NCUA: ENCRYPTING DATA AT REST

Has anyone experienced an examiner writing a finding for not encrypting data "at rest"? We read the sited regulation as a 'consideration' and not a 'requirement'. Anyone experience the same?