Cybersecurity and Credit Union System Resilience Annual Report to Congress

MESSAGE FROM THE CHAIRMAN

On behalf of the National Credit Union Administration (NCUA), I am submitting our annual, statutorily required Cybersecurity and Credit Union System Resilience Report. This report summarizes the current cybersecurity threat landscape, highlights the agency’s key cybersecurity initiatives, and outlines the agency’s ongoing efforts to enhance cybersecurity preparedness and resilience within the credit union industry.

Throughout 2023, our nation—including its financial sector—has faced unprecedented challenges stemming from cyberattacks and other malicious activities targeting critical infrastructure. The credit union system, which serves more than 139 million Americans and plays a vital role in communities across the country, is not immune to these threats. In fact, in the face of an ever-evolving cybersecurity threat landscape, the need for ongoing vigilance in the credit union sector cannot be overstated.

The NCUA is committed to ensuring consistency, transparency, and accountability in its cybersecurity examination program and related activities. Further, over the last several years the NCUA has made major strides in promoting a culture of cybersecurity awareness and resilience among credit unions. Through targeted supervision completed using the NCUA’s recently implemented Information Security Examination program, the development of risk-assessment tools like the agency’s Automated Cybersecurity Evaluation Toolbox, the adoption of a cyber incident notification regulation in 2023, ongoing educational outreach, and grants to eligible credit unions, we have worked diligently to improve cybersecurity practices and mitigate risks.

Looking ahead, the NCUA remains committed to working closely with Congress, other regulatory agencies, industry stakeholders, and other partners to strengthen cybersecurity defenses and ensure the resilience of the credit union system. To that end, I respectfully ask for this Committee’s support in restoring the NCUA’s vendor authority over third-party service providers.

This regulatory blind spot has already had a negative impact on the industry. For example, last years’ third-party core service provider ransomware disruption affecting 60 small credit unions illuminated the NCUA’s challenges as it tried to mitigate issues on behalf of impacted credit unions and their member-owners.

Moreover, independent entities such as the Government Accountability Office, the Financial Stability Oversight Council, the NCUA’s Office of Inspector General, and a growing number of credit unions have identified this deficiency as a significant obstacle to the NCUA’s mission to safeguard credit union members and the financial system. All of them have recommended that Congress provide the NCUA with this authority.

Besides giving credit union members the same protection as bank customers, this sensible statutory change would significantly improve supervisory oversight and bolster our ability to mitigate cybersecurity risks, ultimately enhancing the credit union system’s overall security posture and the protection of critical infrastructure in the United States more broadly.

As we seek to strengthen our cybersecurity resiliency, I want to express my gratitude for your continued support and engagement on this critical issue. Together, we can confront the challenges posed by cybersecurity threats and uphold the safety and soundness of the credit union system for generations to come.

Sincerely,

Todd M. Harper
Chairman
National Credit Union Administration

INTRODUCTION

This report details the measures taken to strengthen cybersecurity within credit unions and the NCUA, per the Consolidated Appropriations Act, 2021.¹ This report:

outlines the NCUA’s policies and procedures to address cybersecurity risks and activities to ensure their effective implementation;
discusses cybersecurity resilience within the credit union system, including the NCUA’s key initiatives to enhance cybersecurity preparedness among credit unions, such as targeted examinations, risk assessments, and educational and outreach efforts;
describes current and emerging threats; and
highlights the NCUA’s collaboration with other federal agencies, industry stakeholders, and cybersecurity experts to address emerging threats and promote a culture of cybersecurity awareness and resilience within the credit union industry.

As the digital and geopolitical landscapes continues to evolve, the threat of cyberattacks against critical infrastructure, of which financial institutions are a vital part, looms larger than ever before. In response to this growing challenge, the NCUA has undertaken a comprehensive examination of cybersecurity resilience within the credit union system through its Information Security Examination (ISE) program.

As a member of the Federal Financial Institutions Examination Council (FFIEC) and the Financial and Banking Information Infrastructure Committee (FBIIC), the NCUA collaborates with other regulatory agencies to develop and implement cybersecurity policies and standards across the financial industry.

In addition, the NCUA Chairman serves as a voting member of the Financial Stability Oversight Council (FSOC). The FSOC identifies and responds to threats to the stability of the financial system. The chairman’s position on this body underscores the NCUA’s integral role in safeguarding the overall financial stability of the nation.

The credit union system relies extensively on third-party vendors to operate and deliver key member services. The NCUA lacks statutory authority over third-party vendors, which hinders the agency’s ability to examine and address cybersecurity risks in the credit union system. As a result, the credit union system—of which more than a third of the American public uses for basic financial services—remains particularly vulnerable to cybersecurity threats to third-party vendors that provide essential services. Because of this regulatory blind spot, the NCUA cannot manage or measure threats within its regulated entities, nor can it warn other government regulators or the Cybersecurity and Infrastructure Security Agency (CISA) of threats the NCUA may identify that may be first used in the credit union system.

By examining the current state of cybersecurity within the credit union system and identifying areas for improvement, this report aims to provide valuable insights and recommendations for enhancing the security and stability of credit unions nationwide. It underscores the NCUA’s ongoing commitment to protecting the financial well-being of credit union members and upholding the integrity of the broader financial system in the face of cybersecurity threats.

POLICIES & PROCEDURES

Information Security and Cybersecurity Regulations

Per the Gramm-Leach-Bliley Act, the NCUA Board established standards for federally insured credit unions relating to administrative, technical, and physical safeguards for credit union member records and information. These standards are incorporate into the NCUA’s regulations at 12 Code of Federal Regulations (C.F.R.) part 748, Appendix A, Guidelines for Safeguarding Member Information.

