
NCUA Board Approves Final Rule on Cyber Incident Reporting Requirements

February 2023
Board Action Bulletin

Proposed Rule on Chartering and Field of Membership Approved

ALEXANDRIA, Va. (Feb. 16, 2023) – The National Credit Union Administration Board held its second open meeting of 2023 and approved two items:

  • A final rule on cyber incident reporting requirements; and
  • A notice of proposed rulemaking to amend the NCUA’s federal credit union chartering and field-of-membership rules.

In addition, the NCUA’s Chief Financial Officer briefed the NCUA Board on the performance of the National Credit Union Share Insurance Fund during the fourth quarter of 2022.

Final Rule on Reportable Cyber Incidents Approved by Board

The NCUA Board unanimously approved a final rule that requires a federally insured credit union to notify the NCUA as soon as possible, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred.

“Each of us in the financial system has an obligation to protect our nation’s economic and financial infrastructure. And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue,” Chairman Todd M. Harper said. “Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector. This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”

Under the final rule, federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes. Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack.

The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a full incident assessment to the NCUA within the 72-hour timeframe.

The effective date of this final rule is September 1, 2023. The NCUA will provide additional reporting guidance prior to the final rule going into effect.

Board Approves Proposed Rule on Chartering and Field of Membership

The NCUA Board unanimously approved a proposed rule that would amend the chartering and field-of-membership rules through nine changes to enhance consumer access to safe, fair and affordable financial services, especially in under-resourced communities.

“Ultimately, it’s Congress’s decision whether to amend the Federal Credit Union Act’s field-of-membership requirements to achieve greater parity with the rules in many states,” Chairman Harper said. “However, where we can within our existing rules and the law’s current requirements, the NCUA Board should take appropriate and tailored action to simplify, streamline, and strengthen federal chartering options.”

The proposed amendments would also reduce duplicative or unnecessary paperwork and administrative requirements. These proposed amendments result from the agency’s experience in reviewing field-of-membership changes, community charter conversions, and adding underserved areas, along with its study of chartering and field-of-membership issues as part of the Advancing Communities through Credit, Education, Stability, and Support (ACCESS) initiative.

Specifically, the proposed rule would:

  • Make four changes to the rules for underserved areas that multiple common-bond federal credit unions may seek to add to their fields of membership. The changes would streamline existing application requirements and clarify the role of data and criteria that other federal agencies provide relating to underserved areas.
  • Eliminate the business and marketing plan requirement for certain federally insured, state-chartered credit unions that seek to convert to a federal charter while serving the same community field of membership.
  • Expand the community-based field-of-membership affinities — relationships between a person and the geographic community — to recognize the growth of telecommuting and remote work for companies headquartered in a community.

The proposed rule includes a provision to allow all federal credit unions to better capture the ongoing bond between individuals within a field of membership and their immediate family members following the death of a member.

The Board is also proposing a technical clarification and correction on the process for the NCUA to review and approve the character and fitness of a prospective federal credit union’s management and officials.

Comments on the proposed rule must be received no later than 90 days following publication in the Federal Register.

Share Insurance Fund Equity Ratio Stands at 1.30 Percent

The Chief Financial Officer briefed the NCUA Board on the performance of the Share Insurance Fund and the status of the fund’s equity ratio, noting that the fund reported a net income of $118.7 million and a net position of $20.4 billion for 2022. Additionally, the Share Insurance Fund’s assets declined to $20.4 billion at the end of the year from $20.7 billion at the end of 2021.

“During 2022, we experienced high levels of economic uncertainty and a rising interest rate environment. Yet, overall, the credit union system and the Share Insurance Fund performed well during the year. As noted earlier, the rise in interest rates increased the Share Insurance Fund’s income, a welcome departure from the low earnings we have seen during the last decade,” Chairman Harper said.

As of Dec. 31, 2022, the Share Insurance Fund’s calculated equity ratio was 1.30 percent, an increase from 1.26 percent reported as of June 30, 2022. The equity ratio was calculated on an insured share base of $1.69 trillion. The equity ratio was lower than the Board-approved normal operating level of 1.33 percent.

For the fourth quarter of 2022:

  • The number of CAMELS codes 4 and 5 credit unions rose to 122 from 120 in the third quarter of 2022. Assets for these credit unions rose $1.8 billion from the third quarter of 2022, to $5.6 billion from $3.8 billion.
  • The number of CAMELS code 3 credit unions rose to 769 from 768 in the third quarter of 2022. Assets for these credit unions rose $23.5 billion from the third quarter of 2022, to $71.4 billion from $47.9 billion.

Six credit union failures incurred a loss to the Share Insurance Fund in 2022, compared to seven credit union failures in 2021. The cost of the 2022 failures was $9.8 million.

The Chief Financial Officer also reported the agency’s four funds — the Share Insurance Fund, the Operating Fund, the Central Liquidity Facility, and the Community Development Revolving Loan Fund — each received an unmodified, or “clean,” audit opinion for 2022 from the agency’s independent auditor, KPMG LLP.

Said Chairman Harper, “It’s also worth acknowledging the NCUA’s sustained achievement of unmodified audit opinions for more than 40 years. This record underscores the NCUA’s commitment to sound financial management and the careful stewardship of the resources entrusted to the agency.”

Follow @TheNCUA on Twitter, and access Board Action Memorandums and NCUA rule changes at www.ncua.gov. The NCUA also live streams, archives and posts videos of open Board meetings online.
