NCUA's Cybersecurity and Credit Union System Resilience Report

Samantha: Hello, this is Samantha Shares. This episode covers the N C U A’s release of its Annual Cybersecurity and Credit Union System Resilience Report. The following is an audio version of that advisory and the report.

This podcast is educational and is not legal advice.

We are sponsored by Credit Union Exam Solutions Incorporated, whose team has over two hundred and forty years of National Credit Union Administration experience. We assist our clients with N C U A so they save time and money. If you are worried about a recent, upcoming or in-process N C U A examination, reach out to learn how they can assist at Mark Treichel DOT COM.

Also check out our other podcast called With Flying Colors, where we provide tips on how to achieve success with N C U A.

And now the report

Cybersecurity and Credit Union System Resilience Report, June 2024

MESSAGE FROM THE CHAIRMAN

On behalf of the National Credit Union Administration (N.C.U.A.), I am submitting our annual, statutorily required Cybersecurity and Credit Union System Resilience Report. This report summarizes the current cybersecurity threat landscape, highlights the agency’s key cybersecurity initiatives, and outlines the agency’s ongoing efforts to enhance cybersecurity preparedness and resilience within the credit union industry.

Throughout 2023, our nation—including its financial sector—has faced unprecedented challenges stemming from cyberattacks and other malicious activities targeting critical infrastructure. The credit union system, which serves more than 139 million Americans and plays a vital role in communities across the country, is not immune to these threats. In fact, in the face of an ever-evolving cybersecurity threat landscape, the need for ongoing vigilance in the credit union sector cannot be overstated.

The N.C.U.A. is committed to ensuring consistency, transparency, and accountability in its cybersecurity examination program and related activities. Further, over the last several years the N.C.U.A. has made major strides in promoting a culture of cybersecurity awareness and resilience among credit unions. Through targeted supervision completed using the N.C.U.A.’s recently implemented Information Security Examination program, the development of risk-assessment tools like the agency’s Automated Cybersecurity Evaluation Toolbox, the adoption of a cyber incident notification regulation in 2023, ongoing educational outreach, and grants to eligible credit unions, we have worked diligently to improve cybersecurity practices and mitigate risks.

Looking ahead, the N.C.U.A. remains committed to working closely with Congress, other regulatory agencies, industry stakeholders, and other partners to strengthen cybersecurity defenses and ensure the resilience of the credit union system. To that end, I respectfully ask for this Committee’s support in restoring the N.C.U.A.’s vendor authority over third-party service providers. This regulatory blind spot has already had a negative impact on the industry. For example, last year’s third-party core service provider ransomware disruption affecting 60 small credit unions illuminated the N.C.U.A.’s challenges as it tried to mitigate issues on behalf of impacted credit unions and their member-owners. Moreover, independent entities such as the Government Accountability Office, the Financial Stability Oversight Council, the N.C.U.A.’s Office of Inspector General, and a growing number of credit unions have identified this deficiency as a significant obstacle to the N.C.U.A.’s mission to safeguard credit union members and the financial system. All of them have recommended that Congress provide the N.C.U.A. with this authority.

Besides giving credit union members the same protection as bank customers, this sensible statutory change would significantly improve supervisory oversight and bolster our ability to mitigate cybersecurity risks, ultimately enhancing the credit union system’s overall security posture and the protection of critical infrastructure in the United States more broadly.

As we seek to strengthen our cybersecurity resiliency, I want to express my gratitude for your continued support and engagement on this critical issue. Together, we can confront the challenges posed by cybersecurity threats and uphold the safety and soundness of the credit union system for generations to come.

Sincerely,

Todd M. Harper
Chairman
National Credit Union Administration

INTRODUCTION

This report details the measures taken to strengthen cybersecurity within credit unions and the N.C.U.A., per the Consolidated Appropriations Act, 2021.[1] This report:

• outlines the N.C.U.A.’s policies and procedures to address cybersecurity risks and activities to ensure their effective implementation;

• discusses cybersecurity resilience within the credit union system, including the N.C.U.A.’s key initiatives to enhance cybersecurity preparedness among credit unions, such as targeted examinations, risk assessments, and educational and outreach efforts;

• describes current and emerging threats; and

• highlights the N.C.U.A.’s collaboration with other federal agencies, industry stakeholders, and cybersecurity experts to address emerging threats and promote a culture of cybersecurity awareness and resilience within the credit union industry.

As the digital and geopolitical landscapes continue to evolve, the threat of cyberattacks against critical infrastructure, of which financial institutions are a vital part, looms larger than ever before. In response to this growing challenge, the N.C.U.A. has undertaken a comprehensive examination of cybersecurity resilience within the credit union system through its Information Security Examination (ISE) program.

As a member of the Federal Financial Institutions Examination Council (FFIEC) and the Financial and Banking Information Infrastructure Committee (FBIIC), the N.C.U.A. collaborates with other regulatory agencies to develop and implement cybersecurity policies and standards across the financial industry. In addition, the N.C.U.A. Chairman serves as a voting member of the Financial Stability Oversight Council (FSOC). The FSOC identifies and responds to threats to the stability of the financial system. The chairman’s position on this body underscores the N.C.U.A.’s integral role in safeguarding the overall financial stability of the nation.

