CYBER SECURITY PRIORITY AT NCUA – AN INTERVIEW IN A RECENT BLOG
Monday, May 1, 2023
As you are well aware, cyber security is a major supervisory priority at NCUA. Indeed, it has also become a regulatory priority: the NCUA Board has passed two cyber security rules unanimously over the past 24 months, and several more are likely to follow as the agency responds to congressional pressure to prioritize data protection at the credit unions it regulates.
NCUA has established a cyber security examination program as part of its supervisory priorities for the 2023-24 exam years. While the agency is hiring a number of cyber security subject matter experts directly onto the NCUA examination staff, it is relying primarily on outside contractors with cyber expertise to get this program up and running.
This is going to be a major emphasis at the agency and, because of that, it is naturally well on its way to becoming a high priority at the credit unions regulated and insured by NCUA.
More budget dollars will be required, and more fiduciary reporting to the Board of Directors will be required as well. Simply saying "we contracted for a firewall and an email monitoring program five years ago and we haven't yet had a breach of any significance" is not going to satisfy the examiners under this new focus.
There are, according to reports, over 7,000 firms offering cyber security protection products in the American business marketplace today. Credit unions are going to have to explain to their examiners why they are still using the cyber program they purchased in 2015 and have never shopped it against the alternatives.
Even if you are still using the same program, NCUA is going to want to see that you compared it with others for effectiveness and thoroughness – not just cost.
Every credit union should perform a documented due diligence analysis of its cyber security program and vendor at least biannually, and that documentation should be ready for the examiners. It will help carry the day by showing that your credit union is not just hoping the legacy system it has had for years is still current, but has validated that it is.
I’ve used the water heater analogy before when talking about cyber security.
As long as hot water comes out of the faucet when we turn on the handle, we don’t think about whether the water heater is fifteen years old, perhaps rusting and subject to a disastrous overflow at any time.
And we certainly don’t go shopping for the newest technology in water heaters such as tankless water heaters or one with greater efficiency.
It is only when the heater fails and leaves our basement flooded that we decide we need to look at a newer, more robust water heater.
Carry this analogy over to cyber security.
As long as we have not had a major leak, we assume our cyber protection program is working and meeting our needs. We don't look for more efficiency or an improved product. Why? The old one is working just fine.
Until it isn't. A major cyber incident will cost far more in corrective action and reputation damage than an enhanced system would have cost up front.
NCUA examiners are going to want to know that you have checked the water heater (your cyber security program) for rust, efficiency and maximum protection. They are not going to accept the reply that the water is still hot every morning when you turn on the faucet.
Of the 7,000 cyber security firms in the American market today, fewer than twenty are considered among the most robust. These are the layered programs in which a hacker has to be right more than once to reach the data; in the best of them, the hacker has to be right over a dozen times to get in.
And those best programs not only catch the hacker's intrusion attempt and stop it, they also fix the weakness in real time, 24/7, so that the same hole is not left open the next time.
Most cyber security programs stop most intrusions and then leave a report for your CIO to have his team fix the hole. Kinda like a dentist who identifies the cavity but doesn't fill the tooth: that's someone else's job.
Credit unions should look for the most robust program available in the cyber security arena and, although such programs are almost always more expensive, weigh whether that cost is less than what a major data breach would cost.
That all said, one of the nation’s leading cyber security firms, SEI Sphere, has an incredible educational blog that many credit unions follow.
Because we have done some regulatory work for SEI Sphere and because of my role as a former NCUA Chairman, they did an extensive interview with me several weeks ago about where NCUA regulation and supervision are headed in the cyber security arena.
I thought you might find the blog interesting. Therefore, below is a link to the blog and the interview. It might be worth putting in the hands of your compliance person and technology officer.
There may not be anything in there that you don't already know or that was not covered in this or previous Client Updates. But the exams our credit union clients are already seeing in 2023 clearly tell us that cyber security is not an area to be ignored in exam preparation.
It would be worth checking the water heater in the basement before your examiner goes down there to do so.
Until next time.
Dennis Dollar