The National Credit Union Administration is considering a rule that would give credit unions a limited time to report cybersecurity incidents to the regulator.
At its monthly meeting Thursday, the NCUA board discussed a proposal that would require federally insured credit unions to notify the agency of a
A credit union would be required to report a cyber incident if it leads to a substantial loss of confidentiality, integrity or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services or a serious impact on the safety and resiliency of operational systems and processes.
The proposal would align with the Cyber Incident Reporting for Critical Infrastructure Act signed into law in March. It would also bring the NCUA’s cyber incident reporting framework into greater alignment with those of other federal banking regulators, board members said.
Banks are required to notify their primary federal regulator of any significant computer-security incident no later than
NCUA board chairman
“As cyberattacks grow in sophistication and scope, we need all hands on deck to protect the credit union system,” he said.
Board vice chairman Kyle Hauptman said he supports the rule but cautioned that he does not want to see one bad actor cause even more damage in the form of a permanent regulatory burden.
Hauptman cited the fact that American fliers are required to take their shoes off in airports every day because of one incident that “could have been delivered in a variety of other ways” — a reference to
“No other country requires taking shoes off at airports, and we Americans sometimes get made fun of in foreign airports for taking our shoes off even though it’s not required there,” he said.
Board member Rodney Hood said cybersecurity is one of the top concerns he hears when talking to credit union leaders around the country.
“I wish we could all say that, after having focused on this threat for such a long time, we’re making progress toward a real sustainable solution,” Hood said. “But unfortunately, that’s simply not the case given the velocity and evolution of cybersecurity threats.”
The board unanimously voted to approve the rule for a 60-day comment period, after which the board can take action.