Credit Union Regulatory Guidance Including: NCUA, CFPB, FDIC, OCC, FFIEC

www.marktreichel.com

https://www.linkedin.com/in/mark-treichel/



NCUA issued its Annual Cybersecurity and Credit Union System Resilience Report today.  It is long but worth listening to in this "real time" release of an audiobook version of the Report.




Are you worried about an NCUA exam in process or looming on the horizon? Don't face it alone!

We're ex-NCUA insiders with decades of experience, ready to guide you to success. Our team understands the intricacies of NCUA examinations from the inside out.

Hire us and gain:

• Peace of mind during your exam process

• Insider knowledge of NCUA procedures and expectations

• Strategies to address potential issues before they become problems

• Continuous access to our extensive subject matter expertise

With our access retainer, you'll have on-demand support from former NCUA experts. We're here to ensure your credit union achieves flying colors in its next examination.

Contact Credit Union Exam Solutions today to learn more about our services and how we can help your credit union succeed.

What is Credit Union Regulatory Guidance Including: NCUA, CFPB, FDIC, OCC, FFIEC?

This podcast provides you the ability to listen to new regulatory guidance issued by the National Credit Union Administration, and occasionally the F D I C, the O C C, the F F I E C, or the C F P B. We will focus on new and material agency guidance, and historically important and still active guidance from past years that NCUA cites in examinations or conversations. This podcast is educational only and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated. We also have another podcast called With Flying Colors where we provide tips for achieving success with the N C U A examination process and discuss hot topics that impact your credit union.

Samantha: Hello, this is Samantha Shares.

This episode covers N C U A’s
Releases Annual Cybersecurity

and Credit Union System Resilience Report

The following is an audio version
of that advisory and the report.

This podcast is educational
and is not legal advice.

We are sponsored by Credit Union
Exam Solutions Incorporated, whose

team has over two hundred and
Forty years of National Credit

Union Administration experience.

We assist our clients with N C
U A so they save time and money.

If you are worried about a recent,
upcoming or in process N C U A

examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

Also check out our other podcast called
With Flying Colors where we provide tips

on how to achieve success with N C U A.

And now the report

MESSAGE FROM THE CHAIRMAN

On behalf of the National Credit
Union Administration (N.C.U.A.), I

am submitting our annual, statutorily
required Cybersecurity and Credit

Union System Resilience Report.

This report summarizes the current
cybersecurity threat landscape,

highlights the agency’s key cybersecurity
initiatives, and outlines the

agency’s ongoing efforts to enhance
cybersecurity preparedness and resilience

within the credit union industry.

Throughout 2023, our nation—including its
financial sector—has faced unprecedented

challenges stemming from cyberattacks
and other malicious activities

targeting critical infrastructure.

The credit union system, which serves more
than 139 million Americans and plays a

vital role in communities across the
country, is not immune to these threats.

In fact, in the face of an ever-evolving
cybersecurity threat landscape, the

need for ongoing vigilance in the credit
union sector cannot be overstated.

The N.C.U.A.

is committed to ensuring consistency,
transparency, and accountability

in its cybersecurity examination
program and related activities.

Further, over the last
several years the N.C.U.A.

has made major strides in promoting
a culture of cybersecurity awareness

and resilience among credit unions.

Through targeted supervision completed
using the N.C.U.A.’s recently implemented

Information Security Examination program,
the development of risk- assessment tools

like the agency’s Automated Cybersecurity
Evaluation Toolbox, the adoption of a

cyber incident notification regulation in
2023, ongoing educational outreach, and

grants to eligible credit unions, we have
worked diligently to improve cybersecurity

practices and mitigate risks.

Looking ahead, the N.C.U.A.

remains committed to working closely
with Congress, other regulatory

agencies, industry stakeholders,
and other partners to strengthen

cybersecurity defenses and ensure the
resilience of the credit union system.

To that end, I respectfully ask for
this Committee’s support in restoring

the N.C.U.A.’s vendor authority
over third-party service providers.

This regulatory blind spot has already
had a negative impact on the industry.

For example, last years’ third-party
core service provider ransomware

disruption affecting 60 small credit
unions illuminated the N.C.U.A.’s

challenges as it tried to mitigate
issues on behalf of impacted credit

unions and their member-owners.

Moreover, independent entities such as
the Government Accountability Office, the

Financial Stability Oversight Council,
the N.C.U.A.’s Office of Inspector

General, and a growing number of credit
unions have identified this deficiency

as a significant obstacle to the
N.C.U.A.’s mission to safeguard credit

union members and the financial system.

All of them have recommended that
Congress provide the N.C.U.A.

with this authority.

Cybersecurity and Credit Union
System Resilience Report June 2024

…

Besides giving credit union members
the same protection as bank customers,

this sensible statutory change would
significantly improve supervisory

oversight and bolster our ability to
mitigate cybersecurity risks, ultimately

enhancing the credit union system’s
overall security posture and the

protection of critical infrastructure
in the United States more broadly.

As we seek to strengthen our cybersecurity
resiliency, I want to express my

gratitude for your continued support
and engagement on this critical issue.

Together, we can confront the challenges
posed by cybersecurity threats and uphold

the safety and soundness of the credit
union system for generations to come.

Sincerely,

Todd M.

Harper Chairman

National Credit Union Administration

INTRODUCTION

This report details the measures
taken to strengthen cybersecurity

within credit unions and the
N.C.U.A., per the Consolidated

Appropriations Act, 2021.1 This report:

• outlines the N.C.U.A.’s policies and
procedures to address cybersecurity

risks and activities to ensure
their effective implementation;

• discusses cybersecurity resilience
within the credit union system, including

the N.C.U.A.’s key initiatives to
enhance cybersecurity preparedness

among credit unions, such as targeted
examinations, risk assessments, and

educational and outreach efforts;

• describes current and
emerging threats; and

• highlights the N.C.U.A.’s collaboration
with other federal agencies, industry

stakeholders, and cybersecurity
experts to address emerging

threats and promote a culture of
cybersecurity awareness and resilience

within the credit union industry.

