As Prepared for Delivery on February 16, 2022
After all these years, with cybersecurity being top of mind, I wish we could say that after having focused on this threat for such a long time, we are making progress toward a real sustainable solution, but unfortunately, that's simply not the case given the velocity and evolution of cybersecurity threats. As such, we have to accept that cybersecurity threats are an ongoing risk both to financial institutions’ operations and to their reputations. Moreover, we have to accept that the risk is a moving target.
Today's final rule reflects this present reality. Every credit union must recognize that their institution is just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters must recognize that the agency's cybersecurity review and supervision capabilities need to be more robust.
Today's final rule is a step forward in this endeavor. Gone are the days when you had a vendor provide credit unions with an add-on patch to address a vulnerability and simply move on. Today, we need to rethink defense in depth when it comes to cybersecurity. That means not only addressing vulnerabilities and recognizing threats but also having response plans in place that not only identify vulnerabilities but also catch attacks in real time and proactively prevent their impact on a credit union.
I do have a few questions:
- Although this rule does not take effect until September, do credit unions have a responsibility now, before the rule’s effective date, if a cyber incident occurs?
- How does this final rule differ from what the banks are doing?
I support today's final rule. I have no further questions or comments at this time other than just thanking you all for your hard work and to know that this is an issue that's going to remain with ongoing vigilance.