Skip to main content

NCUA Board Meeting Coverage: NCUA Approves New Cyber Incident Reporting Rule

02/16/2023 CUToday

ALEXANDRIA, Va.–By a 3-0 vote, the NCUA board has approved a final rule on cyber incident reporting for federally insured credit unions.

The rule requires credit unions to inform NCUA of any “reportable” incident within 72 hours. Such incidents are those where the credit union “reasonably believes” a cyber incident has occurred, with such events defined as those in which the integrity, confidentiality or availability of information has been compromised.

The rule is to go into effect on Sept. 1, 2023.

thumbnail_NCUA Harper at Meeting

Todd Harper

The NCUA board was updated on the rule by Kelly Lay, director of the Office of Examination and Insurance, and Christina Saari, information systems officer in the same office. Both said credit unions had been strongly supportive of such rulemaking in their comment letters.

Harper: Issue ‘Keeps Me Up at Night’

NCUA Chairman Todd Harper, who said cybersecurity “is an issue that often keeps me up at night,” noted the final rule is largely unchanged from the proposed rule approved last July.

“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” said Harper. “This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

Harper, who credited Vice Chairman Kyle Hauptman for his suggestion the final rule include language noting NCUA will coordinate with the Cybersecurity and Infrastructure Security Agency on any future credit union cyber incident reporting requirements to avoid duplicative reporting to both agencies, said everyone in the financial system has an obligation to protect the nation’s economic and financial infrastructure. “And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue.”

Harper said the final rule is one of several actions NCUA has recently taken to improve the system’s cyber resiliency, including its earlier launch of the Information Security Examination program (ISE).

‘Fix This Blind Spot’

“While the cyber incident notification final rule and ISE will help in the fight against cyberattacks, we still must confront the regulatory blind spot that continues to exist because the NCUA lacks authority — the same authority that banking regulators have — to exercise a risk- based approach to supervise third-party vendors,” said Harper.

thumbnail_NCUA Hauptman at Meeting

Kyle Hauptman

NCUA has lost several bids in Congress to obtain that supervision authority.

“Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors,” Harper continued. “As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.”

In response to a question from Harper on the guidance and training that will be made available, agency staff said both will be provided, including scenarios for when a notification is needed and when it is not.

Hauptman: Plan is to Coordinate With CISA

Like Harper, Hauptman called cyber security and incident reporting “critically important,” and said the sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread.

“Today’s rule is about reporting to NCUA only. NCUA is issuing its rule now, rather than waiting until 2025 when the Cybersecurity and Infrastructure Security Agency (CISA) will release its final rule,” said Hauptman. “The board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is our intention to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.”

thumbnail_NCUA Meeting Hood

Rodney Hood

In his remarks, Hauptman also noted:

  • Requirements on notifying credit union members and the public are unchanged
  • Credit unions are being asked to report as soon as possible and not later than 72 hours after the credit union reasonably believes an incident has occurred. The timeframe of 72 hours is consistent with what CISA will require in 2025
  • Credit unions are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame
  • NCUA will not publicize the name of credit unions that report cyber incidents.

Hood: ‘The Risk is a Moving Target’

Noting the time the agency has invested focusing on cybersecurity, NCUA Board Member Rodney Hood added, “I wish we could say that after having focused on this threat for such a long time, we are making progress toward a real sustainable solution, but unfortunately that's simply not the case given the velocity and evolution of cybersecurity threats.  As such, we have to accept that cybersecurity threats are an ongoing risk both to financial institutions’ operations and to their reputations.  Moreover, we have to accept that the risk is a moving target.”

Hood said every CU must recognize that their institution is “just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters, we must recognize that the agency's cybersecurity review and supervision capabilities need to be more robust.”

A Patch is No Patch

He further said credit unions can no longer count on vendors to provide a “patch” to address vulnerabilities and then move on, and must instead “rethink” their defenses.

In response to a question from Hood over what responsibilities CUs have related to cyber-incidents ahead of the Sept. 1 implementation of the new rule, staff said rules are in place requiring such reporting.

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

Twenty-Five Years of Showing Up

www.NCOFCU.org/Tucson-AZ-2026    Attendee Registration Schedule at a Glance ...
Post a Comment
Read Complete Article HERE>»

NCUA Issues Final Rule to Revise Record Preservation Requirements

ALEXANDRIA, Va. ― The National Credit Union Administration has issued a final rule revising record preservation requirements for credit unions in the event of a catastrophic act. This rule is codified at 12 CFR 749.   “Maintaining vital records is essential to the safety and soundness of any federally insured credit union’s operations and its ability to best serve members,” NCUA Chairman Kyle Hauptman said in a statement. “But NCUA, unlike other regulators, didn’t have a limit on how long records had to be kept. This led to unnecessary cost, hassle and uncertainty. This final rule will ease unnecessary and overly prescriptive preservation requirements, while ensuring that credit unions retain the critical documents needed in instances of disaster”  According to the agency, the vital records preservation program rule was first created in 1972 to ensure that federally insured credit unions keep duplicate records that can be used for reconstruction purposes in the event of ...
Post a Comment
Read Complete Article HERE>»

