WEBVTT

NOTE
This file was generated by Descript 

00:00:00.470 --> 00:00:02.400
Samantha: Hello, this is Samantha Shares.

00:00:03.010 --> 00:00:07.100
This episode covers N C U A's release
of its Annual Cybersecurity

00:00:07.867 --> 00:00:10.227
and Credit Union System Resilience Report

00:00:11.029 --> 00:00:14.389
The following is an audio version
of that advisory and the report.

00:00:14.969 --> 00:00:18.129
This podcast is educational
and is not legal advice.

00:00:18.579 --> 00:00:22.589
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:22.589 --> 00:00:25.629
team has over two hundred and
forty years of National Credit

00:00:25.629 --> 00:00:27.539
Union Administration experience.

00:00:28.059 --> 00:00:31.719
We assist our clients with N C
U A so they save time and money.

00:00:32.079 --> 00:00:36.049
If you are worried about a recent,
upcoming or in process N C U A

00:00:36.049 --> 00:00:40.429
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:40.879 --> 00:00:45.219
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:45.219 --> 00:00:47.779
on how to achieve success with N C U A.

00:00:48.516 --> 00:00:49.436
And now the report

00:00:50.208 --> 00:00:51.438
MESSAGE FROM THE CHAIRMAN

00:00:52.127 --> 00:00:55.987
On behalf of the National Credit
Union Administration (N.C.U.A.), I

00:00:55.987 --> 00:00:59.977
am submitting our annual, statutorily
required Cybersecurity and Credit

00:00:59.977 --> 00:01:01.907
Union System Resilience Report.

00:01:02.607 --> 00:01:06.167
This report summarizes the current
cybersecurity threat landscape,

00:01:06.167 --> 00:01:10.497
highlights the agency's key cybersecurity
initiatives, and outlines the

00:01:10.497 --> 00:01:14.997
agency's ongoing efforts to enhance
cybersecurity preparedness and resilience

00:01:14.997 --> 00:01:16.707
within the credit union industry.

00:01:17.463 --> 00:01:22.483
Throughout 2023, our nation, including its
financial sector, has faced unprecedented

00:01:22.483 --> 00:01:26.103
challenges stemming from cyberattacks
and other malicious activities

00:01:26.103 --> 00:01:27.883
targeting critical infrastructure.

00:01:28.533 --> 00:01:33.883
The credit union system, which serves more
than 139 million Americans and plays a

00:01:34.606 --> 00:01:38.656
vital role in communities across the
country, is not immune to these threats.

00:01:39.226 --> 00:01:43.506
In fact, in the face of an ever-evolving
cybersecurity threat landscape, the

00:01:43.506 --> 00:01:47.836
need for ongoing vigilance in the credit
union sector cannot be overstated.

00:01:48.535 --> 00:01:49.155
The N.C.U.A.

00:01:49.155 --> 00:01:53.175
is committed to ensuring consistency,
transparency, and accountability

00:01:53.175 --> 00:01:56.995
in its cybersecurity examination
program and related activities.

00:01:57.495 --> 00:02:00.115
Further, over the last
several years the N.C.U.A.

00:02:00.115 --> 00:02:04.185
has made major strides in promoting
a culture of cybersecurity awareness

00:02:04.185 --> 00:02:06.195
and resilience among credit unions.

00:02:06.545 --> 00:02:10.895
Through targeted supervision completed
using the N.C.U.A.'s recently implemented

00:02:10.925 --> 00:02:15.705
Information Security Examination program,
the development of risk-assessment tools

00:02:15.705 --> 00:02:20.425
like the agencyâs Automated Cybersecurity
Evaluation Toolbox, the adoption of a

00:02:20.425 --> 00:02:26.295
cyber incident notification regulation in
2023, ongoing educational outreach, and

00:02:26.295 --> 00:02:31.065
grants to eligible credit unions, we have
worked diligently to improve cybersecurity

00:02:31.065 --> 00:02:32.975
practices and mitigate risks.

00:02:33.660 --> 00:02:34.990
Looking ahead, the N.C.U.A.

00:02:34.990 --> 00:02:38.800
remains committed to working closely
with Congress, other regulatory

00:02:38.800 --> 00:02:42.420
agencies, industry stakeholders,
and other partners to strengthen

00:02:42.420 --> 00:02:46.880
cybersecurity defenses and ensure the
resilience of the credit union system.

00:02:47.460 --> 00:02:51.250
To that end, I respectfully ask for
this Committee's support in restoring

00:02:51.250 --> 00:02:55.270
the N.C.U.A.'s vendor authority
over third-party service providers.

00:02:55.996 --> 00:03:00.246
This regulatory blind spot has already
had a negative impact on the industry.

00:03:00.776 --> 00:03:04.726
For example, last year's third-party
core service provider ransomware

00:03:04.726 --> 00:03:09.256
disruption affecting 60 small credit
unions illuminated the N.C.U.A.'s

00:03:09.256 --> 00:03:13.106
challenges as it tried to mitigate
issues on behalf of impacted credit

00:03:13.106 --> 00:03:14.916
unions and their member-owners.

00:03:15.683 --> 00:03:19.993
Moreover, independent entities such as
the Government Accountability Office, the

00:03:19.993 --> 00:03:24.513
Financial Stability Oversight Council,
the N.C.U.A.'s Office of Inspector

00:03:24.513 --> 00:03:28.873
General, and a growing number of credit
unions have identified this deficiency

00:03:28.943 --> 00:03:33.013
as a significant obstacle to the
N.C.U.A.'s mission to safeguard credit

00:03:33.013 --> 00:03:35.263
union members and the financial system.

00:03:35.823 --> 00:03:38.763
All of them have recommended that
Congress provide the N.C.U.A.

00:03:38.763 --> 00:03:39.703
with this authority.

00:03:40.452 --> 00:03:44.922
Cybersecurity and Credit Union
System Resilience Report June 2024

00:03:45.739 --> 00:03:49.809
â¦
 
Besides giving credit union members
the same protection as bank customers,

00:03:50.209 --> 00:03:54.039
this sensible statutory change would
significantly improve supervisory

00:03:54.039 --> 00:03:58.839
oversight and bolster our ability to
mitigate cybersecurity risks, ultimately

00:03:58.839 --> 00:04:02.799
enhancing the credit union system's
overall security posture and the

00:04:02.799 --> 00:04:06.529
protection of critical infrastructure
in the United States more broadly.

00:04:07.288 --> 00:04:11.568
As we seek to strengthen our cybersecurity
resiliency, I want to express my

00:04:11.568 --> 00:04:15.508
gratitude for your continued support
and engagement on this critical issue.

00:04:16.038 --> 00:04:20.488
Together, we can confront the challenges
posed by cybersecurity threats and uphold

00:04:20.488 --> 00:04:24.568
the safety and soundness of the credit
union system for generations to come.

00:04:25.191 --> 00:04:25.951
Sincerely,

00:04:26.723 --> 00:04:27.263
Todd M.

00:04:27.743 --> 00:04:28.573
Harper Chairman

00:04:29.217 --> 00:04:31.357
National Credit Union Administration

00:04:32.090 --> 00:04:32.820
INTRODUCTION

00:04:33.488 --> 00:04:37.008
This report details the measures
taken to strengthen cybersecurity

00:04:37.008 --> 00:04:40.158
within credit unions and the
N.C.U.A., per the Consolidated

00:04:40.158 --> 00:04:43.688
Appropriations Act, 2021.1 This report:

00:04:44.499 --> 00:04:48.919
â¢	outlines the N.C.U.A.âs policies and
procedures to address cybersecurity

00:04:48.919 --> 00:04:52.309
risks and activities to ensure
their effective implementation;

00:04:53.017 --> 00:04:57.387
â¢	discusses cybersecurity resilience
within the credit union system, including

00:04:57.387 --> 00:05:01.247
the N.C.U.A.'s key initiatives to
enhance cybersecurity preparedness

00:05:01.247 --> 00:05:05.957
among credit unions, such as targeted
examinations, risk assessments, and

00:05:05.957 --> 00:05:07.957
educational and outreach efforts;

00:05:08.593 --> 00:05:11.573
â¢	describes current and
emerging threats; and

00:05:12.078 --> 00:05:16.518
â¢	highlights the N.C.U.A.âs collaboration
with other federal agencies, industry

00:05:16.518 --> 00:05:20.098
stakeholders, and cybersecurity
experts to address emerging

00:05:20.098 --> 00:05:24.258
threats and promote a culture of
cybersecurity awareness and resilience

00:05:24.258 --> 00:05:25.958
within the credit union industry.

00:05:26.755 --> 00:05:30.165
As the digital and geopolitical
landscapes continue to evolve,

00:05:30.365 --> 00:05:33.905
the threat of cyberattacks against
critical infrastructure, of which

00:05:33.905 --> 00:05:38.065
financial institutions are a vital
part, looms larger than ever before.

00:05:38.465 --> 00:05:40.985
In response to this growing
challenge, the N.C.U.A.

00:05:40.985 --> 00:05:44.305
has undertaken a comprehensive
examination of cybersecurity

00:05:44.305 --> 00:05:47.705
resilience within the credit union
system through its Information

00:05:47.705 --> 00:05:49.865
Security Examination (ISE) program.

00:05:50.651 --> 00:05:54.231
As a member of the Federal Financial
Institutions Examination Council

00:05:54.231 --> 00:05:57.661
(FFIEC) and the Financial and
Banking Information Infrastructure

00:05:57.661 --> 00:05:59.751
Committee (FBIIC), the N.C.U.A.

00:05:59.751 --> 00:06:03.311
collaborates with other regulatory
agencies to develop and implement

00:06:03.311 --> 00:06:07.141
cybersecurity policies and standards
across the financial industry.

00:06:07.909 --> 00:06:09.219
In addition, the N.C.U.A.

00:06:09.219 --> 00:06:12.379
Chairman serves as a voting
member of the Financial Stability

00:06:12.379 --> 00:06:13.909
Oversight Council (FSOC).

00:06:14.479 --> 00:06:17.879
The FSOC identifies and responds
to threats to the stability

00:06:17.879 --> 00:06:19.109
of the financial system.

00:06:19.619 --> 00:06:23.559
The chairman's position on this body
underscores the N.C.U.A.'s integral

00:06:23.559 --> 00:06:27.129
role in safeguarding the overall
financial stability of the nation.

00:06:27.844 --> 00:06:31.704
The credit union system relies
extensively on third-party vendors to

00:06:31.734 --> 00:06:34.184
operate and deliver key member services.

00:06:34.764 --> 00:06:35.294
The N.C.U.A.

00:06:35.294 --> 00:06:39.144
lacks statutory authority over
third-party vendors, which hinders

00:06:39.144 --> 00:06:42.794
the agency's ability to examine
and address cybersecurity risks

00:06:42.794 --> 00:06:44.174
in the credit union system.

00:06:44.854 --> 00:06:48.754
As a result, the credit union system, which
more than a third of the American

00:06:48.754 --> 00:06:53.014
public uses for basic financial
services, remains particularly vulnerable

00:06:53.014 --> 00:06:57.514
to cybersecurity threats to third-party
vendors that provide essential services.

00:06:57.954 --> 00:07:00.844
Because of this regulatory
blind spot, the N.C.U.A.

