves New Cyber Incident Reporting Rule

02/16/2023 CUToday

ALEXANDRIA, Va.–By a 3-0 vote, the NCUA board has approved a final rule on cyber incident reporting for federally insured credit unions.

The rule requires credit unions to inform NCUA of any “reportable” incident within 72 hours. Such incidents are those where the credit union “reasonably believes” a cyber incident has occurred, with such events defined as those in which the integrity, confidentiality or availability of information has been compromised.

The rule is to go into effect on Sept. 1, 2023.

thumbnail_NCUA Harper at Meeting

Todd Harper

The NCUA board was updated on the rule by Kelly Lay, director of the Office of Examination and Insurance, and Christina Saari, information systems officer in the same office. Both said credit unions had been strongly supportive of such rulemaking in their comment letters.

Harper: Issue ‘Keeps Me Up at Night’

NCUA Chairman Todd Harper, who said cybersecurity “is an issue that often keeps me up at night,” noted the final rule is largely unchanged from the proposed rule approved last July.

“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” said Harper. “This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

Harper, who credited Vice Chairman Kyle Hauptman for his suggestion the final rule include language noting NCUA will coordinate with the Cybersecurity and Infrastructure Security Agency on any future credit union cyber incident reporting requirements to avoid duplicative reporting to both agencies, said everyone in the financial system has an obligation to protect the nation’s economic and financial infrastructure. “And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue.”

Harper said the final rule is one of several actions NCUA has recently taken to improve the system’s cyber resiliency, including its earlier launch of the Information Security Examination program (ISE).

‘Fix This Blind Spot’

“While the cyber incident notification final rule and ISE will help in the fight against cyberattacks, we still must confront the regulatory blind spot that continues to exist because the NCUA lacks authority — the same authority that banking regulators have — to exercise a risk- based approach to supervise third-party vendors,” said Harper.

thumbnail_NCUA Hauptman at Meeting

Kyle Hauptman

NCUA has lost several bids in Congress to obtain that supervision authority.

“Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors,” Harper continued. “As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.”

In response to a question from Harper on the guidance and training that will be made available, agency staff said both will be provided, including scenarios for when a notification is needed and when it is not.

Hauptman: Plan is to Coordinate With CISA

Like Harper, Hauptman called cyber security and incident reporting “critically important,” and said the sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread.

“Today’s rule is about reporting to NCUA only. NCUA is issuing its rule now, rather than waiting until 2025 when the Cybersecurity and Infrastructure Security Agency (CISA) will release its final rule,” said Hauptman. “The board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is our intention to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.”

thumbnail_NCUA Meeting Hood

Rodney Hood

In his remarks, Hauptman also noted:

  • Requirements on notifying credit union members and the public are unchanged
  • Credit unions are being asked to report as soon as possible and not later than 72 hours after the credit union reasonably believes an incident has occurred. The timeframe of 72 hours is consistent with what CISA will require in 2025
  • Credit unions are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame
  • NCUA will not publicize the name of credit unions that report cyber incidents.

Hood: ‘The Risk is a Moving Target’

Noting the time the agency has invested focusing on cybersecurity, NCUA Board Member Rodney Hood added, “I wish we could say that after having focused on this threat for such a long time, we are making progress toward a real sustainable solution, but unfortunately that's simply not the case given the velocity and evolution of cybersecurity threats.  As such, we have to accept that cybersecurity threats are an ongoing risk both to financial institutions’ operations and to their reputations.  Moreover, we have to accept that the risk is a moving target.”

Hood said every CU must recognize that their institution is “just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters, we must recognize that the agency's cybersecurity review and supervision capabilities need to be more robust.”

A Patch is No Patch

He further said credit unions can no longer count on vendors to provide a “patch” to address vulnerabilities and then move on, and must instead “rethink” their defenses.

In response to a question from Hood over what responsibilities CUs have related to cyber-incidents ahead of the Sept. 1 implementation of the new rule, staff said rules are in place requiring such reporting.

