
NCUA RELEASES CYBERSECURITY AND CREDIT UNION SYSTEM RESILIENCE REPORT

Wednesday, July 26, 2023

In late June 2023, NCUA released its “Cybersecurity and Credit Union System Resilience” report to the House and Senate committees as required by law. This is one of a number of required actions that all federal financial industry regulatory agencies have been mandated to perform as a part of the congressional legislation passed into law over the past five years on cybersecurity.

In previous Client Updates we have emphasized that NCUA is on a march to be quite activist in the cybersecurity arena. Their supervisory priorities for 2023 and 2024 have a significant section focusing on the cybersecurity preparations of credit unions.

Part of this is driven by these congressional mandates. But much of it is driven by the NCUA Board itself that has unanimously – and on a bipartisan basis – been outspoken about their concerns that credit unions think they are better prepared for a cyberattack than they truly are.

In fact, the NCUA Board has approved two final rules on cybersecurity within the past eighteen months. They have also included the development of a cybersecurity division with significant staff in the NCUA budget for the next two years.

This cybersecurity report is another indication that this issue is on “high alert” at NCUA and will therefore be an absolute exam focus in the credit union exams you will face in the next few years.

The following link takes you to the “Cybersecurity and Credit Union System Resilience” report:

https://ncua.gov/files/publications/regulation-supervision/cybersecurity-credit-union-system-resilience-2023.pdf

From my earlier Client Updates on this subject, several of you have asked if we at Dollar Associates have a checklist of the types of things a sound, solid and exam-proof cybersecurity program at a credit union should include.

We are not cybersecurity experts and, therefore, we are not the best source to develop such a checklist. And I’m not sure there is any checklist that could make your credit union “exam proof” with all of the emphasis this issue is receiving at NCUA these days.

However, we have come across a checklist that has been developed and published by a firm with which we have done some regulatory work and have confidence in their credentials in the cybersecurity arena.

SEI is an international Fortune 500 company that has developed and published, through its SEI Sphere division, one of the most robust cybersecurity platforms in the market today. They work with all types of multi-national corporations, from insurance to technology to financial services to industry to utilities to agriculture.

They began offering their cyber programs in the credit union space a few years ago. Aware of the increased regulatory focus on cybersecurity, they hired us a couple of years back to help them ensure their compliance and to make sure their product would meet the growing expectations of credit union regulators.

While working with them, we found that they had developed a checklist that seemed to us to be a very solid tool for any business – but particularly a credit union – to use in self-evaluating whether it should indeed declare that it “feels good” about its cybersecurity program.

Understand that we are not on their sales team and recognize that you may or may not do business with them. But we asked SEI for permission to share their checklist with our credit union clients. They told us that we could do so with no strings attached. Naturally, they feel they have the best program in the overall cyber market and would like to have a greater presence in the credit union space.

That said, the fact that they offer cybersecurity products to credit unions does not make their checklist any less valid in our view. In fact, several of our clients have found it helpful to spur discussions at their credit unions about where they stand on cybersecurity heading into their next exam. So, look it over and see if there might be value for your credit union. It may well serve to give a credit union a much greater sense of confidence in its existing program. Or it may lead a credit union to do some more due diligence to find other avenues to strengthen its cybersecurity.

Either way, we found it to be a very good checklist. We thought we would respond to the request from so many of you for a cyber checklist by providing you access to this one from SEI as one worthy of consideration in your credit union’s cybersecurity “self-evaluation” process.

If nothing else, it can be used as a part of your ongoing due diligence process to show your examiner that you are not just sitting back with your fingers crossed when it comes to cybersecurity.

A link to the SEI checklist is provided below:

https://www.seic.com/sites/default/files/2023-07/SEI%20Sphere%20CU%20Checklist.pdf

In particular, I call your attention to checklist items number two, number six and number eight. Clients who have had NCUA exams thus far in 2023 tell us that these three areas are in the sights of examiners and were areas of focus in their credit union exams.

Where data is stored and who has access to it, as specified in checklist item number two, has been an area of focus for examiners. Likewise, there has been a lot of emphasis on number eight, which asks whether a credit union’s cybersecurity program is versatile and nimble enough to keep up with the sophistication of the ever-changing cyber threat world in which we live. NCUA fears that many programs do not keep up with emerging and not-yet-identified threats, even though they may be great at protecting against threats that have already been identified and built into the system.

And number six has been an area of examiner focus that has forced a lot of credit unions to make a real comparison of their existing cybersecurity programs against some of the more advanced systems being developed and enhanced every week, month and year.

There is a growing expectation from credit union examiners that a robust cybersecurity program should not only identify new cyber risks, but should also identify and stop cyber breach attempts in real time, 24/7, 365 days a year.

It is not enough today to have a program that identifies a potential breach and then sends an email telling the CIO at your credit union that he or she had better fix this hole. The examiners are looking for systems that identify the breach attempt, stop it and repair the hole automatically in real time.

Only a handful of the roughly 7,000 cybersecurity programs on the market today have this capability for real-time identification, protection and repair. Of course, there will be more over the course of time.

You may not need to change your provider and program, as they may already check all the boxes. Or you may need to supplement in some of the areas of focus. Or you may need to bring in a new provider and program after due diligence.

Either way, this is an area of focus for examiners that should likewise be a focus of yours.

Indications are that a congressional hearing is likely to be scheduled in both the House and Senate committees overseeing the financial regulatory agencies to add additional emphasis on this report, which is an annual requirement under the law now.

Anytime a congressional hearing is in play, regulators have their examiners focus on the subject of the hearing so that they can tell the members of Congress that they are on top of things.

Cybersecurity is the 2023 successor to Enron, Riggs Bank, Madoff, AIG and FTX as the focus of the ever-changing congressional attention span, which seems to go where the headlines are year by year.

And where Congress focuses, the regulatory and examination attention follows.

Until next time.

Dennis Dollar