NCUA Board Meeting Coverage: An Update on Cyber Risks; New Call for Vendor Oversight

ALEXANDRIA, Va.–The NCUA board got an update on the state of cybersecurity and threats to credit unions during its meeting here.

Offering the update were Ernie Chambers, director, Critical Infrastructure Division, Office of Examination and Insurance, and Kelly Lay, director of the Office of Examination and Insurance.

All three board members stressed the need for credit unions to be vigilant about current and emerging threats, while NCUA Chairman Todd Harper again lamented that NCUA, unlike its banking counterparts, lacks third-party oversight authority. He added that such authority could actually lift the regulatory burden on small credit unions.

According to Chambers, the key threats to the credit unions include:

  • Ransomware and extortion operations
  • Social engineering and open AI platforms
  • External-facing application vulnerabilities
  • Misconfiguration of cloud environments
  • Distributed denial of service attacks
  • Geopolitical issues

The Specifics

Speaking specifically to some of those issues, Chambers noted:

  • There are indications ransomware attacks have slowed, as cybercriminals earned less money on ransomware attacks in 2022. However, extortion operations that threaten to expose data publicly are likely to become more prevalent in 2023, Chambers said, adding that to protect themselves CUs should segment networks, implement tighter access controls, and have backups in place (which protect against ransomware only).
  • Social engineering and open AI platforms remain a considerable threat, including spear phishing, false job offers and fake CU and bank websites. AI is being used to generate malicious content and create personalized phishing emails, while phone verification is also vulnerable now.
  • With external-facing app vulnerabilities, including online banking portals and mobile banking apps, Chambers said CUs must regularly conduct vulnerability assessments and penetration tests, implement multi-factor authentication for sensitive data access, ensure software applications are updated, and implement strong passwords.
  • He called for CUs and CU organizations to prioritize cloud security.

Chambers said NCUA examiners are using the Information Security Examination (ISE) program in their exams of credit unions around cybersecurity. He urged CUs to visit the agency’s cybersecurity resources webpage for additional information.

Vendor Oversight Authority

In response to a question from Harper about the potential implications for credit unions as NCUA continues to lack oversight of third-party providers, Chambers said there is a “plurality” of risks in the market and the lack of oversight is among the things that keep him up at night.

“So many of our regulated entities are not in a position to have someone on staff to manage information technology with a dedicated cyber security operations center like many organizations do,” said Chambers. “For this reason they contract these types of services out and there exists a great deal of reporting confirming that, indeed, there have been in the past and there remain foreign intelligence service connected operatives who masquerade under a guise of being legitimately, U.S.-owned and operated, but who in fact provide those managed cyber security services from locations outside of the United States.”

Harper then asked about smaller credit unions and whether NCUA, if it had vendor oversight authority, could provide some level of regulatory relief, as the agency would be conducting cybersecurity reviews and would be able to share the reports with smaller CUs.

Chambers answered succinctly: “Yes.”

Hauptman: ‘Cannot be Overstated’

NCUA Vice Chairman Kyle Hauptman said during the board meeting, “We cannot overstate the significance of cybersecurity. Highly sensitive information and systems are of great value to bad actors. The explosive growth of digital information accessibility through wired and wireless networks, and the swiftly evolving technological landscape have made cybersecurity a constant and dynamic challenge.”

Hauptman said he remains concerned over social engineering threats and the “staggering amount of data available on individuals through social media and the Internet (that) is making social engineering even easier for criminals. Artificial Intelligence is helping many companies, including credit unions and CUSOs, fight fraud, but AI is also helping criminals to fine-tune phishing emails and improve malware source code.”

Hauptman urged CUs to take advantage of NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET) for credit unions.

Hood: ‘An Ongoing Commitment’

NCUA Board Member Hood cautioned credit unions “cannot rest on our laurels.” That means that credit unions, and the NCUA, must be prepared.

“The good news is that, while the threats continue to grow and evolve, so does our ability to counter those threats. Additionally, open communication is critical. To that end, the NCUA recently sent a few cyber alerts to the industry using a new gov delivery platform. How can credit unions make sure they receive these alerts?” said Hauptman. “Unfortunately, cybersecurity isn’t one of those areas where you can just set it and forget it. It’s an ongoing commitment. That requires constant due diligence as well to keep up with the latest ways to best harden your systems to limit attacks. Due to the nature of the threat, we all need to make cybersecurity a top priority to protect credit unions and their employees and the member-owners. Credit unions should expect more regulation in this area–as I often say, regulations should be effective and not excessive, and this is an area where more effective regulation is likely needed.”

Copyright Holder: CUToday.info
Copyright Year: 2026