In February 2023, the NCUA Board approved a final rule that requires federally insured credit unions to notify the NCUA as soon as possible, within 72 hours, after a credit union reasonably believes that a reportable cyber incident has occurred. Under this rule, federally insured credit unions must report a cyber incident that (1) results in a substantial loss of confidentiality, integrity, or availability of a network or member information system(s) because of unauthorized access to or exposure of sensitive data, (2) disrupts vital member services, or (3) causes a serious impact on the safety and resiliency of operational systems and processes.

This rule became effective September 1, 2023. From September 1, 2023, through May 1, 2024, credit unions reported 892 cyber incidents. Approximately 73 percent of all reported incidents were related to the use or involvement of a third party.

Information Security Examination Program

The NCUA regularly examines all federally insured credit unions.² At each examination, the NCUA performs an information security review using the ISE program. The ISE program uses a risk-focused, scalable approach to examine credit unions’ information security programs, which provides examiners the flexibility to focus on areas of current or potential material risk relevant to each credit union’s unique business model.

ISE Program. The objectives of the ISE program include:

Evaluating management’s ability to recognize, assess, monitor, and manage information technology (IT) and systems-related risks;
Assessing whether the credit union has sufficient expertise to adequately plan, direct, and manage information systems and technology operations;
Evaluating the adequacy of internal information systems and technology controls and oversight to safeguard member information; and
Determining whether the board of directors is providing adequate governance over information systems and security.

The NCUA began using its ISE procedures in early 2023. The ISE procedures were designed to be scalable to enable examiners to tailor the examination based on asset size and complexity, standardize the examination of a credit union’s information security and cybersecurity program, and enhance the identification of control deficiencies and trends at the industry level. The ISE procedures also provide examiners and credit unions with a well-structured examination workflow.

The ISE procedures are focused on NCUA regulations 12 C.F.R. parts 748 and 749 and align closely with the Automated Cybersecurity Evaluation Toolbox (ACET) maturity assessment application provided by the NCUA that credit unions can voluntarily use to conduct a cybersecurity maturity assessment. The ISE also references guidance from the NCUA and the FFIEC, as well as other industry-accepted best practices and security frameworks from the National Institute of Standards & Technology (NIST), the Center for Internet Security, and CISA.

Credit Union Service Organization (CUSO) Reviews. A CUSO is an entity in which at least one federally insured credit union(s) has an ownership interest in or has extended a loan to and the entity primarily provides products or services to credit unions or members of credit unions. The NCUA periodically performs reviews of CUSOs. While the NCUA has access to the “books and records” of a CUSO, the NCUA lacks direct authority over CUSOs. CUSOs, therefore, may reject any of the NCUA’s recommendations that result from a review, including those recommendations related to cybersecurity. As noted in the Chairman’s statement at the start of this report and explained more fully below, the restoration by Congress of the NCUA’s vendor authority powers to examine and supervise third-party vendors, including those CUSOs subject to cybersecurity risks, would close this regulatory blind spot and better protect our financial system and economy.

ACET Maturity Assessment

The ACET maturity assessment is a voluntary tool provided and maintained by the NCUA that allows credit unions to determine the maturity of their information security programs. The ACET incorporates appropriate cybersecurity standards and practices established for financial institutions. It also maps each declarative statement to best practices found in the FFIEC IT Examination Handbook, regulatory guidance, and leading industry standards like the NIST Cybersecurity Framework. The FFIEC IT Handbook Infobase offers various resources, from IT booklets and work programs to information on IT security-related laws, regulations, and guidance. Financial institutions can use these booklets to align their information security and cybersecurity practices with the FFIEC guidelines.

Information Technology & Cybersecurity Supervisory Guidance

Since June 2023, the NCUA has issued the following cybersecurity alerts and notices to help protect federally insured credit unions from cybersecurity exposures:

ATM and Interactive Teller Machine (ITM) Skimming and Shimming Activities. Skimming and shimming fraud involves capturing card information using unauthorized devices. Since September 2023, 44 incidents were reported to the NCUA, peaking in February 2024. NCUA provided cybersecurity guidance and alert notifications reminding credit unions to conduct inspections, install anti-skimming devices, enhance surveillance, educate members, monitor transactions, and update software.
Current Geopolitical Events Increase Likelihood of Cyberattacks on Financial Institutions. Due to evolving geopolitical events, the likelihood of cyberattacks on U.S. financial institutions has increased. The NCUA, CISA, and the Federal Bureau of Investigation (FBI) encouraged credit unions to adopt heightened awareness, reassess business continuity plans, and review CISA’s recommendations to reduce the risk of compromise. Anecdotal warnings from some credit unions indicate that information technology and cybersecurity service providers sometimes have services originating in a foreign country; a significant risk the NCUA cannot manage or measure because the agency does not have third-party vendor authority.
Business Email Compromise. Business email compromise attacks targeting credit unions, involving compromised or spoofed email accounts to initiate fraudulent transactions. The NCUA provided credit unions with cybersecurity guidance and alert notifications to enable multi-factor authentication (MFA), educate employees, use anti-malware, and email filtering software, verify financial transactions, and backup data regularly.
Compromise at an ATM Provider. A third party experienced a cybersecurity attack potentially compromising systems. Credit unions relying on this vendor were advised to assess the impact, activate incident response teams, enhance monitoring, communicate with members, and comply with regulatory obligations. The NCUA subsequently learned the third party experienced a ransomware attack affecting internal systems and some ITMs and ATMs. The incident was contained, and the vendor worked with the FBI. The NCUA sent an updated notice to credit unions advising them to maintain communication with the vendor, consult cybersecurity experts, and visit CISA’s ransomware resources.

