ALEXANDRIA, Va.–They may hail from different political parties and have different philosophies, but all three NCUA board members agreed the one issue that keeps them up at night is cyber-threats to credit unions. A member of NCUA’s staff said they have reason to lie awake.
The comments came during the Semi-Annual Cybersecurity Briefing provided to the board.
Ernie Chambers, director of critical infrastructure inside the agency’s Office of Examination and Insurance, outlined numerous threats that continue to grow and affect credit unions, financial institutions and consumers in general.
He noted, for example, there are five-billion pilfered credentials availableon the dark web, according to McAfee, at a cost of approximately $15 per credentials. The cost for banking credentials specifically, including user names and passwords, is $71 on the dark web.
Chambers also outlined other issues that make credit unions vulnerable to cyberattacks, including weaknesses in suppliers’ systems and from members themselves.
Chambers also reviewed NCUA’s ISE Cybersecurity program, which is overviewed in the slide below.
Chambers said there are also three programs being piloted, as seen in the slide below. Plans call for rolling out ISE testing fully in the fourth quarter of 2022. That program is being tested with approximately 100 examiners from all NCUA regions and from state regulatory agencies.
Harper: ‘We Must Remain Vigilant’
NCUA Chairman Todd Harper said that in his travels and meetings with credit unions he is often asked what keeps him awake at night, and the answer is almost always the risks that cyber-attacks pose to our financial system. Harper said both the COVID-19 pandemic and Russian war on Ukraine have only increased that risk.
“As a result, all credit unions and vendors, regardless of size, are targets for cyberattacks. We must all remain vigilant and take actions to safeguard our systems,” said Harper, asking credit unions to report any cyber incidents to their NCUA examiner, the FBI’s Internet Crime Complaint Center at www.ic3.gov, and the Cybersecurity and Infrastructure Security Agency at report@cisa.gov.
Harper also urged credit unions to pay attention to updates from the Shields Up initiative from the Cybersecurity and Infrastructure Security Agency (CISA), and to also download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET, which can be found at www.ncua.gov/cybersecurity.
Grants Available
“Additionally, as part of our 2022 Community Development Revolving Loan Fund Grant program, the NCUA is providing eligible low-income credit unions with up to $10,000 in funding to modernize their information technology against cyberattacks,” Harper continued, noting the application period for the Revolving Loan Fund opens on May 2 and runs until June 24.
Harper said NCUA is also working to improve the credit union system’s cyber resiliency through its examination program, specifically by revising its cybersecurity examination procedures with the goal of completing this revamp by the end of the year.
We must stay focused on meeting the goal of finalizing the implementation of the Information Security Exam program in the fourth quarter,” Harper said. “The new procedures also will be scaled to the size and complexity of a credit union and will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats.”
The Q&A
In response to a question from Harper, Chambers urged CUs to conduct a good and in-depth risk assessment of their cybersecurity using a variety of tools that are available, including, in addition to the tools outlined above, resources available from the Department of Homeland Security.
In response to a second question from Harper related to risks from foreign adversaries to CUs, including smaller credit unions, Chambers said there are numerous reasons those CUs should not feel safe.
“One of the soft-power tools of our economy has been sanctions including on Russian oligarchs, which could lead to a tactical tit-for-tat response in the form of a cyber attack on financial institutions,” said Chambers. “These folks are not run-of-the-mill cybercriminals trying to steal money. They are highly skilled foreign adversaries seeking to sew political discord within the United States by potentially cutting off millions of Americans from their money.”
Hauptman: Dollars Well Spent
NCUA Vice Chairman Kyle Hauptman praised Chambers and NCUA cybersecurity staff for developing the Automated Cybersecurity Evaluation Toolbox (ACET) and for the fact there have been 2,500 downloads since October. He said the tools being made available have proven to be resources well worth it to credit unions.
"The reason I bring this up is that every dollar a credit union must spend to comply with a rule or regulation is a dollar that isn’t available to its members. When those rules and regulations are right-sized, that dollar is well spent," he said. "Credit unions aren’t government agencies; they can’t just keep adding stuff and adding staff—they often have to subtract & reduce, whether in terms of time, money, and staff."
Hood: Ongoing Risk and a ‘Moving Target’
Like Harper, NCUA Board Member Rodney Hood also said cybersecurity is the one issue that keeps him up at night.
“I wish we could say that, after having focused on the threat for so long, we’re making progress toward a solution – but unfortunately that’s simply not the case, given the evolution of cyber threats,” Hood said.“As such, we have to accept that cyber security threats are an ongoing risk, both to financial institutions’ operations and to their reputations. Moreover, we have to accept that the risk is a moving target. For example, a few years ago most of us worried more about data breaches than ransomware attacks, in which a threat actor seizes control of a system and demands a ransom to be paid. But according to IBM Security’s Intelligence Threat Index for 2022, ransomware attacks were the most common type of cybersecurity incursion last year.”
Hood added the “unfortunate downside to our system of greater connectivity is that it does create more points of vulnerability. And while we see a great deal of focus on cyber threats from nation-state actors, those make up a relatively smaller percentage of cyber attacks. The most serious threats are more likely to come from cybercriminals or from internal security threats, which can be either malicious or inadvertent. Every credit union must recognize that their institution is just one wrong email or malicious link away from being on the front pages.”
One Area Where Supervision Can’t Wait
Hood, who has been consistent in his policy statements that he believes in limited regulation and supervision, said that cyber security reviews and supervision are one area that require a more “robust” approach from NCUA.
“When it comes to data protection and data security, credit unions need to lead the way, so don’t wait until your institution is compromised and your members are victims,” said Hood. “I urge you to make use of the resources that are already available, and as a starting point I recommend the cybersecurity assessment software that the NCUA released in December. We all have to accept that cyber security will be an ongoing responsibility. Gone are the days when you can have a vendor provide you with an add-on patch to address a vulnerability and move on.
“Today we need to be thinking ‘defense in depth’ when it comes to cyber security,” Hood continued. “That means not only addressing vulnerabilities and recognizing threats, but also response plans should be in place that not only identify vulnerabilities but also catch attacks in real time and proactively prevent their impact on an institution. It also means focusing on hardening and constantly upgrading systems against not only external but also internal threat actors; and working to educate and train employees and managers on a full range of potential threats.”