WEBVTT

NOTE
This file was generated by Descript 

00:00:00.480 --> 00:00:02.320
Samantha: Hello, this is Samantha Shares.

00:00:02.920 --> 00:00:06.250
This episode covers the National
Credit Union Administration's

00:00:06.250 --> 00:00:10.610
Letter to credit unions 24 dash
C U 2, titled Board of Director

00:00:10.610 --> 00:00:12.830
Engagement in Cybersecurity Oversight

00:00:13.620 --> 00:00:16.020
The following is an audio
version of that letter.

00:00:16.590 --> 00:00:19.770
This podcast is educational
and is not legal advice.

00:00:20.250 --> 00:00:24.240
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:24.240 --> 00:00:27.310
team has over two hundred and
forty years of National Credit

00:00:27.310 --> 00:00:29.210
Union Administration experience.

00:00:29.740 --> 00:00:33.380
We assist our clients with N C
U A so they save time and money.

00:00:33.800 --> 00:00:37.780
If you are worried about a recent,
upcoming or in process N C U A

00:00:37.780 --> 00:00:42.200
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:42.720 --> 00:00:47.060
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:47.060 --> 00:00:49.620
on how to achieve success with N C U A.

00:00:50.382 --> 00:00:51.252
And now the letter.

00:00:52.018 --> 00:00:55.008
Board of Director Engagement
in Cybersecurity Oversight

00:00:55.819 --> 00:00:56.099
To

00:00:56.816 --> 00:00:58.776
Federally Insured Credit Unions

00:00:59.378 --> 00:00:59.968
Subject

00:01:00.644 --> 00:01:01.554
Cybersecurity

00:01:02.287 --> 00:01:05.357
Dear Boards of Directors and
Chief Executive Officers:

00:01:06.084 --> 00:01:09.514
The frequency, speed, and
sophistication of cyberattacks have

00:01:09.514 --> 00:01:11.344
increased at an exponential rate.

00:01:11.974 --> 00:01:15.994
Foreign adversaries and cyber-fraudsters
continue to target all sectors of

00:01:15.994 --> 00:01:19.284
our nation's critical infrastructure,
including credit unions and

00:01:19.334 --> 00:01:21.024
other financial institutions.

00:01:21.504 --> 00:01:26.704
From September 1, 2023, the effective
date of the N C U A's cyber incident

00:01:26.704 --> 00:01:31.814
notification rule, through August
31, 2024, federally insured credit

00:01:31.814 --> 00:01:34.744
unions reported 1,072 cyber incidents.

00:01:35.014 --> 00:01:39.074
Seven out of ten of these cyber incident
reports were related to the use or

00:01:39.074 --> 00:01:41.024
involvement of a third-party vendor.

00:01:41.780 --> 00:01:45.000
A recent ransomware attack on a
credit union has been attributed

00:01:45.000 --> 00:01:48.680
to malvertising, a relatively new
cyberattack technique that injects

00:01:48.680 --> 00:01:50.700
malicious code within digital ads.

00:01:51.190 --> 00:01:54.970
For this type of attack to work, the user
doesn't even have to physically click on

00:01:54.970 --> 00:01:57.080
a link for the system to become infected.

00:01:57.640 --> 00:02:01.780
Instead, a simple internet search can
result in malvertising that exploits the

00:02:01.780 --> 00:02:03.940
vulnerabilities in an internet browser.

00:02:04.350 --> 00:02:08.550
Credit union cybersecurity teams should
focus on standardizing and securing

00:02:08.550 --> 00:02:12.890
web browsers and deploying ad blocking
software to protect against this threat.

00:02:13.700 --> 00:02:17.760
Given the proliferation of sophisticated
information security threats and the

00:02:17.760 --> 00:02:22.320
importance of safeguarding the assets and
information of your members, the N C U

00:02:22.320 --> 00:02:27.080
A urges credit union boards of directors
to prioritize cybersecurity as a top

00:02:27.120 --> 00:02:29.250
oversight and governance responsibility.

00:02:29.700 --> 00:02:33.610
Credit union board directors like you
must ensure that a credit union's senior

00:02:33.610 --> 00:02:38.210
leadership is highly focused on managing
cyber risks and that your credit union

00:02:38.210 --> 00:02:42.670
has the necessary resources to maintain
an effective cybersecurity program that

00:02:42.670 --> 00:02:46.860
aligns with the products, services,
and risk profile of your institution.

00:02:47.534 --> 00:02:51.334
The following are four key areas your
board of directors should focus on:

00:02:52.080 --> 00:02:53.750
Provide for Recurring Training

00:02:54.407 --> 00:02:58.327
Your board should engage in ongoing
education about current cybersecurity

00:02:58.327 --> 00:03:00.617
threats, trends, and best practices.

