NCUA Boardroom. (Photo: NCUA)
With a unanimous vote Thursday, NCUA board members approved the cyber incident reporting requirement final rule in which federally insured credit unions must report to the agency when a "reportable cyber incident has occurred." The incident must be reported to the NCUA within 72 hours.
According to the final rule, "federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes."
Recommended For You
Cyberattacks that cause a disruption of credit union services and/or business operations must be reported back to the NCUA within 72 hours once there is a reasonable belief that the credit union has experienced a cyberattack.
NCUA Board Chairman Todd Harper said, "Each of us in the financial system has an obligation to protect our nation's economic and financial infrastructure. And, credit unions must be included in conversations about critical infrastructure, as a whole. This final rule will facilitate such dialogue. Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector. This final rule will also align the NCUA's reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act."
According to the NCUA, the 72-hour notification requirement window will help give the agency an early alert to the issue. NCUA officials clarified that during the early warning requirement window of 72 hours, credit unions do not need to give a full incident assessment to the agency at that time.
While the NCUA will be providing more reporting guidance to this new rule in the coming months, the final rule goes into effect on Sept. 1, 2023.
Chartering & Field of Membership Proposed Rule
The NCUA board also approved, with a 3-0 vote, a proposed rule to amend the field-of-membership and chartering rules to "streamline and strengthen" the process in order to serve more members, especially those in unbanked or under-banked communities.
The proposed changes would reduce duplicative or superfluous documentation and administrative requirements.
According to the NCUA, the proposed rule would do the following:
- Make four changes to the rules for underserved areas that multiple common-bond federal credit unions may seek to add to their fields of membership. The changes would streamline existing application requirements and clarify the role of data and criteria that other federal agencies provide relating to underserved areas.
- Eliminate the business and marketing plan requirement for certain federally insured, state-chartered credit unions that seek to convert to a federal charter while serving the same community field of membership.
- Expand the community-based field-of-membership affinities — relationships between a person and the geographic community — to recognize the growth of telecommuting and remote work for companies headquartered in a community.
Harper said, "Ultimately, it's Congress's decision whether to amend the Federal Credit Union Act's field-of-membership requirements to achieve greater parity with the rules in many states," Chairman Harper said. "However, where we can within our existing rules and the law's current requirements, the NCUA board should take appropriate and tailored action to simplify, streamline, and strengthen federal chartering options."
The proposal includes a provision to allow all federal credit unions to better capture the ongoing bond between individuals within a field of membership and their immediate family members following the death of a member, according to the NCUA.
Comments on the proposed rule are due no later than 90 days following publication in the Federal Register.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Michael Ogden
Editor-in-Chief at CU Times. To connect, email at [email protected]. As Editor-in-Chief of CU Times since 2016, Michael Ogden has led the editorial team in all aspects of content strategy and execution, including the creation of the publication’s exclusive and proprietary research database of the credit union industry’s economic landscape. Under Michael’s leadership, CU Times has successfully shifted to an all-digital editorial product with new focuses on the payments, fraud, lending and regulatory beats. Most recently, he introduced a data-focused editorial product for subscribers that breaks down credit union issues into hard data, allowing for a deeper and more factual narrative for readers. In 2024, he launched the "Shared Accounts With CU Times" podcast, which offers a fresh, inside-the-newsroom perspective through interviews with leaders from the credit union industry and the regulatory world. He dives into pressing credit union issues, while revealing the personalities working behind-the-scenes to push the credit union world forward. His background includes years as a radio and TV anchor/reporter and a public relations and digital/social media manager, where he covered the food and music industries, as well as cooperatives and credit unions. Over the years, he has launched numerous exclusive video and podcast series, including a successful series of interactive backstage interviews with musicians at music festivals, showcasing his social media and live streaming production skills.