The credit union system relies extensively on third-party vendors to operate and deliver key member services. The N.C.U.A. lacks statutory authority over third-party vendors, which hinders the agency’s ability to examine and address cybersecurity risks in the credit union system. As a result, the credit union system—which more than a third of the American public uses for basic financial services—remains particularly vulnerable to cybersecurity threats to third-party vendors that provide essential services. Because of this regulatory blind spot, the N.C.U.A. cannot manage or measure threats within its regulated entities, nor can it warn other government regulators or the Cybersecurity and Infrastructure Security Agency (CISA) of threats the N.C.U.A. may identify that may be first used in the credit union system.

By examining the current state of cybersecurity within the credit union system and identifying areas for improvement, this report aims to provide valuable insights and recommendations for enhancing the security and stability of credit unions nationwide. It underscores the N.C.U.A.’s ongoing commitment to protecting the financial well-being of credit union members and upholding the integrity of the broader financial system in the face of cybersecurity threats.

[1] Pub. L. No. 116–260, 134 Stat. 2173 (Dec. 27, 2020).

POLICIES & PROCEDURES

Information Security and Cybersecurity Regulations

Per the Gramm-Leach-Bliley Act, the N.C.U.A. Board established standards for federally insured credit unions relating to administrative, technical, and physical safeguards for credit union member records and information. These standards are incorporated into the N.C.U.A.’s regulations at 12 Code of Federal Regulations (C.F.R.) part 748, Appendix A, Guidelines for Safeguarding Member Information.

In February 2023, the N.C.U.A. Board approved a final rule that requires federally insured credit unions to notify the N.C.U.A. as soon as possible, and within 72 hours, after a credit union reasonably believes that a reportable cyber incident has occurred. Under this rule, federally insured credit unions must report a cyber incident that (1) results in a substantial loss of confidentiality, integrity, or availability of a network or member information system(s) because of unauthorized access to or exposure of sensitive data, (2) disrupts vital member services, or (3) causes a serious impact on the safety and resiliency of operational systems and processes. This rule became effective September 1, 2023.

From September 1, 2023, through May 1, 2024, credit unions reported 892 cyber incidents. Approximately 73 percent of all reported incidents were related to the use or involvement of a third party.

Information Security Examination Program

The N.C.U.A. regularly examines all federally insured credit unions.[2] At each examination, the N.C.U.A. performs an information security review using the ISE program. The ISE program uses a risk-focused, scalable approach to examine credit unions’ information security programs, which provides examiners the flexibility to focus on areas of current or potential material risk relevant to each credit union’s unique business model.

• ISE Program. The objectives of the ISE program include:

o Evaluating management’s ability to recognize, assess, monitor, and manage information technology (IT) and systems-related risks;

o Assessing whether the credit union has sufficient expertise to adequately plan, direct, and manage information systems and technology operations;

o Evaluating the adequacy of internal information systems and technology controls and oversight to safeguard member information; and

o Determining whether the board of directors is providing adequate governance over information systems and security.

The N.C.U.A. began using its ISE procedures in early 2023. The ISE procedures were designed to be scalable to enable examiners to tailor the examination based on asset size and complexity, standardize the examination of a credit union’s information security and cybersecurity program, and enhance the identification of control deficiencies and trends at the industry level. The ISE procedures also provide examiners and credit unions with a well-structured examination workflow.

The ISE procedures are focused on N.C.U.A. regulations 12 C.F.R. parts 748 and 749 and align closely with the Automated Cybersecurity Evaluation Toolbox (ACET) maturity assessment application provided by the N.C.U.A. that credit unions can voluntarily use to conduct a cybersecurity maturity assessment. The ISE also references guidance from the N.C.U.A. and the FFIEC, as well as other industry-accepted best practices and security frameworks from the National Institute of Standards & Technology (NIST), the Center for Internet Security, and CISA.

• Credit Union Service Organization (CUSO) Reviews. A CUSO is an entity in which at least one federally insured credit union has an ownership interest or to which it has extended a loan, and which primarily provides products or services to credit unions or members of credit unions. The N.C.U.A. periodically performs reviews of CUSOs. While the N.C.U.A. has access to the “books and records” of a CUSO, the N.C.U.A. lacks direct authority over CUSOs. CUSOs, therefore, may reject any of the N.C.U.A.’s recommendations that result from a review, including those recommendations related to cybersecurity. As noted in the Chairman’s statement at the start of this report and explained more fully below, the restoration by Congress of the N.C.U.A.’s vendor authority powers to examine and supervise third-party vendors, including those CUSOs subject to cybersecurity risks, would close this regulatory blind spot and better protect our financial system and economy.

[2] The N.C.U.A.’s examination frequency for federal credit unions is based on risk but generally may not extend more than 20 months from the previous examination. Federally insured, state-chartered credit unions are primarily examined by the applicable state regulator, with participation from the N.C.U.A. based on risk, but no less than every 5 years.

ACET Maturity Assessment

The ACET maturity assessment is a voluntary tool provided and maintained by the N.C.U.A. that allows credit unions to determine the maturity of their information security programs. The ACET incorporates appropriate cybersecurity standards and practices established for financial institutions. It also maps each declarative statement to best practices found in the FFIEC IT Examination Handbook, regulatory guidance, and leading industry standards like the NIST Cybersecurity Framework.

The FFIEC IT Handbook Infobase offers various resources, from IT booklets and work programs to information on IT security-related laws, regulations, and guidance. Financial institutions can use these booklets to align their information security and cybersecurity practices with the FFIEC guidelines.