As the digital and geopolitical
landscapes continues to evolve,

the threat of cyberattacks against
critical infrastructure, of which

financial institutions are a vital
part, looms larger than ever before.

In response to this growing
challenge, the N.C.U.A.

has undertaken a comprehensive
examination of cybersecurity

resilience within the credit union
system through its Information

Security Examination (ISE) program.

As a member of the Federal Financial
Institutions Examination Council

(FFIEC) and the Financial and
Banking Information Infrastructure

Committee (FBIIC), the N.C.U.A.

collaborates with other regulatory
agencies to develop and implement

cybersecurity policies and standards
across the financial industry.

In addition, the N.C.U.A.

Chairman serves as a voting
member of the Financial Stability

Oversight Council (FSOC).

The FSOC identifies and responds
to threats to the stability

of the financial system.

The chairman’s position on this body
underscores the N.C.U.A.’s integral

role in safeguarding the overall
financial stability of the nation.

The credit union system relies
extensively on third-party vendors to

operate and deliver key member services.

The N.C.U.A.

lacks statutory authority over
third-party vendors, which hinders

the agency’s ability to examine
and address cybersecurity risks

in the credit union system.

As a result, the credit union system—of
which more than a third of the American

public uses for basic financial
services—remains particularly vulnerable

to cybersecurity threats to third-party
vendors that provide essential services.

Because of this regulatory
blind spot, the N.C.U.A.

cannot manage or measure threats within
its regulated entities, nor can it

warn other government regulators or the
Cybersecurity and Infrastructure Security

Agency (CISA) of threats the N.C.U.A.

may identify that may be first
used in the credit union system.

By examining the current state of
cybersecurity within the credit union

system and identifying areas for
improvement, this report aims to provide

valuable insights and recommendations for

1 Pub.

L.

No.

116–260, 134 Stat.

2173 (Dec.

27, 2020)

enhancing the security and stability
of credit unions nationwide.

It underscores the N.C.U.A.’s
ongoing commitment to protecting the

financial well-being of credit union
members and upholding the integrity

of the broader financial system in
the face of cybersecurity threats.

POLICIES & PROCEDURES

Information Security and
Cybersecurity Regulations

Per the Gramm-Leach-Bliley
Act, the N.C.U.A.

Board established standards for
federally insured credit unions

relating to administrative, technical,
and physical safeguards for credit

union member records and information.

These standards are incorporate into
the N.C.U.A.’s regulations at 12

Code of Federal Regulations (C.F.R.)
part 748, Appendix A, Guidelines

for Safeguarding Member Information.

In February 2023, the N.C.U.A.

Board approved a final rule that
requires federally insured credit

unions to notify the N.C.U.A.

as soon as possible, within
72 hours, after a credit union

reasonably believes that a reportable
cyber incident has occurred.

Under this rule, federally insured credit
unions must report a cyber incident

that (1) results in a substantial
loss of confidentiality, integrity,

or availability of a network or member
information system(s) because of

unauthorized access to or exposure
of sensitive data, (2) disrupts vital

member services, or (3) causes a serious
impact on the safety and resiliency

of operational systems and processes.

This rule became effective
September 1, 2023.

From September 1, 2023, through
May 1, 2024, credit unions

reported 892 cyber incidents.

Approximately 73 percent of all
reported incidents were related to the

use or involvement of a third party.

Information Security Examination Program

The N.C.U.A.

regularly examines all federally
insured credit unions.2 At

each examination, the N.C.U.A.

performs an information security
review using the ISE program.

The ISE program uses a risk-focused,
scalable approach to examine credit

unions’ information security programs,
which provides examiners the flexibility

to focus on areas of current or
potential material risk relevant to each

credit union’s unique business model.

• ISE Program.

The objectives of the ISE program include:

o Evaluating management’s ability
to recognize, assess, monitor,

and manage information technology
(IT) and systems-related risks;

o Assessing whether the credit union
has sufficient expertise to adequately

plan, direct, and manage information
systems and technology operations;

o Evaluating the adequacy of
internal information systems and

technology controls and oversight
to safeguard member information; and

2 The N.C.U.A.’s examination frequency
for federal credit unions is based on risk

but generally may not extend more than
20 months from the previous examination.

Federally insured, state-chartered
credit unions are primarily examined

by the applicable state regulator,
with participation from the N.C.U.A.

based on risk, but no
less than every 5 years.

o Determining whether the board of
directors is providing adequate governance

over information systems and security.

The N.C.U.A.

began using its ISE
procedures in early 2023.

The ISE procedures were designed to be
scalable to enable examiners to tailor

the examination based on asset size and
complexity, standardize the examination

of a credit union’s information security
and cybersecurity program, and enhance

the identification of control deficiencies
and trends at the industry level.

The ISE procedures also provide
examiners and credit unions with a

well-structured examination workflow.

The ISE procedures are focused on N.C.U.A.

regulations 12 C.F.R.

parts 748 and 749 and align closely with
the Automated Cybersecurity Evaluation

Toolbox (ACET) maturity assessment
application provided by the N.C.U.A.

that credit unions can
voluntarily use to conduct a

cybersecurity maturity assessment.

The ISE also references
guidance from the N.C.U.A.

and the FFIEC, as well as other
industry-accepted best practices

and security frameworks from the
National Institute of Standards

& Technology (NIST), the Center
for Internet Security, and CISA.

• Credit Union Service
Organization (CUSO) Reviews.

A CUSO is an entity in which at least
one federally insured credit union(s) has

an ownership interest in or has extended
a loan to and the entity primarily

provides products or services to credit
unions or members of credit unions.

The N.C.U.A.

periodically performs reviews of CUSOs.

While the N.C.U.A.

has access to the “books and
records” of a CUSO, the N.C.U.A.

lacks direct authority over CUSOs.

