As Prepared for Delivery on July 21, 2022
Cybersecurity is one of the top concerns I hear when I’m talking to credit union leaders around the country. It is also one of the top concerns I hear when talking with my NCUA colleagues. I wish we could all say that, after having focused on this threat for such a long time, we’re making progress toward a real sustainable solution. But unfortunately, that’s simply not the case given the velocity and evolution of cybersecurity threats.
As such, we have to accept that cybersecurity threats are an ongoing risk, both to financial institutions' operations and to their reputations. Moreover, we have to accept that the risk is a moving target. Today’s rule before the board reflects this reality.
Every credit union must recognize that their institution is just one wrong email or malicious link away from being on the front pages. Given those realities, even those of us who favor a more balanced approach to regulatory matters must recognize that the Agency’s cybersecurity review and supervision capabilities will necessarily have to be more robust in the days ahead. Today’s rule is a step forward in that endeavor.
Gone are the days when you can have a vendor provide you with an add-on patch to address a vulnerability and simply move on. Today, we need to be thinking "defense in depth" when it comes to cybersecurity. That means not only addressing vulnerabilities and recognizing threats but also having response plans in place that not only identify vulnerabilities but also catch attacks in real time and proactively prevent their impact on an institution.
I support today’s proposed rule and look forward to receiving comments.