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

Growing Your Credit Union Without Expanding Your FOM

For many firefighter and other credit union primarly serving first responders, growth often feels tied to one big decision: expanding the Field of Membership (FOM). But what if you didn’t have to? What if growth could come from within —by deepening relationships, increasing engagement, and capturing more of the financial lives of the members you already serve? The truth is: it can. But it requires a shift in strategy. Rethinking What “Growth” Really Means Most institutions define growth as adding more members. But for single-sponsor credit unions, especially those serving first responders, a more powerful definition is: Growth = more value per member Many members only use one or two products—often a checking account and maybe an auto loan. Meanwhile, larger banks capture mortgages, credit cards, and investments. The opportunity isn’t just new members. It’s: More products per member Higher balances per relationship Greater share of wallet Your Biggest Advantage: The First Responder Life...
Post a Comment
Read Complete Article HERE>»

When Vendors Price for Giants

 Grant Sheehan CCUE | CEO Opinion: When Vendors Price for Giants, They Shrink the Future of Small Credit Unions ! There’s a quiet squeeze happening in the credit union industry, and it’s not coming from regulators or competition from big banks. It’s coming from the very vendors that claim to support the ecosystem. For small credit unions, the problem is increasingly simple and factual: the tools required to compete with digital banking platforms, fraud systems, compliance software, analytics, and payments infrastructure are priced for institutions ten or even 100 times their size. The result is a market where access to essential services is determined not by mission or member need, but by asset size. This isn’t just inconvenient. It’s structurally threatening. Vendors often defend their pricing models as a reflection of complexity or scale. Larger credit unions have more users, more transactions, more integrations, so they pay more, and that seems fair on the surface. But t...
Post a Comment
Read Complete Article HERE>»

Fed still holds off on rate increase | 2015-07-30 | CUNA News

  WASHINGTON (7/30/15)--Citing “moderate” economic expansion, the Federal Open Market Committee continues to do “a balancing act,” said CUNA Senior Economist Perc Pineda. The Federal Reserve’s monetary policy-making body completed its meeting Wednesday without edging up the federal funds interest rate. Fed Chair Janet Yellen has said the committee will opt for an interest-rate increase sometime this fall. The July meeting, however, was not the time. “The Federal Reserve continues to do a balancing act: the U.S. economy is not in a recession and definitely not overheating,” Pineda told News Now . “Changes in monetary policy after all are meant to influence an underperforming or an overheating economy.” Household spending growth has been moderate, and housing has shown additional improvement, the committee said. Labor conditions continue to improve with declining unemployment and solid job gains. Inflation is anticipated to remain near its recent low level in the near term,...
Post a Comment
Read Complete Article HERE>»

Don't say NO to your members anymore!

Does the following scenario occur at your credit union? If it does, we have a solution for you! A member comes in into your credit union and wants to know if you will loan them a couple of hundred thousand $$$ to buy a building, or can you loan him some seed money to start a new business or purchase equipment for the company they currently own, and you say,  “the credit union doesn't do those kinds of loans”.  Does this sound familiar? How many times do you and your staff say NO and literally tell a member to  “go down the street or go somewhere else” ?  Well, now, you have another option.   CU First Responders Finance (CUFR) CU First Responders Finance, LLC (CUFR)  is a partnership between the National Council of Firefighter Credit Unions, Inc.   (NCOFCU) , and Biz Lending & Insurance Center, Inc. to provide business lending origination programs to NCOFCU member credit unions. CUFR  will provide you with a turnkey operati...
Post a Comment
Read Complete Article HERE>»

Credit Union Lending Picks Up in Most Areas

Credit unions were increasing their portfolios in most areas in June, except business lending and new car loans, where portfolios fell for the 24th month in a row after seasonal adjustments, according to a CUNA Mutual Group report released Tuesday. The Madison, Wis., trade group’s Credit Union Trends Report showed new auto loan balances were $141 billion on June 30, falling at a 3.3% seasonally adjusted, annualized rate from May to June, part of the May-through-October peak car-buying season. Credit unions held $252.4 billion in used car loans on June 30, up 1.2% from May without seasonal adjustments. The Trends Report made slight adjustments to CUNA’s Monthly Credit Union Estimates released earlier in the month. In this case, its changes allowed total auto loan balances to show a slight 0.3% un-adjusted May-to-June gain, compared to being flat in the CUNA report. Steve Rick, chief economist for CUNA Mutual Group and the report’s author, said gains were stronger in other areas, includ...
Post a Comment
Read Complete Article HERE>»

What Trump’s ‘one big beautiful’ tax-and-spending package means for your money!