00:03:01.137 --> 00:03:05.797
The N C U A provides various resources
to assist, including training webinars,

00:03:06.047 --> 00:03:09.577
web-based learning resources,
and written guidance.

00:03:10.067 --> 00:03:14.067
Your credit union board needs to stay
aware of the specific cyber risks that

00:03:14.067 --> 00:03:18.197
pertain to your credit union's operations
and the implications of these risks.

00:03:18.667 --> 00:03:22.377
Board members don't need to be technical
experts, but they must know enough

00:03:22.377 --> 00:03:26.767
about cybersecurity to provide effective
oversight and direction for the executive

00:03:26.767 --> 00:03:28.807
team and subject matter experts.

00:03:29.497 --> 00:03:33.227
Furthermore, your board should ensure
the credit union's employees receive

00:03:33.227 --> 00:03:36.927
regular cybersecurity education
to maintain high awareness and

00:03:36.927 --> 00:03:38.927
preparedness across the organization.

00:03:39.427 --> 00:03:42.877
This education should emphasize
the importance of a security-minded

00:03:42.877 --> 00:03:46.737
culture and adherence to important
information security practices to

00:03:46.737 --> 00:03:48.877
mitigate the risk of cyber incidents.

00:03:49.561 --> 00:03:51.791
Approve Information Security Program

00:03:52.432 --> 00:03:56.302
Your board must approve a comprehensive
information security program that

00:03:56.302 --> 00:04:01.372
meets the requirements of part 748 of
the N C U A's regulations, which

00:04:01.372 --> 00:04:05.772
includes risk assessments, security
controls, and incident response plans.

00:04:06.262 --> 00:04:09.812
Your credit union board should review
the program at least annually to

00:04:09.812 --> 00:04:13.532
ensure it adapts to the evolving
threat landscape and incorporates

00:04:13.532 --> 00:04:15.532
lessons learned from past incidents.

00:04:16.217 --> 00:04:18.007
Oversee Operational Management

00:04:18.775 --> 00:04:23.395
Your board is responsible for overseeing
management of the credit union, focusing

00:04:23.395 --> 00:04:25.495
on the following cybersecurity areas:

00:04:26.278 --> 00:04:27.628
â¢	Third-Party Due Diligence.

00:04:28.238 --> 00:04:31.328
Your board should set clear
expectations for management about the

00:04:31.328 --> 00:04:35.348
due diligence of third-party vendors
with respect to information security.

00:04:36.038 --> 00:04:40.038
The credit union must ensure that
contracts with third-party vendors include

00:04:40.038 --> 00:04:44.308
specific cybersecurity requirements,
like timely notification to the credit

00:04:44.308 --> 00:04:49.188
union of any incidents, and clauses that
protect credit union and member data.

00:04:49.891 --> 00:04:52.951
â¢	Embed Cybersecurity and
Operational Resilience into

00:04:52.951 --> 00:04:54.401
the Organizational Culture.

00:04:54.971 --> 00:04:58.781
Your board and management should ensure
that cybersecurity is a core value

00:04:58.781 --> 00:05:02.591
within the credit union, influencing
decision-making at all levels.

00:05:03.277 --> 00:05:04.107
â¢	Resources.

00:05:04.547 --> 00:05:08.827
Your board must provide management
access to cybersecurity expertise and an

00:05:08.877 --> 00:05:13.107
adequate budget to implement and maintain
a cybersecurity posture commensurate

00:05:13.107 --> 00:05:15.097
with the credit union's risk profile.

00:05:15.677 --> 00:05:19.037
Your board should also encourage
needed investment in cybersecurity

00:05:19.037 --> 00:05:22.577
technologies and tools to enhance
the credit union's defenses.

00:05:23.338 --> 00:05:26.168
â¢	Vulnerability/Patch Management
and Threat Intelligence.

00:05:26.708 --> 00:05:30.708
Your board must ensure that operational
management places high emphasis on

00:05:30.708 --> 00:05:34.838
diligent vulnerability management,
including timely software updates,

00:05:34.948 --> 00:05:39.228
patch management, and whitelisting
and blacklisting U R Ls, websites,

00:05:39.348 --> 00:05:41.048
and software to mitigate risks.

00:05:41.628 --> 00:05:44.938
The credit union should use threat
intelligence to stay informed about

00:05:44.938 --> 00:05:48.648
emerging threats and vulnerabilities
that could impact the credit union.

00:05:49.138 --> 00:05:53.038
Government resources such as the
Cybersecurity and Infrastructure Security

00:05:53.038 --> 00:05:57.078
Agency's cyber hygiene service for
vulnerability management and the U.S.