This incident is an example of an unnecessary burden potentially placed on credit unions during a crisis when vendors deny NCUA requested information on a cybersecurity event. If the NCUA had third-party vendor authority, the agency can compel information directly from the service provider, relieving impacted credit unions of this burden, and potentially sharing valuable tactics, techniques, and procedures information with other federal and state regulatory agencies to ensure a whole of government approach to protecting critical infrastructure in the United States.
File Transfer solution Zero-Day Exploitation by Threat Actors. A zero-day vulnerability in a managed file transfer solution was actively exploited. The vendor released an emergency patch and credit unions using their software were advised to apply the patch, implement access controls, and avoid exposing the administrator console to the internet. When zero-day exploitations occur in third-party service provider operated systems, the NCUA cannot ascertain the risk to the system because of the lack of vendor authority. The NCUA also cannot warn other federal or state regulators about the threat that may also be used within other critical infrastructure regulated entities because the agency does not have third-party vendor authority.
Recent Uptick in Cyberattacks Against Credit Unions and Third-Party Service Providers. Cyberattacks against credit unions and service providers increased, including incidents with a web application. Credit unions were advised to patch vulnerabilities, implement MFA, train employees, deploy email security measures, develop incident response plans, assess vendor risks, segment networks, maintain data backups, and monitor security updates.
MFA Vulnerabilities and Mitigations for Credit Unions. Credit unions were reminded that MFA methods could be bypassed through phishing, social engineering, Subscriber Identity Module Subscriber Identity Module swapping, man-in-the-middle, and brute-force attacks. Credit unions were advised to educate users, use strong MFA methods, implement risk-based authentication, monitor suspicious activities, update software, and segment networks. Anecdotal warnings from some credit unions indicate that some third-party service providers do not utilize basic cybersecurity practices such as MFA; a significant risk the NCUA cannot manage or measure because the agency does not have third-party vendor authority.
Phishing Attacks Targeting Credit Unions. Credit unions were targeted by phishing schemes spoofing NCUA addresses, asking recipients to complete a web form to avoid email suspension. Recipients were advised not to click on links and delete such emails. Preventative measures included being cautious of unsolicited contacts, not revealing personal information via email, verifying requests directly, and maintaining anti-virus software and email filters. When phishing attacks occur at third-party service providers, unless the affected provider volunteers information to the NCUA, the agency cannot manage or measure the risk to the system because the agency does not have third-party vendor authority.

Agency Cybersecurity Program

The NCUA Board has established a low-risk appetite for technology and information management for operational IT and IT systems.³ Additionally, the NCUA must comply with mandatory security standards for federal information and information systems and must meet these minimum information security requirements by using security and privacy controls recommended by NIST and Federal Information Security Modernization Act (FISMA).^{4, 5}

The NCUA implements applicable statutes, regulations, and standards using the NIST Risk Management Framework and adherence to NIST Special Publication 800-53 − Security and Privacy Controls for Information Systems and Organizations.⁶ The NCUA complies with binding operational directives, emergency directives, and cybersecurity coordination, assessment, and response directives issued by CISA.

The NCUA documents, categorizes, and authorizes all information systems in the agency, including internally hosted federal systems, contractor-hosted systems, and services provided by other third parties. The NCUA is adopting a zero-trust security model based on the principle of maintaining strict access controls. As part of system authorization, the NCUA considers:

information types, assets, and systems;
the roles and privileges of those who manage and operate them; and
the interconnection of systems and data.

Based on information and system sensitivity, the NCUA selects and implements the security controls necessary to protect the confidentiality, integrity, and availability of the organizational systems and critical infrastructure. The security control implementation statements are documented, reviewed, and tested to ensure they produce the desired outcome.

Once authorized, systems are continuously monitored using automated and manual processes with regular testing of controls to validate their continued efficacy. System authorization data is stored in the NCUA’s governance, risk, and compliance repository, which aggregates and analyzes enterprise information security risk information. This provides seamless reporting to NCUA’s senior management and CISA.

In addition to technology, the NCUA strengthens information security by designing and disseminating fully developed agency-wide and program-specific policies and procedures to establish appropriate practices for collecting, securing (data is encrypted in transit and at rest), retaining, and destroying data. These policies and procedures are based on applicable requirements in information security laws, or are otherwise mandated by NIST, the Office of Management and Budget, CISA, or the National Archives and Records Administration.

ACTIVITIES TO ENSURE EFFECTIVE INFORMATION TECHNOLOGY SECURITY

Appointing Qualified Staff

The NCUA has hired staff focused on cybersecurity and privacy. IT security staff include cybersecurity operations and incident responders, cloud security architects, application security architects, and network security engineers. In addition, the agency uses contract staff with specialized skills to support its work in the areas of:

Computer forensics;
Defensive cyber operations;
Malware analysis and mitigation;
Security information and event management;
Configuration management;
Threat hunting; and
Incident handling and response.

The NCUA’s Enterprise Risk Management Council, a Cybersecurity Council, and IT Oversight Council are comprised of senior executives within the agency with diverse backgrounds, including information technology and security, and are tasked with monitoring, measuring, managing, and prioritizing risks and related investments, including IT security. These internal agency councils meet as often as monthly and are briefed regularly on cybersecurity matters that relate to credit unions, financial services, or the agency.

The NCUA also has staff with the requisite national security clearances to support the dissemination of classified information to appropriately cleared staff members on a need-to-know basis, as well as other federal agencies to share relevant information that may be used to warn or proactively mitigate threats in their regulated entities. The Chief Information Officer, the Senior Agency Information Security/Risk Officer, and the Senior Agency Official for Privacy collaborate to ensure compliance with regulations and drive security performance. An executive-level Cybersecurity Advisor and Coordinator position was established in 2021 to organize, coordinate, and advise on cybersecurity and critical infrastructure matters across all NCUA offices. The Cybersecurity Advisor and Coordinator provides advice directly to the NCUA Board and senior leadership on cybersecurity matters.

