This week, the National Credit Union Administration (NCUA) Board received a comprehensive briefing on the latest regarding cybersecurity (including the current threat landscape), as well as the agency's diversity, equity and inclusion (DEI) program.

Staff also discussed the agency’s information security examination (ISE) program, which is a scalable assessment currently being tested by examiners throughout the country. In addition, staff provided an update on ACET (Automated Cybersecurity Evaluation Toolbox), which is a voluntary tool intended to allow credit unions determine and measure their own cybersecurity preparedness over time.

Board Chairman Todd Harper asked staff about the agency's effort to pursue an incident reporting rule similar to that recently finalized by the federal banking regulators. That rule requires banking organizations to, among other things, notify regulators of “any significant computer-security incident” as soon as possible and no later than 36 hours after determining such an incident has occurred. Staff said the agency is looking at the bank regulators’ rule as well as the recently enacted Cyber Incident Reporting for Critical Infrastructure Act to inform NCUA’s rulemaking in this area.

NCUA’s Diversity, Equity, and Inclusion (DEI) Update
The board also received a comprehensive briefing on the latest regarding DEI. The presentation focused primarily on NCUA’s Minority Depository Institution Program and NCUA’s DEI efforts, including the agency’s workforce diversity.

Harper asked about the NCUA’s efforts to protect small minority depository institutions (MDIs) facing financial difficulty. Staff noted that the regional offices work closely with MDIs contemplating a merger, and in some instances provide the MDI with additional time to find a merger partner. Harper indicated that the Federal Deposit Insurance Corp. (FDIC) seems to do more in this area and suggested the NCUA take a look at the FDIC to see if there might be more that can be done.

Harper pointed out how the other bank regulators do not use peer metrics to assess MDIs since they are so different from non-MDIs and asked if NCUA might be able to do the same. Staff indicated that the agency is working to update its examination policies to reflect the unique nature of MDIs.

In response to a question from Board Member Rodney Hood, staff noted that unlike low-income designated credit unions, MDI credit unions do not receive any beneficial regulatory treatment. However, staff noted that 81 percent of low income credit unions (LICUs) are MDIs; thus, those MDIs do receive regulatory flexibility given their LICU designation.

Tweet