The NCUA Board listens to a briefing on cybersecurity issues facing credit unions and the financial sector during the October 2019 NCUA Board.
As Prepared for Delivery on October 24, 2019
Thank you, Chairman Hood. And thank you, Johnny and Larry, for the cybersecurity landscape overview.
Like my fellow Board Members, I am deeply concerned about the increasing exposure of our financial system to cyber-attacks. Malware, ransomware, distributed denial of service attacks, and other forms of cyber intrusion affect financial institutions of all sizes, and they will require ongoing measures for containment. Credit unions, their vendors and service providers, and the NCUA need to work proactively to protect against cybersecurity threats.
Because cybersecurity is one of my priorities, I am pleased that the NCUA is working diligently to:
- Mature our cybersecurity examination program by advancing consistency, transparency, and accountability;
- Stimulate due diligence of third parties within the credit union system;
- Support credit unions with training, informational resources, and grants aimed at improving operational preparedness and resilience; and
- Ensure the security of the NCUA’s systems and collected information.
As you noted during the briefing, the threat of cyber-attacks is rising and financial institutions like credit unions are increasingly vulnerable given the target-rich financial and personal information they hold.
On page 5 of the slide deck, I see that more than one in four organizations have experienced an advanced persistent threat attack, but I’d like to know whether we have more detailed statistics for federally insured credit unions.
What is the actual credit union experience with cyber-attacks? Is it one in three, one in two, or even higher?
Additionally, I’d like to know how the NCUA stands in comparison to the federal banking agencies in terms of cybersecurity policy staff. Are we on an even footing? Should we commit more resources to this area?
Finally, as I understand, cyber criminals are focusing more on smaller institutions’ websites and supply chain networks. Accordingly, I am a strong supporter of the NCUA having the authority to examine credit unions’ third-party vendors and credit union service organizations.
In contrast to other financial institutions regulators, the NCUA currently may only examine CUSOs and third-party vendors with their permission. Without vendor authority, NCUA cannot accurately assess either the actual risk present in the credit union system or whether the risk-mitigation strategies of CUSOs or third-party vendors are adequate and can effectively protect the system from a propagated contagion.
The Government Accountability Office and the Financial Stability Oversight Council have both repeatedly called on Congress to close this regulatory blind spot, and I very much agree. As such, last week I was pleased to read a discussion draft of legislation in the House of Representatives that would provide the NCUA with vendor authority.
In discussions with staff, I understand why we should request some modifications to the draft legislation, but the concept in this proposal is a solid step forward toward giving the agency the tools needed to better protect the credit union system from cyberthreats.
I am hopeful that the Board will come together to send a letter to the bill’s sponsor expressing our support for moving forward on vendor authority legislation, in addition to requesting changes to the legislation to address the unique nature of the credit union system.
In that respect, Larry, would you outline why the gaps in NCUA’s supervision program created by a lack of vendor authority are material?
Would you also explain how vendor authority would provide a measure of regulatory relief for credit unions?
Thank you, Larry, for those responses.
Regardless of whether Congress acts on vendor authority, financial institutions of all sizes must take a strategic risk-management approach, which includes continual hardening and improving the security of their networks, as well as a thorough review and mitigation of risk with their respective supply chains.
And the NCUA has an obligation to strengthen the readiness of credit unions to respond to cyber-threats through our supervision, training, outreach, and grants. As such, I will continue to make these matters a priority for my work on the NCUA Board.
Thank you again for this important Board briefing on cybersecurity. I’m hopeful that we can have another one in six months to learn about the progress the agency and the credit union system has made.