00:07:00.844 --> 00:07:05.154
cannot manage or measure threats within
its regulated entities, nor can it

00:07:05.154 --> 00:07:09.554
warn other government regulators or the
Cybersecurity and Infrastructure Security

00:07:09.554 --> 00:07:11.694
Agency (CISA) of threats the N.C.U.A.

00:07:11.694 --> 00:07:15.224
may identify that may be first
used in the credit union system.

00:07:15.953 --> 00:07:19.553
By examining the current state of
cybersecurity within the credit union

00:07:19.553 --> 00:07:24.153
system and identifying areas for
improvement, this report aims to provide

00:07:24.153 --> 00:07:26.633
valuable insights and recommendations for

00:07:27.374 --> 00:07:27.984
1 Pub.

00:07:28.584 --> 00:07:28.834
L.

00:07:29.184 --> 00:07:29.534
No.

00:07:30.064 --> 00:07:34.054
116-260, 134 Stat.

00:07:34.724 --> 00:07:36.244
2173 (Dec.

00:07:36.244 --> 00:07:37.774
27, 2020)

00:07:38.533 --> 00:07:42.093
enhancing the security and stability
of credit unions nationwide.

00:07:42.693 --> 00:07:46.313
It underscores the N.C.U.A.'s
ongoing commitment to protecting the

00:07:46.313 --> 00:07:50.413
financial well-being of credit union
members and upholding the integrity

00:07:50.413 --> 00:07:54.113
of the broader financial system in
the face of cybersecurity threats.

00:07:54.795 --> 00:07:56.295
POLICIES & PROCEDURES

00:07:56.964 --> 00:08:00.034
Information Security and
Cybersecurity Regulations

00:08:00.766 --> 00:08:03.286
Per the Gramm-Leach-Bliley
Act, the N.C.U.A.

00:08:03.286 --> 00:08:06.666
Board established standards for
federally insured credit unions

00:08:06.666 --> 00:08:10.526
relating to administrative, technical,
and physical safeguards for credit

00:08:10.526 --> 00:08:12.686
union member records and information.

00:08:13.096 --> 00:08:16.976
These standards are incorporated into
the N.C.U.A.'s regulations at 12

00:08:16.976 --> 00:08:22.916
Code of Federal Regulations (C.F.R.)
part 748, Appendix A, Guidelines

00:08:22.916 --> 00:08:24.756
for Safeguarding Member Information.

00:08:25.510 --> 00:08:27.760
In February 2023, the N.C.U.A.

00:08:27.760 --> 00:08:31.360
Board approved a final rule that
requires federally insured credit

00:08:31.360 --> 00:08:33.150
unions to notify the N.C.U.A.

00:08:33.150 --> 00:08:37.160
as soon as possible, within
72 hours, after a credit union

00:08:37.160 --> 00:08:40.640
reasonably believes that a reportable
cyber incident has occurred.

00:08:41.190 --> 00:08:45.540
Under this rule, federally insured credit
unions must report a cyber incident

00:08:45.540 --> 00:08:49.570
that (1) results in a substantial
loss of confidentiality, integrity,

00:08:49.700 --> 00:08:53.490
or availability of a network or member
information system(s) because of

00:08:53.530 --> 00:08:58.280
unauthorized access to or exposure
of sensitive data, (2) disrupts vital

00:08:58.280 --> 00:09:03.200
member services, or (3) causes a serious
impact on the safety and resiliency

00:09:03.200 --> 00:09:05.400
of operational systems and processes.

00:09:06.103 --> 00:09:09.483
This rule became effective
September 1, 2023.

00:09:10.103 --> 00:09:14.873
From September 1, 2023, through
May 1, 2024, credit unions

00:09:14.873 --> 00:09:17.553
reported 892 cyber incidents.

00:09:18.083 --> 00:09:22.113
Approximately 73 percent of all
reported incidents were related to the

00:09:22.113 --> 00:09:24.263
use or involvement of a third party.

00:09:25.033 --> 00:09:27.463
Information Security Examination Program

00:09:28.205 --> 00:09:28.775
The N.C.U.A.

00:09:28.775 --> 00:09:32.995
regularly examines all federally
insured credit unions.2 At

00:09:32.995 --> 00:09:34.755
each examination, the N.C.U.A.

00:09:34.755 --> 00:09:38.445
performs an information security
review using the ISE program.

00:09:38.965 --> 00:09:43.165
The ISE program uses a risk-focused,
scalable approach to examine credit

00:09:43.165 --> 00:09:48.055
unions' information security programs,
which provides examiners the flexibility

00:09:48.055 --> 00:09:52.255
to focus on areas of current or
potential material risk relevant to each

00:09:52.255 --> 00:09:54.405
credit union's unique business model.

00:09:55.159 --> 00:09:56.109
â¢	ISE Program.

00:09:56.769 --> 00:09:59.059
The objectives of the ISE program include:

00:09:59.816 --> 00:10:03.906
o	Evaluating managementâs ability
to recognize, assess, monitor,

00:10:04.006 --> 00:10:07.746
and manage information technology
(IT) and systems-related risks;

00:10:08.497 --> 00:10:12.457
o	Assessing whether the credit union
has sufficient expertise to adequately

00:10:12.457 --> 00:10:16.997
plan, direct, and manage information
systems and technology operations;

00:10:17.739 --> 00:10:21.289
o	Evaluating the adequacy of
internal information systems and

00:10:21.289 --> 00:10:25.439
technology controls and oversight
to safeguard member information; and

00:10:26.214 --> 00:10:31.254
2 The N.C.U.A.'s examination frequency
for federal credit unions is based on risk

00:10:31.644 --> 00:10:35.634
but generally may not extend more than
20 months from the previous examination.

00:10:36.204 --> 00:10:40.234
Federally insured, state-chartered
credit unions are primarily examined

00:10:40.234 --> 00:10:44.144
by the applicable state regulator,
with participation from the N.C.U.A.

00:10:44.144 --> 00:10:47.324
based on risk, but no
less than every 5 years.

00:10:48.089 --> 00:10:51.999
o	Determining whether the board of
directors is providing adequate governance

00:10:52.079 --> 00:10:54.249
over information systems and security.

00:10:55.013 --> 00:10:55.553
The N.C.U.A.

00:10:55.553 --> 00:10:58.653
began using its ISE
procedures in early 2023.

00:10:58.653 --> 00:11:03.703
The ISE procedures were designed to be
scalable to enable examiners to tailor

00:11:03.703 --> 00:11:08.633
the examination based on asset size and
complexity, standardize the examination

00:11:08.633 --> 00:11:13.403
of a credit union's information security
and cybersecurity program, and enhance

00:11:13.403 --> 00:11:17.343
the identification of control deficiencies
and trends at the industry level.

00:11:17.973 --> 00:11:21.683
The ISE procedures also provide
examiners and credit unions with a

00:11:21.683 --> 00:11:23.943
well-structured examination workflow.

00:11:24.698 --> 00:11:26.938
The ISE procedures are focused on N.C.U.A.

00:11:26.938 --> 00:11:28.588
regulations 12 C.F.R.

00:11:28.588 --> 00:11:35.358
parts 748 and 749 and align closely with
the Automated Cybersecurity Evaluation

00:11:35.358 --> 00:11:39.428
Toolbox (ACET) maturity assessment
application provided by the N.C.U.A.

00:11:39.428 --> 00:11:42.258
that credit unions can
voluntarily use to conduct a

00:11:42.258 --> 00:11:44.188
cybersecurity maturity assessment.

00:11:44.548 --> 00:11:47.048
The ISE also references
guidance from the N.C.U.A.

00:11:47.048 --> 00:11:51.118
and the FFIEC, as well as other
industry-accepted best practices

00:11:51.118 --> 00:11:54.458
and security frameworks from the
National Institute of Standards

00:11:54.558 --> 00:11:58.468
& Technology (NIST), the Center
for Internet Security, and CISA.

00:11:59.258 --> 00:12:02.138
â¢	Credit Union Service
Organization (CUSO) Reviews.

00:12:02.618 --> 00:12:06.828
A CUSO is an entity in which at least one
federally insured credit union has

00:12:06.828 --> 00:12:11.088
an ownership interest or to which it has
extended a loan, and that primarily

00:12:11.088 --> 00:12:15.418
provides products or services to credit
unions or members of credit unions.

00:12:16.058 --> 00:12:16.678
The N.C.U.A.

00:12:16.678 --> 00:12:19.148
periodically performs reviews of CUSOs.

00:12:19.638 --> 00:12:20.398
While the N.C.U.A.

00:12:20.398 --> 00:12:24.228
has access to the "books and
records" of a CUSO, the N.C.U.A.

00:12:24.228 --> 00:12:26.448
lacks direct authority over CUSOs.

00:12:26.998 --> 00:12:31.248
CUSOs, therefore, may reject any of
the N.C.U.A.'s recommendations that

00:12:31.248 --> 00:12:35.738
result from a review, including those
recommendations related to cybersecurity.

00:12:36.408 --> 00:12:39.428
As noted in the Chairman's statement
at the start of this report and

00:12:39.428 --> 00:12:43.038
explained more fully below, the
restoration by Congress of the

00:12:43.088 --> 00:12:47.288
N.C.U.A.'s vendor authority powers
to examine and supervise third-party

00:12:47.288 --> 00:12:52.098
vendors, including those CUSOs subject
to cybersecurity risks, would close

00:12:52.098 --> 00:12:56.638
this regulatory blind spot and better
protect our financial system and economy.

00:12:57.414 --> 00:12:58.894
ACET Maturity Assessment

00:12:59.613 --> 00:13:02.823
The ACET maturity assessment
is a voluntary tool provided

00:13:02.823 --> 00:13:04.333
and maintained by the N.C.U.A.

00:13:04.333 --> 00:13:07.183
that allows credit unions to
determine the maturity of their

00:13:07.183 --> 00:13:09.043
information security programs.

00:13:09.543 --> 00:13:13.333
The ACET incorporates appropriate
cybersecurity standards and practices

00:13:13.403 --> 00:13:15.653
established for financial institutions.

00:13:16.193 --> 00:13:20.353
It also maps each declarative statement
to best practices found in the FFIEC

00:13:20.623 --> 00:13:25.153
IT Examination Handbook, regulatory
guidance, and leading industry standards

00:13:25.153 --> 00:13:27.153
like the NIST Cybersecurity Framework.

00:13:27.703 --> 00:13:31.463
The FFIEC IT Handbook Infobase
offers various resources, from

00:13:31.463 --> 00:13:35.043
IT booklets and work programs to
information on IT security-related

00:13:35.043 --> 00:13:37.103
laws, regulations, and guidance.

00:13:37.573 --> 00:13:40.723
Financial institutions can use
these booklets to align their

00:13:40.723 --> 00:13:45.193
information security and cybersecurity
practices with the FFIEC guidelines.

00:13:45.954 --> 00:13:49.604
Information Technology
& Cybersecurity Supervisory Guidance

00:13:50.179 --> 00:13:52.669
Since June 2023, the N.C.U.A.

00:13:52.669 --> 00:13:56.709
has issued the following cybersecurity
alerts and notices to help protect

00:13:56.839 --> 00:14:00.299
federally insured credit unions
from cybersecurity exposures:

00:14:01.062 --> 00:14:05.142
â¢	ATM and Interactive Teller Machine
(ITM) Skimming and Shimming Activities.

