NAFCU writes to NCUA on proposed cyber incident reporting rule

NAFCU Senior Counsel for Research and Policy Andrew Morris wrote to the NCUA to offer recommendations on the agency’s proposed rule establishing a 72-hour period for credit unions to provide notice of a reportable cyber incident.

In the letter, Morris stated the proposed 72-hour timeframe to report a cyber incident to the NCUA would likely increase “administrative burden” for credit unions. To ease the burden of this rule, NAFCU gave nine recommendations:

  • recognize a compliance safe harbor for a credit union that makes good faith efforts to perform a reasonable assessment of a cyber incident;
  • clarify core terminology;
  • streamline communication with supervisory teams;
  • clarify the relationship between overlapping reporting standards;
  • avoid conflict with current and future cyber incident reporting requirements;


continue reading »