Board Recap: Cybersecurity, Insurance Rules, and Fair Hiring

This week, the National Credit Union Administration (NCUA) board met for its October board meeting. Below is a recap:

Board Briefing: Cybersecurity Update
Staff provided an update on the state of cybersecurity. Based on 2023 Information Security Examinations (ISE), the agency suggests credit unions focus on the following:

• Report information security risk assessment results to the board of directors.
• Provide test results of key or critical controls to their board of directors.
• Provide third-party service provider cybersecurity contract provisions to their board of directors.

As a result of the recently effective Cyber Incident Reporting Rule, 146 incidents have been reported (within the first 30 days since rule implementation as of September 1, 2023), and over 60 percent of reported incidents were due to third-party compromises. Staff noted that the agency is working to develop a web-based reporting form for cyber incidents.

Staff noted several resources available from the Cybersecurity and Infrastructure Security Agency (CISA). These include a free automated scanning of a credit union’s website to assess vulnerabilities. Following the weekly scan, CISA will provide the credit union with a detailed report.

CISA will also provide an aggregate report to the NCUA, allowing the agency to identify certain sector wide issues. Staff made it clear that the NCUA will not receive identifying information for credit unions opting into CISA’s website scan.

Proposed Rule: Simplification of Insurance Rules
The board issued a proposed rule to amend the NCUA’s regulations governing share insurance coverage. Specifically, the proposal would:

• Simplify the share insurance regulations by establishing a “trust accounts” category that would provide for coverage of funds of both revocable trusts and irrevocable trusts deposited at credit unions in the accounts of members or those otherwise eligible to maintain insured accounts.
• Provide consistent share insurance treatment for all mortgage servicing account balances held to satisfy principal and interest obligations to a lender.
• Provide more flexible recordkeeping requirements to explicitly allow the NCUA to look to records held in the normal course of businesses that are maintained by parties other than a credit union and its members on their behalf.

The proposed changes would align with Federal Deposit Insurance Coverage (FDIC) changes scheduled to become effective in April 2024. The NCUA will accept comments on the proposal for 60 days following publication in the Federal Register.

Proposed Rule: Fair Hiring in Banking
The board issued a proposal to incorporate the agency’s “second chance” Interpretive Ruling and Policy Statement (IRPS 19-1) regarding statutory prohibitions imposed by Section 205(d) of the Federal Credit Union Act into NCUA’s regulations.

Section 205(d) prohibits, except with the prior written consent of the board, a person who has been convicted of certain criminal offenses involving dishonesty or breach of trust, or who has entered into a pretrial diversion or similar program, from participating in the conduct of the affairs of a credit union.

The proposed rule would amend the NCUA’s policies and procedures governing an application to rescind a prohibition pursuant to Section 205(d), as currently reflected in IRPS 19-1 and consistent with amendments made by the recent Fair Hiring in Banking Act and with comparable FDIC regulations. The proposed rule would expand certain de minimis offenses included in IRPS 19-1.

The proposed rule would also amend the regulation governing the conditions under which newly chartered or troubled credit unions must notify the NCUA of any proposed changes to the credit union’s board of directors, committee members, or senior executive staff.

The NCUA will accept comments on the proposal for 60 days following publication in the Federal Register.