00:05:57.078 --> 00:06:01.788
Treasury's automated threat information
feed are free to credit unions.1

00:06:02.586 --> 00:06:03.536
â¢	Audit Function.

00:06:04.026 --> 00:06:08.336
Consistent with the size and risk profile
of the credit union, your board should

00:06:08.336 --> 00:06:12.296
ensure management engages external
parties with the requisite expertise

00:06:12.296 --> 00:06:16.326
to conduct audits of the cybersecurity
program, to receive an objective

00:06:16.326 --> 00:06:18.376
assessment of program effectiveness.

00:06:19.074 --> 00:06:19.744
â¢	Reporting.

00:06:20.264 --> 00:06:24.044
Your board should establish a framework
for periodic reporting by management

00:06:24.044 --> 00:06:27.834
to the board on cybersecurity audits,
incidents, and the effectiveness

00:06:27.834 --> 00:06:29.474
of the cybersecurity program.

00:06:30.144 --> 00:06:33.244
This reporting should include
cybersecurity risk assessments,

00:06:33.454 --> 00:06:36.724
including the identification of
threats, vulnerabilities, and

00:06:36.724 --> 00:06:38.344
the effectiveness of controls.

00:06:38.944 --> 00:06:42.244
These reports should describe the
overall status of the program.

00:06:42.554 --> 00:06:46.954
Reports should also outline material
matters related to the program, including

00:06:46.954 --> 00:06:50.714
risk assessments, risk-management
and control decisions, service

00:06:50.714 --> 00:06:54.724
provider arrangements, results of
testing, and any recommendations for

00:06:54.724 --> 00:06:56.884
changes in the cybersecurity program.

00:06:57.612 --> 00:06:59.422
â¢	Protecting and Managing Backups.

00:07:00.072 --> 00:07:03.932
In the face of increasing ransomware
threats, credit unions must implement

00:07:03.932 --> 00:07:07.862
robust backup strategies to safeguard
credit union and member data.

00:07:08.452 --> 00:07:12.542
Your board should ensure management
regularly backs up all critical data and

00:07:12.542 --> 00:07:14.562
that these backups are securely stored.

00:07:15.232 --> 00:07:18.872
Implementation of access controls
will also prevent unauthorized

00:07:18.872 --> 00:07:20.402
access to backup data.

00:07:21.143 --> 00:07:25.383
In addition, the credit union needs
clear, documented procedures for restoring

00:07:25.383 --> 00:07:29.643
data from backups in the event of a
ransomware attack or data loss incident.

00:07:30.173 --> 00:07:34.293
This process should include identifying
which data is critical for operations

00:07:34.293 --> 00:07:36.163
and prioritizing its restoration.

00:07:36.703 --> 00:07:40.053
Backup systems should be tested
regularly to ensure that data can

00:07:40.053 --> 00:07:42.043
be restored quickly and effectively.

00:07:42.383 --> 00:07:45.973
Conducting routine drills will help
identify any gaps in the backup

00:07:45.973 --> 00:07:50.153
process and ensure that staff are
familiar with restoration procedures.

00:07:50.846 --> 00:07:52.176
â¢	Membership Education.

00:07:52.706 --> 00:07:56.186
Your board should work with management
to provide periodic information

00:07:56.186 --> 00:08:00.446
security education for members to
promote sound cybersecurity practices,

00:08:00.746 --> 00:08:04.416
such as the use of multi-factor
authentication and the importance of

00:08:04.416 --> 00:08:06.796
strong, frequently changed passwords.

00:08:07.491 --> 00:08:09.831
Incident Response Planning and Resilience

00:08:10.510 --> 00:08:14.140
Your board must, moreover, ensure
that resilience plans allow the

00:08:14.140 --> 00:08:17.900
credit union to operate effectively
during and after a cyber-attack.

00:08:18.720 --> 00:08:22.750
This planning may involve identifying
alternative processes or systems that

00:08:22.750 --> 00:08:24.530
can be utilized during an outage.

00:08:24.840 --> 00:08:29.510
Consistent with statutory requirements,
the N C U A's regulations require

00:08:29.510 --> 00:08:33.480
that a federally insured credit union
that experiences a reportable cyber

00:08:33.480 --> 00:08:37.480
incident must report the incident
to the N C U A as soon as possible

00:08:37.600 --> 00:08:41.750
and no later than 72 hours after the
credit union reasonably believes that

00:08:41.750 --> 00:08:43.570
it has experienced such an incident.