CUSOs, therefore, may reject any of
the N.C.U.A.’s recommendations that

result from a review, including those
recommendations related to cybersecurity.

As noted in the Chairman’s statement
at the start of this report and

explained more fully below, the
restoration by Congress of the

N.C.U.A.’s vendor authority powers
to examine and supervise third-party

vendors, including those CUSOs subject
to cybersecurity risks, would close

this regulatory blind spot and better
protect our financial system and economy.

ACET Maturity Assessment

The ACET maturity assessment
is a voluntary tool provided

and maintained by the N.C.U.A.

that allows credit unions to
determine the maturity of their

information security programs.

The ACET incorporates appropriate
cybersecurity standards and practices

established for financial institutions.

It also maps each declarative statement
to best practices found in the FFIEC

IT Examination Handbook, regulatory
guidance, and leading industry standards

like the NIST Cybersecurity Framework.

The FFIEC IT Handbook Infobase
offers various resources, from

IT booklets and work programs to
information on IT security-related

laws, regulations, and guidance.

Financial institutions can use
these booklets to align their

information security and cybersecurity
practices with the FFIEC guidelines.

Information Technology
& Cybersecurity Supervisory Guidance

Since June 2023, the N.C.U.A.

has issued the following cybersecurity
alerts and notices to help protect

federally insured credit unions
from cybersecurity exposures:

• ATM and Interactive Teller Machine
(ITM) Skimming and Shimming Activities.

Skimming and shimming fraud
involves capturing card information

using unauthorized devices.

Since September 2023, 44 incidents
were reported to the N.C.U.A.,

peaking in February 2024.

N.C.U.A.

provided cybersecurity guidance
and alert notifications reminding

credit unions to conduct inspections,
install anti-skimming devices, enhance

surveillance, educate members, monitor
transactions, and update software.

• Current Geopolitical Events
Increase Likelihood of Cyberattacks

on Financial Institutions.

Due to evolving geopolitical events,
the likelihood of cyberattacks on U.S.

financial institutions has increased.

The N.C.U.A., CISA, and the Federal
Bureau of Investigation (FBI) encouraged

credit unions to adopt heightened
awareness, reassess business continuity

plans, and review CISA’s recommendations
to reduce the risk of compromise.

Anecdotal warnings from some credit unions
indicate that information technology and

cybersecurity service providers sometimes
have services originating in a foreign

country; a significant risk the N.C.U.A.

cannot manage or measure
because the agency does not have

third-party vendor authority.

• Business Email Compromise.

Business email compromise attacks
targeting credit unions, involving

compromised or spoofed email accounts
to initiate fraudulent transactions.

The N.C.U.A.

provided credit unions with cybersecurity
guidance and alert notifications to enable

multi-factor authentication (MFA), educate
employees, use anti- malware, and email

filtering software, verify financial
transactions, and backup data regularly.

• Compromise at an ATM Provider.

A third party experienced a cybersecurity
attack potentially compromising systems.

Credit unions relying on this vendor
were advised to assess the impact,

activate incident response teams, enhance
monitoring, communicate with members,

and comply with regulatory obligations.

The N.C.U.A.

subsequently learned the third party
experienced a ransomware attack affecting

internal systems and some ITMs and ATMs.

The incident was contained, and
the vendor worked with the FBI.

The N.C.U.A.

sent an updated notice to credit
unions advising them to maintain

communication with the vendor,
consult cybersecurity experts, and

visit CISA’s ransomware resources.

This incident is an example of
an unnecessary burden potentially

placed on credit unions during a
crisis when vendors deny N.C.U.A.

requested information on
a cybersecurity event.

If the N.C.U.A.

had third-party vendor authority, the
agency can compel information directly

from the service provider, relieving
impacted credit unions of this burden,

and potentially sharing valuable tactics,
techniques, and procedures information

with other federal and state regulatory
agencies to ensure a whole of government

approach to protecting critical
infrastructure in the United States.

• File Transfer solution Zero-Day
Exploitation by Threat Actors.

A zero-day vulnerability in a managed file
transfer solution was actively exploited.

The vendor released an emergency patch
and credit unions using their software

were advised to apply the patch, implement
access controls, and avoid exposing the

administrator console to the internet.

When zero-day exploitations occur
in third-party service provider

operated systems, the N.C.U.A.

cannot ascertain the risk to the system
because of the lack of vendor authority.

The N.C.U.A.

also cannot warn other federal
or state regulators about

the threat that may also be used within
other critical infrastructure regulated

entities because the agency does not
have third-party vendor authority.

• Recent Uptick in Cyberattacks
Against Credit Unions and

Third-Party Service Providers.

Cyberattacks against credit unions and
service providers increased, including

incidents with a web application.

Credit unions were advised to patch
vulnerabilities, implement MFA, train

employees, deploy email security
measures, develop incident response

plans, assess vendor risks, segment
networks, maintain data backups,

and monitor security updates.

• MFA Vulnerabilities and
Mitigations for Credit Unions.

Credit unions were reminded that MFA
methods could be bypassed through

phishing, social engineering, Subscriber
Identity Module Subscriber Identity

Module swapping, man-in-the-middle,
and brute- force attacks.

Credit unions were advised to educate
users, use strong MFA methods,

implement risk-based authentication,
monitor suspicious activities, update

software, and segment networks.

Anecdotal warnings from some credit
unions indicate that some third-party

service providers do not utilize
basic cybersecurity practices such as

MFA; a significant risk the N.C.U.A.

cannot manage or measure
because the agency does not have

third-party vendor authority.

• Phishing Attacks Targeting Credit Unions.

Credit unions were targeted by
phishing schemes spoofing N.C.U.A.

addresses, asking recipients to complete
a web form to avoid email suspension.

Recipients were advised not to click
on links and delete such emails.

Preventative measures included
being cautious of unsolicited

contacts, not revealing personal
information via email, verifying

requests directly, and maintaining
anti-virus software and email filters.

