As Prepared for Delivery on October 20, 2022
Thank you, Ernie, Amber, and Kelly, for your presentation.
The cyber landscape continues to evolve with new threats. The current geopolitical situation only adds to the challenge. The fact that bad actors are targeting mid-size businesses underscores that, large or small, credit unions must remain vigilant. No one is exempt, and risk management must be continuous. Since our last update, the NCUA issued a Letter to Credit Unions on the use of distributed ledger technologies.
I know many credit unions were grateful for the clarity that letter provided. As I have noted in the past, traditional finance, or Trad-Fi, is already being disrupted by decentralized finance, or De-Fi. For some, staying ahead of that disruption may mean embracing and deploying elements of De-Fi. While the letter on the use of distributed ledger technology clarified NCUA’s position, it should be noted that the guidance is no substitute for thorough third-party due diligence. It is the credit union’s responsibility to ensure its decentralized finance platform and partners address security, authentication, and other risks.
At our last update, you noted that we were piloting the Information Security Examination (ISE) tool for the field staff. Congratulations on completing that pilot last month. We also learned more about the Automated Cybersecurity Evaluation Toolbox (ACET). I am gratified to learn today that your team continues to work on the alignment between ISE and ACET. The extra effort to align the two tools will not only assist credit unions in building out their cybersecurity systems but also provide them with the elements of what they can expect during an examination.
The need for robust cybersecurity is a fact of life for all of us. I hope more credit unions will take advantage of ACET and other NCUA resources such as webinars, roundtables, cyber alerts, and notifications.
I urge credit unions to check out NCUA’s Cybersecurity Resources webpage for more information.
Thank you, Mr. Chairman. I have no further comments.
Question: You mentioned the NCUA’s proposed cyber incident reporting rule in July 2022. The comment period ended September 26, 2022. In what ways was the proposed rule structured to align with CISA reporting?