Last week, the NCUA released its annual Cybersecurity and Credit Union System Resilience Report to Congress in which it “summarizes the current cybersecurity threat landscape, highlights the agency’s key cybersecurity initiatives, and outlines the agency’s ongoing efforts to enhance cybersecurity preparedness and resilience within the credit union industry.”
In his introduction to the report, NCUA Chairman Todd Harper discussed the rise of cybercrime and cybersecurity incidents in the past year and emphasized the credit union industry’s commitment to keeping a vigilant eye on the growing threats. To that end, he asked Congress for their help and support in restoring the NCUA’s control over third-party vendors, citing it as a regulatory blindspot negatively impacting the entire industry. This move is something credit unions have not historically agreed with but that the NCUA has long strived for.
“Besides giving credit union members the same protection as bank customers,” Harper wrote, “this sensible statutory change would significantly improve supervisory oversight and bolster our ability to mitigate cybersecurity risks, ultimately enhancing the credit union system’s overall security posture and the protection of critical infrastructure in the United States more broadly.”
The remainder of Harper’s comments focused on stressing the importance of gaining that foothold, while in the report itself, third-party risk was listed as the number one current and/or emerging threat to credit unions.
“Vendors typically decline examination requests or refuse to implement recommended actions, exacerbating credit unions’ exposure to operational, cybersecurity, and compliance risks that can arise from these relationships,” The report notes. “Without visibility into these entities and the authority to supervise and enforce corrective actions, the NCUA cannot effectively protect credit unions and their member-owners or provide relevant information to other federal and state regulators of threats encountered in the credit union industry.”
According to data from the report, out of all cyber incident reports submitted by credit unions since September of 2023, 73% of those were related to third-party vendors.
Harper also mentioned various strides the NCUA had taken to defend against those threats and raise credit union protections, such as its recently implemented Information Security Examination program, the development of risk-assessment tools, the adoption of a cyber incident notification regulation in 2023, ongoing educational outreach, and grants to eligible credit unions.
On the topic of the cybersecurity examination program, Harper promised more accountability, transparency, and consistency. The report discusses the Information Security Examination Program—newly launched in 2023—which the NCUA will now use to determine a credit union’s risk factor in regard to their information security programs.
As for the current areas the NCUA is keeping an eye on, the report lists the following. These topics were all issues the NCUA sent out cybersecurity alerts on within the last year, warning federally-insured credit unions of the risk potential.
- ATM and Interactive Teller Machine (ITM) Skimming and Shimming Activities
- Current Geopolitical Events Increase Likelihood of Cyberattacks on Financial Institutions
- Business Email Compromise
- Compromise at an ATM Provider
- File Transfer solution Zero-Day Exploitation by Threat Actors
- Recent Uptick in Cyberattacks Against Credit Unions and Third-Party Service Providers
- MFA Vulnerabilities and Mitigations for Credit Unions
- Phishing Attacks Targeting Credit Unions
The report also delved into the agency’s own cybersecurity education and training as well as interagency coordination efforts and industry-wide efforts. You can read the full report as well as Harper’s comments on the NCUA’s press page.
