NCUA Vice Chairman Kyle S. Hauptman Statement Following the Semi-Annual Cybersecurity Briefing

As Prepared for Delivery on April 20, 2023

Thank you, Ernie, for your presentation, and Kelly and Todd, for being available for questions.

We cannot overstate the significance of cybersecurity. Highly sensitive information and systems are of great value to bad actors. The explosive growth of digital information accessibility through wired and wireless networks and the swiftly evolving technological landscape have made cybersecurity a constant and dynamic challenge.

It’s gratifying to hear that the bad actors earned less money with ransomware attacks in 2022. That said, we shouldn’t be surprised that the problem reappeared in a different form, with extortion operations becoming more prevalent in 2023. The game “Whack-A-Mole” comes to mind.

Social engineering, defined here as criminals using personal information to impersonate someone else, remains a considerable risk. The staggering amount of data available on individuals through social media and the internet is making social engineering even easier for criminals. Artificial Intelligence is helping many companies, including credit unions and CUSOs, fight fraud, but AI is also helping criminals to fine-tune phishing emails and improve malware source code.

More and more businesses, including credit unions and the NCUA, are moving to the cloud environment – and so are the bad actors. As was pointed out in the presentation, cloud misconfigurations are a new source of data breaches, theft, and exploitation. Misconfiguration can result in an organization inadvertently exposing unencrypted data and sensitive information. It can also provide unauthorized access to system functionality.

Thank you for the reminder that the industry and its regulators have resources to help credit unions stay ahead of the threats. I’d like to congratulate the Office of Examination and Insurance (E&I) on the official deployment of the Information Security Examination (ISE) program for examiners. ISE is a risk-focused approach intended to tailor examinations to the size and complexity of the credit union.

In past updates, we heard about the agency’s Automated Cybersecurity Evaluation Toolbox (ACET) for credit unions. The ACET is a resource intended to help credit unions assess their level of cybersecurity preparedness. The alignment between ACET and ISE assists credit unions in building out their cybersecurity systems. It also provides them with the elements of what they can expect during an examination.

The need for robust cybersecurity is undeniable. It can also be overwhelming for some. I urge credit unions to check out NCUA’s Cybersecurity Resources webpage for more information.

Thank you, Mr. Chairman; that concludes my remarks. I do have a couple of questions.