ALEXANDRIA, Va.—NCUA is again calling for authority over third party vendors to credit unions as part of its Report to the Committee on Financial Services of the House of Representatives and to the Committee on Banking, Housing, and Urban Affairs of the Senate on Cybersecurity and Credit Union System Resilience.
“The actions outlined in this comprehensive report demonstrate the NCUA’s commitment to promoting a secure and resilient environment for credit unions and their members,” NCUA Chairman Todd Harper said in a statement. “Recent agency efforts to address cybersecurity risks, including implementation of the scalable Information Security Examination procedures at credit unions, training and support programs, and the cyber incident notification rule, are described in the report. Additionally, the report to Congress details the significant risks and challenges facing the credit union system and the financial system because of the NCUA’s lack of authority over third-party vendors. I continue to call on Congress to close this growing regulatory blind spot.”
The report states this "blind spot poses a cybersecurity, national security, money laundering, compliance, and reputation risk to the agency from consumer loss of confidence in the industry."
The report furhter suggests that significant risks and challenges remain due to the NCUA’s lack of authority over third-party vendors that provide services to federally insured credit unions.
“Given cyber-related incidents affecting credit unions and credit union members often occur at or through third-party vendors, this growing regulatory blind spot has the potential to trigger cascading consequences throughout the credit union industry and the financial services sector that may result in significant losses to the NCUSIF. For this reason, one of the agency’s top requests of Congress is to restore the authority, which sunset in 2001, enabling the NCUA to examine third-party vendors. The Financial Stability Oversight Council, the Government Accountability Office, and the NCUA Office of the Inspector General have all called on Congress to close this growing regulatory blind spot.”
“The agency supports legislation to restore the authority that expired on Dec. 31, 2001,” the report states.
IT Security
The agency also stressed it investment in IT security.
“The NCUA has invested significant resources in its network and security infrastructure. These investments are designed to deny access or prevent efforts to degrade, disrupt, or destroy any NCUA information and information system or network, or exfiltrate NCUA information from systems or networks without authorization. All basic user accounts are required to use multi-factor, certificate-based authentication to access network resources. Elevated privilege accounts (system and network administrators and engineers) are issued session-based credentials with specific expiration timeframes. To mitigate vulnerabilities, NCUA network users remotely accessing network services and resources are protected by encrypted virtual private network (VPN) tunnels, and internal and external network traffic is managed and monitored. VPN connectivity on NCUA laptops is mandatory for all users. This continually enforces technical policies and ensures traffic and data are encrypted and secure,” the report states.
NCUA noted the Cybersecurity & Credit Union Resilience Report is required by the Consolidated Appropriations Act, 2021 and provides:
- Information on the policies and procedures to address cybersecurity risks
- Activities to ensure effective implementation
- Current or emerging threats
“For 2023, the NCUA will continue to promote cybersecurity best practices in credit unions, and reviews of credit union information systems and assurance programs remain a supervisory priority for the agency. Building upon its industry outreach efforts, the NCUA will continue to provide guidance and resources to assist credit unions with strengthening their cyber defenses throughout the year,” NCUA stated.
The agency is also funding cybersecurity grants as part of its 2023 grant initiative, which closes on June 30.
Click here for the full report.