00:14:05.592 --> 00:14:08.882
Skimming and shimming fraud
involves capturing card information

00:14:08.882 --> 00:14:10.692
using unauthorized devices.

00:14:11.172 --> 00:14:15.342
Since September 2023, 44 incidents
were reported to the N.C.U.A.,

00:14:15.442 --> 00:14:17.232
peaking in February 2024.

00:14:17.792 --> 00:14:18.232
N.C.U.A.

00:14:18.232 --> 00:14:21.852
provided cybersecurity guidance
and alert notifications reminding

00:14:21.852 --> 00:14:26.802
credit unions to conduct inspections,
install anti-skimming devices, enhance

00:14:26.802 --> 00:14:31.252
surveillance, educate members, monitor
transactions, and update software.

00:14:32.007 --> 00:14:35.337
â¢	Current Geopolitical Events
Increase Likelihood of Cyberattacks

00:14:35.337 --> 00:14:36.917
on Financial Institutions.

00:14:37.527 --> 00:14:41.437
Due to evolving geopolitical events,
the likelihood of cyberattacks on U.S.

00:14:41.437 --> 00:14:43.537
financial institutions has increased.

00:14:44.057 --> 00:14:48.487
The N.C.U.A., CISA, and the Federal
Bureau of Investigation (FBI) encouraged

00:14:48.487 --> 00:14:52.657
credit unions to adopt heightened
awareness, reassess business continuity

00:14:52.657 --> 00:14:57.207
plans, and review CISA's recommendations
to reduce the risk of compromise.

00:14:57.557 --> 00:15:02.067
Anecdotal warnings from some credit unions
indicate that information technology and

00:15:02.067 --> 00:15:06.447
cybersecurity service providers sometimes
have services originating in a foreign

00:15:06.447 --> 00:15:08.987
country; a significant risk the N.C.U.A.

00:15:08.987 --> 00:15:12.117
cannot manage or measure
because the agency does not have

00:15:12.157 --> 00:15:13.687
third-party vendor authority.

00:15:14.427 --> 00:15:15.977
â¢	Business Email Compromise.

00:15:16.537 --> 00:15:20.267
Business email compromise attacks
targeting credit unions involve

00:15:20.267 --> 00:15:24.437
compromised or spoofed email accounts
used to initiate fraudulent transactions.

00:15:24.987 --> 00:15:25.567
The N.C.U.A.

00:15:25.567 --> 00:15:30.517
provided credit unions with cybersecurity
guidance and alert notifications to enable

00:15:30.547 --> 00:15:35.937
multi-factor authentication (MFA), educate
employees, use anti-malware and email

00:15:35.937 --> 00:15:40.757
filtering software, verify financial
transactions, and back up data regularly.

00:15:41.529 --> 00:15:43.539
â¢	Compromise at an ATM Provider.

00:15:44.169 --> 00:15:48.699
A third party experienced a cybersecurity
attack potentially compromising systems.

00:15:49.269 --> 00:15:52.949
Credit unions relying on this vendor
were advised to assess the impact,

00:15:53.119 --> 00:15:57.609
activate incident response teams, enhance
monitoring, communicate with members,

00:15:57.799 --> 00:16:00.149
and comply with regulatory obligations.

00:16:00.799 --> 00:16:01.319
The N.C.U.A.

00:16:01.319 --> 00:16:05.449
subsequently learned the third party
experienced a ransomware attack affecting

00:16:05.449 --> 00:16:07.909
internal systems and some ITMs and ATMs.

00:16:08.619 --> 00:16:11.879
The incident was contained, and
the vendor worked with the FBI.

00:16:12.169 --> 00:16:12.749
The N.C.U.A.

00:16:12.749 --> 00:16:16.519
sent an updated notice to credit
unions advising them to maintain

00:16:16.519 --> 00:16:20.519
communication with the vendor,
consult cybersecurity experts, and

00:16:20.519 --> 00:16:22.719
visit CISA's ransomware resources.

00:16:23.426 --> 00:16:27.026
This incident is an example of
an unnecessary burden potentially

00:16:27.026 --> 00:16:30.796
placed on credit unions during a
crisis when vendors deny N.C.U.A.

00:16:30.796 --> 00:16:33.596
requested information on
a cybersecurity event.

00:16:34.096 --> 00:16:34.766
If the N.C.U.A.

00:16:34.766 --> 00:16:39.216
had third-party vendor authority, the
agency could compel information directly

00:16:39.216 --> 00:16:43.516
from the service provider, relieving
impacted credit unions of this burden,

00:16:43.806 --> 00:16:48.136
and potentially sharing valuable tactics,
techniques, and procedures information

00:16:48.136 --> 00:16:52.326
with other federal and state regulatory
agencies to ensure a whole of government

00:16:52.326 --> 00:16:55.926
approach to protecting critical
infrastructure in the United States.

00:16:56.570 --> 00:17:00.220
â¢	File Transfer solution Zero-Day
Exploitation by Threat Actors.

00:17:00.750 --> 00:17:05.610
A zero-day vulnerability in a managed file
transfer solution was actively exploited.

00:17:06.170 --> 00:17:10.140
The vendor released an emergency patch
and credit unions using their software

00:17:10.140 --> 00:17:15.060
were advised to apply the patch, implement
access controls, and avoid exposing the

00:17:15.060 --> 00:17:16.900
administrator console to the internet.

00:17:17.490 --> 00:17:21.100
When zero-day exploitations occur
in third-party service provider

00:17:21.100 --> 00:17:22.970
operated systems, the N.C.U.A.

00:17:22.970 --> 00:17:27.050
cannot ascertain the risk to the system
because of the lack of vendor authority.

00:17:27.380 --> 00:17:27.890
The N.C.U.A.

00:17:27.890 --> 00:17:31.290
also cannot warn other federal
or state regulators about

00:17:32.041 --> 00:17:36.051
the threat that may also be used within
other critical infrastructure regulated

00:17:36.051 --> 00:17:40.061
entities because the agency does not
have third-party vendor authority.

00:17:40.792 --> 00:17:43.862
â¢	Recent Uptick in Cyberattacks
Against Credit Unions and

00:17:43.862 --> 00:17:45.542
Third-Party Service Providers.

00:17:45.992 --> 00:17:50.202
Cyberattacks against credit unions and
service providers increased, including

00:17:50.202 --> 00:17:52.012
incidents with a web application.

00:17:52.532 --> 00:17:56.792
Credit unions were advised to patch
vulnerabilities, implement MFA, train

00:17:56.792 --> 00:18:00.942
employees, deploy email security
measures, develop incident response

00:18:00.942 --> 00:18:05.702
plans, assess vendor risks, segment
networks, maintain data backups,

00:18:05.782 --> 00:18:07.472
and monitor security updates.

00:18:08.175 --> 00:18:11.375
â¢	MFA Vulnerabilities and
Mitigations for Credit Unions.

00:18:11.815 --> 00:18:15.485
Credit unions were reminded that MFA
methods could be bypassed through

00:18:15.485 --> 00:18:19.935
phishing, social engineering, Subscriber
Identity Module (SIM) swapping,

00:18:19.935 --> 00:18:23.405
man-in-the-middle, and
brute-force attacks.

00:18:23.835 --> 00:18:28.225
Credit unions were advised to educate
users, use strong MFA methods,

00:18:28.325 --> 00:18:32.975
implement risk-based authentication,
monitor suspicious activities, update

00:18:32.975 --> 00:18:34.925
software, and segment networks.

00:18:35.215 --> 00:18:39.115
Anecdotal warnings from some credit
unions indicate that some third-party

00:18:39.115 --> 00:18:43.315
service providers do not utilize
basic cybersecurity practices such as

00:18:43.315 --> 00:18:46.005
MFA; a significant risk the N.C.U.A.

00:18:46.005 --> 00:18:49.055
cannot manage or measure
because the agency does not have

00:18:49.125 --> 00:18:50.635
third-party vendor authority.

00:18:51.434 --> 00:18:53.634
â¢	Phishing Attacks Targeting Credit Unions.

00:18:54.084 --> 00:18:57.494
Credit unions were targeted by
phishing schemes spoofing N.C.U.A.

00:18:57.494 --> 00:19:02.464
addresses, asking recipients to complete
a web form to avoid email suspension.

00:19:02.904 --> 00:19:06.464
Recipients were advised not to click
on links and delete such emails.

00:19:06.924 --> 00:19:09.964
Preventative measures included
being cautious of unsolicited

00:19:09.964 --> 00:19:14.254
contacts, not revealing personal
information via email, verifying

00:19:14.254 --> 00:19:18.854
requests directly, and maintaining
anti-virus software and email filters.

00:19:19.394 --> 00:19:23.244
When phishing attacks occur at
third-party service providers, unless

00:19:23.244 --> 00:19:27.514
the affected provider volunteers
information to the N.C.U.A., the agency

00:19:27.514 --> 00:19:31.254
cannot manage or measure the risk to
the system because the agency does

00:19:31.254 --> 00:19:33.264
not have third-party vendor authority.

00:19:34.011 --> 00:19:35.911
Agency Cybersecurity Program

00:19:36.605 --> 00:19:37.175
The N.C.U.A.

00:19:37.175 --> 00:19:41.325
Board has established a low-risk
appetite for technology and information

00:19:41.325 --> 00:19:45.995
management for operational IT and IT
systems.3 Additionally, the N.C.U.A.

00:19:45.995 --> 00:19:49.695
must comply with mandatory security
standards for federal information

00:19:49.695 --> 00:19:53.665
and information systems and must meet
these minimum information security

00:19:53.665 --> 00:19:57.915
requirements by using security and
privacy controls recommended by NIST

00:19:57.915 --> 00:20:02.375
and Federal Information Security
Modernization Act (FISMA).4,5

00:20:02.723 --> 00:20:03.523
The N.C.U.A.

00:20:03.523 --> 00:20:06.323
implements applicable statutes,
regulations, and standards using

00:20:06.323 --> 00:20:10.323
the NIST Risk Management Framework
and adherence to NIST Special

00:20:10.323 --> 00:20:12.323
Publication 800-53, Security and

00:20:12.823 --> 00:20:13.493
3 N.C.U.A.

00:20:13.493 --> 00:20:16.953
Risk Appetite Statement
(October 20, 2022).

00:20:17.663 --> 00:20:21.763
The risk appetite for technology and
information management for operational

00:20:21.763 --> 00:20:23.833
IT and IT systems is "averse."

00:20:24.764 --> 00:20:29.704
4 FIPS Publication 199, Standards
for Security Categorization of

00:20:29.704 --> 00:20:35.064
Federal Information, and Information
Systems; FIPS Publication 200, Minimum

00:20:35.064 --> 00:20:39.224
Security Requirements for Federal
Information, and Information Systems.

00:20:39.938 --> 00:20:45.588
5 NIST Special Publication 800-53,
Security and Privacy Controls for Federal

00:20:45.588 --> 00:20:47.858
Information Systems and Organizations.

00:20:48.564 --> 00:20:53.454
Privacy Controls for Information
Systems and Organizations.6 The N.C.U.A.

