As Prepared for Delivery on February 16, 2023
Thank you, Kelly, Christina, and Gira, for your presentation to the NCUA Board on the final rule on cyber incident notification requirements for federally insured credit unions. My heartfelt thanks go out to the teams from the Office of Examination and Insurance, the Office of General Counsel, and others across the agency. Their joint efforts in finalizing this measure will fortify and strengthen the cyber defenses of our nation’s financial services sector.
Cybersecurity is an issue that often keeps me up at night. I suspect others have the same reason for sleeplessness, including my fellow Board members. As such, I want to express my gratitude to Vice Chairman Hauptman and Board Member Hood for their support of this rulemaking and their contributions to this final rule.
This final rule is largely unchanged from the proposed rule approved last July. It sets the parameters for what constitutes a reportable incident and the minimum notification requirements. Under this rule, a credit union must notify the NCUA as soon as possible, but no later than 72 hours, after it reasonably believes a reportable cyber incident has occurred.
Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector. This final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.
On this point, I want to thank Vice Chairman Hauptman for his suggestion that the final rule include language noting that the NCUA will coordinate with the Cybersecurity and Infrastructure Security Agency on any future credit union cyber incident reporting requirements to avoid duplicative reporting to both agencies. I’ve long believed that we should work to improve the efficiency of agencies by streamlining rules and regulations, when possible. So, this addition was much appreciated.
Each of us in the financial system has an obligation to protect our nation’s economic and financial infrastructure. And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue.
Additionally, this final rule is just one of several actions the NCUA has recently taken to improve the system’s cyber resiliency. Earlier this year, for example, the agency launched the Information Security Examination program, or ISE for short. ISE standardizes the examination of credit union information security and cybersecurity programs and enhances the NCUA’s ability to identify deficiencies. ISE is also flexible and can adapt to all credit union asset sizes and complexity levels to assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats.
While the cyber incident notification final rule and ISE will help in the fight against cyberattacks, we still must confront the regulatory blind spot that continues to exist because the NCUA lacks authority — the same authority that banking regulators have — to exercise a risk-based approach to supervise third-party vendors.
Unfortunately, cyber risk in the credit union system often lurks in the ether — beyond the NCUA’s purview — within credit union service organizations and third-party service providers that do not have the same level of oversight as bank vendors. As a result, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.
I agree with these experts. Restoring the NCUA’s authority over credit union service organizations and third-party vendors will bolster our nation’s national economic security. It will also give credit union members the same protection that bank customers currently enjoy. As such, the NCUA will continue to engage with Congress on this important legislative issue.
Before concluding my remarks, I do have one question. I know that the Office of Examination and Insurance plans to develop guidance and training on this new rule. Will these materials outline scenarios for when a notification is needed and when it is not?
Thank you for those insights, and thank you again Kelly, Christina, and Gira, for your excellent work on this final rule. I now recognize Vice Chairman Hauptman.
Thank you, Board Member Hood. I do have two follow-up questions. This final rule helps to narrow the regulatory blind spot that the NCUA has with identifying and mitigating risks within the industry. For clarification to those who question how exactly the NCUA would exercise third-party vendor authority, Kelly, would you explain the risk-focused approach examiners would take when deciding to use this authority?
Thank you. When it comes to the level of experience that NCUA examiners have, do you believe they have the skills necessary to identify risks, problems, and violations of regulation or law within the areas of safety and soundness, consumer financial protection, cybersecurity, and BSA/AML compliance?
Thank you. That concludes my additional questions. Is there a motion?