As Prepared for Delivery on July 21, 2022
Thank you, Yvonne and team, for this presentation. The weight of regulatory compliance continues to grow. Large and small credit unions bear this burden with the consequences effecting staffing, services, and support of members. Regulatory burden is an issue often cited during mergers – especially with smaller credit unions.
There is no doubt, cyber security is critically important, but we must be realistic about what is necessary.
We don’t want a bad actor to cause even more damage via a permanent regulatory burden. One somewhat-imperfect example is that millions of Americans take their shoes off in airports every day because 21 years ago, one guy happened to use his shoes to take on-board what could have been delivered in a variety of other ways.
No other country requires taking shoes off at airports, and we Americans sometimes get made fun of in foreign airports for taking our shoes off even though it’s not required there. You can do the math on what that costs in time and energy. Not to mention, travelers say the shoes-off policy is one of the most-disliked aspects of American airports, thus pushing more folks to drive instead – a method of transportation that causes far more fatalities than flying.
All of this is to say we don’t want cyber incidents to result in permanent regulatory changes that wind up causing more damage than necessary.
Compliance is always easier for the people who do not have to do the complying. Credit unions should spend time and money on cyber security, not waste time and money on cyber security.
I appreciate that you and the team approached this proposed rule with that in mind.
- This proposed rule is about reporting to NCUA only, although additional reporting may be required by the Cybersecurity and Infrastructure Security Agency (CISA) once they promulgate their rules.
- It’s important to note that NCUA does not publicize the name of credit unions that report cyber incidents.
- Requirements on notifying credit union members and the public are not changing or being considered.
- In this proposed rule, we are asking for comment on what should/should not be considered a reportable incident. As it is proposed the definition follows the Cyber Incident Reporting for the Critical Infrastructure Act of 2022, part of the Consolidated Appropriations Act of 2022.
- CUs are being asked to report as soon as possible and not later than 72 hours after the CU reasonably believes an incident has occurred. The timeframe of 72 hours is what CISA will require in 2025.
- I should add that NCUA itself faces similar requirements. This is something I asked about since it is so important the government understand what it’s like to live under the same rules. NCUA is required to report information security incidents to CISA within one hour of being identified by the agency’s top level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department.
- CUs are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame. This is the initial notification once they reasonably believe an incident has occurred. The earlier NCUA is notified, the faster the agency can assess whether the incident is isolated or widespread. This should benefit credit unions because NCUA can alert credit unions about the type of recent cyber incidents, without mentioning the name of the credit union that reported it.
- No timelines for providing a detailed incident assessment are being considered or changed by this NPR.
- This NPR contemplates a single point of contact at NCUA for reporting incidents, although there is a question in the NPR asking for input on this issue.
The need for robust cyber security is the new normal and this NPR is asking for input on a number of requirements. We take your comments seriously. I urge stakeholders to help us make this rule as effective as possible without asking credit unions to “take off their shoes.”
I have a couple of questions:
- How much leeway does NCUA have with regard to what is considered a reportable incident?
- What happens if the agency is notified of a cyber incident?
- Vague regulation is bad regulation. We want it to be as clear as possible when credit unions should, and should not, report to NCUA. I understand there are three broad situations that could trigger a cyber incident. Where did these provisions come from, and can you describe these?