This podcast provides you the ability to listen to new regulatory guidance issued by the National Credit Union Administration, and occasionally the F D I C, the O C C, the F F I E C, or the C F P B. We will focus on new and material agency guidance, and historically important and still active guidance from past years that NCUA cites in examinations or conversations. This podcast is educational only and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated. We also have another podcast called With Flying Colors where we provide tips for achieving success with the N C U A examination process and discuss hot topics that impact your credit union.
Hello, this is Samantha Shares.
This episode covers the N C U A
Board briefing on Cybersecurity
from the October Board Meeting.
The following is an audio
version of that briefing.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
forty years of National Credit
Union Administration experience.
We assist our clients with N C
U A so they save time and money.
If you are worried about a recent,
upcoming or in process N C U A
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with N C U A.
And now Board action memorandum
followed by the board briefing.
Samantha: Board Briefed on Cybersecurity,
New Charters, and Field of Membership
Board Action Bulletin
The National Credit Union Administration
Board held its seventh open meeting
of 2024 and received a briefing on:
Cybersecurity and the Information
Security Examination Program
Employees from the NCUA's Office of
Examination and Insurance and Office of
the Executive Director briefed the Board
on cybersecurity, hacking economics,
cyber incident reporting, and the NCUA's
Information Security Examination program.
The briefing noted that trends across
the credit union system include
outages caused by ransomware attacks
and third-party service providers.
Staff reported that from September
1, 2023, when the N C U A's cyber
incident notification rule became
effective, through August 31 of this
year, credit unions reported 1,072
cyber incidents, of which 742, nearly
7 in 10, were related to the use or
involvement of a third-party vendor.
"These annual cybersecurity updates
at the N C U A Board table are an
important reminder that cyberattacks
on the financial services industry,
including within the credit union
system, will remain high for the
foreseeable future," Chairman Harper said.
"Far too often, we see that third-party
service providers are a weak link in
the financial system, a danger noted
in the most recent Annual Report of the
Financial Stability Oversight Council.
And credit union third-party
service providers are no exception."
In addition, the briefing provided
a description of what is reportable
under the cyber incident reporting
rule; a status of the Information
Security Examination Program,
including its strengths and
opportunities for improvement; and an
update on the number of third-party
provider and ransomware incidents.
"These incidents highlight significant
vulnerabilities to the $2.3
trillion federally insured credit
union industry and our nation's
interconnected critical financial
infrastructure," Chairman Harper said.
âWe cannot afford to leave
these vulnerabilities unchecked.
As such, it's everyone's
responsibility to maintain good
cyber-hygiene, at home and at work."
The N C U A continues to encourage credit
union staff and boards of directors to
review their third-party service provider
and vendor relationships, assess and
mitigate any potential risk associated
with their products and services, and
strengthen their institution's cyber
vigilance and preparedness efforts.
Chairman Harper noted in his remarks
that a Letter to Credit Unions was
issued earlier this week that provides
boards of directors guidance on their
roles and responsibilities for ensuring
their credit union's cyber defenses.
The N C U A's Cyber Incident Notification
Requirements rule
requires a federally insured credit
union that experiences a reportable
cyber incident to report the incident
to the NCUA as soon as possible and no
later than 72 hours after the credit
union reasonably believes that it
experienced a reportable cyber incident.
To report a cyber incident, credit
unions may contact the N C U A by
calling 1.833.CYBERCU (1.833.292.3728)
or by using the NCUA's Secure Email
Message Center to
send a secure email to cybercu@ncua.gov.
Cybersecurity-related information,
including regulations, guidance,
and resources to help protect
credit unions and their members from
cyberthreats, is available on the
NCUA's cybersecurity resources webpage.
And now the N C U A Board in their
own voice and words from the
public recording of the briefing.
Todd Harper: Good morning everyone.
I call this meeting of
the NCUA Board to order.
In addition to those joining us in
the boardroom, I want to note for the
record that today's meeting is open
to the public through a live webcast.
Before we begin our business,
I understand that Board Member
Otsuka has some brief remarks.
Tonya Otsuka: Thanks, chair Harper.
I just wanted to say thank you to you
and the vice chair and the NCUA staff
for their well wishes as I welcome the
newest edition of my family last month.
Everybody has been really
kind and supportive.
So I just wanted to thank
you all appreciate it.
Todd Harper: Uh, so we certainly welcome
the news of her arrival here at the NCUA
and wish you well in all the weeks ahead.
I know it takes adjustment
with a newborn in the house.
I just want to say this, if I may.
In life, may Zoe have an open mind,
a caring heart, and a generous soul.
May she also read often and learn much.
Additionally, I see a credit
union account in Zoe's future.
Uh, after all, I learned important
lessons about budgeting, budgeting,
saving, and compound interest
from the mom and dad credit union
when I was just seven years old.
I'm sure that you're going to
do the same with your family.
With that, let me pause and see if
the vice chairman has any words.
Uh,
Kyle Hauptman: well, I would add that, um,
at Halloween, they get a bunch of candy.
Reach in, grab 40%.
They'll also learn about taxes.
I know it's your second try.
The biggest change in someone's life
is when they go from zero to one trial.
Staff Cyber1: As I said, Todd
Finkler and Dave Mateo here to
talk about the cybersecurity brief.
Next slide, please.
So we'll be talking about
Todd Harper: I think we
need to load the slides.