NCUA Staff Training

All Staff. All agency staff receive general and role-based training on information security and cybersecurity at least annually. This training addresses staff’s legal, reputational, and ethical obligations to protect sensitive information. The NCUA provides mandatory privacy and security awareness training to all NCUA system users. The training addresses appropriate information security practices, rules of behavior for access and use of data systems, responsibilities for protecting personally identifiable information, and ethics rules prohibiting unauthorized information disclosures. Staff are trained on policies regarding:

Collecting information necessary to perform their planned review;
Collecting information in a secure manner using a hierarchy of secure methods that best suit the situation;
Transferring and storing any sensitive information only where there is an identified, authorized need to retain such information, and in a manner consistent with agency instructions for handling sensitive information; and
Destroying or returning all other non-public sensitive or personally identifiable information after the examination or review, per applicable laws.

Staff with Elevated Access. Staff who have elevated access to systems or have management responsibility for systems and data take mandatory role-based training. For NCUA staff serving in cybersecurity roles, individual development plans are developed collaboratively with managers to build domain-specific skills.

Field Staff. The NCUA’s training for examiners and others that examine or supervise credit unions includes special training on the ISE program. The training program provides instruction on topics including NCUA regulations parts 748 and 749, agency guidance, and industry best practices related to measuring, monitoring, reporting, and controlling IT risks. Examiner training is designed to maintain and update knowledge of standards, tools, and practices to identify, detect, prevent, and mitigate IT and cybersecurity risks, threats, and vulnerabilities. This training includes classroom, online, and on-the-job training. The training is designed to specifically address competencies in the areas of IT, information security, and cybersecurity. The courses are designed to introduce ISE procedures and expand examiners’ understanding of cybersecurity concepts found in the FFIEC IT Booklets, NIST guidance, and industry best practices.

Specialists. The NCUA has a cadre of examiners specially trained in IT security. These regional specialist and subject matter examiners have the technical knowledge and skills necessary to perform in-depth information security examinations for the more complex institutions. The NCUA has recently added the role of Director of Specialist Resources (DSR) in each of the NCUA’s three regions. The DSRs are tasked with overseeing the Regional Information Systems Officers and other specialists. These new supervisory positions facilitate better communication and coordination among NCUA’s cybersecurity teams and contribute to the formulation of policies and operational strategies that significantly impact the safety and soundness of the credit union system. The addition of the DSR role reflects the agency’s proactive approach to cybersecurity management and aligns with its broader goals of protecting the interests of credit union members while promoting systemic financial stability. The NCUA also has specialized personnel in the Office of Examination and Insurance to develop and maintain examination policies and tools, supervisory guidance, and examiner training.

Credit Union Training and Support

The NCUA’s Office of Credit Union Resources and Expansion provides training for credit unions. The NCUA maintains an online system available to credit unions at no cost with over 200 courses available on various topics, including information security. This office also hosts webinars that deliver timely and meaningful information to help credit union professionals stay current on relevant topics affecting the credit union community. These webinars provide credit union management with important information on how to protect their credit unions and members.

The NCUA provides credit unions additional resources through its website and by offering technical assistance grants and low-interest loans to low-income designated credit unions.

ACET. As noted previously, the NCUA provides credit unions with free access to the ACET maturity assessment. This tool helps a credit union determine its risk exposure by identifying the type, volume, and complexity of the institution’s operations, and enables the credit union to assess the adequacy of corresponding controls. ACET is based on the U.S. Department of Homeland Security (DHS) Cyber Security Evaluation Tool. It provides a multitude of cybersecurity standards and other resources for a credit union to conduct self-assessments, including the Ransomware Readiness Assessment.
NCUA.gov. The NCUA website provides cybersecurity resources for research and informational purposes. Specifically, the Cybersecurity Resources page centralizes and contains applicable references to NCUA regulations and guidance, federal government requirements and guidelines, information sharing, cybersecurity threats, best practices, and privacy and protection.
Grants and Loans. The NCUA provides technical assistance grants and low-interest loans to support credit unions’ efforts to improve and expand service through the Community Development Revolving Loan Fund. Year after year, demand for this funding continues to exceed supply. During the 2023 grant round, the agency received 316 applications totaling more than $10.3 million, and awarded more than $3.5 million in technical assistance grants to 146 low-income-designated credit unions. Of that amount, 79 grants totaling nearly $800,000 were specifically earmarked for digital services and cybersecurity projects.

Agency Investment in Information Technology Security

The NCUA has invested significant resources in prioritizing agency cybersecurity resiliency and adopting Zero-Trust Architecture (ZTA). These investments are designed to identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated cyber campaigns. The aim is to meet and exceed the standards outlined in the latest Office of Management and Budget directives advocating for a robust ZTA across federal agencies.

All basic user accounts must use multi-factor, certificate-based authentication to access network resources. Elevated privilege accounts (system and network administrators and engineers) are issued session-based credentials with specific expiration timeframes. To mitigate vulnerabilities, NCUA network users remotely access network services and resources protected by encrypted virtual private network (VPN) tunnels. Internal and external network traffic is managed and monitored. VPN connectivity on NCUA laptops is mandatory for all users. This system continually enforces technical policies and ensures traffic and data are encrypted and secure.

The NCUA uses a security information and event management solution to enhance visibility, investigative, and remediation capabilities. This solution provides insights, automated analytics, and actionable intelligence through correlation and machine learning to efficiently identify anomalous behavior in agency networks, infrastructure, and applications.

