NCUA Board Meeting: Cyber Incident Reporting Reveals 'Weak Link' in CU System

During its October meeting, NCUA Board members received an update from staff members concerning the state of cybersecurity and cyber incident reporting that has been documented since the agency’s cyber incident notification rule went into effect on Sept. 1, 2023.

In Thursday’s meeting, as part of an annual cybersecurity update, Board members were told since last September through Aug. 31 of this year, credit unions reported 1,072 cyber incidents, of which 742 were related to the use or involvement of a third-party vendor.

NCUA Board Chairman Todd Harper said, “These annual cybersecurity updates at the NCUA Board table are an important reminder that cyberattacks on the financial services industry, including within the credit union system, will remain high for the foreseeable future. Far too often, we see that third-party service providers are a weak link in the financial system, a danger noted in the most recent Annual Report of the Financial Stability Oversight Council. And credit union third-party service providers are no exception.”

During the cybersecurity briefing, staff members made a note to remind credit unions what is reportable under the cyber incident rule. The rule requires federally insured credit unions that experience a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the credit union reasonably believes that it experienced a reportable cyber incident.

“These incidents highlight significant vulnerabilities to the $2.3 trillion federally insured credit union industry and our nation’s interconnected critical financial infrastructure,” Chairman Harper said. “We cannot afford to leave these vulnerabilities unchecked. As such, it’s everyone’s responsibility to maintain good cyber-hygiene — at home and at work.”

CU Charter Modernization Efforts

The NCUA’s Office of Credit Union Resources and Expansion briefed the NCUA Board on the agency’s efforts to modernize the chartering process. The briefing included data on the number of new charters, average days from receipt of a complete application to an approved charter, new charters by field-of-membership type, status of 2024 new charter applications and field-of-membership actions approved in 2024.

“The NCUA has made meaningful strides during the past four years in facilitating the chartering process so that organizers can pursue their visions of people helping people,” Harper said. “Welcoming a new credit union into the system of cooperative credit is good not only for the system but also for the consumer, many of whom have been unbanked and underserved for far too long.”

In addition, staff provided an update on the enhancements to the new charter management system and the provisional charter pilot.

“By facilitating the process through which credit union organizers can access the initial capital needed for capital standards, loss reserves and operating expenses — and streamlining and automating the application process as appropriate — the NCUA is making it easier and supporting promising organizing groups to form a credit union,” Harper added.