Kyle Hauptman: Is he getting slides?
Yes, he is.
Okay.
Staff Cyber1: There we go.
Perfect.
Next slide, please.
Unknown: Next slide.
Staff Cyber1: We
Kyle Hauptman: should
give these guys a clicker.
That's easier.
Yeah.
Staff Cyber1: Sometimes
you have to go back to one.
Right.
Yeah.
Um, so what we're going to be talking
about is, uh, I'm going to talk about
hacking economics, uh, and then we're
going to cover, uh, some free resources
for the credit unions to help them, uh,
manage the risks that they're coming
in with cyber, um, and then Dave gets
to do the fun stuff and looking at
the data from the credit union, uh,
cyber incident reports, uh, as well
as the information security exam.
Next slide, please.
So hacking economics, I like to think of,
uh, when you look at the cyber security
environment, what we have going on is
we have a maturation of the environment.
So five years ago, if you looked at
the, you know, in a sense, I guess,
bad hackers or cyber adversaries,
what you would see is
primarily nation state actors.
Now what you're seeing is, is that
the organized crime has gotten into
the business, um, and they're running
this as a business, and so they're
becoming very professional at that.
So the way I look at these things,
these are actually four
trends that we're seeing across the
financial sector, uh, that are prominent.
Um, and and the reasoning behind
these four trends is because there's
a great return on investment.
So I'm gonna talk about each of these
relative to that return on investment.
So the first one is
third party exploitation.
So if I have to come up with one
exploit, what a great way for me to get
access to a lot of companies because
I only need to attack one vendor.
Um, and now I've got access to all the
people, the customers that they service.
Um, so great return on investment there.
For web applications, all I need is a
laptop and an internet connection, and I
can start attacking those web applications
without any real restrictions.
Um, and so it's a, it's a, it's a,
it's a target that's intended to
be open anyway, so it just makes
it easier for you to do the job.
Um, and so again, return on
investment there is, is high.
The third trend that has been consistent
for years now is social engineering.
Forget all the expertise that I
needed to actually do an attack.
I just need to figure out
how to attack people, right?
And so I just need to trick them
into giving me the information
so I can get into the networks.
And then the fourth trend that
we're seeing is a tremendous
amount of ransomware.
And the idea here is there's two
things I can do with data that I steal.
I could either hold it over someone's
head and get an immediate
payment back on it, or I could turn
around and try to sell it on the dark
web, which makes it a little bit more
challenging and a little bit uglier,
so it's easier for them to do a ransom
attack for the return on investment.
Next slide, please.
So, extremely complex environment,
and, and it is, it is a hard job to do.
Um, I was once, uh, I did,
once, uh, signals intelligence.
I was in signals intelligence for a while.
Um, and, and I switched
over to the defensive side.
And it, it is definitely a hard job to do.
And so what, what I try to think
of when we do cybersecurity is
to help folks try to prioritize
their limited amount of resources.
Next slide, please.
Um, because you're never, and
there's going to be an attack.
And so the question is, and there's
not an infinite amount of resources,
you can't spend all your money on,
uh, protecting the, the, the data.
So, so really the question is, is how
can you best mitigate those, those risks?
Um, and so what, what I like to find
is, uh, uh, for credit unions that
are struggling with those resources,
let's find resources that the
government already understands there's
a problem here and is providing free
services that they can use today.
So I'd like to cover some of those.
The first one is a group of resources
that are provided by the Cybersecurity and
Critical Infrastructure Agency, or CISA.
And they provide four resources
I want to talk about briefly.
One is Regional Cybersecurity Expert.
Um, you can get, uh, get in
touch with them and, uh, build
a relationship with them.
They can help you with problems
that you, you're having, questions
you have on prioritizations.
If you have a, uh, cyber attack,
they can help you through
that, walk you through that.
They can do tabletop exercises and point
you to all the other references that
I'm, or resources I'm talking about
within CISA and even outside CISA.
It's great to build a relationship
now, uh, costs you nothing.
The second one, I really like this
one because it's a big deal with, with
being ex uh, exposed on the internet.
It's called cyber hygiene, and it does an
automated, uh, vulnerability scanning on
your external faces, facing IP addresses.
And where that helps you with the
prioritization is you can see where
you're exposed because you get a
weekly report, uh, based on the,
the automated scans that you see.
And you could try to prioritize
those based on those, those, uh,
vulnerabilities that you have exposed.
Um, the, the only thing I've seen people
hesitate to do this is their fear of
giving information to the government.
But CISA told us about
three weeks ago that there was
a law passed last year that stops
them from sharing that information
unless it's anonymized and aggregated.
Um, so they can't even share it within
different, uh, compartments of, of CISA.
So I think this is a, is a
great opportunity for people
to leverage if they're, if
they're not already doing this.
The third thing they, they, they provide
is Known Exploited Vulnerabilities.
So if you're, if you've heard of
common vulnerabilities and exposure,
CVEs, um, it's a way to publish
vulnerabilities in software as well
as hardware to let the community
know where they need to fix things.
Um, last year in 2023,
there were about 29,000 of them.
This year, already in August, there are
over 34,000 of them, um, as per ARGUS.
So what CISA does is, not all
of them are actually exploited.
So CISA looks in, in the
environment to look at exploits.
And then it finds the ones that are
actually being used and puts those
on a special list to give you a
priority list of things to take care
of, so take care of those first.