Boston Firefighters Credit Union Becomes First Responders Credit Union

New name reflects nearly 80 years of service and a growing commitment to first responders across Massachusetts BOSTON, MA, June 15, 2026 — Boston Firefighters Credit Union today announced that it has officially changed its name to First Responders Credit Union , reflecting the broader first responder community the organization serves while honoring the firefighters who founded it nearly 80 years ago. Founded in 1947 by members of the Boston Fire Department, the credit union was established to serve the financial needs of firefighters and their families. Over the decades, it has grown into a trusted financial institution serving firefighters, law enforcement professionals, EMS personnel, civilian employees of first responder agencies, and their families throughout Massachusetts. Today, more than 12,000 members rely on the credit union for banking, lending, and financial guidance tailored to the unique demands of first responder life. While the name is new, the mission is not. ...
Post a Comment
Read Complete Article HERE>»

Update from TruStage - Forecast for CU, Economic Performance for Remainder of 2026, 2027

MADISON, Wis. — Credit unions are expected to post stronger loan, deposit , and asset growth in 2026 despite a slowing economy, persistent inflation, geopolitical uncertainty, and continued pressure on consumers, according to TruStage’s latest  Credit Union Trends Report . The report, prepared by TruStage Chief Economist Steve Rick and based on December 2025 data, forecasts credit union loan growth will accelerate to 5.5% in 2026 from 4.6% in 2025, while savings growth is projected to increase to 6.5% from 5.5%. Asset growth is expected to improve to 6.2% in 2026 from 5.4% in 2025. Credit union membership growth is forecast to reach 1.8% in 2026 and 2.0% in 2027. The CU Daily has separate reporting on credit union performance by category here .  According to TruStage, a changing global economic environment has altered its outlook for both the U.S. economy and the credit union system. The report noted disruptions stemming from the closing of the Strait of Hormuz have created su...
Post a Comment
Read Complete Article HERE>»

Credit Where Credit's Due

  Credit Where Credit's Due   Credit reports 101 Used to calculate credit scores   and determine creditworthiness, credit reports are comprehensive documents that detail the credit history of a person or business, including current and former lines of credit, bankruptcy records, and more.  Credit assessments actually started in the 1700s   as a way to evaluate businesses’ financial standing rather than consumers’. The early 1800s brought efforts to standardize the credit reporting system as more businesses were started that needed loans, and the labor movement’s success in the second half of the 1800s led to an increased need for standardized c...
Post a Comment
Read Complete Article HERE>»

Just Out! - NCUA Stablecoin Plan Opens Door To Credit Union-Backed Digital Dollar Issuers

ALEXANDRIA, Va.—A sweeping new NCUA proposal to implement the GENIUS Act could open the door for credit union-backed stablecoin issuance, but only through separately licensed subsidiaries operating under an extensive new federal regulatory framework that limits risks to the Share Insurance Fund. The 269-page supplemental proposed rule issued Friday lays out how “permitted payment stablecoin issuers” affiliated with federally insured credit unions would be supervised, examined and regulated by the NCUA, while also establishing rules covering reserves, liquidity, custody, operational risk, cybersecurity, anti-money laundering compliance and disclosure standards. The proposal supplements an earlier February 2026 proposal by the agency focused primarily on licensing and investments in stablecoin issuers. Federally insured credit unions themselves would still be prohibited from directly issuing payment stablecoins under the GENIUS Act. Instead, issuance would have to occur through a separa...
Post a Comment
Read Complete Article HERE>»

47-Second Loan Décisions. Underwriting in Minutes. How AI is Revolutionizing Turnaround Time in Mortgage Lending

May 27, 2026 CU Today TORONTO–While AI has been deployed across a host of back office functions, on the consumer-facing side its promise is increasingly being seen in mortgage lending, where lenders are promising mortgage approval decisions in as little as 47 seconds, reporting that up to a third of inquiries are now being handled by chatbots, and slashing underwriting time to just minutes. Toronto-based TD Bank Group said it has also deployed its first agentic artificial intelligence system in mortgage lending, reducing the time required to prepare applications for underwriting from an average of roughly 15 hours to less than three minutes. According to a statement from TD Bank, the new AI model automates mortgage pre-adjudication — the process that occurs before a human underwriter reviews an application. The bank said the system classifies borrower documents, extracts and validates financial information, calculates income, performs policy and consent checks, identifies discrepancie...
Post a Comment
Read Complete Article HERE>»

How to give back without the drawback webinar!

Post a Comment
Read Complete Article HERE>»