00:20:53.454 --> 00:20:57.744
complies with binding operational
directives, emergency directives, and

00:20:57.744 --> 00:21:02.494
cybersecurity coordination, assessment,
and response directives issued by CISA.

00:21:03.189 --> 00:21:03.729
The N.C.U.A.

00:21:03.729 --> 00:21:08.559
documents, categorizes, and authorizes
all information systems in the agency,

00:21:08.929 --> 00:21:13.349
including internally hosted federal
systems, contractor-hosted systems, and

00:21:13.349 --> 00:21:15.679
services provided by other third parties.

00:21:16.309 --> 00:21:16.949
The N.C.U.A.

00:21:16.949 --> 00:21:20.469
is adopting a zero-trust security
model based on the principle of

00:21:20.469 --> 00:21:22.679
maintaining strict access controls.

00:21:23.239 --> 00:21:25.649
As part of system
authorization, the N.C.U.A.

00:21:25.649 --> 00:21:26.349
considers:

00:21:27.059 --> 00:21:29.629
â¢	information types, assets, and systems;

00:21:30.355 --> 00:21:33.925
â¢	the roles and privileges of those
who manage and operate them; and

00:21:34.687 --> 00:21:36.667
â¢	the interconnection of systems and data.

00:21:37.400 --> 00:21:40.720
Based on information and system
sensitivity, the N.C.U.A.

00:21:40.720 --> 00:21:44.340
selects and implements the security
controls necessary to protect the

00:21:44.340 --> 00:21:48.150
confidentiality, integrity, and
availability of the organizational

00:21:48.150 --> 00:21:50.140
systems and critical infrastructure.

00:21:50.600 --> 00:21:53.900
The security control implementation
statements are documented,

00:21:53.980 --> 00:21:57.510
reviewed, and tested to ensure
they produce the desired outcome.

00:21:58.283 --> 00:22:02.833
Once authorized, systems are continuously
monitored using automated and manual

00:22:02.833 --> 00:22:07.333
processes with regular testing of controls
to validate their continued efficacy.

00:22:07.923 --> 00:22:12.133
System authorization data is stored
in the N.C.U.A.’s governance, risk,

00:22:12.243 --> 00:22:16.233
and compliance repository, which
aggregates and analyzes enterprise

00:22:16.233 --> 00:22:18.443
information security risk information.

00:22:19.023 --> 00:22:23.303
This provides seamless reporting to
N.C.U.A.âs senior management and CISA.

00:22:24.018 --> 00:22:26.138
In addition to technology, the N.C.U.A.

00:22:26.138 --> 00:22:29.788
strengthens information security by
designing and disseminating fully

00:22:29.788 --> 00:22:34.468
developed agency-wide and program-specific
policies and procedures to establish

00:22:34.468 --> 00:22:39.128
appropriate practices for collecting,
securing (data is encrypted in transit and

00:22:39.128 --> 00:22:41.438
at rest), retaining, and destroying data.

00:22:42.068 --> 00:22:46.158
These policies and procedures are based
on applicable requirements in information

00:22:46.158 --> 00:22:50.848
security laws, or are otherwise mandated
by NIST, the Office of Management

00:22:50.848 --> 00:22:55.028
and Budget, CISA, or the National
Archives and Records Administration.

00:22:55.801 --> 00:22:59.381
ACTIVITIES TO ENSURE EFFECTIVE
INFORMATION TECHNOLOGY SECURITY

00:23:00.121 --> 00:23:01.841
Appointing Qualified Staff

00:23:02.413 --> 00:23:02.983
The N.C.U.A.

00:23:02.983 --> 00:23:06.263
has hired staff focused on
cybersecurity and privacy.

00:23:06.883 --> 00:23:11.203
IT security staff include cybersecurity
operations and incident responders,

00:23:11.343 --> 00:23:14.893
cloud security architects,
application security architects,

00:23:15.063 --> 00:23:16.793
and network security engineers.

00:23:17.433 --> 00:23:21.453
In addition, the agency uses contract
staff with specialized skills to

00:23:21.453 --> 00:23:23.223
support its work in the areas of:

00:23:23.955 --> 00:23:27.475
6 In addition to NIST standards
and guidelines, the N.C.U.A.

00:23:27.475 --> 00:23:32.175
is subject to federal statutes such as the
Federal Information Security Modernization

00:23:32.175 --> 00:23:38.405
Act of 2014, the E-Government Act of
2002, the Privacy Act of 1974, and

00:23:38.405 --> 00:23:42.725
various Office of Management and Budget
policies and guidance concerning federal

00:23:42.725 --> 00:23:44.735
information management and privacy.

00:23:45.505 --> 00:23:46.695
â¢	Computer forensics;

00:23:47.412 --> 00:23:49.162
â¢	Defensive cyber operations;

00:23:49.808 --> 00:23:51.858
â¢	Malware analysis and mitigation;

00:23:52.515 --> 00:23:54.925
â¢	Security information and event management;

00:23:55.687 --> 00:23:56.977
â¢	Configuration management;

00:23:57.668 --> 00:23:58.958
â¢	Threat hunting; and

00:23:59.637 --> 00:24:01.427
â¢	Incident handling and response.

00:24:02.062 --> 00:24:07.192
The N.C.U.A.âs Enterprise Risk Management
Council, a Cybersecurity Council, and

00:24:07.192 --> 00:24:11.172
IT Oversight Council are comprised of
senior executives within the agency with

00:24:11.172 --> 00:24:16.032
diverse backgrounds, including information
technology and security, and are tasked

00:24:16.032 --> 00:24:20.272
with monitoring, measuring, managing,
and prioritizing risks and related

00:24:20.272 --> 00:24:22.442
investments, including IT security.

00:24:23.102 --> 00:24:27.002
These internal agency councils meet
as often as monthly and are briefed

00:24:27.002 --> 00:24:30.642
regularly on cybersecurity matters
that relate to credit unions,

00:24:30.722 --> 00:24:32.902
financial services, or the agency.

00:24:33.610 --> 00:24:34.190
The N.C.U.A.

00:24:34.190 --> 00:24:37.730
also has staff with the requisite
national security clearances to

00:24:37.730 --> 00:24:41.640
support the dissemination of classified
information to appropriately cleared

00:24:41.640 --> 00:24:45.980
staff members on a need-to-know basis,
as well as other federal agencies to

00:24:45.980 --> 00:24:50.010
share relevant information that may be
used to warn or proactively mitigate

00:24:50.010 --> 00:24:52.000
threats in their regulated entities.

00:24:52.380 --> 00:24:56.470
The Chief Information Officer, the
Senior Agency Information Security/Risk

00:24:56.470 --> 00:25:00.430
Officer, and the Senior Agency
Official for Privacy collaborate to

00:25:00.430 --> 00:25:03.980
ensure compliance with regulations
and drive security performance.

00:25:04.590 --> 00:25:09.110
An executive-level Cybersecurity Advisor
and Coordinator position was established

00:25:09.110 --> 00:25:13.810
in 2021 to organize, coordinate, and
advise on cybersecurity and critical

00:25:13.810 --> 00:25:15.950
infrastructure matters across all N.C.U.A.

00:25:15.950 --> 00:25:16.790
offices.

00:25:17.370 --> 00:25:21.770
The Cybersecurity Advisor and Coordinator
provides advice directly to the N.C.U.A.

00:25:21.770 --> 00:25:24.760
Board and senior leadership
on cybersecurity matters.

00:25:25.508 --> 00:25:25.928
N.C.U.A.

00:25:25.928 --> 00:25:26.828
Staff Training

00:25:27.542 --> 00:25:28.302
â¢	All Staff.

00:25:28.832 --> 00:25:31.972
All agency staff receive
general and role-based training

00:25:31.972 --> 00:25:35.392
on information security and
cybersecurity at least annually.

00:25:36.122 --> 00:25:40.512
This training addresses staff’s legal,
reputational, and ethical obligations

00:25:40.512 --> 00:25:42.272
to protect sensitive information.

00:25:42.812 --> 00:25:43.442
The N.C.U.A.

00:25:43.442 --> 00:25:47.642
provides mandatory privacy and security
awareness training to all N.C.U.A.

00:25:47.642 --> 00:25:48.612
system users.

00:25:48.992 --> 00:25:53.112
The training addresses appropriate
information security practices, rules

00:25:53.112 --> 00:25:57.152
of behavior for access and use of
data systems, responsibilities for

00:25:57.152 --> 00:26:01.702
protecting personally identifiable
information, and ethics rules prohibiting

00:26:01.782 --> 00:26:03.972
unauthorized information disclosures.

00:26:04.422 --> 00:26:06.702
Staff are trained on policies regarding:

00:26:07.505 --> 00:26:10.975
o	Collecting information necessary
to perform their planned review;

00:26:11.688 --> 00:26:15.778
o	Collecting information in a secure
manner using a hierarchy of secure

00:26:15.778 --> 00:26:17.988
methods that best suit the situation;

00:26:18.755 --> 00:26:22.615
o	Transferring and storing any sensitive
information only where there is an

00:26:22.615 --> 00:26:27.075
identified, authorized need to retain
such information, and in a manner

00:26:27.075 --> 00:26:31.445
consistent with agency instructions
for handling sensitive information; and

00:26:32.222 --> 00:26:35.542
o	Destroying or returning all
other non-public sensitive

00:26:35.542 --> 00:26:39.162
or personally identifiable
information after the examination

00:26:39.162 --> 00:26:41.212
or review, per applicable laws.

00:26:41.835 --> 00:26:43.605
â¢	Staff with Elevated Access.

00:26:44.175 --> 00:26:47.625
Staff who have elevated access
to systems or have management

00:26:47.625 --> 00:26:51.675
responsibility for systems and data
take mandatory role-based training.

00:26:52.376 --> 00:26:53.006
For N.C.U.A.

00:26:53.006 --> 00:26:57.116
staff serving in cybersecurity roles,
individual development plans are

00:26:57.116 --> 00:27:01.126
developed collaboratively with managers
to build domain-specific skills.

00:27:01.873 --> 00:27:02.693
â¢	Field Staff.

00:27:03.293 --> 00:27:06.773
The N.C.U.A.âs training for
examiners and others that examine

00:27:06.773 --> 00:27:10.933
or supervise credit unions includes
special training on the ISE program.

00:27:11.653 --> 00:27:15.393
The training program provides
instruction on topics including N.C.U.A.

00:27:15.393 --> 00:27:22.023
regulations parts 748 and 749, agency
guidance, and industry best practices

00:27:22.023 --> 00:27:26.113
related to measuring, monitoring,
reporting, and controlling IT risks.

00:27:26.813 --> 00:27:30.773
Examiner training is designed to maintain
and update knowledge of standards,

00:27:30.843 --> 00:27:35.993
tools, and practices to identify, detect,
prevent, and mitigate IT and cybersecurity

00:27:35.993 --> 00:27:38.103
risks, threats, and vulnerabilities.

00:27:38.783 --> 00:27:42.403
This training includes classroom,
online, and on-the-job training.

00:27:43.003 --> 00:27:47.003
The training is designed to specifically
address competencies in the areas of IT,

00:27:47.193 --> 00:27:49.573
information security, and cybersecurity.