They also offer automated
information feeds that they
do as well as Treasury does.
Theirs is focused on the
critical infrastructure.
Whereas the Treasury is focused
just on the financial sector.
So, moving to Treasury, I already
talked about their automated
threat information feed.
They also have an interesting feed
where, that you can get, they will pay
for a clearance for a member of your
organization, for critical infrastructure
organizations, to get cleared and be
able to come to the T Suite, which is a
secure compartmented information facility.
And they can see classified intelligence
threats, uh, in that facility and
talk with other, Uh, you know, other
parties on what threats are out there
to help, uh, prioritize their resources.
Um, in addition to that, U.S.
Cyber Command has the, uh, something
called under advisement, a cover term.
Um, and under advisement, what the
focus is, is to help right now the
largest of credit unions to get
unclassified threat intelligence feeds.
Um, and they're working to get the
resources to expand that program to the
rest of the critical infrastructure.
Todd Harper: And before we leave
this slide, where can people find
this on our website, or what websites
can they go to?
Staff Cyber1: That is a great question.
So I have all the resources and
we're working to update our website
to contain that underneath the cyber
security references and resources page.
So this is all I have on here and
I'm gonna pass it over to David
to talk about the fun stuff,
the data that we've been seeing.
Next slide, please.
Staff cyber2: All right.
Thank you, Todd.
Uh, good morning, Chairman, uh,
Harper, Vice Chairman Hauptman,
and Board Member Otsuka.
Um, early in the presentation, Todd
spoke about the broader cybersecurity
landscape, and now I will talk about
the top trends that we are seeing
from the incidents credit union
reported to us in the last year.
So ransomware attacks and business
email compromises are not unique to
credit unions and are consistent across
all critical infrastructure sectors.
Uh, we're also seeing outages caused
by third party providers and attacks
against the security of ATMs.
In the next few slides, I hope
to provide some additional
detail about each of these areas.
Next slide, please.
Between September 1st of 2023 and
August 31st of 2024, that's the first
year since the Cyber Incident Reporting
Rule, uh, we received over 1,000
incident reports to our Cyber, uh,
Incident Credit Union Reporting System,
also affectionately known as SICRS.
The upper left pie on this slide
represent incident reports about
ransomware, business email compromise,
ATM tampering and fraud, and a
combination of other things such
as person to person transfers, wire
fraud, and BIN attacks on debit cards.
Nearly 70 percent of all incident
reports are related to third party
service providers, and the 742 third
party incidents, you know, do not
represent a one to one relationship
with credit union incidents, but
represent 13 specific events.
And it's important to note
that one service provider
event can and has impacted
many credit unions.
Next slide, please.
Ransomware attacks are quite common and
are increasingly problematic because
they often result in some form of loss
of availability, data integrity, or
confidentiality of member information.
Uh, the credit union reporting
trends about ransomware are
the same as the overall U.S.
financial sector reporting,
according to the FBI's Internet Crime
Complaint Center 2023 Annual Report.
The financial service sector
is the fifth most targeted
critical infrastructure sector.
And ransom demands are on average between
one and ten million dollars with payment
most typically demanded in Bitcoin.
To prepare against ransomware, credit
unions should maintain offline encrypted
backups of critical data, must implement
zero trust architecture, Create, maintain,
and regularly exercise a basic cyber
incident response plan and the associated
communications plan that includes
response and notification procedures,
and ensure that they have a plan for
resiliency of continuity of operations
in the event of a ransomware attack.
It is important to know that paying
a ransom could violate the Office
of Foreign Assets Control sanctions.
And lead to enforcement actions.
Planning to pay a ransom is
not a plan for resiliency.
Next slide please.
Anyone with an email account, as
Todd mentioned earlier, is vulnerable
to phishing and social engineering.
And these methods can often
lead to credential theft and
business email compromise.
Business email compromises remain a
viable tactic in the financial sector,
and make up 29 percent of the 330 non
vendor related credit union incident
reports that I showed earlier.
ATM incidents include skimming and
shimming, which result in the unauthorized
capture of card and PIN information,
and, number two, exploits of
ATM hardware and software
that result in jackpotting
withdrawal limits.
These sophisticated forms of financial
fraud represent 36 percent of the 330
credit union incident reports, uh,
that I mentioned earlier, excluding
the third party cyber incidents.
But additionally, I want to mention
that we have seen a rise in the takeover
of member service toll free numbers.
Um, and credit unions should
add measures to their accounts.
to prevent telecommunication companies
from being duped by fraudsters.
Lastly, uh, bad actors
exploit vulnerabilities,
especially unpatched ones.
So credit unions should move quickly
once issues are identified and
remediate critical vulnerabilities
after any patches are issued.
Next slide, please.
Information sharing is critical to
protecting the credit union system
and the shared insurance fund, and
information received may allow us
to proactively alert credit unions.
We have noticed that credit
unions might not be reporting all
incidents that require notification.
NCUA sometimes finds out about incidents
through news reports or social media, at
which time we may reach out to the credit
union and request incident information.
For example, uh, during the July IT
outage, uh, that disrupted vital member
services across the globe, NCUA received
only 16 reports from credit unions.
Also, credit unions should provide
incident updates as information
becomes known throughout the
entire lifespan of the incident.
The NCUA may also reach out to credit
unions or named incident contacts whenever
we require additional information.
We also encourage credit unions to form
relationships with their FBI field office.
Before an incident occurs.
