NCUA Board Member Todd M. Harper Statement on Cybersecurity Board Briefing

As Prepared for Delivery on October 15, 2020

Thank you, Chairman Hood, for agreeing to hold this informative briefing, which I requested earlier this year.  And thank you, Johnny, for your presentation on cybersecurity policy issues and the COVID-19 pandemic.

Like each of my fellow Board Members, I am deeply concerned that the risk of cyber-attacks on our financial system is increasing, not decreasing. Because cybersecurity is one of my priorities, I am pleased that the NCUA in recent years has made progress in:

• Maturing our cybersecurity examination program through advances in consistency, transparency, and accountability;
• Stimulating due diligence of third parties within the credit union system;
• Supporting credit unions with training for staff, informational resources, and grants aimed at improving operational preparedness and resilience; and
• Ensuring the security of the NCUA’s systems and collected information.

As noted on slide 2 of your presentation, the current pandemic has increased cybersecurity vulnerabilities for federally insured credit unions, which hold target-rich financial and personal information. Phishing, credential stuffing, ransomware, remote desktop protocol targeting, and distributed denial of service attacks are some of the ways that cyber fraudsters are currently exploiting vulnerabilities within the credit union system.

• Johnny, in light of the pandemic and the increased reliance of credit unions on operating remotely, how has the NCUA adjusted the scope of its cybersecurity supervisory priorities? I’d like to explore this issue a little more.  During prior briefings, you have highlighted the cybersecurity issues regularly identified during NCUA exams.  It would be helpful for you to remind our stakeholders about those issues today. 
• Johnny, would you summarize for us the top five cybersecurity problems that NCUA examiners typically find during supervisory contacts?  And, what is your advice for credit union leaders who want to get out in front of these issues and mitigate potential problems, especially those credit unions with less than $100 million in assets?
• With 2020, quickly and thankfully, nearing its end, what are the NCUA’s tentative cybersecurity examination plans and supervisory focus for 2021?
• Johnny, what are some resources on the NCUA website, or elsewhere, that could help a credit union manager to improve business continuity planning?
• On slide 3, you note that federally insured credit unions need to have sufficient personnel to achieve their cybersecurity priorities, yet we know that it is very difficult to hire and retain cybersecurity experts. Johnny, what three tips would you give to credit unions interested in improving their ability to hire and retain cybersecurity experts?

The lesson that I take away from today is that credit unions, their vendors and service providers, and the NCUA need to work together, proactively to protect against cybersecurity threats. As noted during today’s briefing and during past briefings, the threat of cyber-attacks is rising and financial institutions like credit unions are increasingly vulnerable. That is why I am a strong supporter of the NCUA having the authority to examine credit unions’ third-party vendors and credit union service organizations. In contrast to other financial institutions regulators, the NCUA currently may only examine CUSOs and third-party vendors with their permission.

Without vendor authority, the NCUA cannot accurately assess either the actual risk present in the credit union system or whether the risk-mitigation strategies of CUSOs or third-party vendors are adequate and can effectively protect the system. The Government Accountability Office and the Financial Stability Oversight Council have both repeatedly called on Congress to close this regulatory blind spot. And, in early September, NCUA’s Inspector General issued a report on the oversight of CUSOs and vendors. The OIG report determined that the NCUA needs statutory authority over CUSOs and vendors to effectively identify and reduce the risks vendor relationships pose to credit unions and protect the Share Insurance Fund against losses.

I very much agree with the GAO, FSOC, and the NCUA Inspector General.  Vendor authority would equip the agency with the tools it needs to better protect the credit union system from cyber-threats and safeguard the Share Insurance Fund. Regardless of when Congress acts on vendor authority, financial institutions of all sizes must take a strategic risk-management approach, which includes continual hardening and improving the security of their networks, as well as a thorough review and mitigation of risk with their respective supply chains.

The NCUA also must continually strengthen the footing of credit unions to respond to cyber-threats through our supervision, training, outreach, and grants. As such, I will continue to make cybersecurity and vendor authority two priorities for my work on the NCUA Board.

Thank you again, Johnny, for your cybersecurity briefing.  Mr. Chairman, I have no further comments at this time.