00:27:50.173 --> 00:27:54.193
The courses are designed to introduce
ISE procedures and expand examiners’

00:27:54.193 --> 00:27:58.773
understanding of cybersecurity concepts
found in the FFIEC IT Booklets, NIST

00:27:58.773 --> 00:28:01.013
guidance, and industry best practices.

00:28:01.732 --> 00:28:02.532
â¢	Specialists.

00:28:03.112 --> 00:28:03.702
The N.C.U.A.

00:28:03.702 --> 00:28:06.812
has a cadre of examiners
specially trained in IT security.

00:28:07.432 --> 00:28:10.982
These regional specialist and subject
matter examiners have the technical

00:28:10.982 --> 00:28:15.762
knowledge and skills necessary to perform
in-depth information security examinations

00:28:15.762 --> 00:28:17.692
for the more complex institutions.

00:28:18.442 --> 00:28:19.002
The N.C.U.A.

00:28:19.002 --> 00:28:23.122
has recently added the role of Director
of Specialist Resources (DSR) in

00:28:23.122 --> 00:28:25.282
each of the N.C.U.A.’s three regions.

00:28:26.022 --> 00:28:29.692
The DSRs are tasked with overseeing
the Regional Information Systems

00:28:29.692 --> 00:28:31.562
Officers and other specialists.

00:28:31.942 --> 00:28:36.222
These new supervisory positions facilitate
better communication and coordination

00:28:36.222 --> 00:28:40.372
among N.C.U.A.’s cybersecurity teams
and contribute to the formulation of

00:28:40.372 --> 00:28:44.692
policies and operational strategies
that significantly impact the safety and

00:28:44.692 --> 00:28:46.712
soundness of the credit union system.

00:28:47.472 --> 00:28:51.442
The addition of the DSR role reflects
the agencyâs proactive approach to

00:28:51.442 --> 00:28:55.462
cybersecurity management and aligns
with its broader goals of protecting the

00:28:55.492 --> 00:28:59.892
interests of credit union members while
promoting systemic financial stability.

00:29:00.152 --> 00:29:00.732
The N.C.U.A.

00:29:00.732 --> 00:29:04.782
also has specialized personnel in the
Office of Examination and Insurance

00:29:04.782 --> 00:29:09.022
to develop and maintain examination
policies and tools, supervisory

00:29:09.022 --> 00:29:10.922
guidance, and examiner training.

00:29:11.639 --> 00:29:13.469
Credit Union Training and Support

00:29:14.221 --> 00:29:17.961
The N.C.U.A.âs Office of Credit
Union Resources and Expansion

00:29:17.961 --> 00:29:19.951
provides training for credit unions.

00:29:20.561 --> 00:29:21.151
The N.C.U.A.

00:29:21.151 --> 00:29:25.201
maintains an online system available
to credit unions at no cost with

00:29:25.241 --> 00:29:30.071
over 200 courses available on various
topics, including information security.

00:29:30.781 --> 00:29:35.091
This office also hosts webinars that
deliver timely and meaningful information

00:29:35.091 --> 00:29:38.761
to help credit union professionals
stay current on relevant topics

00:29:38.991 --> 00:29:40.901
affecting the credit union community.

00:29:41.301 --> 00:29:44.421
These webinars provide credit
union management with important

00:29:44.421 --> 00:29:47.671
information on how to protect
their credit unions and members.

00:29:48.345 --> 00:29:48.965
The N.C.U.A.

00:29:48.965 --> 00:29:52.715
provides credit unions additional
resources through its website and

00:29:52.715 --> 00:29:56.345
by offering technical assistance
grants and low-interest loans to

00:29:56.345 --> 00:29:58.575
low-income designated credit unions.

00:29:59.298 --> 00:29:59.728
â¢	ACET.

00:30:00.388 --> 00:30:02.258
As noted previously, the N.C.U.A.

00:30:02.258 --> 00:30:06.278
provides credit unions with free
access to the ACET maturity assessment.

00:30:07.118 --> 00:30:11.018
This tool helps a credit union
determine its risk exposure by

00:30:11.780 --> 00:30:15.300
identifying the type, volume, and
complexity of the institution’s

00:30:15.300 --> 00:30:19.270
operations, and enables the credit
union to assess the adequacy

00:30:19.270 --> 00:30:20.770
of corresponding controls.

00:30:21.400 --> 00:30:22.720
ACET is based on the U.S.

00:30:22.720 --> 00:30:26.920
Department of Homeland Security
(DHS) Cyber Security Evaluation Tool.

00:30:27.460 --> 00:30:30.580
It provides a multitude of
cybersecurity standards and other

00:30:30.580 --> 00:30:34.550
resources for a credit union to
conduct self-assessments, including

00:30:34.550 --> 00:30:36.450
the Ransomware Readiness Assessment.

00:30:37.261 --> 00:30:38.671
â¢	N.C.U.A..gov.

00:30:38.671 --> 00:30:39.611
The N.C.U.A.

00:30:39.611 --> 00:30:45.061
website provides cybersecurity resources
for research and informational purposes.

00:30:45.581 --> 00:30:49.851
Specifically, the Cybersecurity
Resources page centralizes and contains

00:30:49.851 --> 00:30:51.581
applicable references to N.C.U.A.

00:30:51.581 --> 00:30:54.961
regulations and guidance, federal
government requirements and

00:30:54.961 --> 00:30:58.721
guidelines, information sharing,
cybersecurity threats, best

00:30:58.721 --> 00:31:01.061
practices, and privacy and protection.

00:31:01.804 --> 00:31:02.884
â¢	Grants and Loans.

00:31:03.474 --> 00:31:04.084
The N.C.U.A.

00:31:04.084 --> 00:31:07.894
provides technical assistance grants
and low-interest loans to support

00:31:07.894 --> 00:31:11.674
credit unionsâ efforts to improve and
expand service through the Community

00:31:11.674 --> 00:31:13.534
Development Revolving Loan Fund.

00:31:14.364 --> 00:31:18.214
Year after year, demand for this
funding continues to exceed supply.

00:31:18.614 --> 00:31:23.514
During the 2023 grant round, the
agency received 316 applications

00:31:23.514 --> 00:31:29.154
totaling more than $10.3 million,
and awarded more than $3.5 million

00:31:29.224 --> 00:31:34.364
in technical assistance grants to 146
low-income-designated credit unions.

00:31:34.894 --> 00:31:39.674
Of that amount, 79 grants totaling
nearly $800,000 were specifically

00:31:39.714 --> 00:31:43.114
earmarked for digital services
and cybersecurity projects.

00:31:43.769 --> 00:31:46.949
Agency Investment in
Information Technology Security

00:31:47.629 --> 00:31:48.239
The N.C.U.A.

00:31:48.239 --> 00:31:51.669
has invested significant
resources in prioritizing agency

00:31:51.669 --> 00:31:56.219
cybersecurity resiliency and adopting
Zero-Trust Architecture (ZTA).

00:31:56.789 --> 00:32:00.919
These investments are designed to
identify, deter, protect against, detect,

00:32:01.069 --> 00:32:05.139
and respond to persistent and increasingly
sophisticated cyber campaigns.

00:32:05.689 --> 00:32:09.069
The aim is to meet and exceed the
standards outlined in the latest

00:32:09.069 --> 00:32:12.759
Office of Management and Budget
directives advocating for a robust

00:32:12.759 --> 00:32:14.749
ZTA across federal agencies.

00:32:15.518 --> 00:32:18.738
All basic user accounts
must use multi-factor,

00:32:18.948 --> 00:32:21.968
certificate-based authentication
to access network resources.

00:32:22.468 --> 00:32:26.328
Elevated privilege accounts (system and
network administrators and engineers)

00:32:26.328 --> 00:32:30.298
are issued session-based credentials
with specific expiration timeframes.

00:32:30.758 --> 00:32:34.048
To mitigate vulnerabilities, N.C.U.A.

00:32:34.048 --> 00:32:37.698
network users remotely access
network services and resources

00:32:37.698 --> 00:32:41.358
protected by encrypted virtual
private network (VPN) tunnels.

00:32:41.888 --> 00:32:45.398
Internal and external network
traffic is managed and monitored.

00:32:45.848 --> 00:32:47.748
VPN connectivity on N.C.U.A.

00:32:47.748 --> 00:32:50.188
laptops is mandatory for all users.

00:32:50.808 --> 00:32:54.928
This system continually enforces
technical policies and ensures traffic

00:32:54.928 --> 00:32:56.988
and data are encrypted and secure.

00:32:57.702 --> 00:32:58.232
The N.C.U.A.

00:32:58.232 --> 00:33:01.782
uses a security information and
event management solution to

00:33:01.782 --> 00:33:05.732
enhance visibility, investigative,
and remediation capabilities.

00:33:06.332 --> 00:33:10.282
This solution provides insights,
automated analytics, and actionable

00:33:10.282 --> 00:33:14.122
intelligence through correlation and
machine learning to efficiently identify

00:33:14.122 --> 00:33:18.562
anomalous behavior in agency networks,
infrastructure, and applications.

00:33:19.207 --> 00:33:19.727
The N.C.U.A.

00:33:19.727 --> 00:33:23.437
uses a threat intelligence platform
to automate threat analysis

00:33:23.437 --> 00:33:25.077
and identify threat exposure.

00:33:25.707 --> 00:33:28.817
This platform enables better
decision-making and improves

00:33:28.817 --> 00:33:31.997
security capabilities to
reduce the risk of compromise.

00:33:32.527 --> 00:33:35.487
In support of national efforts
to remove barriers to threat

00:33:35.487 --> 00:33:37.557
information sharing, the N.C.U.A.

00:33:37.557 --> 00:33:40.337
leverages automated
indicator sharing from DHS.

00:33:40.877 --> 00:33:41.427
The N.C.U.A.

00:33:41.427 --> 00:33:45.477
also leverages DHS’s Protective
Domain Name System and Trusted

00:33:45.507 --> 00:33:47.747
Internet Connection 3.0 to

00:33:48.502 --> 00:33:52.212
enhance cybersecurity analysis,
situational awareness, and

00:33:52.212 --> 00:33:55.232
security response in internet
traffic and connections.

00:33:55.947 --> 00:33:59.897
To support cybersecurity resiliency
and mitigate risks resulting from

00:33:59.927 --> 00:34:02.107
infrastructure failure, the N.C.U.A.

00:34:02.107 --> 00:34:06.087
has redundant data center facilities
that are failovers for essential N.C.U.A.

00:34:06.087 --> 00:34:08.037
network resources and services.

00:34:08.567 --> 00:34:12.437
Essential public-facing web services
have been migrated to cloud-based

00:34:12.477 --> 00:34:16.127
infrastructure to leverage both
inherent geographic dispersion and

00:34:16.157 --> 00:34:18.347
infrastructure failure risk mitigation.

00:34:18.877 --> 00:34:21.497
For critical business
productivity and collaboration

00:34:21.497 --> 00:34:23.457
client resilience, the N.C.U.A.

00:34:23.457 --> 00:34:27.937
migrated to Microsoft’s Office
365 government cloud environment.

00:34:28.701 --> 00:34:32.191
The N.C.U.A.âs approach to data
loss prevention limits local

00:34:32.191 --> 00:34:36.301
downloading of business information;
however, when necessary due to

00:34:36.301 --> 00:34:40.161
limited network connectivity, any
downloads are to centrally tracked

00:34:40.161 --> 00:34:42.031
and managed encrypted devices.