And also, any legal representation
agreements should not preclude or prohibit
anyone from working with law enforcement.
Next slide please.
Last September marked the one year
since implementation of the NCUA
Cyber Incident Reporting Rule.
As a reminder, this slide outlines the
definition of a reportable incident
that must be reported to NCUA.
I want to provide some examples
of, uh, reportable incidents.
So, for example, if a federally insured
credit union becomes aware that
sensitive data is
modified or destroyed, or if the
integrity of a network or member
information system is compromised, right?
There are many technical
reasons why a service may not
be available at any given time.
For example, when a computer
server is offline for maintenance
or a system is being updated.
Such events are routine and thus
would not be reportable to the NCUA.
A distributed denial of service attack
that disrupts member account access
and leads to substantial system
outage is something that is reportable.
However, events such as blocked phishing
attempts, failed attempts to gain
access to a system or unsuccessful
malware attacks would not be reportable.
The credit union should report when a
third party service provider informs
the credit union, that the credit union
sensitive data or business operations
have been compromised or disrupted.
As a result of a cyber incident
experienced by that third party
service provider or upon the
credit union forming a reasonable
belief that that has occurred.
If you are not sure about
whether to report or not,
we ask you to please report.
Next slide please.
Soon, uh, we will be rolling out a
new web based cyber incident reporting
form that will help simplify reporting.
We will provide updated instructions
and a quick reference guide.
And the web form will complement
the other existing reporting
methods, voicemail and email.
NCUA and the Cybersecurity Infrastructure
Security Agency, CISA, met in August to
discuss the Notice of Proposed Rulemaking,
uh, that, uh, comments that were
received either from credit unions
or about credit unions, um, uh,
in regards to the Cyber Incident
Reporting for Critical Infrastructure
Act, commonly known as CIRCIA.
NCUA remains committed to working
with CISA to find the best and least
burdensome way For credit union incident
report information to make it to CISA.
The new web form I mentioned will
help us capture the information
that CISA is interested in.
And we will continue to collaborate
with other federal agencies to ensure
awareness of best practices across the
financial sector, share information, and
minimize the burden to credit unions.
Next slide.
Since the implementation in early 2023,
examiners have completed nearly 2,400
information security examination
assessments, also known as ISE.
From those nearly 2,400 assessments, we
have found that smaller institutions, and
those are, you know, $50 million or less,
are doing well in terms of critical
cyber security controls, such as
implementing antivirus and anti malware
protections, patching critical systems
and applications, and access controls.
Additionally, more than 93 percent of
them maintain backup and recovery plans
for critical systems and services.
For credit unions greater than
$50 million in assets, they're
doing well in maintaining board
approved policies and procedures and
implementing network security controls.
such as firewalls and intrusion
prevention systems, as well as
cybersecurity controls, such
as antivirus and anti malware.
Next slide.
When we look at the exams, the three
areas with the most opportunities for
improvement are information security
risk assessments, business continuity
programs, and incident response programs.
Staff Cyber1: I think
we need to catch up on.
No, we we're actually,
we're, we're caught up.
Oh, good.
Thanks.
Staff cyber2: No worries.
Uh, the next group of opportunities for
improvements include awareness training,
security program policies, governance,
and third party risk management.
Uh, we encourage credit unions of
all sizes to focus on increasing
their maturity in these areas.
And lastly, since credit unions
rely heavily on third parties for
a variety of services and products.
They are more vulnerable
to cybersecurity threats.
Risks can be mitigated with more
comprehensive information about
these third party service providers.
Next slide.
I want to bring your attention to the
NCUA Letter to Credit Unions 24-CU-02
that was published on Monday, October
21st of 2024 about the need for boards
of directors to remain focused on
managing cyber risks and ensuring the
credit union has the necessary resources.
to maintain an effective cybersecurity
program that aligns with its products,
its services, and its risk profile.
Boards should engage in ongoing
education about current cybersecurity
threats, trends, and best practices.
Um, and the board members do not
need to be technical experts.
They must know enough cybersecurity
to provide effective oversight
and direction for their executive
teams and subject matter experts.
Credit union boards of
directors must approve and
regularly review a comprehensive
information security program.
that meets the requirements of Part
748 of the NCUA regulations, which
include risk assessments, security
controls, and incident plans.
The Credit Union Board should set clear
expectations for management about the
due diligence of third party vendors
with respect to information security,
ensure that cybersecurity is a core value
within the Credit Union, and influencing
decision making at all levels, and
provide periodic information security
education [inaudible]
or systems that can be
utilized during an audit.
Next slide.
The Federal Financial Institutions
Examination Council at the FFIEC
recently announced the sunsetting
of its cyber security assessment
tool, the CAT, on August 31st, 2025.
While that decision impacts the broader
financial services industry, NCUA's
Automated Cybersecurity Examination
Tool, commonly known as ACET, will
continue to be supported and will remain
available for use by credit unions.
The NCUA will ensure the ACET
remains relevant and current with
the evolving cybersecurity landscape.
We are planning updates to the
ACET content to align with new
standards and frameworks, such as the
National Institute of Standards and
Technology Cybersecurity Framework 2.0
and the CISA Cybersecurity
Performance Goals.
These updates will ensure that the ACET
continues to meet credit union needs in
assessing their cybersecurity stance.
We are very encouraged by seeing
that the ACET has been downloaded
nearly 8,000 times in the last year.
