Unified national cybersecurity standard would best serve FIs; NCUA notification requirements take effect soon

While cybersecurity is crucial in safeguarding all types of data against theft and loss, a unified national — as opposed to state — standard would best serve financial institutions, said William J. Mellin, New York Credit Union Association president/CEO, in response to the New York State Department of Financial Services’ proposed amendment on cybersecurity requirements for financial services companies.

In a letter to DFS on Friday, Aug. 11, Mellin stated that cybersecurity will become increasingly important to the daily operations of financial institutions, but that it should not become an unnecessary hindrance to overall operational productivity, particularly when an institution operates in, or serves members with locations and residences in, numerous states. Mellin’s comments echoed his January 2023 letter to DFS, which stated that the cybersecurity amendments proposed in November 2022 posed unrealistic compliance burdens and lacked objective criteria.

Federal credit unions are already subject to the federal Gramm-Leach-Bliley Act, which seeks to protect consumer financial privacy by requiring financial institutions to fully explain their information-sharing practices to customers and safeguard sensitive data, Mellin said in his letter last week.  “Rather than develop a framework of state-specific cybersecurity regulations, the goal should be to encourage a unified national standard.”

Further, Mellin stated that New York Banking Law requires any credit union operating in New York and acting as a mortgage loan servicer in the state to notify the DFS superintendent and comply with any regulations applicable to mortgage loan servicers. Since mortgage loan servicers will have to comply with New York’s cybersecurity requirements, federal credit unions that are also acting as mortgage loan servicers in New York must also comply. “While exempt entities, such as credit unions, may have not been an intended target, as written, this new regulation ultimately compels most of these institutions to comply as well,” said Mellin.

National cybersecurity standard
Mellin stated that encouraging a national cybersecurity standard would achieve the rigorous protections and reporting obligations sought by New York state, but also maintain uniformity, productivity, and efficiency in daily credit union operations. The definition of “covered entities” should be modified to specifically exclude exempt federal institutions and/or clarify the obligations of traditionally exempt institutions under the new amendment, Mellin suggested.

Mellin concluded that the New York credit union community is committed to working together in an attempt to reduce cybersecurity risks. However, the goal should be for the states to move toward a national standard, which will not only safeguard data and limit losses, but increase productivity in daily operations.

NCUA cyber incident notification requirements

The NCUA on Monday reminded credit unions that, beginning on Sept. 1, 2023, they must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

Read the full NCUA letter here.