00:34:42.551 --> 00:34:45.471
For email data loss and
exfiltration, the N.C.U.A.

00:34:45.471 --> 00:34:49.571
uses a third-party technology
that monitors, notifies, logs,

00:34:49.681 --> 00:34:52.771
and prevents business information
from malicious and inadvertent

00:34:52.771 --> 00:34:55.031
transfer to external email domains.

00:34:55.631 --> 00:34:56.131
The N.C.U.A.

00:34:56.131 --> 00:35:00.861
uses Domain-based Message Authentication,
Reporting, and Conformance to combat

00:35:00.861 --> 00:35:03.431
spam, phishing, and spoofing of N.C.U.A.

00:35:03.431 --> 00:35:04.421
email domains.

00:35:05.176 --> 00:35:07.766
To mitigate the risk of
endpoint malware-based data

00:35:07.766 --> 00:35:09.486
exfiltration, the N.C.U.A.

00:35:09.486 --> 00:35:13.296
uses a robust real-time Endpoint
Detection and Response tool with

00:35:13.366 --> 00:35:17.166
integrated open-source intelligence
feeds, creating opportunities

00:35:17.166 --> 00:35:20.476
for malware auto-response at
the user and server endpoints.

00:35:21.136 --> 00:35:21.676
The N.C.U.A.

00:35:21.676 --> 00:35:25.466
has enhanced the security of mobile
devices by hardening the devices

00:35:25.466 --> 00:35:29.726
and implementing an adaptable mobile
security solution to detect and protect

00:35:29.726 --> 00:35:34.146
against mobile threats, including
phishing, malicious mobile apps, device

00:35:34.146 --> 00:35:36.226
compromise, and risky connections.

00:35:36.931 --> 00:35:38.311
Finally, the N.C.U.A.

00:35:38.311 --> 00:35:42.111
evaluates new systems and services
to determine if they are candidates

00:35:42.111 --> 00:35:45.351
for the Office of Management and
Budgetâs Cloud Smart initiative.

00:35:45.891 --> 00:35:49.571
As part of the initiative to move
to a ZTA and accelerate movement to

00:35:49.571 --> 00:35:52.041
secure cloud services, the N.C.U.A.

00:35:52.041 --> 00:35:55.201
is carefully evaluating the need
for additional investment in

00:35:55.201 --> 00:35:57.031
both technology and personnel.

00:35:57.781 --> 00:36:01.431
Audits and Reviews of the
N.C.U.A.âs Cybersecurity Program

00:36:02.171 --> 00:36:06.831
The N.C.U.A.âs Office of the Inspector
General (OIG) conducts independent audits,

00:36:06.921 --> 00:36:11.361
investigations, and other activities
to verify the N.C.U.A.’s compliance

00:36:11.361 --> 00:36:15.691
with applicable laws, regulations,
and standards, including those related

00:36:15.691 --> 00:36:19.751
to privacy and information security,
to determine whether the N.C.U.A.

00:36:19.751 --> 00:36:23.861
effectively implemented all appropriate
security and privacy controls.

00:36:24.591 --> 00:36:27.341
There are five FISMA maturity
levels, and the N.C.U.A.

00:36:27.341 --> 00:36:33.311
was evaluated as Maturity Level 4 “Managed
and Measurable” as of fiscal year 2023.

00:36:33.981 --> 00:36:35.721
This rating reflects that the N.C.U.A.

00:36:35.721 --> 00:36:38.711
implemented an effective
information security program

00:36:38.961 --> 00:36:42.341
and substantially complied with
information security and privacy

00:36:42.341 --> 00:36:44.861
practices, policies, and procedures.

00:36:45.531 --> 00:36:49.461
In addition, as indicated in the
financial statement audits, the N.C.U.A.

00:36:49.461 --> 00:36:52.131
complies with the requirements
of the Federal Managers’

00:36:52.131 --> 00:36:54.711
Financial Integrity Act of 1982.

00:36:55.281 --> 00:36:59.591
Credit unions and their members can
review OIG audit reports, semiannual

00:36:59.591 --> 00:37:04.111
reports, and letters to Congress
on the N.C.U.A.âs OIG reports page.

00:37:04.903 --> 00:37:05.293
N.C.U.A.

00:37:05.293 --> 00:37:08.813
senior leadership are briefed on
the status of open findings every

00:37:08.813 --> 00:37:13.283
quarter, and resources are allocated
as appropriate to ensure mitigation.

00:37:14.007 --> 00:37:18.117
Binding Operational Directive 18-02
requires the federal government to

00:37:18.117 --> 00:37:23.707
identify high value assets and submit to
a DHS-led assessment once every 3 years.

00:37:24.147 --> 00:37:28.637
The N.C.U.A.âs General Support System was
assessed by a CISA-led team during the

00:37:28.637 --> 00:37:33.017
week of February 26, 2024 – March 1, 2024.

00:37:33.447 --> 00:37:37.557
After a review of the General Support
System documentation, an in-depth

00:37:37.557 --> 00:37:39.607
technical exchange meeting with N.C.U.A.

00:37:39.607 --> 00:37:43.717
subject matter experts, and a
targeted penetration test, CISA

00:37:43.717 --> 00:37:44.977
determined that the N.C.U.A.

00:37:44.977 --> 00:37:48.847
has a thorough and well-documented
risk management program that includes

00:37:48.847 --> 00:37:52.277
participation, involvement, and
awareness from the system-level

00:37:52.277 --> 00:37:53.447
up to senior leadership.

00:37:54.097 --> 00:37:54.657
The N.C.U.A.

00:37:54.657 --> 00:37:57.547
received no critical or
high reportable findings.

00:37:58.047 --> 00:37:58.597
The N.C.U.A.

00:37:58.597 --> 00:38:01.767
will continue to report quarterly
the status and compliance

00:38:01.767 --> 00:38:03.287
of its high-value assets.

00:38:03.984 --> 00:38:05.904
Interagency Coordination Efforts

00:38:06.585 --> 00:38:07.125
The N.C.U.A.

00:38:07.125 --> 00:38:11.075
coordinates with other federal and
state regulatory agencies to strengthen

00:38:11.075 --> 00:38:15.535
cybersecurity, including the development
and dissemination of best practices

00:38:15.535 --> 00:38:17.175
and sharing threat information.

00:38:17.595 --> 00:38:18.785
Examples include the:

00:38:19.663 --> 00:38:20.103
â¢	FFIEC.

00:38:20.713 --> 00:38:22.193
In particular, the N.C.U.A.

00:38:22.193 --> 00:38:25.463
participates on the FFIEC’s
Information Technology Subcommittee.

00:38:26.073 --> 00:38:30.213
This group addresses information systems
and technology policy issues as they

00:38:30.213 --> 00:38:34.193
relate to financial institutions and
their technology service providers.

00:38:34.803 --> 00:38:35.363
The N.C.U.A.

00:38:35.363 --> 00:38:39.273
also participates on the Cybersecurity
Critical Infrastructure Subcommittee.

00:38:39.953 --> 00:38:43.383
This group addresses policy
relating to cybersecurity, critical

00:38:43.383 --> 00:38:47.413
infrastructure security, and the
resilience of financial institutions

00:38:47.413 --> 00:38:49.413
and technology service providers.

00:38:50.129 --> 00:38:50.599
â¢	FSOC.

00:38:51.219 --> 00:38:54.019
Because a weakness in the
information security of financial

00:38:54.019 --> 00:38:57.089
systems or data could lead to an
incident that could potentially

00:38:57.089 --> 00:38:58.649
threaten the stability of the U.S.

00:38:58.649 --> 00:39:02.379
financial system, cybersecurity
falls under the charge of FSOC.

00:39:03.089 --> 00:39:07.729
In its 2023 annual report, FSOC
provides several cybersecurity-related

00:39:07.729 --> 00:39:11.829
recommendations focused on maintaining
and improving the cyber resilience

00:39:11.829 --> 00:39:15.659
of the financial system, including
that Congress provide the N.C.U.A.

00:39:15.659 --> 00:39:17.489
with third-party vendor authority.

00:39:18.247 --> 00:39:18.797
â¢	FBIIC.

00:39:19.317 --> 00:39:19.937
The N.C.U.A.

00:39:19.937 --> 00:39:23.167
is one of the 18 FBIIC member
organizations from across the

00:39:23.167 --> 00:39:26.417
financial regulatory community,
both federal and state.

00:39:27.007 --> 00:39:30.637
Through monthly meetings, staff
from FBIIC member organizations work

00:39:30.637 --> 00:39:34.317
on operational and tactical issues
related to critical infrastructure

00:39:34.317 --> 00:39:38.727
matters, including cybersecurity,
within the financial services industry.

00:39:39.307 --> 00:39:42.567
The FBIIC also leads the
financial sectorâs cybersecurity

00:39:42.567 --> 00:39:44.687
exercises, in which the N.C.U.A.

00:39:44.687 --> 00:39:46.137
regularly participates.

00:39:46.824 --> 00:39:49.474
â¢	Financial Services Sector
Coordinating Council.

00:39:50.044 --> 00:39:50.674
The N.C.U.A.

00:39:50.674 --> 00:39:53.314
collaborates and coordinates
with the private sector through

00:39:53.314 --> 00:39:56.744
the Financial Services Sector
Coordinating Council (FSSCC).

00:39:56.774 --> 00:40:01.854
The FSSCC works collaboratively with
key government agencies to protect the

00:40:01.854 --> 00:40:05.744
nationâs critical infrastructure from
cybersecurity and physical threats.

00:40:06.474 --> 00:40:10.534
The FSSCC is comprised of more than
70 members from financial trade

00:40:10.534 --> 00:40:14.954
associations, financial utilities,
and the most critical financial firms.

00:40:15.444 --> 00:40:19.584
Through government relationships, the
FSSCC directly assists the sector’s

00:40:19.584 --> 00:40:21.464
response to natural disasters.

00:40:22.218 --> 00:40:22.358
â¢	U.S.

00:40:22.358 --> 00:40:24.108
Department of Treasury and CISA.

00:40:24.808 --> 00:40:26.668
As a federal agency, the N.C.U.A.

00:40:26.668 --> 00:40:28.088
follows CISA and the U.S.

00:40:28.088 --> 00:40:31.018
Department of the Treasury’s
direction during government-wide

00:40:31.018 --> 00:40:32.698
incident response activities.

00:40:33.288 --> 00:40:34.388
In addition, the N.C.U.A.

00:40:34.388 --> 00:40:39.598
identifies potential, actual, and emerging
threats, issues, or challenges to analyze

00:40:39.598 --> 00:40:42.048
underlying causes and develop innovative

00:40:42.759 --> 00:40:44.719
short- and long-term solutions.

00:40:45.469 --> 00:40:49.629
This analysis supports the shaping of
the N.C.U.A.âs internal policies and

00:40:49.629 --> 00:40:54.379
procedures related to cybersecurity,
critical infrastructure protection, supply

00:40:54.379 --> 00:40:59.619
chain risks, national security, insider
threats, counterintelligence, continuity

00:40:59.619 --> 00:41:02.099
of operations, and emergency response.