When phishing attacks occur at
third-party service providers, unless

the affected provider volunteers
information to the N.C.U.A., the agency

cannot manage or measure the risk to
the system because the agency does

not have third-party vendor authority.

Agency Cybersecurity Program

The N.C.U.A.

Board has established a low-risk
appetite for technology and information

management for operational IT and IT
systems.3 Additionally, the N.C.U.A.

must comply with mandatory security
standards for federal information

and information systems and must meet
these minimum information security

requirements by using security and
privacy controls recommended by NIST

and Federal Information Security
Modernization Act (FISMA).4,5

The N.C.U.A.

implements applicable statutes,
regulations, and standards using

the NIST Risk Management Framework
and adherence to NIST Special

Publication 800-53  Security and

3 N.C.U.A.

Risk Appetite Statement
(October 20, 2022).

The risk appetite for technology and
information management for operational

IT and IT systems is “averse.”

4 FIPS Publication 199, Standards
for Security Categorization of

Federal Information, and Information
Systems; FIPS Publication 200, Minimum

Security Requirements for Federal
Information, and Information Systems.

5 NIST Special Publication 800-53,
Security and Privacy Controls for Federal

Information Systems and Organizations.

Privacy Controls for Information
Systems and Organizations.6 The N.C.U.A.

complies with binding operational
directives, emergency directives, and

cybersecurity coordination, assessment,
and response directives issued by CISA.

The N.C.U.A.

documents, categorizes, and authorizes
all information systems in the agency,

including internally hosted federal
systems, contractor-hosted systems, and

services provided by other third parties.

The N.C.U.A.

is adopting a zero-trust security
model based on the principle of

maintaining strict access controls.

As part of system
authorization, the N.C.U.A.

considers:

• information types, assets, and systems;

• the roles and privileges of those
who manage and operate them; and

• the interconnection of systems and data.

Based on information and system
sensitivity, the N.C.U.A.

selects and implements the security
controls necessary to protect the

confidentiality, integrity, and
availability of the organizational

systems and critical infrastructure.

The security control implementation
statements are documented,

reviewed, and tested to ensure
they produce the desired outcome.

Once authorized, systems are continuously
monitored using automated and manual

processes with regular testing of controls
to validate their continued efficacy.

System authorization data is stored
in the N.C.U.A.’s governance, risk,

and compliance repository, which
aggregates and analyzes enterprise

information security risk information.

This provides seamless reporting to
N.C.U.A.’s senior management and CISA.

In addition to technology, the N.C.U.A.

strengthens information security by
designing and disseminating fully

developed agency-wide and program-specific
policies and procedures to establish

appropriate practices for collecting,
securing (data is encrypted in transit and

at rest), retaining, and destroying data.

These policies and procedures are based
on applicable requirements in information

security laws, or are otherwise mandated
by NIST, the Office of Management

and Budget, CISA, or the National
Archives and Records Administration.

ACTIVITIES TO ENSURE EFFECTIVE
INFORMATION TECHNOLOGY SECURITY

Appointing Qualified Staff

The N.C.U.A.

has hired staff focused on
cybersecurity and privacy.

IT security staff include cybersecurity
operations and incident responders,

cloud security architects,
application security architects,

and network security engineers.

In addition, the agency uses contract
staff with specialized skills to

support its work in the areas of:

6 In addition to NIST standards
and guidelines, the N.C.U.A.

is subject to federal statutes such as the
Federal Information Security Modernization

Act of 2014, the E-Government Act of
2002, the Privacy Act of 1974, and

various Office of Management and Budget
policies and guidance concerning federal

information management and privacy.

• Computer forensics;

• Defensive cyber operations;

• Malware analysis and mitigation;

• Security information and event management;

• Configuration management;

• Threat hunting; and

• Incident handling and response.

The N.C.U.A.’s Enterprise Risk Management
Council, a Cybersecurity Council, and

IT Oversight Council are comprised of
senior executives within the agency with

diverse backgrounds, including information
technology and security, and are tasked

with monitoring, measuring, managing,
and prioritizing risks and related

investments, including IT security.

These internal agency councils meet
as often as monthly and are briefed

regularly on cybersecurity matters
that relate to credit unions,

financial services, or the agency.

The N.C.U.A.

also has staff with the requisite
national security clearances to

support the dissemination of classified
information to appropriately cleared

staff members on a need-to- know basis,
as well as other federal agencies to

share relevant information that may be
used to warn or proactively mitigate

threats in their regulated entities.

The Chief Information Officer, the
Senior Agency Information Security/Risk

Officer, and the Senior Agency
Official for Privacy collaborate to

ensure compliance with regulations
and drive security performance.

An executive- level Cybersecurity Advisor
and Coordinator position was established

in 2021 to organize, coordinate, and
advise on cybersecurity and critical

infrastructure matters across all N.C.U.A.

offices.

The Cybersecurity Advisor and Coordinator
provides advice directly to the N.C.U.A.

Board and senior leadership
on cybersecurity matters.

N.C.U.A.

Staff Training

• All Staff.

All agency staff receive
general and role-based training

on information security and
cybersecurity at least annually.

This training addresses staff’s legal,
reputational, and ethical obligations

to protect sensitive information.

The N.C.U.A.

provides mandatory privacy and security
awareness training to all N.C.U.A.

system users.

The training addresses appropriate
information security practices, rules

of behavior for access and use of
data systems, responsibilities for

protecting personally identifiable
information, and ethics rules prohibiting

unauthorized information disclosures.

Staff are trained on policies regarding:

o Collecting information necessary
to perform their planned review;

o Collecting information in a secure
manner using a hierarchy of secure

methods that best suit the situation;

o Transferring and storing any sensitive
information only where there is an

identified, authorized need to retain
such information, and in a manner

consistent with agency instructions
for handling sensitive information; and

o Destroying or returning all
other non-public sensitive

or personally identifiable
information after the examination

or review, per applicable laws.

• Staff with Elevated Access.