Next slide.
As a reminder, there are several
resources available on NCUA's
website, and we have a dedicated
Cybersecurity Resources page
that includes guidance, tools,
and links to federal programs.
Next slide.
That concludes our remarks, and we'd be
happy to answer any questions for you.
Todd Harper: Um, thank you, uh, Todd
and Dave for that informative briefing.
I know that for a number of years we've
been having these at least once annually.
Um, this briefing by far is
the most informative briefing
that we've had on this topic.
Um, and if I could just make,
uh, I know that we do webinars.
I know that we do outreach.
But if I could make, uh, uh,
uh, a plea: if credit union,
um, uh, leagues or trade associations
would like for us to come
and speak to their members,
we'd be happy to do that, as well as
for media outlets, uh, in the credit
union space, to have, uh, more in depth.
I think that everybody would
benefit from this information.
October is Cybersecurity Awareness Month
and during this annual observance, the
National Credit Union Administration
seeks to shine a light on the many
cybersecurity issues currently
confronting credit union members.
The credit union system, the
agency, and the financial
services sector more broadly.
But the reality is, is that we must remain
laser focused on these issues year round.
That's because foreign and domestic
cyber fraudsters, as you point out,
including some of our international
adversaries, continue to target financial
services providers and their vendors.
The credit union system is a critical
part of the financial services sector,
and these annual cybersecurity updates
at the NCUA board table are an important
reminder that cyber attacks on financial,
the financial services industry, including
within the credit union system, will
remain high for the foreseeable future.
In fact, I am reminded of the phrase of,
uh, um, the famous and notorious, uh, bank
robber, uh, Willie Sutton, who said, you
know, when asked, why do people steal from
banks and why did he steal from banks?
He said, that's where the money is.
Well, we are seeing that this is the
fifth, uh, largest sector that is targeted
by cyber fraudsters, and we need to make
sure that everyone remains on their toes.
Far too often, we see that third party
service providers are a weak link in
the financial system, a danger noted in
the annual report of Financial Stability
Oversight Council, and credit union third
party service providers are no exception.
In fact, if we could pull up slide
six, um, we see that from September
1st, 2023, when the NCUA's
cyber incident notification rule
became effective, through August 31st
of this year, credit unions reported
nearly 1,100 cybersecurity incidents.
In fact, 7 out of 10 of these reports
related to the use or involvement
of third party service providers.
Moreover, approximately 90 percent
of the industry's assets are managed
by or touched by third party service
providers with no NCUA oversight.
Last November, a single third party
service provider's cybersecurity
incident disrupted the daily
operations of 60 credit unions.
And in June, a credit union with almost
10 billion in assets reported the personal
information of more than 1 million current
and former members and employees had
been accessed during a ransomware attack.
The breach initially occurred on May 23rd,
but Todd, as you pointed out, sometimes
these cyber fraudsters lie in wait.
Um, the ransomware attackers actually
did not shut down the credit unions
online and mobile banking systems
until a month later on June 29th.
What's more, ransomware attacks attributed
to malvertising, a
relatively new cyber, uh, attack technique
that injects malicious digital code
within digital ads, are on the rise.
For this type of, um, attack
to work, the user doesn't even
have to physically click on a link
for the system to become infected.
Instead, a simple Internet search
can result in advertising that
appears on the page and exploits the
vulnerabilities of the Internet browser.
Credit union cybersecurity teams should
focus, therefore, on standardizing and
securing web browsers and deploying
ad blocking software to protect
against this very real world threat.
[These incidents highlight significant
vulnerabilities to the] $2.3 trillion
federally insured credit union industry.
And our nation's interconnected
critical financial infrastructure.
We cannot afford to leave these
vulnerabilities unchecked.
As such, it's everyone's
responsibility to maintain good
cyber hygiene at home and at work.
Keeping cyber, uh,
keeping software updated,
using strong passwords and passkeys,
reporting phishing attempts, and
enforcing the use of multi factor
authentication are just a few examples
of the measures anyone can adopt to
strengthen their collective defenses.
Education and training are also
critical to raising and maintaining
awareness of cyber threats.
Earlier this week, as you noted, Dave,
the NCUA issued a letter to credit
unions that provides boards of directors
with clear guidance on their roles and
responsibilities for bolstering the
credit union system's cyber defenses.
Those responsibilities include providing
recurring training, approving the credit
union's information security program,
overseeing operational matters related
to credit, the credit union, including
third party service organizations
and other technology systems, and
ensuring appropriate incident response
and resiliency plans are in place.
Dave, of these several recommendations,
and I know the letter ran several
pages in length, um, um, uh, in it,
if you could emphasize just one piece.
of advice or action that a credit union
board should take, what would it be?
Staff cyber2: I appreciate the question.
Um, I want to ensure that every credit
union, um, has a robust incident
response and resiliency plan that
includes scenarios for responding to.
Operating and working during, um, and
recovering from a ransomware attack.
Todd Harper: Um, you know, I think
that that is a great piece of advice.
Cyber threats and technology are
rapidly advancing and all of us must
keep pace and having that robust.
plan of attack when, when the attack
happens, uh, is certainly a smart idea.
It's better, it's better to have
your plan in place beforehand than
trying to figure it out afterwards.
Um, it's also why we require periodic
cybersecurity, uh, training here and
planning here at the agency as, and why we
conduct exercises to test that knowledge.
