NCUA Chairman Todd M. Harper Statement on the Semi-Annual Cybersecurity Briefing

April 2022
Todd M. Harper

NCUA Chairman Todd M. Harper at the NCUA's headquarters in Alexandria, Virginia.

As Prepared for Delivery on April 21, 2022

Ernie, thank you for your timely and informative cybersecurity update. Today, more than ever, the NCUA and credit unions must maintain a heightened state of alert posture against malicious cyber activity.

In public appearances, I am often asked what keeps me up at night. The answer, almost always, is the risks that cyber-attacks pose to our financial system. As Ernie and others have often noted, the COVID-19 pandemic has increased cybersecurity exposures for all, including federally insured credit unions. Additionally, the escalating Russian war on Ukraine has implications far beyond Eastern Europe. There remains the potential for imminent cyberattacks from Russia in retaliation for U.S. support of Ukraine’s government. Those include attacks on our homeland’s critical infrastructure, like our financial services sector.

As a result, all credit unions and vendors, regardless of size, are targets for cyberattacks. We must all remain vigilant and take actions to safeguard our systems.

And, when attacks occur, credit unions and their vendors should report any cyber incidents to their NCUA examiner, the FBI’s Internet Crime Complaint Center at, and the Cybersecurity and Infrastructure Security Agency at

Through its Shields Up initiative, the Cybersecurity and Infrastructure Security Agency is providing real-time updates on cyber threats. I also encourage credit unions to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET. This tool is an excellent resource — especially for small credit unions or credit unions with limited resources — to understand cybersecurity preparedness levels. The ACET is available at no cost and credit unions can find the tool on the NCUA’s website at

Additionally, as part of our 2022 Community Development Revolving Loan Fund Grant program, the NCUA is providing eligible low-income credit unions with up to $10,000 in funding to modernize their information technology against cyberattacks. The application period for the Revolving Loan Fund opens on May 2 and runs until June 24. I encourage all eligible institutions to apply for these digital services and the other grants that are available.

The NCUA is also working to improve the credit union system’s cyber resiliency through our examination program. Specifically, the NCUA is revising its cybersecurity examination procedures with the goal of completing this revamp by the end of the year. We must stay focused on meeting the goal of finalizing the implementation of the Information Security Exam program in the fourth quarter. The new procedures also will be scaled to the size and complexity of a credit union and will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats.

Ernie, I now have three questions. What are the three most important actions a credit union — especially a small credit union — can take to improve its cyber-resilience? Which resources should they utilize?

Thank you. I urge all credit unions to follow Ernie’s advice to protect themselves and their members.

Additionally, many people would not immediately think that credit unions, especially small ones, could be potential targets of a foreign adversary. Could you please explain the reasons why bad actors may target credit unions?

Finally, this question may be better answered by Kelly Lay who has also joined us to answer questions. Late last year, the federal banking agencies finalized a rule requiring a bank to notify its primary regulator of any significant computer-security incident no later than 36 hours after identifying the problem. Kelly, would you tell us a bit more about that rulemaking and what NCUA staff is now exploring with respect to adopting a similar rule that meets the needs of the credit union system?

In closing, briefings like this one today are a critical part of the NCUA’s communications efforts to promote cybersecurity best practices and raise awareness about the threats credit unions face. Each of us — the NCUA, state supervisory authorities, credit unions, and vendors — has a responsibility to protect our IT systems, improve our collective ability to recover from incidents, educate our employees, share information, and report and address potential vulnerabilities. All of us must do our part and be cybersmart.

That concludes my remarks. I now recognize Vice Chairman Hauptman.