The NCUA uses a threat intelligence platform to automate threat analysis and identify threat exposure. This platform enables better decision-making and improves security capabilities to reduce the risk of compromise. In support of national efforts to remove barriers to threat information sharing, the NCUA leverages automated indicator sharing from DHS. The NCUA also leverages DHS’s Protective Domain Name System and Trusted Internet Connection 3.0 to enhance cybersecurity analysis, situational awareness, and security response in internet traffic and connections.

To support cybersecurity resiliency and mitigate risks resulting from infrastructure failure, the NCUA has redundant data center facilities that are failovers for essential NCUA network resources and services. Essential public-facing web services have been migrated to cloud-based infrastructure to leverage both inherent geographic dispersion and infrastructure failure risk mitigation. For critical business productivity and collaboration client resilience, the NCUA migrated to Microsoft’s Office 365 government cloud environment.

The NCUA’s approach to data loss prevention limits local downloading of business information; however, when necessary due to limited network connectivity, any downloads are to centrally tracked and managed encrypted devices. For email data loss and exfiltration, the NCUA uses a third-party technology that monitors, notifies, logs, and prevents business information from malicious and inadvertent transfer to external email domains. The NCUA uses Domain-based Message Authentication, Reporting, and Conformance to combat spam, phishing, and spoofing of NCUA email domains.

To mitigate the risk of endpoint malware-based data exfiltration, the NCUA uses a robust real-time Endpoint Detection and Response tool with integrated open-source intelligence feeds, creating opportunities for malware auto-response at the user and server endpoints. The NCUA has enhanced the security of mobile devices by hardening the devices and implementing an adaptable mobile security solution to detect and protect against mobile threats, including phishing, malicious mobile apps, device compromise, and risky connections.

Finally, the NCUA evaluates new systems and services to determine if they are candidates for the Office of Management and Budget’s Cloud Smart initiative. As part of the initiative to move to a ZTA and accelerate movement to secure cloud services, the NCUA is carefully evaluating the need for additional investment in both technology and personnel.

Audits and Reviews of the NCUA’s Cybersecurity Program

The NCUA’s Office of the Inspector General (OIG) conducts independent audits, investigations, and other activities to verify the NCUA’s compliance with applicable laws, regulations, and standards, including those related to privacy and information security, to determine whether the NCUA effectively implemented all appropriate security and privacy controls.

There are five FISMA maturity levels, and the NCUA was evaluated as Maturity Level 4 “Managed and Measurable” as of fiscal year 2023. This rating reflects that the NCUA implemented an effective information security program and substantially complied with information security and privacy practices, policies, and procedures. In addition, as indicated in the financial statement audits, the NCUA complies with the requirements of the Federal Managers’ Financial Integrity Act of 1982. Credit unions and their members can review OIG audit reports, semiannual reports, and letters to Congress on the NCUA’s OIG reports page.

NCUA senior leadership are briefed on the status of open findings every quarter, and resources are allocated as appropriate to ensure mitigation.

Binding Operational Directive 18-02 requires the federal government to identify high value assets and submit to a DHS-led assessment once every 3 years. The NCUA’s General Support System was assessed by a CISA-led team during the week of February 26, 2024 – March 1, 2024. After a review of the General Support System documentation, an in-depth technical exchange meeting with NCUA subject matter experts, and a targeted penetration test, CISA determined that the NCUA has a thorough and well-documented risk management program that includes participation, involvement, and awareness from the system-level up to senior leadership. The NCUA received no critical or high reportable findings. The NCUA will continue to report quarterly the status and compliance of its high-value assets.

Interagency Coordination Efforts

The NCUA coordinates with other federal and state regulatory agencies to strengthen cybersecurity, including the development and dissemination of best practices and sharing threat information. Examples include the:

FFIEC. In particular, the NCUA participates on the FFIEC’s Information Technology Subcommittee. This group addresses information systems and technology policy issues as they relate to financial institutions and their technology service providers. The NCUA also participates on the Cybersecurity Critical Infrastructure Subcommittee. This group addresses policy relating to cybersecurity, critical infrastructure security, and the resilience of financial institutions and technology service providers.
FSOC. Because a weakness in the information security of financial systems or data could lead to an incident that could potentially threaten the stability of the U.S. financial system, cybersecurity falls under the charge of FSOC. In its 2023 annual report, FSOC provides several cybersecurity related recommendations focused on maintaining and improving the cyber resilience of the financial system, including that Congress provide the NCUA with third-party vendor authority.
FBIIC. The NCUA is one of the 18 FBIIC member organizations from across the financial regulatory community, both federal and state. Through monthly meetings, staff from FBIIC member organizations work on operational and tactical issues related to critical infrastructure matters, including cybersecurity, within the financial services industry. The FBIIC also leads the financial sector’s cybersecurity exercises, of which the NCUA regularly participates.
Financial Services Sector Coordinating Council. The NCUA collaborates and coordinates with the private sector through the Financial Services Sector Coordinating Council (FSSCC). The FSSCC works collaboratively with key government agencies to protect the nation’s critical infrastructure from cybersecurity and physical threats. The FSSCC is comprised of more than 70 members from financial trade associations, financial utilities, and the most critical financial firms. Through government relationships, the FSSCC directly assists the sector’s response to natural disasters.
U.S. Department of Treasury and CISA. As a federal agency, the NCUA follows CISA and the U.S. Department of the Treasury’s direction during government-wide incident response activities. In addition, the NCUA identifies potential, actual, and emerging threats, issues, or challenges to analyze underlying causes and develop innovative short- and long-term solutions. This analysis supports the shaping of the NCUA’s internal policies and procedures related to cybersecurity, critical infrastructure protection, supply chain risks, national security, insider threats, counterintelligence, continuity of operations, and emergency response. The NCUA’s staff also participate in the following interagency initiatives:
- CISA security operations center information and collaboration sessions;
- Treasury sector cybersecurity collaboration and information sessions;
- The Federal Chief Information Security Officer Council; and
- The Small Agency Chief Information Security Officer collaboration forum.