  Trump’s megabill will bring sweeping changes for household finances. President  Donald Trump  signed his “one big beautiful” tax-and-spending package on July 4 — legislation that will bring sweeping changes to Americans’ finances.  After the  Senate passed its version  on July 1, the House Republicans on July 3  voted to approve  the multi-trillion-dollar domestic policy legislation and send it to Trump’s desk for signature. The final bill makes permanent Trump’s  2017 tax cuts  while adding new relief, including a senior “bonus” to  offset Social Security taxes  and a  bigger state and local tax deduction . The plan also has tax breaks for  tip income , overtime pay and  auto loans , among other provisions.  The GOP’s marquee legislation will also enact deep spending cuts to social safety net programs such as  Medicaid  and food stamp benefits,  end tax credits tied to clean energy  an...
Post a Comment
Read Complete Article HERE>»

Boston Firefighters Credit Union sets up fund

Posted Mar. 27, 2014 @ 7:35 pm ROSLINDALE The Boston Firefighters Credit Union has created a fund to help support the families of Lieutenant Ed Walsh and Firefighter Michael Kennedy. "In difficult times like these, I am so proud to be mayor of a city that comes together to help our neighbors in need," said Boston Mayor Martin J. Walsh. "Since yesterday's tragic events, we've experienced an outpouring of support from across the city, state, and country. So many people have expressed a willingness to help, in some way, as we grieve the loss of Lieutenant Walsh and Firefighter Kennedy." "Although no donation can heal the wounds suffered by the Walsh and Kennedy families, we are grateful to the Boston Firefighter's Credit Union for helping us create a focal point for peoples’ generosity, and to the people of Boston, of Massachusetts, and of the United States, who have once again shown the power of a community to help healing process begin." ...
Post a Comment
Read Complete Article HERE>»

2 Historical Moments: CUNA Mutual Officially Changes Name Today, As Union Also Calls Strike

MADISON, Wis.–One of the most iconic names in credit unions and credit union history in the U.S. will officially change today when CUNA Mutual Group begins operating under the TruStage brand across the enterprise. All enterprise, business-to-business and consumer brands are now unified under the single brand name of TruStage, which the company has been using for some of its products for a number of years. The new brand is being introduced at the same time approximately 450 employees represented by Office & Professional Employees Local 39 have gone on strike. It is the first strike in the company and the union's history. As CUToday.info has been reporting, the company and the union have been at an impasse since February of 2022, when t...
Post a Comment
Read Complete Article HERE>»

Sunday Reading - How were the National Parks started?

  America's 'Best Idea'       How were the National Parks started? America's National Park System includes roughly 85 million acres of US territory, equal to the size of Germany, set aside by federal law for preservation. There are 63 areas officially designated as national parks—including the Grand Canyon, the Great Smoky Mountains, and Acadia—and more than 400 additional smaller units ( see map ). In 1872, Yellowstone was established   as the first national park dedicated to public enjoyment and recreation, though its foundation also  displaced several Native American tribes . By 1916, the growing system required the creation of the National Park Service to preserve its lands for future generations. Eventually, hunting and logging were banned in the parks, though regulated extractive activity is still permitted in nati...
Post a Comment
Read Complete Article HERE>»

2015 "Best Credit Unions to Work For"

Our congratulations to Bernie Winne CEO Boston Firefighters Credit Union for making CU Journals “Best Credit Unions to Work For” list CREDIT UNIONS WITH ASSETS MORE THAN $200 MILLION AND LESS THAN $500 MILLION Rank Credit Union 1 Infinity Federal Credit Union 2 Belvoir Federal Credit Union 3 Granite Credit Union 4 Town & Country Federal Credit Union 5 OMNI Community Credit Union 6 Boston Firefighters Credit Union 7 Atomic Credit Union 8 Icon Credit Union 9 Deseret First Credit Union 10 Nymeo Federal Credit Union 11 First Credit Union 2015 "Best Credit Unions to Work For" - Best Credit Unions to Work for
Post a Comment
Read Complete Article HERE>»