September 27, 2022

NAFCU writes to NCUA on proposed cyber incident reporting rule

NAFCU Senior Counsel for Research and Policy Andrew Morris wrote to the NCUA to offer recommendations on the agency’s proposed rule establishing a 72-hour period for credit unions to provide notice of a reportable cyber incident.

In the letter, Morris stated the proposed 72-hour timeframe to report a cyber incident to the NCUA would likely increase “administrative burden” for credit unions. To ease the burden of this rule, NAFCU gave nine recommendations:

  • recognize a compliance safe harbor for a credit union that makes good faith efforts to perform a reasonable assessment of a cyber incident;
  • clarify core terminology;
  • streamline communication with supervisory teams;
  • clarify the relationship between overlapping reporting standards;
  • avoid conflict with current and future cyber incident reporting requirements;
  • recognize a credit union has the final say to report any third-party cyber incident;
  • calibrate reporting thresholds to avoid requiring a credit union to report incidents that happen outside the credit union’s domain;
  • ensure proper coordination exists with other federal regulators; and
  • clearly state that any cyber incident notifications given to the NCUA are confidential.

NAFCU believes these recommendations would improve clarity and reduce overlap if the NCUA decides to proceed with a final rule. The association also requests the agency use the information it collects from credit unions to “improve the security and resilience of the industry,” as well as hold more cybersecurity briefings for credit unions.

NAFCU will continue to engage the NCUA and update credit unions on the latest from the agency.