by Amy Kleinschmit, Chief Compliance Officer
Letter to Credit Unions 23-CU-05

The National Credit Union Administration (NCUA) recently issued a letter to credit unions that included an Interagency Policy Statement on Prudent Commercial Real Estate Loan Accommodations and Workouts (Statement), which can be found here. This Statement updates the guidance previously issued in 2009 and incorporates recent policy and accounting changes. To highlight a couple of points in the updated Statement: it identifies short-term loan accommodations as a tool that could be used to mitigate adverse effects on borrowers, and it encourages financial institutions to work prudently with borrowers who are, or may be, unable to meet their contractual payment obligations during periods of financial stress. The Statement was also updated to reflect changes in GAAP, such as CECL.

NCUA Final Rule – Cyber Incident Notification

As a reminder, earlier this year the NCUA finalized a rule requiring a federally insured credit union (FICU) that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident. This final rule is effective September 1, 2023 and can be found here. These new requirements will be found under Part 748, which already discusses requirements for a credit union’s security program, suspicious transactions, catastrophic acts, and Bank Secrecy Act compliance. As with any rule or regulation, understanding the new vocabulary is key.
This final rule includes definitions for “compromise,” “confidentiality,” “cyberattack,” “disruption,” “integrity” and “sensitive information.” However, understanding the scope of this rule starts with looking at what a “reportable cyber incident” is. First, “cyber incident” means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system. The final rule defines “reportable cyber incident” to be “any substantial cyber incident that leads to one or more of the following:
With regard to the first provision, the NCUA explains in the preamble of the final rule that “there are many technological reasons why services may not be available at any given time as, for example, computer servers are offline, or systems are being updated. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.” An example of the second provision would be a distributed denial of service (DDoS) attack that disrupts member account access and would therefore be reportable. Blocked phishing attempts, failed attempts to gain access to systems, or unsuccessful malware attacks do not have to be reported. The final rule provides that a reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.

Each federally insured credit union must notify the appropriate NCUA designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA will be providing more detailed reporting guidance before the effective date of the final rule. The cyber incident report must be received by the NCUA as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or within 72 hours of being notified by a third party, whichever is sooner.

NCUA – Cyber Incident Reporting Rule Webinar

In anticipation of the effective date of its new cyber incident reporting rule, the NCUA will be hosting a free webinar on August 2. NCUA has announced that online registration and details about the presentation will be available soon. The webinar will be archived on the NCUA’s Learning Management System following the live event.
A Learning Management System account is required to view the archived webinar, and it also provides access to NCUA’s other training and educational materials.

InfoSight Highlight

The Q2 Compliance Update Video is now available on InfoSight. Michael Christians provides details around the CFPB Circular on Reopening Deposit Accounts, Fraud Prevention and Detection, Proposed Guidance from Joint Agencies on ROVs (reconsideration of value), and the Proposed Rule on AVM Quality Control Standards, and looks ahead at InfoSight’s Q3 Compliance Calendar.

As always, DakCU members may contact Amy Kleinschmit with any compliance-related questions.