Board Action Bulletin
ALEXANDRIA, Va. (Oct. 24, 2024) – The National Credit Union Administration Board held its seventh open meeting of 2024 and received briefings on:
- Cybersecurity and the Information Security Examination Program
- New charters and field of membership
Cybersecurity, Hacking Economics, ISE Program Briefing
Employees from the NCUA’s Office of Examination and Insurance and Office of the Executive Director briefed the Board on cybersecurity, hacking economics, cyber incident reporting, and the NCUA’s Information Security Examination program. The briefing noted that trends across the credit union system include outages caused by ransomware attacks and third-party service providers.
Staff reported that from September 1, 2023, when the NCUA’s cyber incident notification rule became effective, through August 31 of this year, credit unions reported 1,072 cyber incidents, of which 742 — nearly 7 in 10 — were related to the use or involvement of a third-party vendor.
“These annual cybersecurity updates at the NCUA Board table are an important reminder that cyberattacks on the financial services industry, including within the credit union system, will remain high for the foreseeable future,” Chairman Harper said. “Far too often, we see that third-party service providers are a weak link in the financial system, a danger noted in the most recent Annual Report of the Financial Stability Oversight Council. And credit union third-party service providers are no exception.”
In addition, the briefing described what is reportable under the cyber incident reporting rule; gave the status of the Information Security Examination Program, including its strengths and opportunities for improvement; and provided an update on the number of third-party provider and ransomware incidents.
“These incidents highlight significant vulnerabilities to the $2.3 trillion federally insured credit union industry and our nation’s interconnected critical financial infrastructure,” Chairman Harper said. “We cannot afford to leave these vulnerabilities unchecked. As such, it’s everyone’s responsibility to maintain good cyber-hygiene — at home and at work.”
The NCUA continues to encourage credit union staff and boards of directors to review their third-party service provider and vendor relationships, assess and mitigate any potential risk associated with their products and services, and strengthen their institution’s cyber vigilance and preparedness efforts. Chairman Harper noted in his remarks that a Letter to Credit Unions was issued earlier this week that provides boards of directors guidance on their roles and responsibilities for ensuring their credit union’s cyber defenses.
The NCUA’s Cyber Incident Notification Requirements rule requires a federally insured credit union that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the credit union reasonably believes that it experienced a reportable cyber incident.
To report a cyber incident, credit unions may contact the NCUA by calling 1.833.CYBERCU (1.833.292.3728) or by using the NCUA’s Secure Email Message Center to send a secure email to cybercu@ncua.gov.
Cybersecurity-related information, including regulations, guidance, and resources to help protect credit unions and their members from cyberthreats, is available on the NCUA’s cybersecurity resources webpage.
Board Briefed on Charter Modernization Efforts
The NCUA’s Office of Credit Union Resources and Expansion briefed the NCUA Board on the agency’s efforts to modernize the chartering process. The briefing included data on the number of new charters, average days from receipt of a complete application to an approved charter, new charters by field-of-membership type, status of 2024 new charter applications, and field-of-membership actions approved in 2024.
“The NCUA has made meaningful strides during the past four years in facilitating the chartering process so that organizers can pursue their visions of people helping people,” NCUA Chairman Todd M. Harper said. “Welcoming a new credit union into the system of cooperative credit is good not only for the system but also for the consumer, many of whom have been unbanked and underserved for far too long.”
In addition, staff provided an update on the enhancements to the new charter management system and the provisional charter pilot.
“By facilitating the process through which credit union organizers can access the initial capital needed for capital standards, loss reserves, and operating expenses — and streamlining and automating the application process as appropriate — the NCUA is making it easier and supporting promising organizing groups to form a credit union,” Chairman Harper said.
Information on starting a new federal credit union and the chartering process is available on the NCUA’s website.
Follow @TheNCUA on X, and access Board Action Memorandums and NCUA rule changes at www.ncua.gov. The NCUA also live streams, archives, and posts videos of open Board meetings online.