Staff who have elevated access
to systems or have management

responsibility for systems and data
take mandatory role-based training.

For N.C.U.A.

staff serving in cybersecurity roles,
individual development plans are

developed collaboratively with managers
to build domain-specific skills.

• Field Staff.

The N.C.U.A.’s training for
examiners and others that examine

or supervise credit unions includes
special training on the ISE program.

The training program provides
instruction on topics including N.C.U.A.

regulations parts 748 and 749, agency
guidance, and industry best practices

related to measuring, monitoring,
reporting, and controlling IT risks.

Examiner training is designed to maintain
and update knowledge of standards,

tools, and practices to identify, detect,
prevent, and mitigate IT and cybersecurity

risks, threats, and vulnerabilities.

This training includes classroom,
online, and on-the-job training.

The training is designed to specifically
address competencies in the areas of IT,

information security, and cybersecurity.

The courses are designed to introduce
ISE procedures and expand examiners’

understanding of cybersecurity concepts
found in the FFIEC IT Booklets, NIST

guidance, and industry best practices.

• Specialists.

The N.C.U.A.

has a cadre of examiners
specially trained in IT security.

These regional specialist and subject
matter examiners have the technical

knowledge and skills necessary to perform
in-depth information security examinations

for the more complex institutions.

The N.C.U.A.

has recently added the role of Director
of Specialist Resources (DSR) in

each of the N.C.U.A.’s three regions.

The DSRs are tasked with overseeing
the Regional Information Systems

Officers and other specialists.

These new supervisory positions facilitate
better communication and coordination

among N.C.U.A.’s cybersecurity teams
and contribute to the formulation of

policies and operational strategies
that significantly impact the safety and

soundness of the credit union system.

The addition of the DSR role reflects
the agency’s proactive approach to

cybersecurity management and aligns
with its broader goals of protecting the

interests of credit union members while
promoting systemic financial stability.

The N.C.U.A.

also has specialized personnel in the
Office of Examination and Insurance

to develop and maintain examination
policies and tools, supervisory

guidance, and examiner training.

Credit Union Training and Support

The N.C.U.A.’s Office of Credit
Union Resources and Expansion

provides training for credit unions.

The N.C.U.A.

maintains an online system available
to credit unions at no cost with

over 200 courses available on various
topics, including information security.

This office also hosts webinars that
deliver timely and meaningful information

to help credit union professionals
stay current on relevant topics

affecting the credit union community.

These webinars provide credit
union management with important

information on how to protect
their credit unions and members.

The N.C.U.A.

provides credit unions additional
resources through its website and

by offering technical assistance
grants and low-interest loans to

low-income designated credit unions.

• ACET.

As noted previously, the N.C.U.A.

provides credit unions with free
access to the ACET maturity assessment.

This tool helps a credit union
determine its risk exposure by

identifying the type, volume, and
complexity of the institution’s

operations, and enables the credit
union to assess the adequacy

of corresponding controls.

ACET is based on the U.S.

Department of Homeland Security
(DHS) Cyber Security Evaluation Tool.

It provides a multitude of
cybersecurity standards and other

resources for a credit union to
conduct self-assessments, including

the Ransomware Readiness Assessment.

• N.C.U.A..gov.

The N.C.U.A.

website provides cybersecurity resources
for research and informational purposes.

Specifically, the Cybersecurity
Resources page centralizes and contains

applicable references to N.C.U.A.

regulations and guidance, federal
government requirements and

guidelines, information sharing,
cybersecurity threats, best

practices, and privacy and protection.

• Grants and Loans.

The N.C.U.A.

provides technical assistance grants
and low-interest loans to support

credit unions’ efforts to improve and
expand service through the Community

Development Revolving Loan Fund.

Year after year, demand for this
funding continues to exceed supply.

During the 2023 grant round, the
agency received 316 applications

totaling more than $10.3 million,
and awarded more than $3.5 million

in technical assistance grants to 146
low-income-designated credit unions.

Of that amount, 79 grants totaling
nearly $800,000 were specifically

earmarked for digital services
and cybersecurity projects.

Agency Investment in
Information Technology Security

The N.C.U.A.

has invested significant
resources in prioritizing agency

cybersecurity resiliency and adopting
Zero-Trust Architecture (ZTA).

These investments are designed to
identify, deter, protect against, detect,

and respond to persistent and increasingly
sophisticated cyber campaigns.

The aim is to meet and exceed the
standards outlined in the latest

Office of Management and Budget
directives advocating for a robust

ZTA across federal agencies.

All basic user accounts
must use multi-factor,

certificate-based authentication
to access network resources.

Elevated privilege accounts (system and
network administrators and engineers)

are issued session-based credentials
with specific expiration timeframes.

To mitigate vulnerabilities, N.C.U.A.

network users remotely access
network services and resources

protected by encrypted virtual
private network (VPN) tunnels.

Internal and external network
traffic is managed and monitored.

VPN connectivity on N.C.U.A.

laptops is mandatory for all users.

This system continually enforces
technical policies and ensures traffic

and data are encrypted and secure.

The N.C.U.A.

uses a security information and
event management solution to

enhance visibility, investigative,
and remediation capabilities.

This solution provides insights,
automated analytics, and actionable

intelligence through correlation and
machine learning to efficiently identify

anomalous behavior in agency networks,
infrastructure, and applications.

The N.C.U.A.

uses a threat intelligence platform
to automate threat analysis

and identify threat exposure.

This platform enables better
decision-making and improves

security capabilities to
reduce the risk of compromise.

In support of national efforts
to remove barriers to threat

information sharing, the N.C.U.A.

leverages automated
indicator sharing from DHS.

The N.C.U.A.

also leverages DHS’s Protective
Domain Name System and Trusted

Internet Connection 3.0 to

enhance cybersecurity analysis,
situational awareness, and

security response in internet
traffic and connections.