00:08:44.130 --> 00:08:48.150
This statutory requirement underscores
the importance of having a well-defined

00:08:48.150 --> 00:08:51.850
incident response plan that enables
prompt reporting and effective

00:08:51.850 --> 00:08:54.030
communication with regulatory bodies.2

00:08:55.532 --> 00:08:58.152
Effective resilience planning
includes the following:

00:08:58.890 --> 00:09:00.950
â¢	Internal and External Communication.

00:09:01.540 --> 00:09:05.200
Establish a communication strategy
for informing your board immediately

00:09:05.200 --> 00:09:09.820
following a security incident, ensuring
transparency and timely decision-making.

00:09:10.340 --> 00:09:14.200
The communication strategy should
also inform both internal stakeholders

00:09:14.200 --> 00:09:17.830
and external parties, including
your members and regulators, in

00:09:17.830 --> 00:09:19.410
the event of a cyber incident.

00:09:19.980 --> 00:09:23.980
Clear communication can help manage
expectations and maintain trust.

00:09:24.752 --> 00:09:26.262
â¢	Insurance Considerations.

00:09:26.772 --> 00:09:30.342
Evaluate cybersecurity insurance
policies to ensure adequate

00:09:30.342 --> 00:09:32.132
coverage for potential incidents.

00:09:32.942 --> 00:09:35.902
This assessment includes
understanding the scope of coverage

00:09:36.002 --> 00:09:37.952
and any exclusions that may apply.

00:09:38.699 --> 00:09:40.009
â¢	Incident Response Team.

00:09:40.549 --> 00:09:44.269
Identify and designate an incident
response team that includes key

00:09:44.269 --> 00:09:46.149
personnel from various departments.

00:09:46.869 --> 00:09:49.569
This team should be prepared
to take immediate action in

00:09:49.569 --> 00:09:51.199
the event of a cyber incident.

00:09:51.953 --> 00:09:53.383
â¢	Tabletop Exercises.

00:09:53.813 --> 00:09:58.373
Conduct regular tabletop exercises
to simulate cyber incident scenarios.

00:09:58.943 --> 00:10:02.193
These exercises will help your
credit union board and management

00:10:02.193 --> 00:10:06.773
practice response plans, identify
areas for improvement, and ensure

00:10:06.773 --> 00:10:09.953
that all team members understand
their roles during an incident.

00:10:10.670 --> 00:10:11.390
Conclusion

00:10:12.055 --> 00:10:16.275
By focusing on the key areas outlined
above, your credit unionâs board of

00:10:16.275 --> 00:10:20.855
directors can significantly improve the
credit union's cybersecurity posture and

00:10:20.855 --> 00:10:22.635
protect the interests of its members.

00:10:23.045 --> 00:10:25.585
Cybersecurity is not just an "IT" issue.

00:10:26.075 --> 00:10:30.045
It must be a critical component of
any credit union's overall governance

00:10:30.045 --> 00:10:31.665
and risk-management strategy.

00:10:32.105 --> 00:10:36.195
A cyber incident can have far-reaching
consequences, not only affecting your

00:10:36.195 --> 00:10:40.205
institution's financial stability
but also potentially impacting the

00:10:40.205 --> 00:10:44.545
entire financial services system while
eroding member trust and damaging

00:10:44.545 --> 00:10:46.295
your credit union's reputation.

00:10:47.009 --> 00:10:51.289
By taking the proactive steps outlined
above and prioritizing cybersecurity

00:10:51.289 --> 00:10:55.649
as a fundamental aspect of governance,
your credit union's board of directors

00:10:55.649 --> 00:11:00.049
can effectively safeguard the credit
union and its members' assets, maintain

00:11:00.049 --> 00:11:03.859
member trust, and ensure compliance
with regulatory requirements.

00:11:04.509 --> 00:11:08.889
To that end, we encourage you to consult
the many available cybersecurity resources

00:11:08.889 --> 00:11:13.449
available on the N C U A's public
website not just during cybersecurity

00:11:13.449 --> 00:11:15.879
month in October but also year round.

00:11:16.566 --> 00:11:17.326
Sincerely,

00:11:18.067 --> 00:11:18.807
Todd Harper

00:11:19.520 --> 00:11:20.040
Chairman

00:11:20.675 --> 00:11:25.155
This concludes Letter to credit
unions 24 dash C U 2 Board of Director

00:11:25.155 --> 00:11:27.345
Engagement in Cybersecurity Oversight

00:11:28.161 --> 00:11:32.421
If your credit union could use assistance
with your exam, reach out to Mark Treichel

00:11:32.421 --> 00:11:35.061
on LinkedIn, or at Mark Treichel dot com.

00:11:35.631 --> 00:11:38.301
This is Samantha Shares and
we Thank you for listening.