Information Technology & Cybersecurity Supervisory Guidance

Since June 2023, the N.C.U.A. has issued the following cybersecurity alerts and notices to help protect federally insured credit unions from cybersecurity exposures:

• ATM and Interactive Teller Machine (ITM) Skimming and Shimming Activities. Skimming and shimming fraud involves capturing card information using unauthorized devices. Since September 2023, 44 incidents were reported to the N.C.U.A., peaking in February 2024. The N.C.U.A. provided cybersecurity guidance and alert notifications reminding credit unions to conduct inspections, install anti-skimming devices, enhance surveillance, educate members, monitor transactions, and update software.

• Current Geopolitical Events Increase Likelihood of Cyberattacks on Financial Institutions. Due to evolving geopolitical events, the likelihood of cyberattacks on U.S. financial institutions has increased. The N.C.U.A., CISA, and the Federal Bureau of Investigation (FBI) encouraged credit unions to adopt heightened awareness, reassess business continuity plans, and review CISA’s recommendations to reduce the risk of compromise. Anecdotal warnings from some credit unions indicate that information technology and cybersecurity service providers sometimes have services originating in a foreign country; a significant risk the N.C.U.A. cannot manage or measure because the agency does not have third-party vendor authority.

• Business Email Compromise. Business email compromise attacks targeted credit unions, involving compromised or spoofed email accounts used to initiate fraudulent transactions. The N.C.U.A. provided credit unions with cybersecurity guidance and alert notifications to enable multi-factor authentication (MFA), educate employees, use anti-malware and email filtering software, verify financial transactions, and back up data regularly.

• Compromise at an ATM Provider. A third party experienced a cybersecurity attack potentially compromising systems. Credit unions relying on this vendor were advised to assess the impact, activate incident response teams, enhance monitoring, communicate with members, and comply with regulatory obligations. The N.C.U.A. subsequently learned the third party experienced a ransomware attack affecting internal systems and some ITMs and ATMs. The incident was contained, and the vendor worked with the FBI. The N.C.U.A. sent an updated notice to credit unions advising them to maintain communication with the vendor, consult cybersecurity experts, and visit CISA’s ransomware resources. This incident is an example of an unnecessary burden potentially placed on credit unions during a crisis when vendors deny N.C.U.A.-requested information on a cybersecurity event. If the N.C.U.A. had third-party vendor authority, the agency could compel information directly from the service provider, relieving impacted credit unions of this burden, and potentially share valuable tactics, techniques, and procedures information with other federal and state regulatory agencies to ensure a whole-of-government approach to protecting critical infrastructure in the United States.

• File Transfer Solution Zero-Day Exploitation by Threat Actors. A zero-day vulnerability in a managed file transfer solution was actively exploited. The vendor released an emergency patch, and credit unions using its software were advised to apply the patch, implement access controls, and avoid exposing the administrator console to the internet. When zero-day exploitations occur in third-party service provider operated systems, the N.C.U.A. cannot ascertain the risk to the system because of the lack of vendor authority. The N.C.U.A. also cannot warn other federal or state regulators about the threat, which may also be used within other critical infrastructure regulated entities, because the agency does not have third-party vendor authority.

• Recent Uptick in Cyberattacks Against Credit Unions and Third-Party Service Providers. Cyberattacks against credit unions and service providers increased, including incidents with a web application. Credit unions were advised to patch vulnerabilities, implement MFA, train employees, deploy email security measures, develop incident response plans, assess vendor risks, segment networks, maintain data backups, and monitor security updates.

• MFA Vulnerabilities and Mitigations for Credit Unions. Credit unions were reminded that MFA methods could be bypassed through phishing, social engineering, Subscriber Identity Module (SIM) swapping, man-in-the-middle, and brute-force attacks. Credit unions were advised to educate users, use strong MFA methods, implement risk-based authentication, monitor suspicious activities, update software, and segment networks. Anecdotal warnings from some credit unions indicate that some third-party service providers do not utilize basic cybersecurity practices such as MFA; a significant risk the N.C.U.A. cannot manage or measure because the agency does not have third-party vendor authority.

• Phishing Attacks Targeting Credit Unions. Credit unions were targeted by phishing schemes spoofing N.C.U.A. addresses, asking recipients to complete a web form to avoid email suspension. Recipients were advised not to click on links and to delete such emails. Preventative measures included being cautious of unsolicited contacts, not revealing personal information via email, verifying requests directly, and maintaining anti-virus software and email filters. When phishing attacks occur at third-party service providers, unless the affected provider volunteers information to the N.C.U.A., the agency cannot manage or measure the risk to the system because the agency does not have third-party vendor authority.

Agency Cybersecurity Program

The N.C.U.A. Board has established a low-risk appetite for technology and information management for operational IT and IT systems.[3] Additionally, the N.C.U.A. must comply with mandatory security standards for federal information and information systems and must meet these minimum information security requirements by using security and privacy controls recommended by NIST and the Federal Information Security Modernization Act (FISMA).[4][5] The N.C.U.A. implements applicable statutes, regulations, and standards using the NIST Risk Management Framework and adherence to NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.[6] The N.C.U.A. complies with binding operational directives, emergency directives, and cybersecurity coordination, assessment, and response directives issued by CISA.

The N.C.U.A. documents, categorizes, and authorizes all information systems in the agency, including internally hosted federal systems, contractor-hosted systems, and services provided by other third parties. The N.C.U.A. is adopting a zero-trust security model based on the principle of maintaining strict access controls. As part of system authorization, the N.C.U.A. considers:

• information types, assets, and systems;

• the roles and privileges of those who manage and operate them; and

• the interconnection of systems and data.