To support cybersecurity resiliency
and mitigate risks resulting from

infrastructure failure, the N.C.U.A.

has redundant data center facilities
that are failovers for essential N.C.U.A.

network resources and services.

Essential public-facing web services
have been migrated to cloud- based

infrastructure to leverage both
inherent geographic dispersion and

infrastructure failure risk mitigation.

For critical business
productivity and collaboration

client resilience, the N.C.U.A.

migrated to Microsoft’s Office
365 government cloud environment.

The N.C.U.A.’s approach to data
loss prevention limits local

downloading of business information;
however, when necessary due to

limited network connectivity, any
downloads are to centrally tracked

and managed encrypted devices.

For email data loss and
exfiltration, the N.C.U.A.

uses a third-party technology
that monitors, notifies, logs,

and prevents business information
from malicious and inadvertent

transfer to external email domains.

The N.C.U.A.

uses Domain-based Message Authentication,
Reporting, and Conformance to combat

spam, phishing, and spoofing of N.C.U.A.

email domains.

To mitigate the risk of
endpoint malware-based data

exfiltration, the N.C.U.A.

uses a robust real- time Endpoint
Detection and Response tool with

integrated open-source intelligence
feeds, creating opportunities

for malware auto-response at
the user and server endpoints.

The N.C.U.A.

has enhanced the security of mobile
devices by hardening the devices

and implementing an adaptable mobile
security solution to detect and protect

against mobile threats, including
phishing, malicious mobile apps, device

compromise, and risky connections.

Finally, the N.C.U.A.

evaluates new systems and services
to determine if they are candidates

for the Office of Management and
Budget’s Cloud Smart initiative.

As part of the initiative to move
to a ZTA and accelerate movement to

secure cloud services, the N.C.U.A.

is carefully evaluating the need
for additional investment in

both technology and personnel.

Audits and Reviews of the
N.C.U.A.’s Cybersecurity Program

The N.C.U.A.’s Office of the Inspector
General (OIG) conducts independent audits,

investigations, and other activities
to verify the N.C.U.A.’s compliance

with applicable laws, regulations,
and standards, including those related

to privacy and information security,
to determine whether the N.C.U.A.

effectively implemented all appropriate
security and privacy controls.

There are five FISMA maturity
levels, and the N.C.U.A.

was evaluated as Maturity Level 4 “Managed
and Measurable” as of fiscal year 2023.

This rating reflects that the N.C.U.A.

implemented an effective
information security program

and substantially complied with
information security and privacy

practices, policies, and procedures.

In addition, as indicated in the
financial statement audits, the N.C.U.A.

complies with the requirements
of the Federal Managers’

Financial Integrity Act of 1982.

Credit unions and their members can
review OIG audit reports, semiannual

reports, and letters to Congress
on the N.C.U.A.’s OIG reports page.

N.C.U.A.

senior leadership are briefed on
the status of open findings every

quarter, and resources are allocated
as appropriate to ensure mitigation.

Binding Operational Directive 18-02
requires the federal government to

identify high value assets and submit to
a DHS-led assessment once every 3 years.

The N.C.U.A.’s General Support System was
assessed by a CISA-led team during the

week of February 26, 2024 – March 1, 2024.

After a review of the General Support
System documentation, an in-depth

technical exchange meeting with N.C.U.A.

subject matter experts, and a
targeted penetration test, CISA

determined that the N.C.U.A.

has a thorough and well-documented
risk management program that includes

participation, involvement, and
awareness from the system-level

up to senior leadership.

The N.C.U.A.

received no critical or
high reportable findings.

The N.C.U.A.

will continue to report quarterly
the status and compliance

of its high-value assets.

Interagency Coordination Efforts

The N.C.U.A.

coordinates with other federal and
state regulatory agencies to strengthen

cybersecurity, including the development
and dissemination of best practices

and sharing threat information.

Examples include the:

• FFIEC.

In particular, the N.C.U.A.

participates on the FFIEC’s
Information Technology Subcommittee.

This group addresses information systems
and technology policy issues as they

relate to financial institutions and
their technology service providers.

The N.C.U.A.

also participates on the Cybersecurity
Critical Infrastructure Subcommittee.

This group addresses policy
relating to cybersecurity, critical

infrastructure security, and the
resilience of financial institutions

and technology service providers.

• FSOC.

Because a weakness in the
information security of financial

systems or data could lead to an
incident that could potentially

threaten the stability of the U.S.

financial system, cybersecurity
falls under the charge of FSOC.

In its 2023 annual report, FSOC
provides several cybersecurity related

recommendations focused on maintaining
and improving the cyber resilience

of the financial system, including
that Congress provide the N.C.U.A.

with third-party vendor authority.

• FBIIC.

The N.C.U.A.

is one of the 18 FBIIC member
organizations from across the

financial regulatory community,
both federal and state.

Through monthly meetings, staff
from FBIIC member organizations work

on operational and tactical issues
related to critical infrastructure

matters, including cybersecurity,
within the financial services industry.

The FBIIC also leads the
financial sector’s cybersecurity

exercises, of which the N.C.U.A.

regularly participates.

• Financial Services Sector
Coordinating Council.

The N.C.U.A.

collaborates and coordinates
with the private sector through

the Financial Services Sector
Coordinating Council (FSSCC).

The FSSCC works collaboratively with
key government agencies to protect the

nation’s critical infrastructure from
cybersecurity and physical threats.

The FSSCC is comprised of more than
70 members from financial trade

associations, financial utilities,
and the most critical financial firms.

Through government relationships, the
FSSCC directly assists the sector’s

response to natural disasters.

• U.S.

Department of Treasury and CISA.

As a federal agency, the N.C.U.A.

follows CISA and the U.S.

Department of the Treasury’s
direction during government-wide

incident response activities.

In addition, the N.C.U.A.

identifies potential, actual, and emerging
threats, issues, or challenges to analyze

underlying causes and develop innovative

short- and long-term solutions.

