ALEXANDRIA, Va.–Members of the NCUA board were given an update on the status of cybersecurity in credit unions, including where the greatest threats lie and what a CU should do in the event of a ransomware attack.
One board member also used the update as an opportunity to call for NCUA to have third-party vendor oversight.
Johnny E. Davis Jr., special advisor to the chairman for cybersecurity and division director, Critical Infrastructure, told the board the top threats are similar to the historical threats, as outlined in the slide below.
The newest development has been “pandemic-themed” attacks, said Davis.
Davis also referenced the SolarWinds breach that has reportedly hit thousands of businesses, government agencies and credit unions themselves, but did not cite anything specific to the agency or CUs.
Davis said breach and attack simulations remain important and should be conducted by every CU.
“I can’t stress enough, don’t be an easy target,” he said.
Supply Chain Attacks
Supply chain attacks also remain a concern, including one such attack on a virtual private network this week, said Davis.
“The difference in the supply chain attacks is it really attacks the global ecosystem and vulnerabilities in the entire supply chain where you procure products and services,” said Davis, noting NCUA has posted related resources on its website.
In August, as part of a table-top exercise, Davis said NCUA will focus on supply chain attacks. He added NCUA will be reaching out to the CU trade associations to identify credit unions to participate in the exercise.
Davis also pointed credit unions to NCUA’s web statement on due diligence related to data collection.
NCUA Chairman Todd Harper said he is “deeply concerned about the risks that cyber-attacks pose to our financial system,” and that NCUA and other supervisory authorities, vendors, and credit unions have a responsibility to protect systems, improve our ability to recover from incidents, educate our staff, share information, and report and address potential vulnerabilities.
“For many credit unions that are balancing several priorities, it may seem that resources are not available to help improve cyber preparedness,” said Harper. “However, as part of the NCUA’s 2021 Community Development Revolving Loan Fund grant initiative, low-income credit unions can apply for up to $7,000 to strengthen their cyber defenses. The application period runs May 3 through June 26, and I encourage all eligible credit unions to consider applying for these grants.”
In response to a question about why malware continues to be so effective against credit unions and other organizations, Davis responded, “I believe state actors and organized crime members who use this method know the root causes that continue to make this successful continue to be a challenge. And that is maintaining cyber-hygiene, which requires ongoing diligence and ongoing monitoring. That has eluded us for quite some time.”
Davis urged credit unions to back up their data and to test that those backups can actually be restored.
Pay the Ransom?
As for ransom requests, Davis recommended credit unions respond with a “great deal of caution,” and said even if payments are made to fraudsters in order to return data or system functionality, it may not mean the end of the threat.
“Theoretically, the attacker should return system functionality,” said Davis. “But there is no honor among thieves and this doesn’t always happen. In many cases the attacker will use that information further…and may sell it themselves to another organization that will commit a similar attack. This is why we say become a harder target. Most law enforcement agencies will tell you not to pay the ransom. The best practice is to have your systems and data in a resilient posture that will allow you to recover from an attack.”
When asked what are some low-cost tools credit unions can use to boost their cybersecurity, Davis responded, “Without mentioning any specific companies, I would suggest with the understanding training isn’t just in the classroom, that the Department of Homeland Security, NCUA and NIST have a wealth of information on their websites. The credit union trade associations offer a great deal of training. I believe the information-sharing organizations you can find on ISO.org have a good deal of information that could assist in resilience awareness. And believe it or not local community colleges and trade schools are a wealth of resources.”
‘10 Years Accelerated Into One’
NCUA Vice Chairman Kyle Hauptman said there is “no going back.”
“You’ve heard me say this before, the pandemic took ten years of digital evolution and accelerated it into one year. Although we are inching back to a more normal way of life, the digital transformation continues, and there is no going back. In the coming years, we will look at 2020 as the moment that changed everything,” said Hauptman.
As an example, Hauptman noted of the nearly 125 million credit union members in the U.S. today, 71 million utilize their credit unions’ online services.
Support For Vendor Authority
Board Member Rodney Hood, who while serving as chairman elevated Davis’ role to special advisor to the chairman, said that with the current remote posture for the NCUA and many credit unions, it “requires an even greater focus on resiliency, especially for cybersecurity issues.”
Hood also repeated a position for which he advocated while he was chairman.
“The NCUA Office of Inspector General has called on Congress to give the NCUA vendor authority. I am supportive of NCUA gaining vendor authority,” said Hood. “Indeed, I supported vendor authority during my last tenure on this board. Vendor authority has also been called upon by the Federal Stability Oversight Council and the Government Accountability Office, so I think it is a tool that we need in our toolbox, but we should be especially mindful of how we use this tool if we are granted this authority by Congress. Vendor authority is not a silver bullet, and as an agency we must humbly recognize it is not a silver bullet if we ever do build out our supervisory program to include vendor authority. Additionally, considering the current crisis with COVID-19, I believe it is best for Congress to consider giving us vendor authority post-recovery. Right now, in my view, we do not have the bandwidth to build out a new examination activity as we juggle competing priorities with the COVID-19 fallout.”
Additional Costs
Hood asked Davis for an estimate of what the agency would need to budget were it granted third-party vendor oversight authority by Congress, saying he is supportive of following the FDIC’s model and not increasing the budget to get this new authority, especially initially.
Davis estimated such oversight would require the creation of eight to 11 new positions at a cost of between $1.7 million and $2 million annually.
Davis said that more important than the cost would be the agency’s approach, which he said would be to concentrate on major vendors to CUs that are not currently covered by other regulators that belong to the FFIEC. In that case he estimated such reviews of companies would occur every three to five years.
