NCUA proposal would give credit unions 72 hours to report cyber breach

The National Credit Union Administration is considering a rule that would give credit unions a limited time to report cybersecurity incidents to the regulator.

At its monthly meeting Thursday, the NCUA board discussed a proposal that would require federally insured credit unions to notify the agency of a cyber attack within 72 hours after the credit union has formed a “reasonable belief” that it has experienced a reportable incident.

A credit union would be required to report a cyber incident if it leads to a substantial loss of confidentiality, integrity or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services or a serious impact on the safety and resiliency of operational systems and processes. 

The proposal would align with the Cyber Incident Reporting for Critical Infrastructure Act signed into law in March. It would also bring the NCUA’s cyber incident reporting framework into greater alignment with those of other federal banking regulators, board members said.

Banks are required to notify their primary federal regulator of any significant computer-security incident no later than 36 hours after determining that one occurred.

NCUA board chairman Todd Harper said that considering the ongoing geopolitical upheaval caused by Russia’s war on Ukraine and the “countless fraudsters and scammers who lurk in the ether,” the NCUA must remain vigilant to stay ahead of criminals who perpetrate cyberattacks. 

“As cyberattacks grow in sophistication and scope, we need all hands on deck to protect the credit union system,” he said. 

Board vice chairman Kyle Hauptman said he supports the rule but cautioned that he does not want to see one bad actor cause even more damage in the form of a permanent regulatory burden. 

Hauptman cited the fact that American fliers are required to take their shoes off in airports every day because of one incident that “could have been delivered in a variety of other ways” — a reference to a 2001 incident in which a passenger tried to sneak a homemade bomb onto a flight in his shoes. 

“No other country requires taking shoes off at airports, and we Americans sometimes get made fun of in foreign airports for taking our shoes off even though it’s not required there,” he said.

Board member Rodney Hood said cybersecurity is one of the top concerns he hears when talking to credit union leaders around the country.

“I wish we could all say that, after having focused on this threat for such a long time, we’re making progress toward a real sustainable solution,” Hood said. “But unfortunately, that’s simply not the case given the velocity and evolution of cybersecurity threats.”

The board unanimously voted to approve the rule for a 60-day comment period, after which the board can take action.
