NCUA Vice Chairman Kyle S. Hauptman during a meeting of the NCUA Board in Alexandria, Virginia.
As Prepared for Delivery on February 16, 2023
Thank you, Christina and Kelly, for this presentation and to the whole team for your work on this rule.
There is absolutely no question that cyber security and incident reporting are critically important. The sooner the agency is aware of an incident, the sooner it can determine whether it is isolated or widespread. The comment letters overwhelmingly supported the need for the rule.
As important as this is, we recognize that the crush of regulatory compliance is never-ending – and it is coming from all directions. The weight of regulatory burden is especially heavy for smaller credit unions and is often cited in mergers.
Today’s rule is about reporting to NCUA only. NCUA is issuing its rule now, rather than waiting until 2025, when the Cybersecurity and Infrastructure Security Agency (CISA) will release its final rule. The Board believes it is in the best interest of the credit union system to align the NCUA’s rule with the Cyber Incident Reporting Act to provide uniform and timely cyber incident reporting. It is our intention to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both the NCUA and CISA.
It seems the best way to serve credit unions, CISA, and NCUA is to have credit unions report a cyber incident to one agency – the NCUA. Preferably, credit unions will report to NCUA, and NCUA will forward the reports to CISA. I cannot promise that will be the case, but I can promise we will continue to work on it.
A few other items of note are the following:
- Requirements for notifying credit union members and the public are unchanged.
- Credit unions are being asked to report as soon as possible and not later than 72 hours after the credit union reasonably believes an incident has occurred. The timeframe of 72 hours is consistent with what CISA will require in 2025.
- Credit unions are not required to provide a detailed incident assessment to the NCUA within the 72-hour time frame.
- NCUA does not publicize the name of credit unions that report cyber incidents.
Compliance is easy, especially for the people who do not have to do it. Spending time and money on cyber incidents is inevitable. Wasting time and money is not.
Thank you, Mr. Chairman. I have a couple of questions.
- The rule is expected to take effect in September 2023. What steps are we taking to streamline the reporting process?
- Your presentation outlined three broad situations that could trigger a cyber incident. Where did these provisions come from?