Um, I also want to ask another
question, and I, and we didn't
discuss this in advance, but I, I, I
think you can, uh, help me out here.
I'm, I, I am under no illusion that
we see as many eyes on the NCUA board
meeting broadcast as we see on C SPAN,
um, and certainly on the nightly news.
But our exam teams are going in to
credit unions, uh, on a regular basis.
What are we doing to educate our examiners
so that they can educate credit unions
and provide the information needed,
uh, to credit unions that there are
front lines in this whole situation?
Staff cyber2: Well, um, there's, uh,
I appreciate the question, you know,
and there's, there's ongoing education.
There's also the application of
lessons learned, uh, gathered from
the exams to be used to inform.
So, the more information that we have,
the better insight we get and the
more that we can do to provide, uh, so
that our examiners look for the more
important things, for the riskiest
things, as well as for the credit
units to protect themselves and, you
know, make everybody's jobs easier.
Todd Harper: And how are we ensuring
that that communication between what
we are teaching and what we're Our
examiners is actually happening to, uh,
getting to credit union, uh, leaders.
Staff cyber2: So, um, so we're
regularly, uh, uh, collecting feedback
from our examiners and, and turning
that into advice, into guidelines,
into procedures, into communications.
to the credit unions, um, and as well, uh,
as, you know, as, as a regional, um, field
staff to, uh, to, to, to do these things.
So it's ongoing communication.
It is, uh, regular sharing of information.
Information sharing is the
key, uh, to what we're doing.
Um, and just learning,
listening, and observing.
Um, it's, uh, as Todd, uh,
mentioned earlier, it's, uh, when
it comes to cybersecurity, it's
not about if it's going to happen.
It's It's unfortunately
when it's going to happen.
Yeah.
Todd Harper: And Dave, would it be fair to say I've
heard of a number of credit
unions that have seen their management
component rating downgraded, uh,
because of information security issues.
Is that what you're seeing in, uh,
the office overall as you collect
that and aggregate that data?
Staff cyber2: It, it certainly happens.
Um, and, and then, uh, you know, it said
it, it informs, uh, the types of, uh, of
questions and, and things that we assess.
Todd Harper: Thank you so much.
I think that that's really helpful
information to get out there.
Despite our efforts to strengthen
the system's cyber defenses, we
of course still have a blind spot.
For example, NCUA's ability to analyze
and assess the risk in the entire credit
union system remains limited because
the agency lacks the same level of
oversight of third party service providers
as federal banking regulators have.
Stakeholders must understand the
risks resulting from the NCUA's
lack of vendor authority are real.
Um, and as both of you discussed, the
NCUA is not just the regulator for federal
credit unions, but also the insurer.
The NCUA board may need to consider
changes to the normal operating level
of the share insurance fund given the
additional risk of insuring an industry
that more and more outsources core
business operations to unregulated
third party service providers.
Um, and as both of you discussed,
the Most cyber incidents reported
to the NCUA, in fact, involve
third party service providers.
Until this growing regulatory blind
spot is closed, thousands of federally
insured credit unions with more than 140
million consumers who use those credit
unions and trillions of dollars in assets
are exposed to higher levels of risk.
Credit union leaders must also
understand that their institutions
are a significant part of our
nation's critical infrastructure.
Something that the U.S.
has a, government has a
solemn obligation to protect.
We cannot do that without the
ability to assess and analyze risk,
and that is what vendor supervision
would provide us the ability to do.
It's heartening to hear, as I speak
with more and more credit union leaders,
that they understand the value of the
NCUA having the same vendor supervisory
authority as the federal banking agencies.
They understand that their industry is
worthy of the same protections as the
banking industry and they understand
that if the NCUA had vendor authority,
we could provide summary reports of
those third party exams to credit unions.
For use in due diligence, this
statutory change, in other words,
would eliminate a competitive
disadvantage that credit unions
currently have when compared to banks.
During my travels and meetings with credit
union leagues and officials, more CEOs and
leaders have also told, um, my team and
me that they see the value and benefits
of restoring the NCUA's third party
service authority because they cannot.
No, no, I agree.
Thanks.
I mean We're we're we're.
We're all a part of this right.
The pathways to recovery in soundness
and enhance consumer financial protection
and anti money laundering compliance.
It would also save credit unions
time and money in the long term.
So it's common sense
and just good business.
Plus, it would give credit union
members The same protection
that bank consumers have.
That concludes my remarks.
I now recognize the Vice Chairman for his.
Thank you, sir.
Kyle Hauptman: And thanks, Todd
and David, for the update.
David, it's your first time.
All right.
Well done.
Um, thank you for all the
work you put into that.
As the Chairman mentioned, it's the fifth
most targeted, uh, sector of the nation.
Uh, they have money.
Financial institutions
know that they have cash.
They know how to send it.
Um, so we can understand
why they're targeted.
Um, and every single
one of us is vulnerable.
I want to compliment you
on your choice of career.
Cyber security is a growth
industry, unfortunately.
Do you know anybody who's good
at cyber that's unemployed?
Me neither.
Um, I remember, uh,
our July board meeting.
It was July 18th, and we finished
up the following morning.
Packed up the car, the family,
and the car, and the dog.
Arduous 15 hour family
trip up to Maine, right?
It's not flying a kid in a car seat,
you know on a long trip I remember that
Friday actually because we debated flying.
I was really glad we drove.
Do you happen to remember why?