00:41:02.949 --> 00:41:07.509
The N.C.U.A.âs staff also participate in
the following interagency initiatives:

00:41:08.242 --> 00:41:12.602
o	CISA security operations center
information and collaboration sessions;

00:41:13.318 --> 00:41:17.458
o	Treasury sector cybersecurity
collaboration and information sessions;

00:41:18.203 --> 00:41:21.753
o	The Federal Chief Information
Security Officer Council; and

00:41:22.535 --> 00:41:26.985
o	The Small Agency Chief Information
Security Officer collaboration forum.

00:41:27.682 --> 00:41:28.692
Industry Efforts

00:41:29.395 --> 00:41:33.105
Credit union participation in the
following initiatives reflects the credit

00:41:33.105 --> 00:41:37.645
union systemâs proactive engagement with
the broader information security community

00:41:37.685 --> 00:41:40.115
to enhance cybersecurity and resilience.

00:41:40.766 --> 00:41:44.056
â¢	Information Sharing and Analysis
Centers & Organizations.

00:41:44.536 --> 00:41:48.426
Credit unions actively participate
in the Financial Services Information

00:41:48.426 --> 00:41:52.816
Sharing and Analysis Center (FS-ISAC),
where the financial sector shares

00:41:52.816 --> 00:41:55.066
intelligence, knowledge, and practices.

00:41:55.666 --> 00:41:59.776
The National Credit Union Information
Sharing and Analysis Organization was

00:41:59.776 --> 00:42:04.206
established to tailor these efforts to the
unique needs of credit unions and provides

00:42:04.206 --> 00:42:09.426
security coordination and collaboration
to identify, protect, detect, respond, and

00:42:09.426 --> 00:42:11.586
recover from threats and vulnerabilities.

00:42:12.312 --> 00:42:13.322
â¢	Sheltered Harbor.

00:42:13.812 --> 00:42:17.922
Comprised of financial institutions,
core service providers, national

00:42:17.922 --> 00:42:22.262
trade associations, alliance partners,
and solution providers dedicated to

00:42:22.262 --> 00:42:26.272
enhancing financial sector stability
and resiliency, Sheltered Harbor

00:42:26.272 --> 00:42:28.272
is a subsidiary of the FS-ISAC.

00:42:29.022 --> 00:42:31.952
It developed standards to
assist financial institutions

00:42:31.952 --> 00:42:33.732
prepare for catastrophic events.

00:42:34.352 --> 00:42:38.212
The standards are designed to help
institutions to plan for and recover

00:42:38.212 --> 00:42:41.682
from catastrophic events, and to
be able to continue to provide

00:42:41.682 --> 00:42:45.482
essential services until normal
operations can be reestablished.

00:42:45.791 --> 00:42:46.991
•	Hamilton Series Exercises.

00:42:46.991 --> 00:42:47.791
The N.C.U.A.

00:42:47.791 --> 00:42:52.191
supports the Hamilton Series exercises
through its membership on the joint

00:42:52.191 --> 00:42:54.191
FSSCC-FBIIC Exercise Committee.

00:42:54.191 --> 00:42:56.991
These one-day exercises simulate
various cyberattack scenarios

00:42:56.991 --> 00:43:00.191
to enhance cybersecurity threat
responses within the U.S.

00:43:00.191 --> 00:43:00.991
financial sector.

00:43:00.991 --> 00:43:04.991
They also aim to improve public-private
coordination strategies by including

00:43:04.991 --> 00:43:06.991
diverse participants from both sectors.7

00:43:07.391 --> 00:43:09.341
•	CISA Cyber Hygiene Services.

00:43:09.961 --> 00:43:14.131
Over 200 credit unions have engaged
with CISA's Cyber Hygiene Services

00:43:14.131 --> 00:43:18.181
program, which offers vulnerability
scanning and web application

00:43:18.181 --> 00:43:21.591
scanning to help institutions
mitigate cybersecurity threats.

00:43:22.264 --> 00:43:33.254
7 https://www.fsisac.com/hubfs/Resources/FS-ISAC_ExercisesOverview.pdf

00:43:34.130 --> 00:43:35.740
CURRENT & EMERGING THREATS

00:43:36.388 --> 00:43:40.038
In today's digital age, the financial
sector faces an increasingly

00:43:40.038 --> 00:43:43.718
sophisticated array of cybersecurity
threats that demand vigilance.

00:43:44.278 --> 00:43:48.068
The rapid evolution of technology,
coupled with escalating geopolitical

00:43:48.068 --> 00:43:51.488
tensions, has expanded the
threat landscape significantly.

00:43:52.028 --> 00:43:55.798
Financial institutions, including
credit unions, are particularly

00:43:55.798 --> 00:43:59.868
vulnerable due to their increasing
reliance on technology and third-party

00:43:59.868 --> 00:44:01.568
service providers that the N.C.U.A.

00:44:01.568 --> 00:44:04.948
has no authority to examine,
supervise, or regulate.

00:44:05.728 --> 00:44:06.298
The N.C.U.A.

00:44:06.298 --> 00:44:10.228
remains concerned about the risks
cyberattacks pose to the financial system.

00:44:10.798 --> 00:44:13.808
Cybersecurity risks grow as
threats evolve, become more

00:44:13.808 --> 00:44:17.758
sophisticated, and cause greater
damage to a variety of industries.

00:44:18.288 --> 00:44:21.938
Geopolitical tensions increase the
possibility of nation-states and

00:44:21.938 --> 00:44:25.758
other sophisticated actors conducting
malicious cyberattacks against U.S.

00:44:25.758 --> 00:44:29.768
critical infrastructure, of which
credit unions are a significant part.

00:44:30.408 --> 00:44:34.578
To ensure the industry's long-term
success, credit unions must deliver member

00:44:34.578 --> 00:44:36.778
services using appropriate controls.

00:44:37.472 --> 00:44:40.972
The evolving array of cybersecurity
threats that require continued

00:44:40.972 --> 00:44:43.052
vigilance by credit unions include:

00:44:43.804 --> 00:44:44.844
•	Third-Party Risk.

00:44:45.384 --> 00:44:49.594
Credit unions' dependency on third-party
vendors and the integral nature of the

00:44:49.594 --> 00:44:54.274
supply chain introduces considerable risk
as cyber actors continue to exploit the

00:44:54.274 --> 00:44:56.584
vulnerabilities of third-party providers.

00:44:57.284 --> 00:45:01.374
The absence of third-party vendor
authority limits the N.C.U.A.'s ability

00:45:01.374 --> 00:45:05.334
to assess and mitigate potential
risks associated with these vendors.

00:45:05.834 --> 00:45:09.684
Vendors typically decline examination
requests or refuse to implement

00:45:09.684 --> 00:45:14.324
recommended actions, exacerbating
credit unions' exposure to operational,

00:45:14.384 --> 00:45:18.544
cybersecurity, and compliance risks
that can arise from these relationships.

00:45:19.094 --> 00:45:22.694
Without visibility into these entities
and the authority to supervise and

00:45:22.694 --> 00:45:25.144
enforce corrective actions, the N.C.U.A.

00:45:25.144 --> 00:45:28.894
cannot effectively protect credit
unions and their member-owners or

00:45:28.894 --> 00:45:33.044
provide relevant information to other
federal and state regulators of threats

00:45:33.044 --> 00:45:35.164
encountered in the credit union industry.

00:45:35.901 --> 00:45:40.301
Based on cyber incident reports submitted
by credit unions since September 1,

00:45:40.421 --> 00:45:45.311
2023, compromises within third-party
services have led to systemic risks

00:45:45.311 --> 00:45:47.371
across the credit union ecosystem.

00:45:47.861 --> 00:45:52.591
In fact, incidents related to third-party
vendors accounted for approximately 73

00:45:52.591 --> 00:45:54.651
percent of total reported incidents.

00:45:55.345 --> 00:45:58.865
A recent cyber incident has underscored
the importance of the N.C.U.A.

00:45:58.865 --> 00:46:01.505
obtaining vendor authority
to address these risks.

00:46:02.065 --> 00:46:07.315
On November 26, 2023, a major service
provider for the credit union industry

00:46:07.315 --> 00:46:11.205
was targeted by a ransomware attack,
resulting in a prolonged service

00:46:11.205 --> 00:46:13.655
outage that affected 60 credit unions.

00:46:14.265 --> 00:46:17.905
This incident exposed significant
challenges in the agency's ability

00:46:17.905 --> 00:46:20.985
to respond effectively due to
the lack of vendor authority.

00:46:21.495 --> 00:46:23.065
During the incident, the N.C.U.A.

00:46:23.065 --> 00:46:26.555
faced substantial difficulties
in obtaining crucial information

00:46:26.555 --> 00:46:29.765
from third-party vendors, which
hindered response efforts.

00:46:30.345 --> 00:46:34.375
Due specifically to the N.C.U.A.'s
lack of vendor authority, the N.C.U.A.

00:46:34.375 --> 00:46:38.215
encountered delays in communication
and the inability to obtain data.

00:46:38.845 --> 00:46:41.535
These obstacles could have
been mitigated if the N.C.U.A.

00:46:41.535 --> 00:46:44.935
had the authority to demand
timely and reliable information

00:46:44.935 --> 00:46:46.405
from all relevant parties.

00:46:47.127 --> 00:46:50.677
Moreover, the lack of vendor
authority also impacts the nation's

00:46:50.677 --> 00:46:54.577
critical economic infrastructure
and national security, as the

00:46:54.577 --> 00:46:56.837
interconnectedness of financial services

00:46:57.533 --> 00:47:00.553
expands with other industries
and national infrastructure.

00:47:01.083 --> 00:47:04.853
Currently, more than one in three
Americans use a credit union for basic

00:47:04.853 --> 00:47:09.183
financial services, and there are many
credit unions with fields of membership

00:47:09.183 --> 00:47:13.433
that are tied to high-risk populations
such as congressional staff, the U.S.

00:47:13.433 --> 00:47:16.383
military, the State Department,
and members of the U.S.

00:47:16.383 --> 00:47:17.553
Intelligence Community.

00:47:18.213 --> 00:47:21.663
Many of these credit unions use
third-party service providers to

00:47:21.663 --> 00:47:23.573
provide critical member services.

00:47:23.973 --> 00:47:27.943
A sophisticated cyberattack against a
vendor can have measurable impacts on the

00:47:27.943 --> 00:47:31.903
personnel who are critical to government
operations and national security.

00:47:32.423 --> 00:47:36.963
By current estimates, roughly 90
percent (or approximately $1.9 trillion)

00:47:36.993 --> 00:47:41.713
of industry assets are in some way
managed or affected by unregulated

00:47:41.713 --> 00:47:43.493
third-party service providers.

00:47:44.228 --> 00:47:46.248
•	State-Sponsored Cyber Activities.

00:47:46.828 --> 00:47:48.078
Over the past year, U.S.

00:47:48.078 --> 00:47:52.298
government organizations, including
CISA, the National Security Agency,

00:47:52.668 --> 00:47:56.848
and the FBI produced a joint advisory
to alert the public that cyber actors

00:47:56.848 --> 00:48:00.538
sponsored by the People's Republic
of China are seeking to pre-position

00:48:00.538 --> 00:48:04.658
themselves on IT networks for disruptive
or destructive cyberattacks against U.S.

