ALEXANDRIA, Va.–The NCUA board was given a detailed overview on cybersecurity-related issues during its meeting, with all three board members using the update to again state their support for the agency being given third-party vendor oversight authority.
The board received the cybersecurity update from Johnny E. Davis, who was recently appointed by Chairman Rodney Hood as special advisor to the chairman on cybersecurity. As CUToday.info reported here, Davis has more than 25 years' experience in information security and infrastructure operations in the military, federal government, and private sector.
Davis' remarks, in the accompanying PowerPoint presentation that can be found here, covered the nature of threats to financial institutions, attack methods, IT spending, talent management, critical security controls, NCUA’s priorities and more.
Davis said NCUA and credit unions alike face a challenge in finding talent for the "hunt teams" that look for threats already inside systems and then reverse-engineer those attacks so the findings can be used for predictive protection in the future.
Asked his primary takeaways for credit unions, Davis responded that credit unions unsure where to start should begin with critical security controls, and if the CU has progressed past those, to never lose sight of those controls.
Three Points of Emphasis
Moreover, Davis said:
- Credit unions should take risk assessment seriously
- Credit unions should never underestimate inherent risks, because “if controls fail, that’s the environment they’ll be operating in”
- Credit unions need to know what’s normal and what’s not and have the ability to react quickly
Why Is Authority Needed?
Asked by Board Member Todd Harper why third-party vendor authority—which the other federal regulators have but which NCUA lacks—is important, Davis responded, “We have a unique dependence on third parties. Our smaller institutions cannot do this work on their own. Once they leverage CUSOs and other environments, they find themselves having very minimal influence in getting the vendor to participate in the cybersecurity practices they need to be successful.
“I couch this in a long answer because we can give responsibility to our third-party partners, but we cannot give accountability to our partners,” he continued. “We hear credit unions say vendors tell them, ‘No other customer has asked us about what you’re asking us about.’ Smaller institutions need assistance.”
NCUA Director of the Office of Examination and Insurance Larry Fazio added, "As a vendor providing core data processing, as well as with the ubiquitous Internet of Things and other services, from their perspective you can understand why they might not want to be completely forthcoming with what they view as proprietary or confidential information. (But having the) ability to have better insight into the cybersecurity controls those vendors have in place and how that intersects with CUs' cybersecurity risk would be enhanced."
Fazio noted some CU vendors represent thousands of credit unions and a breach would mean exposure of significant member data.
Control of Market
Davis pointed out five core vendors control 85% of the credit union market. “So, when you look at the fact bad actors have gotten smart about this, why go look at 100 credit unions and attack them individually when I can attack the source?” he asked.
Hood asked how giving the agency third-party vendor authority might actually provide a “measure of relief” for credit unions.
“It would have a net positive impact for the credit union system,” said Fazio. “Credit unions might see it as an additional burden for them, but it would be a net positive for the system. Instead of us trying to go through a thousand different credit unions, we can go to a source in a more efficient way.”
Do You Want to Write a Big Check?
NCUA Board Member J. Mark McWatters said he often hears from various people that giving NCUA third-party vendor authority would decrease safety and soundness. But he disagrees.
"If there is a cybersecurity breach and NCUA has to write huge checks out of the NCUSIF, guess who has to pay to replenish the fund?" McWatters observed. "People need to say, 'Vendor authority for NCUA is in my best interest.'"