Based on information and system sensitivity, the N.C.U.A. selects and implements the security controls necessary to protect the confidentiality, integrity, and availability of the organizational systems and critical infrastructure. The security control implementation statements are documented, reviewed, and tested to ensure they produce the desired outcome. Once authorized, systems are continuously monitored using automated and manual processes with regular testing of controls to validate their continued efficacy. System authorization data is stored in the N.C.U.A.’s governance, risk, and compliance repository, which aggregates and analyzes enterprise information security risk information. This provides seamless reporting to N.C.U.A.’s senior management and CISA.

In addition to technology, the N.C.U.A. strengthens information security by designing and disseminating fully developed agency-wide and program-specific policies and procedures to establish appropriate practices for collecting, securing (data is encrypted in transit and at rest), retaining, and destroying data. These policies and procedures are based on applicable requirements in information security laws, or are otherwise mandated by NIST, the Office of Management and Budget, CISA, or the National Archives and Records Administration.

[3] N.C.U.A. Risk Appetite Statement (October 20, 2022). The risk appetite for technology and information management for operational IT and IT systems is “averse.”

[4] FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

[5] NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

[6] In addition to NIST standards and guidelines, the N.C.U.A. is subject to federal statutes such as the Federal Information Security Modernization Act of 2014, the E-Government Act of 2002, the Privacy Act of 1974, and various Office of Management and Budget policies and guidance concerning federal information management and privacy.

ACTIVITIES TO ENSURE EFFECTIVE INFORMATION TECHNOLOGY SECURITY

Appointing Qualified Staff

The N.C.U.A. has hired staff focused on cybersecurity and privacy. IT security staff include cybersecurity operations and incident responders, cloud security architects, application security architects, and network security engineers. In addition, the agency uses contract staff with specialized skills to support its work in the areas of:

• Computer forensics;

• Defensive cyber operations;

• Malware analysis and mitigation;

• Security information and event management;

• Configuration management;

• Threat hunting; and

• Incident handling and response.

The N.C.U.A.’s Enterprise Risk Management Council, Cybersecurity Council, and IT Oversight Council are composed of senior executives within the agency with diverse backgrounds, including information technology and security, and are tasked with monitoring, measuring, managing, and prioritizing risks and related investments, including IT security. These internal agency councils meet as often as monthly and are briefed regularly on cybersecurity matters that relate to credit unions, financial services, or the agency.

The N.C.U.A. also has staff with the requisite national security clearances to support the dissemination of classified information to appropriately cleared staff members on a need-to-know basis, as well as to other federal agencies to share relevant information that may be used to warn of or proactively mitigate threats in their regulated entities.

The Chief Information Officer, the Senior Agency Information Security/Risk Officer, and the Senior Agency Official for Privacy collaborate to ensure compliance with regulations and drive security performance. An executive-level Cybersecurity Advisor and Coordinator position was established in 2021 to organize, coordinate, and advise on cybersecurity and critical infrastructure matters across all N.C.U.A. offices. The Cybersecurity Advisor and Coordinator provides advice directly to the N.C.U.A. Board and senior leadership on cybersecurity matters.

N.C.U.A. Staff Training

• All Staff. All agency staff receive general and role-based training on information security and cybersecurity at least annually. This training addresses staff’s legal, reputational, and ethical obligations to protect sensitive information. The N.C.U.A. provides mandatory privacy and security awareness training to all N.C.U.A. system users. The training addresses appropriate information security practices, rules of behavior for access and use of data systems, responsibilities for protecting personally identifiable information, and ethics rules prohibiting unauthorized information disclosures. Staff are trained on policies regarding:

o Collecting information necessary to perform their planned review;

o Collecting information in a secure manner using a hierarchy of secure methods that best suit the situation;

o Transferring and storing any sensitive information only where there is an identified, authorized need to retain such information, and in a manner consistent with agency instructions for handling sensitive information; and

o Destroying or returning all other non-public sensitive or personally identifiable information after the examination or review, per applicable laws.

• Staff with Elevated Access. Staff who have elevated access to systems or have management responsibility for systems and data take mandatory role-based training. For N.C.U.A. staff serving in cybersecurity roles, individual development plans are developed collaboratively with managers to build domain-specific skills.

• Field Staff. The N.C.U.A.’s training for examiners and others that examine or supervise credit unions includes special training on the ISE program. The training program provides instruction on topics including N.C.U.A. regulations parts 748 and 749, agency guidance, and industry best practices related to measuring, monitoring, reporting, and controlling IT risks. Examiner training is designed to maintain and update knowledge of standards, tools, and practices to identify, detect, prevent, and mitigate IT and cybersecurity risks, threats, and vulnerabilities. This training includes classroom, online, and on-the-job training. The training is designed to specifically address competencies in the areas of IT, information security, and cybersecurity. The courses are designed to introduce ISE procedures and expand examiners’ understanding of cybersecurity concepts found in the FFIEC IT Booklets, NIST guidance, and industry best practices.

• Specialists. The N.C.U.A. has a cadre of examiners specially trained in IT security. These regional specialists and subject matter examiners have the technical knowledge and skills necessary to perform in-depth information security examinations for the more complex institutions. The N.C.U.A. has recently added the role of Director of Specialist Resources (DSR) in each of the N.C.U.A.’s three regions. The DSRs are tasked with overseeing the Regional Information Systems Officers and other specialists. These new supervisory positions facilitate better communication and coordination among N.C.U.A.’s cybersecurity teams and contribute to the formulation of policies and operational strategies that significantly impact the safety and soundness of the credit union system. The addition of the DSR role reflects the agency’s proactive approach to cybersecurity management and aligns with its broader goals of protecting the interests of credit union members while promoting systemic financial stability. The N.C.U.A. also has specialized personnel in the Office of Examination and Insurance to develop and maintain examination policies and tools, supervisory guidance, and examiner training.

