
NCUA Chairman Todd M. Harper Statement Following the Annual Cybersecurity Update Briefing

October 2024
Todd M. Harper


As Prepared for Delivery on October 24, 2024

Thank you, Todd and Dave, for that informative briefing. October is cybersecurity awareness month. During this annual observance, the National Credit Union Administration seeks to shine a light on the many cybersecurity issues currently confronting credit union members, the credit union system, the agency, and the financial services sector more broadly. But, the reality is that we must remain laser focused on these issues year round.

That’s because foreign and domestic cyber-fraudsters — including some of our international adversaries — continue to target financial services providers and their vendors. The credit union system is a critical part of the financial services sector. And, these annual cybersecurity updates at the NCUA Board table are an important reminder that cyberattacks on the financial services industry, including within the credit union system, will remain high for the foreseeable future.

Far too often, we see that third-party service providers are a weak link in the financial system, a danger noted in the most recent Annual Report of the Financial Stability Oversight Council.1 And, credit union third-party service providers are no exception. In fact, as shown on slide 6, from September 1, 2023, when the NCUA’s cyber incident notification rule became effective, through August 31 of this year, credit unions reported nearly 1,100 cyber incidents. Seven out of ten of these reports related to the use or involvement of a third-party service provider.

Moreover, approximately 90 percent of the industry’s assets are managed by third-party service providers with no NCUA oversight. Last November, a single third-party service provider’s cybersecurity incident disrupted the daily operations of 60 credit unions. In June, a credit union with almost $10 billion in assets reported that the personal information of more than one million current and former members and employees had been accessed during a ransomware attack. The breach initially occurred on May 23, but the ransomware the hackers used did not shut down the credit union’s online and mobile banking systems until June 29.

What’s more, ransomware attacks attributed to “malvertising,” a relatively new cyberattack technique that injects malicious code within digital ads, are on the rise. For this type of attack to work, the user doesn’t even have to physically click on a link for the system to become infected. Instead, a simple internet search can result in malvertising that exploits the vulnerabilities in an internet browser. Credit union cybersecurity teams should focus on standardizing and securing web browsers and deploying ad blocking software to protect against this real-world threat.

These incidents highlight significant vulnerabilities to the $2.3 trillion federally insured credit union industry and our nation’s interconnected critical financial infrastructure. We cannot afford to leave these vulnerabilities unchecked. As such, it’s everyone’s responsibility to maintain good cyber-hygiene — at home and at work. Keeping software updated, using strong passwords or passkeys, reporting phishing attempts, and enforcing the use of multi-factor authentication are just a few examples of the measures anyone can adopt to strengthen our collective defenses.

Education and training are also critical to raising and maintaining awareness of cyber threats. Early this week, the NCUA issued a Letter to Credit Unions that provides boards of directors clear guidance on their roles and responsibilities for bolstering their credit union’s cyber defenses.2 These responsibilities include:

  • Providing recurring training;
  • Approving the credit union’s information security program;
  • Overseeing operational matters related to the credit union, including third-party service providers and other technology systems; and
  • Ensuring appropriate incident response and resiliency plans are in place.

Dave, of the several recommendations outlined in the recent guidance letter, if you could emphasize one piece of advice or action a credit union board should take, what would that be?

Thank you for emphasizing the need for training. Cyberthreats and technology are rapidly advancing, and all of us must keep pace. It’s why we require periodic cybersecurity training here at the NCUA and conduct exercises to test that knowledge.

Despite the efforts to strengthen the system’s cyber defenses, we still have blind spots. For example, the NCUA’s ability to analyze and assess the risk in the entire credit union system remains limited because the agency lacks the same level of oversight of third-party service providers as the federal banking regulators.

Stakeholders must understand that the risks resulting from the NCUA’s lack of vendor authority are real, expanding, and affect all of us. As the NCUA is not just the regulator of federal credit unions, but also an insurer, the NCUA Board may need to consider changes to the normal operating level of the Share Insurance Fund given the additional risk of insuring an industry that, more and more, outsources core business operations to unregulated third-party service providers.

As Todd and Dave discussed, most of the cyber incidents reported to the NCUA involve those third-party service providers. Until this growing regulatory blind spot is closed, thousands of federally insured credit unions, more than 140 million consumers who use those credit unions, and trillions in assets are exposed to higher levels of risk.

Credit union leaders must also understand that their institutions are a significant part of our nation’s critical infrastructure — something that the U.S. government has a solemn obligation to protect. We cannot do that without the ability to assess and analyze risk and that is what vendor supervision would provide us the ability to do.

It’s heartening to hear that more and more credit union leaders understand the value of the NCUA having the same vendor supervisory authority as the federal banking agencies. They understand that their industry is worthy of the same protections as the banking industry. And, they understand that if the NCUA had vendor authority, we could then provide summary reports of those vendor exams for credit unions to use in their due diligence. This statutory change, in other words, would eliminate a competitive advantage that banks have over credit unions.

During my travels and meetings with credit union leagues and officials, more CEOs and leaders have told my team and me they see the value and benefits of restoring the NCUA’s third-party service provider authority, because they cannot manage all the potential risks and liabilities associated with their service providers. I very much agree.

Restoring the NCUA’s ability to oversee these entities would bolster our national economic security, improve safety and soundness, and enhance consumer financial protection and anti-money laundering compliance. It would also save credit unions time and money in the long term, so it’s common sense and good business. Plus, it will give credit union members the same protection that bank consumers have.

That concludes my remarks. I now recognize Vice Chairman Hauptman.


1 Financial Stability Oversight Council 2023 Annual Report at 9. https://home.treasury.gov/system/files/261/FSOC2023AnnualReport.pdf

2 Letter to Credit Unions, 24-CU-02, “Board of Director Engagement in Cybersecurity Oversight” issued in October 2024, available at https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/board-director-engagement-cybersecurity-oversight.