Systems was a Southwest Ground stray.
It was the CrowdStrike. Delta,
United, American, Elysian halted
all travel. Absolute nightmare.
Now that let me ask you, was that
considered to be a cyber incident?
It's not really right.
That was that was a code update that hit
Microsoft Windows from CrowdStrike, right?
From a cyber standpoint.
My next question is, did we get calls
from people who thought things were
down, but I don't believe It's a cyber
incident, but you're the experts here.
So
Staff Cyber1: I believe based on our
rule, we, that is a cyber incident.
Okay.
Because it affected the operational,
um, the operations of the credit union.
Kyle Hauptman: What if the local
cable provider, uh, had a problem
and the internet was down?
Is that a cyber incident?
Either way, you can't do anything.
Staff Cyber1: It's also a cyber incident.
That's a cyber incident?
I believe based on the
Kyle Hauptman: rules, yeah.
Because I remember during that whole
mess, right, and it took some of
these airlines until the next week
to get these people, uh, uh, going.
Uh, especially with Delta, people slept
in the Atlanta airport for days, you know.
Um, you couldn't get a hotel, imagine
you were connecting through, right,
because all the hotels were closed.
Sold out within 100 miles absolute
nightmare, but they were making sure that
this is not a cyber attack No one's being
held for ransom or anything like that.
There was a lot of talk about that.
You know, the DHS involved that this
thing is terrible, but they made a
whole point of saying they by their
standards didn't consider a cyber attack
um, right and but we Did get calls.
Staff cyber2: I can answer that.
Um, first to add that the the
aspect that would have made
irrelevant to us is the disruption
to vital member services, right?
It's inevitable that many member
services were impacted even before
it's fully known that it was a But a
poor configuration management practice.
Kyle Hauptman: One person uploading an
untested line of code in a patch and boom.
Staff cyber2: And in regards to that
specific event, we received 16 reports.
Kyle Hauptman: We got 16 for that.
Okay.
Now, so just to be clear, if your local
internet provider had a problem, right?
You know, a storm, wires get cut,
um, or there's just a power outage.
So obviously you're not
going to have internet.
There's no power.
Right?
Uh, and the average credit union
doesn't have its own generator in
those kind of office buildings.
Who's that?
Is that also something that they're
supposed to report, per our rule?
Staff cyber2: If it affects
vital member services, yes.
Kyle Hauptman: Okay.
All right.
Um, one thing I want to mention is
the role of, because these things are
important, the CrowdStrike, you couldn't
not notice that it was very regulated
industries, and there was a connection.
Airlines, hospitals, Financial services
very regular in this United States, very
regulated industries and government played
a role in making this worse in a way,
because as I understand it, and I am, I
don't want to get out over my skis because
I don't know much about CrowdStrike
in that industry, but CrowdStrike
was seen as when you were in an exam.
It was a quick way to be able
to move on to the next topic.
Oh, oh, you're using CrowdStrike.
Okay, good.
So people knew that that
was what regulators liked.
So and I'm not here to say there was
better options, but it's a longer meeting.
If you use somebody else, if you're
using, and that was kind of the
good housekeeping skill approval.
Oh, you have this CrowdStrike system?
All right, all right, next
topic, which is what you want
if you're a regulated industry.
Next topic.
So you wound up having, you know, maybe
it would have been only one airline.
You know, I'm speculating here.
But no, we're using this new thing.
It's cheaper.
It's better, whatever.
That now, it makes your meeting longer.
You're putting the
examiner in a tougher spot.
My point is, sometimes government, uh,
if we lean and feel we have our preferred
answers, you know, and we act kind of
like there's a white list, that if you
answer A, your exam is easier and quicker,
or if you answer B, it's longer, with
a lot more work, and you've made your
examiner a little uncomfortable, because
we don't, people don't like signing off
on things they don't really know, okay?
But A might not be better than B, right?
Uh, it might not be more effective for
your organization, more cost effective.
Anyway, I just wanted to note that
and it was pointed out to, to me.
Well, it was pointed out to me online.
I read it that, um, the.
We don't have that sort of regulation
where they can shut you down entirely
that that level of regulation and you
get graded and that sort of thing.
Very regulated industries.
The government played a role in that.
Put it that put it that way.
Um, also, you may, uh,
usually ask for Bitcoin.
I just want to defend
Bitcoin for a second.
Uh, the reason you do it is because
it's useful because there's no other
way that any team human beings on
Earth can send each other money 24
hours a day with instant settlement.
There's no fake deposits.
You don't have to worry about it.
Money's counterfeit.
Any two humans on earth.
Now, in this country,
things work kind of well.
The payment system is a little
creaky, but it's an absolute lifeline
if your government is destroying
your currency via inflation.
In Argentina, you know, they have
siesta, where they have different prices
in the afternoon than the morning.
Uh, for a lot of people,
it's an absolute godsend.
So it's, um, uh, Bitcoin itself
is just incredibly useful,
but not that great for cyber.
They really have to hustle on
their end, the bad guys, because
what do we know about Bitcoin?
Has an unalterable public database.
That transaction sent from this wallet
to that wallet can never, ever be erased.
Bitcoin, as you know, has, uh,
their redundancies built in because
there's separate copies everywhere.
Uh, there's no central database.
It's a totally decentralized system.
Their redundancies are the envy of any
organization in the world because it's
almost impossible to change that database.
It's an unalterable transaction.