Credit Union Training and Support

The N.C.U.A.’s Office of Credit Union Resources and Expansion provides training for credit unions. The N.C.U.A. maintains an online system available to credit unions at no cost with over 200 courses available on various topics, including information security. This office also hosts webinars that deliver timely and meaningful information to help credit union professionals stay current on relevant topics affecting the credit union community. These webinars provide credit union management with important information on how to protect their credit unions and members. The N.C.U.A. provides credit unions additional resources through its website and by offering technical assistance grants and low-interest loans to low-income designated credit unions.

• ACET. As noted previously, the N.C.U.A. provides credit unions with free access to the ACET maturity assessment. This tool helps a credit union determine its risk exposure by identifying the type, volume, and complexity of the institution’s operations, and enables the credit union to assess the adequacy of corresponding controls. ACET is based on the U.S. Department of Homeland Security (DHS) Cyber Security Evaluation Tool. It provides a multitude of cybersecurity standards and other resources for a credit union to conduct self-assessments, including the Ransomware Readiness Assessment.

• NCUA.gov. The N.C.U.A. website provides cybersecurity resources for research and informational purposes. Specifically, the Cybersecurity Resources page centralizes and contains applicable references to N.C.U.A. regulations and guidance, federal government requirements and guidelines, information sharing, cybersecurity threats, best practices, and privacy and protection.

• Grants and Loans. The N.C.U.A. provides technical assistance grants and low-interest loans to support credit unions’ efforts to improve and expand service through the Community Development Revolving Loan Fund. Year after year, demand for this funding continues to exceed supply. During the 2023 grant round, the agency received 316 applications totaling more than $10.3 million, and awarded more than $3.5 million in technical assistance grants to 146 low-income-designated credit unions. Of that amount, 79 grants totaling nearly $800,000 were specifically earmarked for digital services and cybersecurity projects.

Agency Investment in
Information Technology Security

The N.C.U.A.

has invested significant
resources in prioritizing agency

cybersecurity resiliency and adopting
Zero-Trust Architecture (ZTA).

These investments are designed to
identify, deter, protect against, detect,

and respond to persistent and increasingly
sophisticated cyber campaigns.

The aim is to meet and exceed the
standards outlined in the latest

Office of Management and Budget
directives advocating for a robust

ZTA across federal agencies.

All basic user accounts
must use multi-factor,

certificate-based authentication
to access network resources.

Elevated privilege accounts (system and
network administrators and engineers)

are issued session-based credentials
with specific expiration timeframes.

To mitigate vulnerabilities, N.C.U.A. network
users remotely access network services and

resources protected by encrypted virtual
private network (VPN) tunnels.

Internal and external network
traffic is managed and monitored.

VPN connectivity on N.C.U.A. laptops
is mandatory for all users.

This system continually enforces
technical policies and ensures traffic

and data are encrypted and secure.

The N.C.U.A. uses a security information
and event management solution to

enhance visibility, investigative,
and remediation capabilities.

This solution provides insights,
automated analytics, and actionable

intelligence through correlation and
machine learning to efficiently identify

anomalous behavior in agency networks,
infrastructure, and applications.

The N.C.U.A. uses a threat intelligence
platform to automate threat analysis

and identify threat exposure.

This platform enables better
decision-making and improves

security capabilities to
reduce the risk of compromise.

In support of national efforts
to remove barriers to threat

information sharing, the N.C.U.A. leverages
automated indicator sharing from DHS.

The N.C.U.A. also leverages DHS’s Protective
Domain Name System and Trusted

Internet Connection 3.0 to enhance
cybersecurity analysis, situational

awareness, and security response in
internet traffic and connections.

To support cybersecurity resiliency
and mitigate risks resulting from

infrastructure failure, the N.C.U.A. has
redundant data center facilities that are

failovers for essential N.C.U.A.
network resources and services.

Essential public-facing web services
have been migrated to cloud-based

infrastructure to leverage both
inherent geographic dispersion and

infrastructure failure risk mitigation.

For critical business productivity and
collaboration client resilience, the N.C.U.A.

migrated to Microsoft’s Office
365 government cloud environment.

The N.C.U.A.’s approach to data
loss prevention limits local

downloading of business information;
however, when necessary due to

limited network connectivity, any
downloads are to centrally tracked

and managed encrypted devices.

For email data loss and exfiltration,
the N.C.U.A. uses a third-party technology

that monitors, notifies, logs, and prevents
business information from malicious and

inadvertent transfer to external email domains.

The N.C.U.A. uses Domain-based Message
Authentication, Reporting, and Conformance

(DMARC) to combat spam, phishing, and
spoofing of N.C.U.A. email domains.

To mitigate the risk of endpoint
malware-based data exfiltration,

the N.C.U.A. uses a robust real-time
Endpoint Detection and Response tool with

integrated open-source intelligence
feeds, creating opportunities

for malware auto-response at
the user and server endpoints.

The N.C.U.A. has enhanced the security of
mobile devices by hardening the devices

and implementing an adaptable mobile
security solution to detect and protect

against mobile threats, including
phishing, malicious mobile apps, device

compromise, and risky connections.

