NAFCU Senior Counsel for Research and Policy Andrew Morris wrote to the NCUA to offer recommendations on the agency’s proposed rule establishing a 72-hour period for credit unions to provide notice of a reportable cyber incident.
In the letter, Morris stated the proposed 72-hour timeframe to report a cyber incident to the NCUA would likely increase “administrative burden” for credit unions. To ease the burden of this rule, NAFCU gave nine recommendations:
- recognize a compliance safe harbor for a credit union that makes good faith efforts to perform a reasonable assessment of a cyber incident;
- clarify core terminology;
- streamline communication with supervisory teams;
- clarify the relationship between overlapping reporting standards;
- avoid conflict with current and future cyber incident reporting requirements;
continue reading »