Asset & Supervision Threshold, Cyber Incidents, & 2022 Budget

NCUA logo

This week, the National Credit Union Administration (NCUA) board met for its July board meeting. This was the last meeting before the summer break, with the next board meeting occurring in September, where NCUA Board Chairman Todd Harper hopes to resume in-person.

Key takeaways are addressed below:

Final Rule: Asset & Supervision Threshold for Determining Appropriate Supervisory Office (Parts 700, 701, 708a, 708b, 750, & 790)
The board adopted a final rule that increases the threshold for supervision by NCUA’s Office of National Examinations and Supervision (ONES) from $10 billion to $15 billion in total assets. Credit unions with between $10 billion and less than $15 billion will be supervised by their Regional Office. The rule does not alter any regulatory requirements (i.e., stress testing and capital planning) for credit unions with at least $10 billion in total assets. Absent this rule change, the number of credit unions supervised by ONES would almost double in 2023.

The final rule becomes effective Jan. 1, 2023.

Proposed Rule: Cyber Incident Notification Requirements (Part 748)
The board issued a proposed rule to require federally insured credit unions that experience a “reportable cyber incident” to report the incident to the NCUA within 72 hours after the credit union reasonably believes that it has experienced such an incident. The proposed notification requirement provides an early alert to the NCUA and does not require credit unions to provide a detailed incident assessment to the NCUA within the 72-hour time frame.

The proposed rule defines “cyber incident” as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.

The proposal is consistent with the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which also provides a 72-hour time frame. A cyber incident notification rule adopted by the federal banking regulators requires notification within 36 hours.

NCUA will accept comments on the proposal for 60 days following publication in the Federal Register.

Other Board Actions
The board was also briefed on the 2022 mid-session budget.

A draft 2023 budget is expected to be available by the end of September.

Pin It