Finally, the N.C.U.A. evaluates new systems
and services to determine if they are

candidates for the Office of Management
and Budget’s Cloud Smart initiative.

As part of the initiative to move
to a ZTA and accelerate movement to

secure cloud services, the N.C.U.A. is
carefully evaluating the need for additional

investment in both technology and personnel.

Audits and Reviews of the
N.C.U.A.’s Cybersecurity Program

The N.C.U.A.’s Office of the Inspector
General (OIG) conducts independent audits,

investigations, and other activities
to verify the N.C.U.A.’s compliance

with applicable laws, regulations,
and standards, including those related

to privacy and information security, to
determine whether the N.C.U.A. effectively

implemented all appropriate
security and privacy controls.

There are five FISMA maturity levels,
and the N.C.U.A. was evaluated at

Maturity Level 4, “Managed and
Measurable,” as of fiscal year 2023.

This rating reflects that the N.C.U.A. implemented
an effective information security program

and substantially complied with
information security and privacy

practices, policies, and procedures.

In addition, as indicated in the financial
statement audits, the N.C.U.A. complies

with the requirements of the Federal
Managers’ Financial Integrity Act of 1982.

Credit unions and their members can
review OIG audit reports, semiannual

reports, and letters to Congress
on the N.C.U.A.’s OIG reports page.

N.C.U.A. senior leadership are briefed
on the status of open findings every

quarter, and resources are allocated
as appropriate to ensure mitigation.

Binding Operational Directive 18-02
requires the federal government to

identify high-value assets and submit to a
DHS-led assessment once every three years.

The N.C.U.A.’s General Support System was
assessed by a CISA-led team during the

week of February 26, 2024 – March 1, 2024.

After a review of the General Support
System documentation, an in-depth

technical exchange meeting with N.C.U.A.
subject matter experts, and a targeted

penetration test, CISA determined that
the N.C.U.A. has a thorough and

well-documented risk management program
that includes participation, involvement,

and awareness from the system level
up to senior leadership.

The N.C.U.A. received no critical
or high reportable findings.

The N.C.U.A. will continue to report
quarterly on the status and compliance

of its high-value assets.

Interagency Coordination Efforts

The N.C.U.A. coordinates with other federal
and state regulatory agencies to strengthen

cybersecurity, including the development
and dissemination of best practices

and sharing threat information.

Examples include the:

• FFIEC.

In particular, the N.C.U.A. participates on
the FFIEC’s Information Technology Subcommittee.

This group addresses information systems
and technology policy issues as they

relate to financial institutions and
their technology service providers.

The N.C.U.A. also participates on the
Cybersecurity Critical Infrastructure Subcommittee.

This group addresses policy
relating to cybersecurity, critical

infrastructure security, and the
resilience of financial institutions

and technology service providers.

• FSOC.

Because a weakness in the information
security of financial systems or data

could lead to an incident that could
potentially threaten the stability of

the U.S. financial system, cybersecurity
falls under the charge of FSOC.

In its 2023 annual report, FSOC
provides several cybersecurity related

recommendations focused on maintaining
and improving the cyber resilience

of the financial system, including that
Congress provide the N.C.U.A. with
third-party vendor authority.

• FBIIC.

The N.C.U.A. is one of the 18 FBIIC member
organizations from across the financial

regulatory community, both federal and state.

Through monthly meetings, staff
from FBIIC member organizations work

on operational and tactical issues
related to critical infrastructure

matters, including cybersecurity,
within the financial services industry.

The FBIIC also leads the financial
sector’s cybersecurity exercises, in

which the N.C.U.A. regularly participates.

• Financial Services Sector
Coordinating Council.

The N.C.U.A. collaborates and coordinates
with the private sector through the

Financial Services Sector
Coordinating Council (FSSCC).

The FSSCC works collaboratively with
key government agencies to protect the

nation’s critical infrastructure from
cybersecurity and physical threats.

The FSSCC is made up of more than
70 members from financial trade

associations, financial utilities,
and the most critical financial firms.

Through government relationships, the
FSSCC directly assists the sector’s

response to natural disasters.

• U.S. Department of the Treasury and CISA.

As a federal agency, the N.C.U.A. follows
CISA and the U.S. Department of the

Treasury’s direction during government-wide
incident response activities.

In addition, the N.C.U.A. identifies potential,
actual, and emerging threats, issues, or

challenges to analyze underlying causes and
develop innovative short- and long-term solutions.

This analysis supports the shaping of
the N.C.U.A.’s internal policies and

procedures related to cybersecurity,
critical infrastructure protection, supply

chain risks, national security, insider
threats, counterintelligence, continuity

of operations, and emergency response.

The N.C.U.A.’s staff also participate in
the following interagency initiatives:

o CISA security operations center
information and collaboration sessions;

o Treasury sector cybersecurity
collaboration and information sessions;

o The Federal Chief Information
Security Officer Council; and

o The Small Agency Chief Information
Security Officer collaboration forum.

Industry Efforts

Credit union participation in the
following initiatives reflects the credit

union system’s proactive engagement with
the broader information security community

to enhance cybersecurity and resilience.

• Information Sharing and Analysis
Centers & Organizations.

Credit unions actively participate
in the Financial Services Information

Sharing and Analysis Center (FS-ISAC),
where the financial sector shares

intelligence, knowledge, and practices.