Industry Efforts

Credit union participation in the following initiatives reflect the credit union system’s proactive engagement with the broader information security community to enhance cybersecurity and resilience.

Information Sharing and Analysis Centers & Organizations. Credit unions actively participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), where the financial sector shares intelligence, knowledge, and practices. The National Credit Union Information Sharing and Analysis Organization was established to tailor these efforts to the unique needs of credit unions and provides security coordination and collaboration to identify, protect, detect, respond, and recover from threats and vulnerabilities.
Sheltered Harbor. Comprised of financial institutions, core service providers, national trade associations, alliance partners, and solution providers dedicated to enhancing financial sector stability and resiliency, Sheltered Harbor is a subsidiary of the FS-ISAC. It developed standards to assist financial institutions prepare for catastrophic events. The standards are designed to help institutions to plan for and recover from catastrophic events, and to be able to continue to provide essential services until normal operations can be reestablished.
Hamilton Series Exercises. The NCUA supports the Hamilton Series exercises through its membership on the joint FSSCC − FBIIC Exercise Committee. These one-day exercises simulate various cyberattack scenarios to enhance cybersecurity threat responses within the U.S. financial sector. They also aim to improve public-private coordination strategies by including diverse participants from both sectors.⁷
CISA Cyber Hygiene Services. Over 200 credit unions have engaged with CISA’s Cyber Hygiene Services program, which offers vulnerability scanning and web application scanning to help institutions mitigate cybersecurity threats.

CURRENT & EMERGING THREATS

In today’s digital age, the financial sector faces an increasingly sophisticated array of cybersecurity threats that demand vigilance. The rapid evolution of technology, coupled with escalating geopolitical tensions, has expanded the threat landscape significantly. Financial institutions, including credit unions, are particularly vulnerable due to their increasing reliance on technology and third-party service providers that the NCUA has no authority to examine, supervise, or regulate.

The NCUA remains concerned about the risks cyberattacks pose to the financial system. Cybersecurity risks grow as threats evolve, become more sophisticated, and cause greater damage to a variety of industries. Geopolitical tensions increase the possibility of nation-states and other sophisticated actors conducting malicious cyberattacks against U.S. critical infrastructure, of which credit unions are a significant part. To ensure the industry’s long-term success, credit unions must deliver member services using appropriate controls.

The evolving array of cybersecurity threats that require continued vigilance by credit unions include:

Third-Party Risk. Credit unions’ dependency on third-party vendors and the integral nature of the supply chain introduces considerable risk as cyber actors continue to exploit the vulnerabilities of third-party providers. The absence of third-party vendor authority limits the NCUA’s ability to assess and mitigate potential risks associated with these vendors. Vendors typically decline examination requests or refuse to implement recommended actions, exacerbating credit unions’ exposure to operational, cybersecurity, and compliance risks that can arise from these relationships. Without visibility into these entities and the authority to supervise and enforce corrective actions, the NCUA cannot effectively protect credit unions and their member-owners or provide relevant information to other federal and state regulators of threats encountered in the credit union industry.

Based on cyber incident reports submitted by credit unions since September 1, 2023, compromises within third-party services have led to systemic risks across the credit union ecosystem. In fact, incidents related to third-party vendors accounted for approximately 73 percent of total reported incidents.

A recent cyber incident has underscored the importance of the NCUA obtaining vendor authority to address these risks. On November 26, 2023, a major service provider for the credit union industry was targeted by a ransomware attack, resulting in a prolonged service outage that affected 60 credit unions. This incident exposed significant challenges in the agency’s ability to respond effectively due to the lack of vendor authority. During the incident, the NCUA faced substantial difficulties in obtaining crucial information from third-party vendors, which hindered response efforts. Due specifically to the NCUA’s lack of vendor authority, the NCUA encountered delays in communication and inability to obtain data. These obstacles could have been mitigated if the NCUA had the authority to demand timely and reliable information from all relevant parties.

