ALEXANDRIA, Va.–With an “unprecedented surge” in cyberattacks taking place, the NCUA board has been given an update on what the agency has learned from cyber-related exams, where attacks are coming from, and what steps are being taken.
Offering the update to the board were Ernie Chambers, director of Critical Infrastructure Division in NCUA’s Office of Examination and Insurance, and Todd Finkler, cybersecurity advisor and coordinator in the Office of the Executive Director.
Chambers told the NCUA board credit unions and other organizations have seen an “unprecedented surge” in cyberattacks and in the number of third-party vendors falling prey to such attacks.
Specifically, he said the attacks have targeted one critical and two highly critical vulnerabilities within the movement, including one in the transfer web application.
“This vulnerability and its associated linkages led to a series of targeted attacks on financial institutions jeopardizing the integrity, confidentiality and availability of sensitive data,” said Chambers.
According to Finkler, financial institutions of all types have lost an average of $5.9 million per data breach so far in 2023. He outlined trends in attacks in the slide below.
Finkler said one objective in cybersecurity is to “raise the adversary’s cost,” including by implementing multi-factor authentication, following guidance from CISA’s Shields Up program, increasing training, including anti-phishing training, and engaging in other high-impact, low-cost activities.
Following a 2021 presidential executive order, Finkler said, NCUA has improved its encryption and multi-factor authentication, reviewed contract language, examined threats in the software supply chain, and invested in zero trust architecture, among other steps.
With NCUA board members again calling for third-party vendor oversight authority for the agency, Finkler shared the graphic below to illustrate the threat.
The board was told that implementation of the Information Security Examination (ISE) program will involve all credit unions going forward as part of examinations.
Finkler said the ISE program is tailored to credit unions of less than $50 million in assets, and that approximately 1,000 ISE assessments have taken place to date, which he called a “real win for our supervised institutions.”
Chambers noted that since NCUA’s cyber-incident reporting rule went into effect on Sept. 1, the agency has received nearly 150 such reports.
Harper: ‘An Important Reminder’
NCUA Chairman Todd Harper called the cybersecurity briefings “an important reminder that the potential for cyberattacks in the financial services industry, including within the credit union system, is high and will likely continue to stay that way for the foreseeable future.”
Harper urged all parties to improve their cybersecurity hygiene and practices. He said credit unions are “uniquely vulnerable” for two reasons:
- “That’s where the money is”
- The financial services marketplace is one of the most Internet-facing sectors in the economy
He noted NCUA has joined with other financial regulators and the Cybersecurity and Infrastructure Security Agency in taking part in the National Cybersecurity Awareness Month campaign this month. He also said that when the resources to support NCUA’s Information Security Examination Program, maintain the Automated Cybersecurity Evaluation Toolbox, fund cybersecurity grants, and provide training to credit unions are totaled, they come to approximately $22 million, or 6% of NCUA’s budget.
Free Resources Available
Harper urged credit unions to leverage a number of free resources from the agency, including:
- NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET. “This tool is an excellent resource — especially for small credit unions or credit unions with limited resources — to understand their cybersecurity preparedness levels. The ACET is available at no cost and can be found online on the NCUA’s website.”
- Resources from the Cybersecurity and Infrastructure Security Agency (CISA), which has regional offices with specialists available to help.
Need for Vendor Oversight
Harper touched on a point he has often raised, as have other members of the board, stating, “Unfortunately, the NCUA’s ability to analyze and assess the risk in the entire credit union system remains limited. That’s because CUSOs and credit union third-party service providers do not have the same level of oversight as bank vendors, as the NCUA lacks the statutory authority to directly examine or supervise these entities. Stakeholders must understand that the risks resulting from the NCUA’s lack of vendor authority are real, expanding, and impacting all of us.”
He pointed to the 60% of cyber incidents reported to the NCUA that involve third-party service providers and CUSOs, and again called for NCUA to be given vendor authority.
Hauptman: ‘The Data is Paying Off’
Saying “developing and implementing tailored cybersecurity plans and processes is key to protecting credit union operations,” NCUA Vice Chairman Kyle Hauptman called for “vigilance” at all levels.
Hauptman said the information gathered as part of the Information Security Examination (ISE) program is valuable for examiners and “the data is paying off.”
“The information gathered from the ISE program provides a clearer picture of the state of credit union cybersecurity readiness,” Hauptman said. “There is good news in this update, and I am encouraged by the level of preparedness examiners are finding in all sizes of credit unions. Today’s update also outlines additional simple, yet significant recommendations to enhance credit union cybersecurity preparedness.”
Hauptman noted that basic “blocking and tackling” in cybersecurity pays enormous dividends, and reminded attendees that NCUA and the FTC will host a joint webinar, “Protect Your Credit and Identity with Cybersecurity Awareness,” on Oct. 26 at 1 p.m. ET.
What About Agency Itself?
In response to a question from Hauptman on how NCUA is doing with its own cybersecurity, Finkler said the agency brings in consultants at least annually to review its own cybersecurity posture.
“I think we are doing an excellent job in protecting our data,” Finkler said.
Hauptman noted he had earlier called on NCUA to make it easy for credit unions to comply with the cyber-incident reporting rule, and the agency responded with a simple form in PDF format that has been distributed to credit unions. He urged credit unions to physically print that form in the event systems are ever down.
Hood: Board Members Need to Know, Too
NCUA Board Member Rodney Hood said he joins his fellow board members in having “deep concerns” over cybersecurity, and said it is the one issue that “keeps me awake at night. I often say that we can mitigate a lot of risks, such as interest rate risk, but cybersecurity breaches are difficult to mitigate once systems are penetrated.”
He suggested NCUA consider sending a Letter to Credit Unions to ensure management is sharing the results of cybersecurity exams with the board.
