Briefings look at cybersecurity, reg relief

(April 23, 2021) Meanwhile, the NCUA Board did hear two briefings during its Thursday meeting: on cybersecurity and on an interim final rule (IFR) it adopted late last week on regulatory relief due to savings surges at credit unions.

Regarding the IFR, the board on April 16 announced it had adopted, by notation vote, the IFR that reduces the earnings retention requirement for credit unions classified as adequately capitalized, and permits an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth during the coronavirus crisis. The rule is substantially similar to a rule that was adopted in May 2020 but lapsed at year-end. The rule took effect immediately and remains in place until March 31, 2022.

In a release last week, the agency said that, due to the pandemic’s continued financial and economic disruptions, it was necessary to reintroduce the two temporary relief measures.

Under the first provision of the IFR (reducing the earnings retention requirement for credit unions classified as adequately capitalized), NCUA said those credit unions unable to meet the requirement will not have to submit a written application requesting approval to decrease their earnings retention amount.

Under the second provision (permitting an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth due to the crisis), if a credit union becomes less than adequately capitalized for reasons other than share growth, it must still submit a net worth restoration plan under the current requirements in NCUA’s regulations.

A 60-day comment period, ending June 18, is also open for the IFR.

The briefing on cybersecurity provided a status update (including threats and mitigation trends). Johnny Davis, the agency’s top cybersecurity expert, focused on supply chain risk management in his presentation, noting the agency will host a table-top exercise on the issue in August. He said the agency is looking for credit unions to volunteer to participate in the exercise, to gauge if there are additional items for due diligence consideration by the agency.

Davis noted that NCUA will be working with the Treasury Department, the Department of Homeland Security, and other law enforcement and intelligence agencies to carry out the planned exercise with credit unions.

NASCUS President and CEO Lucy Ito said the association looks forward to the inclusion of state supervisory authorities in this effort and other NCUA table-top exercises to more fully capture the totality of the national credit union environment in modeling supply chain attacks and other possible cyber intrusions.

At the end of the conversation at the meeting, Board Member Hood made a pitch for NCUA to procure examination authority over vendors to credit unions. Davis, in response to Hood’s query, said doing so would require an additional eight to 11 agency staff members, and an annual budget of up to $2 million (although Hood indicated that if NCUA obtains vendor exam authority, he would favor the FDIC’s model of not increasing its budget, at least initially).

“It’s important to note that NCUA would focus only on those significant service providers in core processing and payment arenas that are not already covered in the work that we do jointly with the FFIEC and our banking (regulatory) counterparts,” Davis said.

He added that “selected entities” subject to oversight would need to pose a significant concentration risk to credit unions in regard to service and products being consumed. “Exams would not be on an annual basis; likely a three to five year life cycle,” he said, calling that “very similar to collective audit spread of security controls.”

Davis said that “lifecycle” would also give the agency a chance to continuously monitor effectiveness, noting that “operational efficiencies would occur over time.”

Regarding vendor exam authority for NCUA, NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level. Further, NASCUS supports efforts to strengthen state regulatory exam and supervision of third parties providing services to state-chartered credit unions.

Later this year, NASCUS, in partnership with the Credit Union Natl. Assn. (CUNA), hosts the Sept. 3-Nov. 9 Cybersecurity eSchool, a multi-week, virtual program developed to explore the latest popular and important cybersecurity topics, including strategies and tactics on how to keep credit union data safe.

Temporary Regulatory Relief in Response to COVID-19 – Prompt Corrective Action

April 2021 NCUA Board Presentation: Cybersecurity Update (Current Events and Trends)

Cybersecurity eSchool, in Partnership with CUNA