Moreover, the lack of vendor authority also impacts the nation’s critical economic infrastructure and national security, as the interconnectedness of financial services expands with other industries and national infrastructure. Currently, more than one in three Americans use a credit union for basic financial services, and there are many credit unions with fields of membership that are tied to high-risk populations such as congressional staff, the U.S. military, the State Department, and members of the U.S. Intelligence Community. Many of these credit unions use third-party service providers to provide critical member services. A sophisticated cyberattack against a vendor can have measurable impacts on the personnel who are critical to government operations and national security. By current estimates, roughly 90 percent (or approximately $1.9 trillion) of industry assets are in some way managed or affected by unregulated third-party service providers.
State-Sponsored Cyber Activities. Over the past year, U.S. government organizations, including CISA, the National Security Agency, and the FBI produced a joint advisory to alert the public that cyber actors sponsored by the People’s Republic of China are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States or its allies. This advisory was published following months of observations and incident response activities at U.S. critical infrastructure organizations which had been compromised. State-sponsored cyber activities against critical infrastructure are a real threat to the credit union system—due, primarily, to the number of Americans that can be impacted and the resulting effects on the U.S. economy. Along with CISA, the FBI, and the National Security Agency, the NCUA has encouraged credit unions of all sizes to adopt a heightened state of awareness and to proactively hunt threats to defend against this risk. Additionally, the NCUA provided guidance and resources to credit unions to assist in mitigating this threat and specifically recommended credit unions report cyber incidents to CISA. The NCUA has also directed credit unions to CISA’s Shields Up website for additional guidance, reporting options, and mitigation measures.
Ransomware Attacks. Ransomware is an increasingly serious threat to credit unions. Ransomware attacks continue across all sectors, including the financial sector, and have left victims without the data they need to operate. Over the past year, ransomware attacks and payments have escalated in frequency, scope, and volume across all critical infrastructure sectors. One of the primary causes of this sharp growth is the increase in cyber actors using ransomware to carry out attacks and, in turn, profit from their actions. Ransomware as a service is a cybercrime business model in which a ransomware group sells its code or malware to other hackers, who then use it to carry out their own ransomware attacks. This has made it easier for bad actors to carry out ransomware attacks. Designed to help public and private organizations defend against the rise in ransomware cases, CISA’s StopRansomware provides a whole-of-government approach to tackle ransomware more effectively and serves as one central location for ransomware resources and alerts.
Quantum Computing and Cryptographic Risks. The U.S. government remains concerned with the development and trajectory of quantum information technologies and products that could compromise existing encryption and other cybersecurity controls across critical infrastructure sectors.
Artificial Intelligence (AI)-enabled Attacks. Generative AI creates new text, images, video, and other content. Generative AI has gone mainstream and is increasingly being used by cyber actors to create complex malware and advanced social engineering attacks, including phishing and spoofing. By making these attacks more effective, they are also harder to detect and prevent. In addition to generative AI being used for initial attack vectors, it can also amplify threats once an initial breach has occurred. AI tools can be used to modify code at scale, quickly giving control to attackers. These tools can also be trained on a dataset of known vulnerabilities and used to automatically generate new exploit code to target multiple vulnerabilities in rapid succession. Cyber actors can also use generative AI to scan massive amounts of company data, summarizing it to identify employees, relationships, and assets, potentially leading to further social engineering attacks via user impersonation, blackmail, or coercion. However, generative AI is not used exclusively by bad actors—organizations are increasingly using the same technology to build better cybersecurity defenses.

The evolving nature of cybersecurity threats demands a dynamic and informed response strategy from both credit unions and the NCUA. By focusing on third-party vulnerabilities, geopolitical risks, advanced cybercrime tactics, and by maintaining robust communication channels, credit unions can enhance their resilience against a broad spectrum of cybersecurity threats. This integrated approach not only addresses current threats but also positions the credit union sector to adapt to future challenges, ensuring long-term security and operational success.

CONCLUSION

The NCUA is committed to fortifying cybersecurity resilience within the agency and the credit union system. Through targeted examinations, comprehensive risk assessments, and robust educational outreach initiatives, the NCUA is working diligently to strengthen cybersecurity practices and mitigate potential vulnerabilities across the industry.

Within the limits of its current statutory authorities, the NCUA remains proactive in furthering effective IT security within the credit union system. By leveraging partnerships with other federal agencies, industry stakeholders, and cybersecurity experts, the NCUA continues to foster a collaborative environment conducive to information sharing and coordination. This collaborative approach enables the NCUA to stay abreast of current and emerging threats, enhancing its ability to anticipate and respond effectively to cybersecurity risks.

However, challenges persist, particularly concerning the lack of authority over third-party vendors.⁸ The reliance of credit unions on third-party vendors for essential services exposes them to additional cybersecurity risks and is a growing regulatory blind spot for the NCUA.

As the digital landscape continues to evolve, the NCUA remains committed to adapting its cybersecurity approach to effectively address emerging threats and challenges. By remaining vigilant and proactive, the NCUA aims to defend the security and stability of the credit union system, promoting the financial well-being of credit union members, and safeguarding the integrity of the broader financial system for generations to come.

In order to achieve these worthy goals, the NCUA will continue to request that Congress provide the long overdue ability for the NCUA to supervise and examine third-party service providers in the credit union industry. This authority is needed to manage, measure, and proactively mitigate risks within the credit union system, and to be able to share relevant information with government partners to add to the whole of government approach to protecting critical infrastructure in the United States.

APPENDIX: RESOURCES

Laws, Regulations, and Reports

Source	Reference	Impact
NCUA	Part 748 – Security Program	IT Examination
NCUA	Part 749 – Records Preservation Program	IT Examination
FTC	Standards for Safeguarding Customer Information	IT Examination
OIG Report	OIG-17-08, Audit of the NCUA Information Technology Examination Program	Cybersecurity
OIG Report	OIG-19-07, Audit of the NCUA Office of National Examinations and Supervision Oversight of Credit Union Cybersecurity Programs	Cybersecurity
OIG Report	OI G-20-07, Audit of the NCUA’s Examination and Oversight Authority Over Credit Union Service Organizations and Vendors	Cybersecurity

Recent NCUA Letters to Credit Unions

Year	Letter	Letters to Credit Unions
2023	23-CU-07	Cyber Incident Notification Requirements
2022	22-CU-07	Federally Insured Credit Union Use of Distributed Ledger Technologies
2021	21-CU-16	Relationships with Third Parties that Provide Services Related to Digital Assets
2021	21-CU-15	Automated Cybersecurity Evaluation Toolbox

