ALEXANDRIA, Va.–Members of the NCUA board were given an update on cybersecurity related risks and issues within credit unions and the agency itself, while CUs were offered a checklist for better “cyber-hygiene.”
Ernie Chambers, Critical Infrastructure Division director in the agency’s Office of Examination and Insurance, told the board during its October meeting NCUA is working to address the range of cybersecurity threats, and provided a list of resources and tools credit unions can use.
Chambers expressed particular concern over threats from ransomware, phishing and supply chain attacks, and he urged CUs to take steps to address each.
Among the points touched on by Chambers in his remarks to the board:
- Third party/supply chain risk will dominate threat landscape discussions, which greatly increases risk, “especially for smaller credit unions.”
- Business email-compromise attacks led to 19,369 complaints to the FBI in 2020 and losses of more than $1.8 billion.
- NCUA’s Information and Cybersecurity Assessment Program remains a priority, and the agency will be providing training in June 2022 with rollout in September 2022.
- Chambers stressed credit unions take advantage of NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET). ACET is to credit unions and will be available later this month at www.ncua.gov/cybersecurity. It is a self-administered tool and is not administered by an examiner.
- The cyber resources web page also includes other resources, Chambers reminded, as does the web page of the FFIEC.
Harper: Everyone Must Act to Boost Security
NCUA Chairman Todd Harper said he remains “deeply concerned about the risks that cyber-attacks pose to our financial system,” and said the agency is “committed to maintaining the resilience and readiness of the credit union system in responding to evolving cybersecurity risks. In that regard, the NCUA continues to mature and strengthen our cybersecurity program.”
Harper said it isn’t just NCUA that needs to take steps, but state supervisory authorities, vendors, and credit unions also have a “responsibility to protect our systems, improve our ability to recover from incidents, educate our staff, share information, and report and address potential vulnerabilities.”
Hauptman: ‘Finding Problems and Fixing Them’
Noting that no one at NCUA or in credit unions wants to be the “weak link when it comes to cybersecurity,” NCUA Vice Chairman Kyle Hauptman observed, “While I understand that the responsibility for cybersecurity rests with each individual credit union, I’d like to suggest that credit unions who make the effort to assess their level of readiness with ACET – or some other comparable tool -- get some sort of credit for it. I realize the examiner can’t exempt a credit union if there is a problem but using ACET or some other tool can help the credit union find and close those gaps sooner. Finding problems and fixing them is the goal.”
Hood: What About Risks From Working From Home?
NCUA Board Member Rodney Hood said “cybersecurity is a top priority both for credit unions and for us at the NCUA; I know it’s something that keeps me up at night. So, we must keep working to protect members’ data and to harden our systems against the various cyber threats. I also believe the collective spirit of the industry must do more to help the smallest of credit unions address cybersecurity issues.”
Hood asked Chambers if, given the remote work posture because of the COVID-19 pandemic, there are specific cyber hygiene best practices that he might recommend smaller credit unions implement.
Best Practices
Chambers said there are several best practices NCUA recommends to improve cyber-hygiene, including:
- Install reputable anti-virus and anti-malware software
- Use network firewalls, which he called the “first line of defense” against bad cyber-actors
- Update software regularly and install patches
- Set strong passwords for all devices that are unique and complex, including being at least 12 characters in length
- Use multi-factor authentication