ALEXANDRIA, Va.–With its new Information Security Examination (ISE) procedures scheduled to go live for all credit unions before year-end, the NCUA board got an update on cybersecurity risks to both the agency and credit unions during its meeting here.
The board heard from Kelly Lay, director of the Office of Examination and Insurance; Ernie Chambers, Critical Infrastructure Division director in the OEI, and Amber Gravius, director of the Office of Business Innovation.
In comments to the board, Chambers said the war in Ukraine has state-sponsored actors more active than ever in cybercrimes. Moreover, he reminded that each time a new server or device is added to a network, a new potential risk is also added.
“Credit unions should continually measure and monitor their risk,” Chambers said. “Prudent risk management is not a one and done activity.”
Chambers focused his remarks on ransomware and cloud migration, including DDoS tactics and techniques (he pointed credit unions to www.CISA.gov/stopransomware); Decentralized Finance (De-Fi), which was outlined in NCUA Letter to Credit Unions 22-CU-07 in May; and cyber hygiene (he pointed credit unions to resources available at NCUA.gov/cybersecurity).
In terms of the ISE program, pilot testing ended Sept. 30. Chambers said the program is scalable for CUs of all sizes and complexity, aligns with the ACET toolbox, and will be deployed by the end of this year.
Harper: There is a Golden Rule, But It’s Not Exactly Applicable
In his comments, NCUA Chairman Todd Harper shared the darkly humorous observation by the computer scientist Robert Morris that, “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.”
“If it were only that simple,” said Harper. “Today’s modern, global, and interconnected financial services sector relies on the power of information technology and systems, and shutting those systems down is not feasible because nearly every federally insured credit union relies on computers, has a website, or interacts electronically with third-party vendors.”
Harper cautioned that phishing, ransomware, and distributed denial of service attacks are just some of the many ways cybercriminals exploit vulnerabilities within the credit union industry and the financial system.
“I’ve often said the credit union system cannot and must not be the soft underbelly that endangers the broader financial system and our economy. Each of us — the NCUA, state supervisory authorities, vendors, and credit unions — has a responsibility to protect our systems, improve our ability to recover from incidents, educate our teams, share information, and report and address potential vulnerabilities,” Harper said. “Our chain is only as strong as our weakest link, so we all must be hypervigilant to prevent a catastrophic failure.”
ISE Set to Launch
Harper noted NCUA will soon launch its new Information Security Examination (ISE) procedures, which he said offer flexibility for credit unions of all asset sizes and complexity levels, while “providing examiners with standardized review steps to facilitate advanced data collection and analysis. These new ISE procedures will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats.”
Hauptman: ‘Trad-Fi’ Being Disrupted by ‘De-Fi’
Vice Chairman Kyle Hauptman noted no credit union is “exempt and risk management must be continuous,” and he pointed out NCUA has issued a Letter to Credit Unions on the use of distributed ledger technologies.
“As I have noted in the past, traditional finance – or Trad-Fi – is already being disrupted by decentralized finance or De-Fi. For some, staying ahead of that disruption may mean embracing and deploying elements of De-Fi,” he said. “While the letter on the use of distributed ledger technology clarified NCUA’s position, it should be noted that the guidance is no substitute for thorough third-party due diligence. It is the credit union’s responsibility to ensure their decentralized finance platform and partners address security, authentication, and other risks.”
Hood: Many Threats, But Some Good News
NCUA Board Member Rodney Hood noted news reports have indicated credit unions in Florida, New Mexico and across Canada, among others, have been targeted in cybercrime attacks.
“In an interconnected world, we simply can’t take cybersecurity for granted,” Hood said. “October is Cybersecurity Awareness Month, which is a good time for credit unions and the NCUA to review cyber plans and procedures to ensure institutions are prepared to face a cyber event.”
Hood further noted that cybercriminal networks have evolved and become increasingly sophisticated, and that insider attacks pose a particular threat to financial institutions.
“The good news is that while the threats continue to grow and evolve, so does our ability to counter those threats,” said Hood. “Finally, open communication is critical. The NCUA board is considering a proposed rule requiring credit unions to report substantial cyber incidents within a reasonable period of time. Such requirements are not intended to punish credit unions or create a reporting burden, but to give us a better understanding of the frequency and severity of threats, so we can work with credit unions more effectively in developing responses.”
New Program
Hood also announced NCUA is building a cybersecurity career development program for high school and college students in order to create a “pipeline of talent,” not just in credit unions but across industry.