The National Credit Union Information
Sharing and Analysis Organization was

established to tailor these efforts to the
unique needs of credit unions and provides

security coordination and collaboration
to identify, protect, detect, respond, and

recover from threats and vulnerabilities.

• Sheltered Harbor.

Composed of financial institutions,
core service providers, national

trade associations, alliance partners,
and solution providers dedicated to

enhancing financial sector stability
and resiliency, Sheltered Harbor

is a subsidiary of the FS-ISAC.

It developed standards to assist
financial institutions in preparing
for catastrophic events.

The standards are designed to help
institutions to plan for and recover

from catastrophic events, and to
be able to continue to provide

essential services until normal
operations can be reestablished.

• Hamilton Series Exercises.

The N.C.U.A. supports the Hamilton Series
exercises through its membership on the

joint FSSCC-FBIIC Exercise Committee.

These one-day exercises simulate
various cyberattack scenarios

to enhance cybersecurity threat
responses within the U.S. financial sector.

They also aim to improve public-private
coordination strategies by including

diverse participants from both sectors.7

• CISA Cyber Hygiene Services.

Over 200 credit unions have engaged
with CISA’s Cyber Hygiene Services

program, which offers vulnerability
scanning and web application

scanning to help institutions
mitigate cybersecurity threats.

7 https://www.fsisac.com/hubfs/Resources/FS-ISAC_ExercisesOverview.pdf

CURRENT & EMERGING THREATS

In today’s digital age, the financial
sector faces an increasingly

sophisticated array of cybersecurity
threats that demand vigilance.

The rapid evolution of technology,
coupled with escalating geopolitical

tensions, has expanded the
threat landscape significantly.

Financial institutions, including
credit unions, are particularly

vulnerable due to their increasing reliance
on technology and third-party service

providers that the N.C.U.A. has no
authority to examine, supervise, or regulate.

The N.C.U.A. remains concerned about the risks
cyberattacks pose to the financial system.

Cybersecurity risks grow as
threats evolve, become more

sophisticated, and cause greater
damage to a variety of industries.

Geopolitical tensions increase the
possibility of nation-states and

other sophisticated actors conducting
malicious cyberattacks against U.S. critical

infrastructure, of which credit
unions are a significant part.

To ensure the industry’s long-term
success, credit unions must deliver member

services using appropriate controls.

The evolving array of cybersecurity
threats that require continued

vigilance by credit unions include:

• Third-Party Risk.

Credit unions’ dependency on third-party
vendors and the integral nature of the

supply chain introduces considerable risk
as cyber actors continue to exploit the

vulnerabilities of third-party providers.

The absence of third-party vendor
authority limits the N.C.U.A.’s ability

to assess and mitigate potential
risks associated with these vendors.

Vendors typically decline examination
requests or refuse to implement

recommended actions, exacerbating
credit unions’ exposure to operational,

cybersecurity, and compliance risks
that can arise from these relationships.

Without visibility into these entities
and the authority to supervise and

enforce corrective actions, the N.C.U.A.
cannot effectively protect credit unions

and their member-owners or provide relevant
information to other federal and state

regulators about threats encountered
in the credit union industry.

Based on cyber incident reports submitted
by credit unions since September 1,

2023, compromises within third-party
services have led to systemic risks

across the credit union ecosystem.

In fact, incidents related to third-party
vendors accounted for approximately 73

percent of total reported incidents.

A recent cyber incident has underscored
the importance of the N.C.U.A. obtaining
vendor authority to address these risks.

On November 26, 2023, a major service
provider for the credit union industry

was targeted by a ransomware attack,
resulting in a prolonged service

outage that affected 60 credit unions.

This incident exposed significant
challenges in the agency’s ability

to respond effectively due to
the lack of vendor authority.

During the incident, the N.C.U.A. faced
substantial difficulties in obtaining

crucial information from third-party
vendors, which hindered response efforts.

Due specifically to the N.C.U.A.’s lack
of vendor authority, the agency encountered

delays in communication and an
inability to obtain data.

These obstacles could have been mitigated
if the N.C.U.A. had the authority to demand

timely and reliable information
from all relevant parties.

Moreover, the lack of vendor
authority also impacts the nation’s

critical economic infrastructure
and national security, as the

interconnectedness of financial services

expands with other industries
and national infrastructure.

Currently, more than one in three
Americans use a credit union for basic

financial services, and there are many
credit unions with fields of membership

that are tied to high-risk populations
such as congressional staff, the U.S.

military, the State Department, and
members of the U.S. Intelligence Community.

Many of these credit unions use
third-party service providers to

provide critical member services.

A sophisticated cyberattack against a
vendor can have measurable impacts on the

personnel who are critical to government
operations and national security.

By current estimates, roughly 90
percent (or approximately $1.9 trillion)

of industry assets are in some way
managed or affected by unregulated

third-party service providers.

• State-Sponsored Cyber Activities.

Over the past year, U.S. government
organizations, including CISA, the

National Security Agency, and the FBI
produced a joint advisory to alert the

public that cyber actors sponsored by the
People’s Republic of China are seeking to

pre-position themselves on IT networks for
disruptive or destructive cyberattacks against

U.S. critical infrastructure in the event
of a major crisis or conflict with

the United States or its allies.

This advisory was published following
months of observations and incident

response activities at U.S. critical
infrastructure organizations that had been compromised.

State-sponsored cyber activities
against critical infrastructure are

a real threat to the credit union
system—due, primarily, to the number

of Americans that can be impacted and
the resulting effects on the U.S. economy.

