Debbie MatzNCUA Board Chairman Debbie Matz said retailers and other third parties should be responsible for the costs of data breaches on their systems.

"Throughout this year, credit unions and their members have suffered from data breaches they did not cause. However, no matter how far removed a data breach may be from a credit union, that credit union may pay in terms of its balance sheet and its reputation," Matz said in a speech before the Metropolitan Area Credit Union Management Association Monday.

"When breaches occur in third-party data systems, the responsible third parties should be held accountable," she added.

Financial institutions are required by law to protect sensitive information but retailers do not have to pay for data breaches, Matz said.  

"Yet it is financial institutions, not retailers, who must shell out as much as $15 for every new card issued to affected cardholders," she said. "It is financial institutions, not retailers, who must monitor affected accounts and reassure consumers that those accounts are still safe. Retailers should be held to the same high data protection standards. It is time to end the double standard."

Matz indicated that cybersecurity would remain a top supervisory priority for the NCUA in the upcoming year.

"Next year, NCUA will expect credit unions to implement controls to better detect cyber-attacks, to better protect themselves and their members and to better recover from those attacks," she said.

Despite regulatory guidance, Matz said many financial institutions are not taking basic steps to protect information, including applying access controls, testing their systems and encrypting sensitive data before it is transmitted.

"Cyberterrorists are scheming to break into smaller institutions, including credit unions, and use them as an entry point to the entire financial services system," she said.

 

 

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.