As Prepared for Delivery on July 21, 2022
Thank you very much, Yvonne, Christina, and Ian, for your presentation on the proposed rule about cyber incident notification requirements for federally insured credit unions. I know that cybersecurity is not only a priority for me, but also for my fellow Board members.
This proposed rule is important because of rapidly evolving cybersecurity threats and the urgent need to maintain a heightened state of awareness and vigilance across the credit union and broader financial services systems. Considering the ongoing geopolitical upheaval caused by Russia’s war on Ukraine, our increasingly interconnected world, and the countless fraudsters and scammers who lurk in the ether, the National Credit Union Administration — and all credit unions — must stay ahead of bad actors who perpetrate cyberattacks. As cyberattacks grow in sophistication and scope, we need all hands on deck to protect the credit union system.
Therefore, the NCUA Board’s approval for issuing the proposed rule before us today is a critical step to increasing cybersecurity awareness and protection within the financial system. Federally insured credit unions are not only the system’s first line of defense, but they are also the NCUA’s eyes and ears.
To that end, the proposed rule would set parameters for what constitutes a reportable incident and the minimum notification requirements. By doing so, the proposal would align with the Cyber Incident Reporting for Critical Infrastructure Act signed into law in March. The proposed rule would also bring the NCUA’s cyber incident reporting framework into greater alignment with those of other federal banking regulators.
Last November, our sister agencies finalized their computer security incident reporting rule. That rule requires a banking organization to notify its primary federal regulator of any significant computer security incident no later than 36 hours after the banking organization determines a reportable cyber incident occurred.
We expect credit unions to exercise their best judgment in determining whether a substantial cyber incident is reportable to the agency. The NCUA Board anticipates a credit union would need sufficient time to form a reasonable belief that it has experienced a reportable incident. Under this proposal, the 72-hour clock starts only once the credit union has formed a reasonable belief that it has experienced a reportable cyber incident.
Given the frequency and severity of cyber incidents within the financial services industry, the Board would encourage credit unions to contact the agency if they are uncertain about whether a cyber incident is reportable. And, this point bears underscoring, the proposed rule emphasizes the earliest possible initial report of an incident, instead of a comprehensive forensic analysis which takes longer to report.
As more incidents are reported, a reservoir of knowledge, experience, and best practices will be developed, from which every credit union stands to benefit. This information has potentially wide-ranging impact beyond the credit union system.
For example, additional data points on cyber incidents can help law enforcement and intelligence agencies provide advanced warning to other organizations within our nation’s critical infrastructure sector. When credit unions report these types of incidents, they may keep our nation secure from similar cyberattacks elsewhere.
With that, I do have a few questions.
Yvonne, one difference between the proposed rule before us today and the federal banking regulators’ reporting requirement is the timeframe in which institutions are required to report. Could you please explain why our timeframe is 72 hours and different from the bank regulators’ 36-hour reporting timeframe?
Thank you, Yvonne. That is an important clarification.
And, in terms of reportable incidents, can you please explain if something as simple as a phishing email — which credit unions may receive many times per day — would be an example of a reportable incident? In other words, what do we mean by a “substantial” cyber incident?
Thank you, and could a cyber intrusion, which does not at the time of discovery include the loss of member shares or render an information technology system inoperable, be reportable? If so, why?
Thank you, that is helpful context for all of us to understand what is and what is not reportable.
With respect to burdens, how have we sought to minimize any costs associated with complying with this proposed rule?
Finally, some have raised questions about the cybersecurity reporting requirements that apply to the NCUA. Would you please explain some of the reporting requirements that the agency is subject to, and who sets those reporting requirements? Why must the NCUA adhere to those cyber reporting standards?
Thanks, again, everyone. That concludes my remarks. I now recognize Vice Chairman Hauptman.