New rules on cybersecurity, MBLs considered by NCUA for 2015

During an October 2014 NCUA examination of Palm Springs Federal Credit Union (FCU), a confidential flash drive went missing. According to Palm Springs FCU President & CEO Debbi Pitigliano, the drive was provided to the NCUA and contained members’ personal information, including names, addresses and social security numbers. Since last check, the drive’s location remains unknown but no unauthorized access to members’ accounts has been reported.

The estimated cost of the breach may seem low – fraud protection for 1,600 members at an estimated total cost of $15,000 to $20,000. But no matter the cost or amount of people affected, it is yet another instance of financial privacy being jeopardized. Target’s late 2013 breach is among the largest in recent memory, affecting over 70 million individuals. Others making the list include Michaels, Neiman Marcus, Jimmy John’s, Home Depot and JPMorgan Chase. In fact, as of Q3 2014, 43% of companies suffered from a data breach in the past year according to a report from the Ponemon Institute – an increase of 10% over the previous year.

While the circumstances surrounding each situation vary, there are ways to reduce the likelihood of future occurrences. In the case of Palm Springs FCU, the NCUA is considering a rule to require the encryption of data provided to examiners, according to Debbie Matz, NCUA Board Chairman.

Matz noted that short of requiring encryption, the NCUA is “struggling trying to figure out how to prevent data breaches” to ensure that member data remains protected if lost or stolen. She also mentioned that the NCUA’s intention is not to over regulate, but rather to figure out how to enhance levels of protection. According to CU Times, how to proceed in this matter will be determined following the NCUA Inspector General’s full investigation. The investigation will review if the NCUA has appropriate measures in place to protect sensitive information.

Enhanced data security measures aren’t the only new rules being considered by the NCUA in 2015. Matz recently stated that a revised risk-based capital rule will be proposed, as well a fixed assets rule that would require the use of a fixed-asset management plan by credit unions.

Another rule being considered surrounds the member business lending (MBL) waiver process that would “eliminate the need for loan-by-loan waivers and blanket waivers on issues such as personal guarantees, loan-to-value ratios and other underwriting criteria.” Matz notes the intent in modernizing MBL regulation is to “essentially remove all limits on MBLs except for those that are imposed by statute.” She added that “decisions on whether to require personal guarantees on minimum collateral on each MBL would be based on policies of each credit union.” Reviewing and updating the MBL regulations could ultimately allow credit unions a better opportunity to extend loans to small businesses, according to J. Mark McWatters, NCUA Board Member.

Credit unions can learn more about member business lending risk by accessing this complimentary whitepaper: Mitigating Top Member Business Lending Risks.