Skip to main content

NCUA Board Meeting Coverage: NCUA Approves New Cyber Incident Reporting Rule

02/16/2023 CUToday

ALEXANDRIA, Va.–By a 3-0 vote, the NCUA board has approved a final rule on cyber incident reporting for federally insured credit unions.

The rule requires credit unions to inform NCUA of any “reportable” incident within 72 hours. Such incidents are those where the credit union “reasonably believes” a cyber incident has occurred, with such events defined as those in which the integrity, confidentiality or availability of information has been compromised.

The rule is to go into effect on Sept. 1, 2023.

thumbnail_NCUA Harper at Meeting

Todd Harper

The NCUA board was updated on the rule by Kelly Lay, director of the Office of Examination and Insurance, and Christina Saari, information systems officer in the same office. Both said credit unions had been strongly supportive of such rulemaking in their comment letters.

Harper: Issue ‘Keeps Me Up at Night’

NCUA Chairman Todd Harper, who said cybersecurity “is an issue that often keeps me up at night,” noted the final rule is largely unchanged from the proposed rule approved last July.

“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” said Harper. “This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

Harper, who credited Vice Chairman Kyle Hauptman for his suggestion the final rule include language noting NCUA will coordinate with the Cybersecurity and Infrastructure Security Agency on any future credit union cyber incident reporting requirements to avoid duplicative reporting to both agencies, said everyone in the financial system has an obligation to protect the nation’s economic and financial infrastructure. “And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue.”

Harper said the final rule is one of several actions NCUA has recently taken to improve the system’s cyber resiliency, including its earlier launch of the Information Security Examination program (ISE).

‘Fix This Blind Spot’

“While the cyber incident notification final rule and ISE will help in the fight against cyberattacks, we still must confront the regulatory blind spot that continues to exist because the NCUA lacks authority — the same authority that banking regulators have — to exercise a risk- based approach to supervise third-party vendors,” said Harper.

thumbnail_NCUA Hauptman at Meeting

Kyle Hauptman

NCUA has lost several bids in Congress to obtain that supervision authority.

“Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors,” Harper continued. “As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.”

In response to a question from Harper on the guidance and training that will be made available, agency staff said both will be provided, including scenarios for when a notification is needed and when it is not.

Hauptman: Plan is to Coordinate With CISA

Like Harper, Hauptman called cyber security and incident reporting “critically important,” and said the sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread.

“Today’s rule is about reporting to NCUA only. NCUA is issuing its rule now, rather than waiting until 2025 when the Cybersecurity and Infrastructure Security Agency (CISA) will release its final rule,” said Hauptman. “The board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is our intention to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.”

thumbnail_NCUA Meeting Hood

Rodney Hood

In his remarks, Hauptman also noted:

  • Requirements on notifying credit union members and the public are unchanged
  • Credit unions are being asked to report as soon as possible and not later than 72 hours after the credit union reasonably believes an incident has occurred. The timeframe of 72 hours is consistent with what CISA will require in 2025
  • Credit unions are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame
  • NCUA will not publicize the name of credit unions that report cyber incidents.

Hood: ‘The Risk is a Moving Target’

Noting the time the agency has invested focusing on cybersecurity, NCUA Board Member Rodney Hood added, “I wish we could say that after having focused on this threat for such a long time, we are making progress toward a real sustainable solution, but unfortunately that's simply not the case given the velocity and evolution of cybersecurity threats.  As such, we have to accept that cybersecurity threats are an ongoing risk both to financial institutions’ operations and to their reputations.  Moreover, we have to accept that the risk is a moving target.”

Hood said every CU must recognize that their institution is “just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters, we must recognize that the agency's cybersecurity review and supervision capabilities need to be more robust.”

A Patch is No Patch

He further said credit unions can no longer count on vendors to provide a “patch” to address vulnerabilities and then move on, and must instead “rethink” their defenses.

In response to a question from Hood over what responsibilities CUs have related to cyber-incidents ahead of the Sept. 1 implementation of the new rule, staff said rules are in place requiring such reporting.