This analysis supports the shaping of
the N.C.U.A.’s internal policies and

procedures related to cybersecurity,
critical infrastructure protection, supply

chain risks, national security, insider
threats, counterintelligence, continuity

of operations, and emergency response.

The N.C.U.A.’s staff also participate in
the following interagency initiatives:

o CISA security operations center
information and collaboration sessions;

o Treasury sector cybersecurity
collaboration and information sessions;

o The Federal Chief Information
Security Officer Council; and

o The Small Agency Chief Information
Security Officer collaboration forum.

Industry Efforts

Credit union participation in the
following initiatives reflect the credit

union system’s proactive engagement with
the broader information security community

to enhance cybersecurity and resilience.

• Information Sharing and Analysis
Centers & Organizations.

Credit unions actively participate
in the Financial Services Information

Sharing and Analysis Center (FS-ISAC),
where the financial sector shares

intelligence, knowledge, and practices.

The National Credit Union Information
Sharing and Analysis Organization was

established to tailor these efforts to the
unique needs of credit unions and provides

security coordination and collaboration
to identify, protect, detect, respond, and

recover from threats and vulnerabilities.

• Sheltered Harbor.

Comprised of financial institutions,
core service providers, national

trade associations, alliance partners,
and solution providers dedicated to

enhancing financial sector stability
and resiliency, Sheltered Harbor

is a subsidiary of the FS-ISAC.

It developed standards to
assist financial institutions

prepare for catastrophic events.

The standards are designed to help
institutions to plan for and recover

from catastrophic events, and to
be able to continue to provide

essential services until normal
operations can be reestablished.

• Hamilton Series Exercises.

The N.C.U.A.

supports the Hamilton Series exercises
through its membership on the joint

FSSCC  FBIIC Exercise Committee.

These one-day exercises simulate
various cyberattack scenarios

to enhance cybersecurity threat
responses within the U.S.

financial sector.

They also aim to improve public-private
coordination strategies by including

diverse participants from both sectors.7

• CISA Cyber Hygiene Services.

Over 200 credit unions have engaged
with CISA’s Cyber Hygiene Services

program, which offers vulnerability
scanning and web application

scanning to help institutions
mitigate cybersecurity threats.

https://www.fsisac.com/hubfs/Resources/FS-ISAC_ExercisesOverview.pdf

CURRENT & EMERGING THREATS

In today’s digital age, the financial
sector faces an increasingly

sophisticated array of cybersecurity
threats that demand vigilance.

The rapid evolution of technology,
coupled with escalating geopolitical

tensions, has expanded the
threat landscape significantly.

Financial institutions, including
credit unions, are particularly

vulnerable due to their increasing
reliance on technology and third-party

service providers that the N.C.U.A.

has no authority to examine,
supervise, or regulate.

The N.C.U.A.

remains concerned about the risks
cyberattacks pose to the financial system.

Cybersecurity risks grow as
threats evolve, become more

sophisticated, and cause greater
damage to a variety of industries.

Geopolitical tensions increase the
possibility of nation-states and

other sophisticated actors conducting
malicious cyberattacks against U.S.

critical infrastructure, of which
credit unions are a significant part.

To ensure the industry’s long-term
success, credit unions must deliver member

services using appropriate controls.

The evolving array of cybersecurity
threats that require continued

vigilance by credit unions include:

• Third-Party Risk.

Credit unions’ dependency on third-party
vendors and the integral nature of the

supply chain introduces considerable risk
as cyber actors continue to exploit the

vulnerabilities of third-party providers.

The absence of third-party vendor
authority limits the N.C.U.A.’s ability

to assess and mitigate potential
risks associated with these vendors.

Vendors typically decline examination
requests or refuse to implement

recommended actions, exacerbating
credit unions’ exposure to operational,

cybersecurity, and compliance risks
that can arise from these relationships.

Without visibility into these entities
and the authority to supervise and

enforce corrective actions, the N.C.U.A.

cannot effectively protect credit
unions and their member-owners or

provide relevant information to other
federal and state regulators of threats

encountered in the credit union industry.

Based on cyber incident reports submitted
by credit unions since September 1,

2023, compromises within third-party
services have led to systemic risks

across the credit union ecosystem.

In fact, incidents related to third-party
vendors accounted for approximately 73

percent of total reported incidents.

A recent cyber incident has underscored
the importance of the N.C.U.A.

obtaining vendor authority
to address these risks.

On November 26, 2023, a major service
provider for the credit union industry

was targeted by a ransomware attack,
resulting in a prolonged service

outage that affected 60 credit unions.

This incident exposed significant
challenges in the agency’s ability

to respond effectively due to
the lack of vendor authority.

During the incident, the N.C.U.A.

faced substantial difficulties
in obtaining crucial information

from third-party vendors, which
hindered response efforts.

Due specifically to the N.C.U.A.’s
lack of vendor authority, the N.C.U.A.

encountered delays in communication
and inability to obtain data.

These obstacles could have
been mitigated if the N.C.U.A.

had the authority to demand
timely and reliable information

from all relevant parties.

Moreover, the lack of vendor
authority also impacts the nation’s

critical economic infrastructure
and national security, as the

interconnectedness of financial services

expands with other industries
and national infrastructure.

Currently, more than one in three
Americans use a credit union for basic

financial services, and there are many
credit unions with fields of membership

that are tied to high-risk populations
such as congressional staff, the U.S.

military, the State Department,
and members of the U.S.

Intelligence Community.

Many of these credit unions use
third-party service providers to

provide critical member services.

A sophisticated cyberattack against a
vendor can have measurable impacts on the

personnel who are critical to government
operations and national security.

By current estimates, roughly 90
percent (or approximately $1.9 trillion)

of industry assets are in some way
managed or affected by unregulated

third-party service providers.

• State-Sponsored Cyber Activities.

Over the past year, U.S.

government organizations, including
CISA, the National Security Agency,

and the FBI produced a joint advisory
to alert the public that cyber actors

sponsored by the People’s Republic
of China are seeking to pre-position

themselves on IT networks for disruptive
or destructive cyberattacks against U.S.

critical infrastructure in the event
of a major crisis or conflict with

the United States or its allies.

