Harper Reminds Credit Unions About Cyber Reporting Rule

Learn what NCUA Chairman Todd Harper had to say about a cyber incident reporting rule for credit unions set to go into effect in September.

David Baumann


Aug 15



View all posts by 

David Baumann

Articles Posted by

David Baumann

A squiggly pink arrow pointing downward and to the right.

NCUA Chairman outlines notification requirements ahead of implementation next month.

Starting Sept. 1, all federally insured credit unions will be required to notify the NCUA within 72 hours after the institution believes it has suffered a cyber incident or is notified by a third party regarding a cyber incident, NCUA Chairman Todd Harper reiterated Monday.

In a letter to credit union officials, Harper reminded them that the NCUA had adopted the final cyber rule in February.

Defining a ‘Cyber Incident’

Harper explained that the notification rule defines a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.”

He added that the definition has two prongs. The first requires a federally insured credit union to report an incident that “leads to a substantial loss of confidentiality, integrity, or availability of a member information system as a result of the exposure of sensitive data, disruption of vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”

The second prong requires reporting to the NCUA when a cyber attack disrupts business operations, vital member services or a member information system.

The letter does note, however, that there are legitimate reasons why services may not be available, such as the maintenance of computer servers, and such events are routine.

Backstory and Context

In a speech to the Defense Credit Union Council earlier this month, Harper renewed his plea for Congress to grant the NCUA additional powers to monitor cyber vulnerabilities.

The NCUA currently does not have the authority to examine or monitor credit union third-party service providers, a power the other federal banking regulators do possess.

“This growing regulatory blind spot in the financial system threatens our nation’s economic security, poses risks for the financial well-being of our citizens—and more immediately—potentially threatens the reserves of the NCUA’s Share Insurance Fund, should the problems and losses at a vendor lead to the collapse and failure of a credit union,” he told the council.

NCUA officials have been seeking that power for the past several years, however Congress has yet to enact legislation granting the agency such authority.

Other federal agencies, including the Government Accountability Office and the NCUA’s own Inspector General, have said that the NCUA should have power over vendors, as it once did before the authority expired.

“Restoring the NCUA’s authority over CUSOs and third-party vendors will bolster our nation’s national economic security, and it will save us all time and money in the long term. That’s just good business,” Harper continued in the speech. “And, from a customer service standpoint, it will give credit union members the same protection that bank customers enjoy, which they deserve.”

Pushback from CU Trade Groups

However, credit union trade groups traditionally have opposed giving the NCUA the added authority, saying, among other things, that the agency would have to hire new employees with expertise to conduct cyber examinations at vendors.

That, they have said, would result in an increase in the agency’s budget and, in turn, an increase in the fees paid by credit unions.


No items found.