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

NCOFCU Newsletter

The Bucket Coach is a financial advice book designed by Fire Services Credit Union, Tronto, Canada. and written exclusively for Fire Fighters It's a practical guide for household financial management, including investments, credit and mortgages, and retirement. Developed with contributions from Fire Fighters," NCOFCU Newsletter : " Kevin Connolly Chief Executive Officer    Fire Services Credit Union Phone: 416-440-1294 ext 301  Toll Free: 1-866-833-3285 E-mail:  kevin@firecreditunion.ca 1997 Avenue Rd Toronto, ON M5M 4A3 
Post a Comment
Read Complete Article HERE>»

Vought: ‘We’re Closing Down The CFPB’ — White House Budget Chief Says Agency Will Shut Down Within Months

  10/16/2025 09:03 am         WASHINGTON—White House Budget Director Russell Vought said Wednesday he plans to shut down the CFPB, PYMNTS reported. Russell Vought Speaking on  The Charlie Kirk Show , Vought said only a handful of employees remain at the CFPB’s Washington headquarters “while we close down the agency,” adding that he expects the process to be completed “within the next two or three months.” Vought’s remarks come amid a series of legal challenges targeting the Administration’s attempts to scale back or dismantle the CFPB. The Administration is currently facing lawsuits from a CFPB labor union and consumer advocacy groups, which argue that Trump lacks the authority to dismiss most of the Bureau’s staff or eliminate the agency altogether. On Wednesday, Vought repeated long-standing Republican criticisms that the CFPB has exceeded its authority and imposed unfair burdens on smaller financial institutions, PYMNTS noted. “All they want to do is wea...
Post a Comment
Read Complete Article HERE>»

AI Meets Retail: Walmart Lets Shoppers Buy Directly Through ChatGPT Using Sparky Instant Checkout

  10/15/2025 07:10 pm         BENTONVILLE, Ark.— Walmart is teaming up with OpenAI to introduce Sparky AI-driven shopping experiences that let customers and Sam’s Club members complete purchases directly through ChatGPT using its new Instant Checkout feature, PYMNTS reported. The collaboration broadens Walmart’s use of artificial intelligence across its retail ecosystem and underscores a wider industry move toward conversational, predictive commerce. Through the integration, shoppers can plan meals, restock household essentials, or discover new products simply by chatting with ChatGPT—while Walmart manages the entire transaction process seamlessly in the background, PYMNTS explained. “For many years now, eCommerce shopping experiences have consisted of a search bar and a long list of item responses,” Doug McMillon, president and CEO of Walmart Inc., stated in the PYMNTS report. “That is about to change. There is a native AI experience coming that is multi-media...
Post a Comment
Read Complete Article HERE>»

Government Shutdown? Credit Unions Know The Drill.

  With three complete government shutdowns and repeated trips to the precipice in the past 25 years, credit unions have had plenty of opportunity to refine how they approach helping members during work stoppages. Read the complete article HERE __ ______________________________________________ Check out NCOFCU's additional features: First Responder Credit Union Academy Podcasts YouTube Mini's Blog Job Board
Post a Comment
Read Complete Article HERE>»

Understanding the Fed’s Balance Sheet

Chair Jerome H. Powell Monetary policy is more effective when the public understands what the Federal Reserve does and why. With that in mind, I hope to enhance understanding of one of the more arcane and technical aspects of monetary policy: the Federal Reserve's balance sheet. A colleague recently compared this topic to a trip to the dentist, but that comparison may be unfair—to dentists. 1 Today, I will discuss the essential role our balance sheet played during the pandemic, along with some lessons learned. I will then review our ample reserves implementation framework and the progress we have made toward normalizing the size of our balance sheet. I will conclude with some brief remarks on the economic outlook. Background on the Fed's Balance Sheet One of the primary purposes of a central bank is to provide the monetary foundation for the financial system and the broader economy. This foundation is made of central bank liabilities. On the Fed's balance sheet, the liabili...
Post a Comment
Read Complete Article HERE>»