As Prepared for Delivery on October 19, 2023
Thank you, Todd and Ernie, for that informative briefing on the many cybersecurity issues confronting the credit union system, the NCUA, and the financial services sector more broadly. It’s appropriate that your briefing takes place just before Halloween, as much of what you discussed is frightening and may keep us up at night.
All kidding aside, these cybersecurity briefings are an important reminder that the potential for cyberattacks in the financial services industry, including within the credit union system, is high and will likely continue to stay that way for the foreseeable future. All of us, therefore, must improve our cybersecurity hygiene and practices.
As noted in the briefing, the financial services sector, which credit unions are an integral part of, is uniquely vulnerable for two reasons. The first reason is, to borrow a famous phrase, “that’s where the money is.”[1] And, the second reason is because the financial services marketplace is one of the most internet-facing sectors in the economy. These two factors mean that bad actors have an incentive to exploit vulnerabilities at financial institutions of all types and sizes for their own gain.
That is why the NCUA, along with other financial regulators, the Cybersecurity and Infrastructure Security Agency, and other government agencies, is taking part in the National Cybersecurity Awareness Month campaign this month. The NCUA’s theme for this year’s campaign is “Stronger Together” because it’s our shared responsibility — the NCUA, state regulators, vendors, credit unions, and members — to safeguard our systems. After all, cybersecurity within the financial system is only as strong as our weakest link.
For its part, the NCUA has made considerable investments in protecting its systems and strengthening its cybersecurity defenses. This year, approximately $13 million in the NCUA’s budget is for cybersecurity-related costs. If you include the resources to support the NCUA’s Information Security Examination Program, maintain the Automated Cybersecurity Evaluation Toolbox, fund cybersecurity grants, and provide training to credit unions, that figure increases to approximately $22 million. That is a good-size portion of the NCUA’s overall budget, just over 6 percent in fact.
Slide 6 also shows the costs of not making those investments. As Todd noted, the MOVEit vulnerability affected more than 2,000 organizations and 60 million individuals. Because of its scale, we will likely never know the total cost of the MOVEit vulnerability, but it’s likely in the billions of dollars.
For many credit unions, especially small, low-income, and MDI credit unions, making cybersecurity investments can be difficult. Thankfully, there are free resources available to help. First, I again encourage all credit unions to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET for short. This tool is an excellent resource — especially for small credit unions or credit unions with limited resources — to understand their cybersecurity preparedness levels. The ACET is available at no cost and can be found online on the NCUA’s website.
Second, the Cybersecurity and Infrastructure Security Agency, or CISA, has regional offices with specialists available to help. Todd, would you discuss the resources available to credit unions through these regional offices?
Thank you, Todd, for providing information on the free resources.
My next question focuses on our recent cybersecurity incident reporting rule. As Ernie noted, in the first 30 days after the rule went into effect, the NCUA received 146 incident reports. Before the rule, we only received roughly the same number of reports in an entire year. That’s notable.
Ernie, would you elaborate on the information we receive from credit unions? Do we often see attacks or incidents across the system occur in real-time through this reporting? And, how does this new rule help the credit union industry?
Thank you for that response. It’s important that stakeholders see the benefit we are already seeing with the rule’s implementation. My last question is again for Ernie. With this rule in place, would you preview some of the improvements and next steps the industry might expect from the NCUA?
Thank you, Ernie, for that helpful information and the preview of things to come in 2024. I also want to thank you and your team for your solid work in implementing the Information Security Examination program. Since the program began this year, the NCUA has completed 1,100 such examinations. The results we are seeing are positive and demonstrate that, overall, credit unions are taking important steps to secure their data and systems.
Unfortunately, the NCUA’s ability to analyze and assess the risk in the entire credit union system remains limited. That’s because CUSOs and credit union third-party service providers do not have the same level of oversight as bank vendors, as the NCUA lacks the statutory authority to directly examine or supervise these entities.
Stakeholders must understand that the risks resulting from the NCUA’s lack of vendor authority are real, expanding, and impact all of us. As Todd and Ernie reported, more than 60 percent of the cyber incidents reported to the NCUA involve third-party service providers and CUSOs. Until this growing regulatory blind spot is closed, thousands of federally insured credit unions, tens of millions of consumers who use credit unions, and trillions in assets are exposed to high levels of risk.
Moreover, the Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to provide the NCUA with this examination authority. I agree with these independent experts.
That’s why it’s heartening to hear that more and more credit union leaders understand the value of the NCUA having the same vendor authority as federal banking agencies. During my travels and meetings with credit union leagues and officials, more CEOs and leaders have told me they see the value and benefits of restoring the NCUA’s vendor authority because they cannot manage all the potential risks and liabilities associated with their vendors.
These benefits include credit union access to NCUA examination information when conducting due diligence, fewer requests from the NCUA to credit unions to intervene with vendors experiencing problems, and fewer losses to the Share Insurance Fund when losses at CUSOs roll onto credit union ledgers and lead to liquidations. That last point isn’t theoretical. It has happened.
Restoring the NCUA’s vendor authority would bolster our national economic security and save time and money in the long term. It’s just common sense and good business. This authority would also ensure proper oversight of the CUSOs and third-party vendors poised to capitalize on financial institutions’ growing appetite for artificial intelligence and real-time payment services. Plus, from a customer service standpoint, it will give credit union members the same protection that bank customers enjoy, which they rightly deserve.
That concludes my remarks. I now recognize Vice Chairman Hauptman.
[1] This phrase is attributed to bank robber Willie Sutton, who supposedly said it in response to a question from a reporter. The saying has since morphed into the principle known as Sutton’s law, which states that when diagnosing, one should consider the obvious first. The phrase is also used in managerial accounting. Known as the “Willie Sutton rule,” it stipulates that activity-based costing (in which activities are prioritized by necessity, and budgeted accordingly) should be applied where the greatest costs occur, because that is where the greatest savings can be found.