Recent NCUA Risk Alerts & Notices

Year	Reference	Alert
2022	22-RISK-01	Heightened Risk of Social Engineering and Phishing Attacks
2021	21-RISK-01	Business Email Compromise through Exploitation of Cloud-Based Email Services
2020	20-RISK-02	Cybersecurity Considerations for Remote Work
2019	19-RISK-01	Business Email Compromise Fraud
2024	*Alert	Automated Teller Machine and Interactive Teller Machine Skimming and Shimming Activities
2023	*Notification	Upcoming Webinar with FBI on Ransomware Trends and Mitigation Recommendations
2023	*Alert	Update to Ransomware Compromise at Significant ATM and Banking Equipment Provider
2023	*Alert	Compromise at ATM Provider QSI – Immediate Action Required if Your Credit Union Uses Equipment provided by QSI
2023	*Notification	MOVEit Cybersecurity Incident Considerations
2023	*Alert	Recent Uptick in Cyberattacks Against Credit Unions and Third-Party Service Providers
2023	*NCUA Express	MOVEit Transfer Web Application Vulnerability
2023	*Alert	Business Email Compromise – Targeting Credit Unions
2023	*Alert	Multi-Factor Authentication Vulnerabilities and Mitigations for Credit Unions
2023	*Alert	Forta GoAnywhere Zero-Day Exploitation by Threat Actors
2023	*Information	Information Security Examination Beginning in 2023
2022	*Notification	FFIEC Industry Outreach Webinar: Critical Infrastructure Security and Resilience Multifactor Authentication (MFA)
2022	*Information	Cybersecurity Month – “Ransomware in the Financial Sector” Webinar
2022	*Alert	FFIEC Releases Cybersecurity Resource Guide for Financial Institutions
2022	*NCUA Express	NCUA Express: Sign Up to Receive Call Report and Cybersecurity Information
2022	*Alert	Recent Phishing Email Targeting Credit Unions
2022	*Alert	Unpatched VMware Vulnerabilities Being Exploited for Full System Control
2022	*Alert	Register for the Ransomware Outreach Event
2022	*Alert	Current Geopolitical Events Increase Likelihood of Imminent Cyberattacks on Financial Institutions
2022	*Alert	Current Geopolitical Events Increase Likelihood of Cyberattacks

* Denotes GovDelivery Notices that have limited distribution and are not linked to a public facing website.

NCUA Supervisory Priorities

Year	Letter	Reference
2024	24-CU-01	NCUA’s 2024 Supervisory Priorities
2023	23-CU-01	NCUA’s 2023 Supervisory Priorities
2022	22-CU-02	NCUA’s 2022 Supervisory Priorities
2021	21-CU-02	NCUA’s 2021 Supervisory Priorities
2020	20-CU-22	Update to NCUA’s 2020 Supervisory Priorities
2020	20-CU-01	2020 Supervisory Priorities
2019	19-CU-01	Supervisory Priorities for 2019

Interagency Cybersecurity Statements and Press Releases

Date	Statements and Press Releases
8/11/2021	Authentication and Access to Financial Institution Services and Systems
3/29/2021	Agencies Seek Wide Range of Views on Financial Institutions’ Use of Artificial Intelligence
4/30/2020	FFIEC Issues Statement on Risk Management for Cloud Computing Services
3/6/2020	FFIEC Highlights Pandemic Preparedness Guidance
11/14/2019	Financial Regulators Revise Business Continuity Management Booklet to Stress to Examiners the Value of Resilience to Avoid Disruptions to Operations
8/28/2019	FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness
11/5/2018	FFIEC Releases Statement on OFAC Cyber-Related Sanctions
4/10/2018	FFIEC Issues Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs

FFIEC Cybersecurity Awareness: Resources

FFIEC Cybersecurity Resource Guide for Financial Institutions

FFIEC Authentication and Access to Financial Institution Services and Systems Guidance

FFIEC Statement on Security in a Cloud Computing Environment

FFIEC Office of Foreign Assets Control Cyber-Related Sanctions Program Risk Management

FFIEC Statement on Cyber Insurance and Its Potential Role in Risk Management Programs

FFIEC Cybersecurity Assessment Tool Frequently Asked Questions

Cybersecurity of Interbank Messaging and Wholesale Payment Networks

FFIEC Cybersecurity Assessment Tool Presentation

FFIEC Statement on Destructive Malware

FFIEC IT Examination Handbook InfoBase

Introduction to the FFIEC’s Cybersecurity Assessment

FFIEC Cybersecurity Assessment General Observations

Cybersecurity of Interbank Messaging and Wholesale Payment Networks

FFIEC Cybersecurity Assessment Tool Presentation

Webinar: Executive Leadership of Cybersecurity

FFIEC IT Booklets: Audit, Architecture, Infrastructure, and Operations, Business Continuity Management, Information Security, Retail Payment Systems, Management, Supervision of Technology Service Providers, Outsourcing Technology Services, Development and Acquisition, Wholesale Payment Systems

¹ Pub. L. No. 116–260, 134 Stat. 2173 (Dec. 27, 2020)

² The NCUA’s examination frequency for federal credit unions is based on risk but generally may not extend more than 20 months from the previous examination. Federally insured, state-chartered credit unions are primarily examined by the applicable state regulator, with participation from the NCUA based on risk, but no less than every 5 years.

³ NCUA Risk Appetite Statement (October 20, 2022). The risk appetite for technology and information management for operational IT and IT systems is “averse.”

⁴ FIPS Publication 199, Standards for Security Categorization of Federal Information, and Information Systems; FIPS Publication 200, Minimum Security Requirements for Federal Information, and Information Systems.

⁵ NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

⁶ In addition to NIST standards and guidelines, the NCUA is subject to federal statutes such as the Federal Information Security Modernization Act of 2014, the E-Government Act of 2002, the Privacy Act of 1974, and various Office of Management and Budget policies and guidance concerning federal information management and privacy.

⁷ https://www.fsisac.com/hubfs/Resources/FS-ISAC_ExercisesOverview.pdf

⁸ Independent entities such as the Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Office of Inspector General have identified this deficiency as a significant obstacle to the NCUA’s mission to safeguard credit union members and the financial system. All of them have recommended that Congress provide the NCUA with this authority.