00:48:04.658 --> 00:48:08.598
critical infrastructure in the event
of a major crisis or conflict with

00:48:08.598 --> 00:48:10.448
the United States or its allies.

00:48:10.748 --> 00:48:13.938
This advisory was published
following months of observations and

00:48:13.938 --> 00:48:15.878
incident response activities at U.S.

00:48:15.878 --> 00:48:19.118
critical infrastructure organizations
which had been compromised.

00:48:19.688 --> 00:48:23.368
State-sponsored cyber activities
against critical infrastructure are

00:48:23.368 --> 00:48:27.168
a real threat to the credit union
system, due primarily to the number

00:48:27.168 --> 00:48:30.658
of Americans that can be impacted
and the resulting effects on the U.S.

00:48:30.658 --> 00:48:31.278
economy.

00:48:31.798 --> 00:48:36.228
Along with CISA, the FBI, and the
National Security Agency, the N.C.U.A.

00:48:36.228 --> 00:48:39.888
has encouraged credit unions of all
sizes to adopt a heightened state

00:48:39.888 --> 00:48:44.038
of awareness and to proactively hunt
threats to defend against this risk.

00:48:44.428 --> 00:48:45.818
Additionally, the N.C.U.A.

00:48:45.818 --> 00:48:49.968
provided guidance and resources to credit
unions to assist in mitigating this

00:48:49.968 --> 00:48:54.708
threat and specifically recommended credit
unions report cyber incidents to CISA.

00:48:55.288 --> 00:48:55.858
The N.C.U.A.

00:48:55.858 --> 00:48:59.618
has also directed credit unions
to CISA's Shields Up website for

00:48:59.618 --> 00:49:03.318
additional guidance, reporting
options, and mitigation measures.

00:49:04.033 --> 00:49:05.243
•	Ransomware Attacks.

00:49:05.863 --> 00:49:09.363
Ransomware is an increasingly
serious threat to credit unions.

00:49:09.903 --> 00:49:13.723
Ransomware attacks continue across
all sectors, including the financial

00:49:13.723 --> 00:49:17.323
sector, and have left victims without
the data they need to operate.

00:49:18.053 --> 00:49:21.563
Over the past year, ransomware
attacks and payments have escalated

00:49:21.563 --> 00:49:26.013
in frequency, scope, and volume across
all critical infrastructure sectors.

00:49:26.493 --> 00:49:30.783
One of the primary causes of this sharp
growth is the increase in cyber actors

00:49:30.783 --> 00:49:35.243
using ransomware to carry out attacks
and, in turn, profit from their actions.

00:49:35.653 --> 00:49:39.703
Ransomware as a service is a cybercrime
business model in which a ransomware

00:49:39.703 --> 00:49:43.603
group sells its code or malware to
other hackers, who then use it to

00:49:43.603 --> 00:49:45.713
carry out their own ransomware attacks.

00:49:46.353 --> 00:49:50.163
This has made it easier for bad actors
to carry out ransomware attacks.

00:49:50.663 --> 00:49:54.423
Designed to help public and private
organizations defend against the rise in

00:49:54.423 --> 00:49:58.923
ransomware cases, CISA's StopRansomware
provides a whole-of-government approach

00:49:58.923 --> 00:50:03.103
to tackle ransomware more effectively
and serves as one central location

00:50:03.103 --> 00:50:05.293
for ransomware resources and alerts.

00:50:06.014 --> 00:50:08.364
•	Quantum Computing and Cryptographic Risks.

00:50:09.064 --> 00:50:09.374
The U.S.

00:50:09.374 --> 00:50:12.974
government remains concerned with the
development and trajectory of quantum

00:50:12.974 --> 00:50:17.124
information technologies and products
that could compromise existing encryption

00:50:17.334 --> 00:50:21.284
and other cybersecurity controls
across critical infrastructure sectors.

00:50:22.036 --> 00:50:24.736
•	Artificial Intelligence
(AI)-enabled Attacks.

00:50:25.296 --> 00:50:29.466
Generative AI creates new text,
images, video, and other content.

00:50:29.986 --> 00:50:34.026
Generative AI has gone mainstream and
is increasingly being used by cyber

00:50:34.026 --> 00:50:38.286
actors to create complex malware and
advanced social engineering attacks,

00:50:38.336 --> 00:50:39.976
including phishing and spoofing.

00:50:40.556 --> 00:50:43.216
By making these attacks more
effective, they are also

00:50:43.216 --> 00:50:44.836
harder to detect and prevent.

00:50:45.436 --> 00:50:49.126
In addition to generative AI being
used for initial attack vectors,

00:50:49.366 --> 00:50:52.796
it can also amplify threats once
an initial breach has occurred.

00:50:53.156 --> 00:50:56.346
AI tools can be used to
modify code at scale, quickly

00:50:56.346 --> 00:50:57.996
giving control to attackers.

00:50:58.446 --> 00:51:01.976
These tools can also be trained on
a dataset of known vulnerabilities

00:51:02.186 --> 00:51:05.806
and used to automatically generate
new exploit code to target multiple

00:51:05.806 --> 00:51:07.836
vulnerabilities in rapid succession.

00:51:08.356 --> 00:51:12.646
Cyber actors can also use generative
AI to scan massive amounts of company

00:51:12.646 --> 00:51:17.116
data, summarizing it to identify
employees, relationships, and assets,

00:51:17.236 --> 00:51:20.856
potentially leading to further
social engineering attacks via user

00:51:20.856 --> 00:51:23.346
impersonation, blackmail, or coercion.

00:51:23.716 --> 00:51:28.396
However, generative AI is not used
exclusively by bad actors; organizations

00:51:28.506 --> 00:51:33.116
are increasingly using the same technology
to build better cybersecurity defenses.

00:51:33.840 --> 00:51:37.610
The evolving nature of cybersecurity
threats demands a dynamic and

00:51:37.610 --> 00:51:41.240
informed response strategy from
both credit unions and the N.C.U.A.

00:51:41.740 --> 00:51:45.330
By focusing on third-party
vulnerabilities, geopolitical risks,

00:51:45.450 --> 00:51:49.500
advanced cybercrime tactics, and
by maintaining robust communication

00:51:49.500 --> 00:51:53.070
channels, credit unions can enhance
their resilience against a broad

00:51:53.070 --> 00:51:55.100
spectrum of cybersecurity threats.

00:51:55.410 --> 00:51:59.250
This integrated approach not only
addresses current threats but also

00:51:59.250 --> 00:52:04.340
positions the credit union sector to adapt
to future challenges, ensuring long-term

00:52:04.340 --> 00:52:06.450
security and operational success.

00:52:07.154 --> 00:52:07.894
CONCLUSION

00:52:08.529 --> 00:52:09.129
The N.C.U.A.

00:52:09.129 --> 00:52:12.329
is committed to fortifying
cybersecurity resilience within the

00:52:12.329 --> 00:52:14.449
agency and the credit union system.

00:52:14.979 --> 00:52:18.349
Through targeted examinations,
comprehensive risk assessments,

00:52:18.449 --> 00:52:21.739
and robust educational outreach
initiatives, the N.C.U.A.

00:52:21.739 --> 00:52:24.319
is working diligently to
strengthen cybersecurity

00:52:24.319 --> 00:52:28.229
practices and mitigate potential
vulnerabilities across the industry.

00:52:28.993 --> 00:52:32.383
Within the limits of its current
statutory authorities, the N.C.U.A.

00:52:32.383 --> 00:52:35.733
remains proactive in furthering
effective IT security within

00:52:35.733 --> 00:52:37.063
the credit union system.

00:52:37.643 --> 00:52:41.753
By leveraging partnerships with other
federal agencies, industry stakeholders,

00:52:41.843 --> 00:52:44.233
and cybersecurity experts, the N.C.U.A.

00:52:44.233 --> 00:52:47.863
continues to foster a collaborative
environment conducive to information

00:52:47.863 --> 00:52:49.273
sharing and coordination.

00:52:49.823 --> 00:52:52.213
This collaborative approach
enables the N.C.U.A.

00:52:52.213 --> 00:52:55.743
to stay abreast of current and
emerging threats, enhancing its

00:52:55.743 --> 00:52:59.973
ability to anticipate and respond
effectively to cybersecurity risks.

00:53:00.648 --> 00:53:04.198
However, challenges persist,
particularly concerning the lack of

00:53:04.198 --> 00:53:08.978
authority over third-party vendors.8
The reliance of credit unions on

00:53:08.978 --> 00:53:12.918
third-party vendors for essential
services exposes them to additional

00:53:12.918 --> 00:53:17.528
cybersecurity risks and is a growing
regulatory blind spot for the N.C.U.A.

00:53:18.289 --> 00:53:21.519
As the digital landscape
continues to evolve, the N.C.U.A.

00:53:21.519 --> 00:53:25.349
remains committed to adapting its
cybersecurity approach to effectively

00:53:25.349 --> 00:53:27.589
address emerging threats and challenges.

00:53:28.149 --> 00:53:30.829
By remaining vigilant and
proactive, the N.C.U.A.

00:53:30.829 --> 00:53:34.549
aims to defend the security and
stability of the credit union system,

00:53:34.869 --> 00:53:39.019
promoting the financial well-being of
credit union members, and safeguarding

00:53:39.019 --> 00:53:42.619
the integrity of the broader financial
system for generations to come.

00:53:43.310 --> 00:53:45.720
In order to achieve these
worthy goals, the N.C.U.A.

00:53:45.720 --> 00:53:48.590
will continue to request that
Congress provide the long

00:53:48.590 --> 00:53:50.300
overdue ability for the N.C.U.A.

00:53:50.300 --> 00:53:53.470
to supervise and examine
third-party service providers

00:53:53.470 --> 00:53:55.000
in the credit union industry.

00:53:55.610 --> 00:53:59.770
This authority is needed to manage,
measure, and proactively mitigate risks

00:53:59.770 --> 00:54:03.990
within the credit union system, and to be
able to share relevant information with

00:54:03.990 --> 00:54:08.130
government partners to add to the whole of
government approach to protecting critical

00:54:08.130 --> 00:54:10.080
infrastructure in the United States.

00:54:10.744 --> 00:54:14.524
8 Independent entities such as the
Government Accountability Office, the

00:54:14.524 --> 00:54:19.304
Financial Stability Oversight Council,
and the N.C.U.A.'s Office of Inspector

00:54:19.304 --> 00:54:23.374
General have identified this deficiency
as a significant obstacle to the

00:54:23.374 --> 00:54:27.854
N.C.U.A.'s mission to safeguard credit
union members and the financial system.

00:54:28.544 --> 00:54:31.484
All of them have recommended that
Congress provide the N.C.U.A.

00:54:31.484 --> 00:54:32.454
with this authority.

00:54:33.181 --> 00:54:37.321
This concludes the NCUA Letter to
credit unions on Annual Cybersecurity

00:54:38.117 --> 00:54:40.497
and Credit Union System Resilience Report.

00:54:41.260 --> 00:54:45.430
If your Credit union could use assistance
with your exam, reach out to Mark Treichel

00:54:45.430 --> 00:54:48.200
on LinkedIn, or at Mark Treichel dot com.

00:54:48.740 --> 00:54:51.360
This is Samantha Shares and
we thank you for listening.