This advisory was published
following months of observations and

incident response activities at U.S.

critical infrastructure organizations
which had been compromised.

State-sponsored cyber activities
against critical infrastructure are

a real threat to the credit union
system—due, primarily, to the number

of Americans that can be impacted
and the resulting effects on the U.S.

economy.

Along with CISA, the FBI, and the
National Security Agency, the N.C.U.A.

has encouraged credit unions of all
sizes to adopt a heightened state

of awareness and to proactively hunt
threats to defend against this risk.

Additionally, the N.C.U.A.

provided guidance and resources to credit
unions to assist in mitigating this

threat and specifically recommended credit
unions report cyber incidents to CISA.

The N.C.U.A.

has also directed credit unions
to CISA’s Shields Up website for

additional guidance, reporting
options, and mitigation measures.

• Ransomware Attacks.

Ransomware is an increasingly
serious threat to credit unions.

Ransomware attacks continue across
all sectors, including the financial

sector, and have left victims without
the data they need to operate.

Over the past year, ransomware
attacks and payments have escalated

in frequency, scope, and volume across
all critical infrastructure sectors.

One of the primary causes of this sharp
growth is the increase in cyber actors

using ransomware to carry out attacks
and, in turn, profit from their actions.

Ransomware as a service is a cybercrime
business model in which a ransomware

group sells its code or malware to
other hackers, who then use it to

carry out their own ransomware attacks.

This has made it easier for bad actors
to carry out ransomware attacks.

Designed to help public and private
organizations defend against the rise in

ransomware cases, CISA’s StopRansomware
provides a whole-of-government approach

to tackle ransomware more effectively
and serves as one central location

for ransomware resources and alerts.

• Quantum Computing and Cryptographic Risks.

The U.S.

government remains concerned with the
development and trajectory of quantum

information technologies and products
that could compromise existing encryption

and other cybersecurity controls
across critical infrastructure sectors.

• Artificial Intelligence
(AI)-enabled Attacks.

Generative AI creates new text,
images, video, and other content.

Generative AI has gone mainstream and
is increasingly being used by cyber

actors to create complex malware and
advanced social engineering attacks,

including phishing and spoofing.

By making these attacks more
effective, they are also

harder to detect and prevent.

In addition to generative AI being
used for initial attack vectors,

it can also amplify threats once
an initial breach has occurred.

AI tools can be used to
modify code at scale, quickly

giving control to attackers.

These tools can also be trained on
a dataset of known vulnerabilities

and used to automatically generate
new exploit code to target multiple

vulnerabilities in rapid succession.

Cyber actors can also use generative
AI to scan massive amounts of company

data, summarizing it to identify
employees, relationships, and assets,

potentially leading to further
social engineering attacks via user

impersonation, blackmail, or coercion.

However, generative AI is not used
exclusively by bad actors—organizations

are increasingly using the same technology
to build better cybersecurity defenses.

The evolving nature of cybersecurity
threats demands a dynamic and

informed response strategy from
both credit unions and the N.C.U.A..

By focusing on third-party
vulnerabilities, geopolitical risks,

advanced cybercrime tactics, and
by maintaining robust communication

channels, credit unions can enhance
their resilience against a broad

spectrum of cybersecurity threats.

This integrated approach not only
addresses current threats but also

positions the credit union sector to adapt
to future challenges, ensuring long-term

security and operational success.

CONCLUSION

The N.C.U.A.

is committed to fortifying
cybersecurity resilience within the

agency and the credit union system.

Through targeted examinations,
comprehensive risk assessments,

and robust educational outreach
initiatives, the N.C.U.A.

is working diligently to
strengthen cybersecurity

practices and mitigate potential
vulnerabilities across the industry.

Within the limits of its current
statutory authorities, the N.C.U.A.

remains proactive in furthering
effective IT security within

the credit union system.

By leveraging partnerships with other
federal agencies, industry stakeholders,

and cybersecurity experts, the N.C.U.A.

continues to foster a collaborative
environment conducive to information

sharing and coordination.

This collaborative approach
enables the N.C.U.A.

to stay abreast of current and
emerging threats, enhancing its

ability to anticipate and respond
effectively to cybersecurity risks.

However, challenges persist,
particularly concerning the lack of

authority over third-party vendors.8
The reliance of credit unions on

third-party vendors for essential
services exposes them to additional

cybersecurity risks and is a growing
regulatory blind spot for the N.C.U.A..

As the digital landscape
continues to evolve, the N.C.U.A.

remains committed to adapting its
cybersecurity approach to effectively

address emerging threats and challenges.

By remaining vigilant and
proactive, the N.C.U.A.

aims to defend the security and
stability of the credit union system,

promoting the financial well-being of
credit union members, and safeguarding

the integrity of the broader financial
system for generations to come.

In order to achieve these
worthy goals, the N.C.U.A.

will continue to request that
Congress provide the long

overdue ability for the N.C.U.A.

to supervise and examine
third-party service providers

in the credit union industry.

This authority is needed to manage,
measure, and proactively mitigate risks

within the credit union system, and to be
able to share relevant information with

government partners to add to the whole of
government approach to protecting critical

infrastructure in the United States.

8 Independent entities such as the
Government Accountability Office, the

Financial Stability Oversight Council,
and the N.C.U.A.’s Office of Inspector

General have identified this deficiency
as a significant obstacle to the

N.C.U.A.’s mission to safeguard credit
union members and the financial system.

All of them have recommended that
Congress provide the N.C.U.A.

with this authority.

This concludes the NCUA Letter to
credit unions on Annual Cybersecurity

and Credit Union System Resilience Report

If your Credit union could use assistance
with your exam, reach out to Mark Treichel

on LinkedIn, or at mark Treichel dot com.

This is Samantha Shares and
we Thank you for listening.