NCUA Chair Outlines Steps Agency Has Put in Place, Has Plans for Dealing With Cyberthreats

SAN DIEGO–NCUA Chairman Todd Harper told credit union leaders at the CUNA/NASCUS Cybersecurity Conference here that the agency has put numerous resources in place to help reduce cyberthreats and is moving forward, including in concert with other agencies, on additional steps to do the same.

After sharing the wry observation by Robert Morris, the former cryptographer and computer scientist with the National Security Agency, that the three golden rules to ensure computer security are do not own a computer, do not power it on and do not use it, Harper said the takeaway isn’t that defending against cyberthreats is futile, but instead that there is an urgent need to stay ahead of bad actors who perpetrate cyberthreats against credit unions.

As he has noted in earlier remarks, Harper told credit unions here that all the various iterations of cyberattacks and data breaches are the issues that really keep him up at night, including phishing and its variant, smishing, which use email, text messages, and malicious websites and attachments to infect systems and extract personal information by posing as a trustworthy entity.

“Like other regulators in the financial services sector, the NCUA has received increased reports of cyberattacks through phishing, exploitation of remote access vulnerabilities, and other social engineering methods,” Harper said.

In response, he said NCUA has participated in daily calls led by the Treasury Department and the Financial Services Information Sharing and Analysis Center since the onset of the pandemic.

State-supported actors have only made the threats more difficult, he added, citing Russia’s war in Ukraine as exacerbating the challenges to CUs.

The Inside Threat

And then there is the other threat, according to Harper.

“The likelihood of threats adversely affecting credit unions and consumers is not only rising because of advances in financial technology and increases in the use of remote workforces and mobile technology for financial transactions, but also because of a lack of cybersecurity awareness, obsolete information technology infrastructure, and cybersecurity policies and procedures,” the NCUA chairman said. “While the U.S. government has not yet detected specific cyber operations directed at the financial sector or our credit union ecosystem, it has observed ‘preparations’ that include scanning websites and probing for known vulnerabilities.”

Harper said NCUA has continued to provide guidance and resources to credit unions to assist in mitigating the threats, and reminded attendees that when attacks, breaches, or other suspicious activity occur, credit unions and their vendors should report these cyber incidents to their NCUA examiner, the FBI’s Internet Crime Complaint Center at www.ic3.gov, and the Cybersecurity and Infrastructure Security Agency at report@cisa.gov.

Harper reminded attendees that all of the resources, links and more can be found at the agency’s online cybersecurity resource center, available at www.ncua.gov/cybersecurity.

Other Points Made

Other points made by Harper to the CUNA/NASCUS meeting included:

  • NCUA continues to encourage credit unions to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET for short.
  • As part of its 2022 Community Development Revolving Loan Fund grant round, NCUA is providing eligible low-income credit unions with up to $10,000 in funding to modernize their information technology systems against cyberattacks.
  • While the interconnectedness of the credit union system could be targeted for attack, it can also be “used to the system’s advantage. Sharing information and accountability is vital to the credit union system’s cyber resilience.”
  • Keeping cybersecurity top of mind is necessary as cyberattacks continue to evolve in sophistication and scope. “Among the most cost-effective measures is adopting best practices in cyber hygiene across the credit union system.”
  • Credit unions must ensure software applications are updated, devices and data are encrypted, and data are backed up frequently.
  • Credit union employees must also be current on the latest threat developments through ongoing education and refresher training, so they will know what to look out for and how to implement appropriate cyber hygiene measures.
  • In 2020, the agency began piloting the Information Technology Risk Examination for Credit Unions, also known as InTREx-CU. InTREx-CU sought to harmonize the IT and cybersecurity examination procedures shared by the FDIC, Federal Reserve, and state supervisory agencies.
  • There are currently three work program levels of the ISE in testing. The first is the ISE Small Credit Union Examination Program for credit unions with less than $50 million in assets. The second program, known as the ISE Core, is for risk-focused examinations of credit unions greater than $50 million in assets. The third program, known as ISE Core Plus, provides a risk-focused examination for credit unions that need expanded reviews and deeper dives into specific operational areas and security controls.
Copyright Holder: CUToday.info
Copyright Year: 2026