ALEXANDRIA, Va.—During its open board meeting Thursday, NCUA said it may consider adjusting the normal operating level of the NCUSIF due to the growing risk third-party cyber incidents present to the fund.
Chairman Todd Harper emphasized the move may be necessary because NCUA lacks oversight of third parties that work with credit unions.
“Despite our efforts to strengthen the system’s cyber defenses, we still have a blind spot,” Harper said. “NCUA’s ability to analyze and assess the (cybersecurity) risk in the entire credit union system remains limited because the agency lacks the same level of oversight of third-party service providers as other federal banking regulators. Stakeholders must understand the risks resulting from the NCUA's lack of vendor authority are real…The board may need to consider changes to the normal operating level of the Share Insurance Fund given the additional risk of ensuring an industry that more and more outsources core business operations to unregulated third-party service providers.”
1,072 Incidents
Harper, during a cybersecurity briefing from staff, emphasized that most cyber incidents reported to NCUA have involved third-party service providers. Since the NCUA cyber incident notification rule took effect last September, through Aug. 31, there were 1,072 cyber incidents reported involving credit unions, and 742 were related to third parties.
“Until this growing regulatory blind spot is closed, thousands of federally insured credit unions with more than 140 million consumers who use those credit unions and trillions of dollars in assets are exposed to higher levels of risk,” Harper said. “Credit union leaders must also understand that their institutions are a significant part of our nation's critical infrastructure, something that the U.S. government has a solemn obligation to protect. We cannot do that without the ability to assess and analyze risk, and that is what vendor supervision would provide us.”
Vice Chairman Kyle Hauptman agreed, noting that seven in 10 cyber incidents reported this year from credit unions involved a third party. The agency, Thursday, said it will be introducing a new, web-based cyber incident reporting form that will help simplify reporting. It will include instructions and a quick reference guide. The web form will complement the other existing reporting methods, which include voicemail, the agency said.
Hauptman stressed that cyber-incident reporting is not difficult, with the existing process and with the new form. Hauptman, during the meeting, called the NCUA cyber-incident reporting line and played the call to help credit unions understand the process is easy.
Hauptman said he believes many credit unions are not reporting cyber incidents due to fear of the process.
“The process is not hard,” Hauptman. “Just get the call in. It’s easy and no one will ding you if you don’t get all the information in.”
During the briefing NCUA staff outlined the key areas of risk impacting credit unions: third parties, web applications, social engineering and ransomware. The board also referred to its Oct. 21 Letter (24-CU-02) that addresses board engagement in cybersecurity oversight.
Other Business
During the briefing on field of membership and chartering of new credit unions, staff noted the average review and approval time for a new charter in 2023 was 152 days compared with 215 in 2024. The agency attributed the additional time to greater complexity of the new CUs.
Harper said NCUA is making sure it is helping “promising organizing groups form a credit union. However, obtaining a credit union charter is not supposed to be easy or simplistic. With the charter comes the responsibility to promote financial well-being of members, and it also comes with certain compliance requests, like anti money laundering. This delicate balance requires us to be both purposeful and careful.”
Hauptman pointed out the new credit union charter process has been a priority of his since his first board meeting in December 2020.
“For over 90 years, forming a credit union in the United States has been the answer to financial inclusion for hundreds of thousands of immigrants, religious groups, factory workers and more,” he said. “On June 21, 1934, Franklin Delano Roosevelt signed into law the Federal Credit Union Act in part to address the financial challenges facing rural America following the Great Depression. The newly created Federal Credit Union Division was placed under the Farm Credit Administration. On Oct. 1, 1934 – less than three months later – the first federally chartered credit union was formed in Texas. So, right or wrong, it was easier to start a credit union because you only dealt with your state government, and you didn’t need to apply for federal deposit insurance—because it didn’t exist yet. The first 2,400 credit unions had zero interaction with anyone in the Washington, D.C., region.
“Things were a lot simpler in 1934 than they are today,” Hauptman continued. “Today, getting to a completed charter application can take years. While the complexity of financial services has changed, what hasn’t changed is the importance of financial services to people of modest means. Access to financial services and credit can improve the economic trajectory of a family for generations.”