NCUA Vice Chairman Kyle S. Hauptman Statement on the Board Briefing, Cybersecurity Update

October 2024
Kyle S. Hauptman

NCUA Vice Chairman Kyle S. Hauptman during a meeting of the NCUA Board.

As Prepared for Delivery on October 24, 2024

The mission of securing cyberspace is a constant challenge. The financial services sector is the 5th most targeted sector of the nation’s 16 critical infrastructure sectors. Because we know it is not an “if,” but a “when,” it is imperative credit unions continually evolve their cybersecurity. Make no mistake, every one of us is vulnerable. Boards, management, and staff must remain engaged and vigilant.

The massive amount of sensitive private data stored digitally, and the prospect for significant monetary gain from data breaches, makes financial institutions especially attractive. At the same time, the use of advanced technologies like artificial intelligence (AI) is not only expanding the sophistication of cyber-attacks, but also making it easier. It sounds like the perfect storm.

Over the past 30 years, credit unions have built significant interconnected systems making it possible to compete with much larger financial institutions. Credit unions have over 30 years of experience in addressing security gaps of these networks. However, we must remember that the interconnectedness of systems creates more entry points for potential cyber-attacks.

Last Monday, October 21, the NCUA released Letter to Credit Unions, 24-CU-02, “Board of Director Engagement in Cybersecurity Oversight.” The letter lists four key areas of focus:

  1. Recurring (Board) training – The agency is not asking Boards to be technical experts, but Boards must be aware of the cyber risks that pertain to their credit union’s operations.
  2. Approve information security program annually – This is not new. The Board should review the program annually to ensure it is adapting to the evolving threat landscape.
  3. Oversee operational management – Again, no one is asking Board Members to be technical experts, but there are areas of focus they are responsible for overseeing. Third-party due diligence is one of them. In 2024, seven in ten cyber incidents at credit unions involved a third-party vendor. Cybersecurity requirements, including clauses to protect member data, should be included in contracts. Third-party vendors often have best practices that address cybersecurity; it may be helpful to understand those best practices.
  4. Incident response planning and resilience – No one wants to believe it can happen to them, but the possibility of a cyber-attack is our new reality. Internal and external communication channels should be addressed before a cyber-attack incident, not during. The NCUA requires credit unions to notify the Agency within 72 hours of a cybersecurity incident. The team in the Office of Examination and Insurance (OEI) put together a cheat sheet and a wallet card for credit unions to have handy in the event they need to report an incident.

Franz, would you mind putting up the slide showing the cheat sheet and wallet card?

In September 2023, OEI deployed the Information Security Examination (ISE) program for examiners. We have more than a year of experience tailoring examinations to the size and complexity of the credit unions. The ISE program is providing a clearer picture of the state of credit union cybersecurity readiness. I am encouraged by the level of preparedness examiners are finding in all sizes of credit unions, but the presentation showed there is still much to do.

Finally, I urge credit unions to check out the NCUA’s Cybersecurity Resources webpage for more information.