Along with CISA, the FBI, and the National
Security Agency, the N.C.U.A. has encouraged

credit unions of all sizes to adopt a
heightened state of awareness and to

proactively hunt threats to defend against this risk.

Additionally, the N.C.U.A. provided guidance
and resources to credit unions to assist

in mitigating this threat and specifically
recommended that credit unions report
cyber incidents to CISA.

The N.C.U.A. has also directed credit
unions to CISA’s Shields Up website for

additional guidance, reporting
options, and mitigation measures.

• Ransomware Attacks.

Ransomware is an increasingly
serious threat to credit unions.

Ransomware attacks continue across
all sectors, including the financial

sector, and have left victims without
the data they need to operate.

Over the past year, ransomware
attacks and payments have escalated

in frequency, scope, and volume across
all critical infrastructure sectors.

One of the primary causes of this sharp
growth is the increase in cyber actors

using ransomware to carry out attacks
and, in turn, profit from their actions.

Ransomware as a service is a cybercrime
business model in which a ransomware

group sells its code or malware to
other hackers, who then use it to

carry out their own ransomware attacks.

This has made it easier for bad actors
to carry out ransomware attacks.

Designed to help public and private
organizations defend against the rise in

ransomware cases, CISA’s StopRansomware
provides a whole-of-government approach

to tackle ransomware more effectively
and serves as one central location

for ransomware resources and alerts.

• Quantum Computing and Cryptographic Risks.

The U.S. government remains concerned with
the development and trajectory of quantum

information technologies and products
that could compromise existing encryption

and other cybersecurity controls
across critical infrastructure sectors.

• Artificial Intelligence
(AI)-enabled Attacks.

Generative AI creates new text,
images, video, and other content.

Generative AI has gone mainstream and
is increasingly being used by cyber

actors to create complex malware and
advanced social engineering attacks,

including phishing and spoofing.

By making these attacks more
effective, they are also

harder to detect and prevent.

In addition to generative AI being
used for initial attack vectors,

it can also amplify threats once
an initial breach has occurred.

AI tools can be used to
modify code at scale, quickly

giving control to attackers.

These tools can also be trained on
a dataset of known vulnerabilities

and used to automatically generate
new exploit code to target multiple

vulnerabilities in rapid succession.

Cyber actors can also use generative
AI to scan massive amounts of company

data, summarizing it to identify
employees, relationships, and assets,

potentially leading to further
social engineering attacks via user

impersonation, blackmail, or coercion.

However, generative AI is not used
exclusively by bad actors—organizations

are increasingly using the same technology
to build better cybersecurity defenses.

The evolving nature of cybersecurity
threats demands a dynamic and

informed response strategy from
both credit unions and the N.C.U.A.

By focusing on third-party
vulnerabilities, geopolitical risks,

advanced cybercrime tactics, and
by maintaining robust communication

channels, credit unions can enhance
their resilience against a broad

spectrum of cybersecurity threats.

This integrated approach not only
addresses current threats but also

positions the credit union sector to adapt
to future challenges, ensuring long-term

security and operational success.

CONCLUSION

The N.C.U.A. is committed to fortifying
cybersecurity resilience within the

agency and the credit union system.

Through targeted examinations,
comprehensive risk assessments,

and robust educational outreach
initiatives, the N.C.U.A. is working

diligently to strengthen cybersecurity
practices and mitigate potential

vulnerabilities across the industry.

Within the limits of its current statutory
authorities, the N.C.U.A. remains proactive

in furthering effective IT security
within the credit union system.

By leveraging partnerships with other
federal agencies, industry stakeholders,

and cybersecurity experts, the N.C.U.A.
continues to foster a collaborative

environment conducive to information
sharing and coordination.

This collaborative approach enables the
N.C.U.A. to stay abreast of current and

emerging threats, enhancing its ability to
anticipate and respond effectively to
cybersecurity risks.

However, challenges persist,
particularly concerning the lack of

authority over third-party vendors.8
The reliance of credit unions on

third-party vendors for essential
services exposes them to additional

cybersecurity risks and is a growing
regulatory blind spot for the N.C.U.A.

As the digital landscape continues to
evolve, the N.C.U.A. remains committed

to adapting its cybersecurity approach to
effectively address emerging threats and challenges.

By remaining vigilant and proactive,
the N.C.U.A. aims to defend the security

and stability of the credit union system,
promote the financial well-being of

credit union members, and safeguard
the integrity of the broader financial

system for generations to come.

In order to achieve these worthy goals,
the N.C.U.A. will continue to request

that Congress provide the long overdue
ability for the N.C.U.A. to supervise and

examine third-party service providers
in the credit union industry.

This authority is needed to manage,
measure, and proactively mitigate risks

within the credit union system, and to be
able to share relevant information with

government partners to add to the whole of
government approach to protecting critical

infrastructure in the United States.

8 Independent entities such as the
Government Accountability Office, the

Financial Stability Oversight Council,
and the N.C.U.A.’s Office of Inspector

General have identified this deficiency
as a significant obstacle to the

N.C.U.A.’s mission to safeguard credit
union members and the financial system.

All of them have recommended that Congress
provide the N.C.U.A. with this authority.

This concludes the NCUA Letter to
credit unions on Annual Cybersecurity

and Credit Union System Resilience Report

If your credit union could use assistance
with your exam, reach out to Mark Treichel

on LinkedIn, or at Mark Treichel dot com.

This is Samantha Shares and
we thank you for listening.