So there's more of a record of it.
This is why there's companies
like Chainalysis that use
them, you know, tracking.
These things.
So, um, they have to hustle on their end
to disappear and clean that wallet out
and never use it again and never send
any money to anybody else from that.
It's difficult to do.
It's a paper trail.
So, Bitcoin has an unalterable,
unchangeable public database
that can never be changed.
And, um, yes, it is useful
and criminals use it.
But I would say is that if you
think crypto is often used by
criminals, you're going to freak
out when you hear about cash.
Um,
so we said, uh, Chairman mentioned, uh,
financial institutions have two things,
data it's useful and they have cash.
They're also savvier than
some at making payments.
Um, and while I don't think we need any
new regs, uh, specifically for artificial
intelligence, like most technology, The
stuff that bad guys do is already illegal.
Technology just made new
ways to do it before, right?
Yeah, when I know that, um, groups look at
linked in and see recent updates for jobs
like CFO controller, anyone who has the
power to send enormous amount of money.
And if the person came from outside the
employer, okay, brand new CFO job, you're
new, you don't want to rock the boat.
They are more likely to fall for
an email that looks like it's
from the boss says, Hey, we got to
send 400 million to this account.
Uh, you know, uh, they don't, might not
realize how it is, they don't want to
push back on the new job they got, so,
um, and it used to be you could call, uh,
you know, if the boss called you and you
heard their voice, I know Todd's voice,
I know if it's him, well, that's a whole
nother thing now, it could be his voice,
hell, he could even be on a screen.
So, uh, I don't think many people
ask, you can have regs on this, the
stuff is already illegal or bad,
there's just new ways to do it.
Hearing someone's voice
used to be illegal.
Uh, more sure, uh, than we are now.
Um, uh, Credit unions are, uh, one
thing about them is they're quite
cooperative with each other as well.
Um, they built interconnected
systems, make it possible to compete
with larger institutions, right?
Uh, they're like that story about the
school of fish that looked like the
big one, whatever that story's called.
Um, but we remember interconnected
is good in a lot of ways, but
it's also negative, right?
It provides points of leverage.
So, uh, Monday, October 21,
you know, we released a letter.
We mentioned it before just to
go over the four items in it.
The agency is not asking any credit
union board to be technical experts.
I don't think our board considers
ourselves to be technical experts,
but they must be aware of the risk.
Um, and these credit unions should
approve their IT information
security program annually.
That's not new.
Thank you.
Uh, they should review the program
annually, make sure it's a evolving
threat, for example, like we just said.
AI makes a lot of other solutions harder.
And oversee operational management.
No one's asking anybody to be a
technical expert, but there's things
that they're responsible for overseeing.
Third party due diligence.
Credit unions are responsible
for who they do business with.
They may have a, a relationship that,
um, where they get upset with their
vendor that they didn't do as well.
People were certainly upset
with CrowdStrike, um, but
that's still a response.
From our perspective, it's
solely the responsibility of
the credit union executive not.
Because can they manage
their relationships or not?
If they can't, that speaks
poorly of management.
And they also don't want us to start
coming in and having a good list of
vendors and a bad list of vendors.
Right?
Uh, that's not going to help anybody.
Um, seven in ten cyber incidents this year
with credit unions involved a third party.
So we want to make sure the
requirements you have in your
contracts protect third party data.
Oh, and just to finish that letter we
just sent, the fourth one was incident
response planning and resilience.
You want to make this easy, okay?
I want to tell people, because we know for
a fact, that people probably should have.
We know that there's been people of credit
unions affected that didn't call us.
We know because of the numbers.
We know, you know, it'd be a hundred
credit unions affected, we got 20 calls.
Well, we know 80 didn't.
I want to do things that are easy to do
Get done the simpler you make it the more
effective it is the higher response rate
we get right and we want to do Our part
make it simple and I think the credit
this reporting this reminds me of our
discussion about signing up for the CLF
It's one of those things where if you
do it It's one of those things you might
put off and then you do it you're like,
wait a second That wasn't that hard.
Why did I put that off?
You know a two minute rule?
You can do it in under two minutes do it
right now I want people to know credit
unions that this is actually very easy
to do It's not some long government form
you may be imagining Your first time.
Um, can I have a slide, please?
Um,
I just Googled NCUA Cyber Reporting.
You can put NCUA Cyber.
I did this in a couple
of different browsers.
I did it on my phone.
You literally don't even
have to click past that.
Why?
Because even on that preview
part, see the number right there?
Stop right there.
Right?
If somebody's, uh, Saturday,
it's their kid's soccer game.
And someone says, Boss,
you know, we have an outage.
And she's like, okay, I guess
there's a, we have to report that.
A form.
You have your phone on you.
Google.
Boom.
You are finished.
All you have to do is the number.
You don't even have to click on the link.
See that number right there?
1-833.
I'm asking every, uh, credit union
CEO, whoever made the reporting,
just take that number and I
would put it in your contacts.
If you're like us and you have two phones,
you have a personal, put it in there.
That's gonna help you on
Saturday, uh, when you're watching
your daughter's soccer game.
Just put that number in.
I would save it like
cyber NCUA or something.
If you, if you want to be good, I would
also put in the contact itself, um,
your charter number to have it handy.
You know, like, I have United
Airlines customer service in here.
I also have my, my own bus number
right there in the contact,
so I have it in front of me.
All you need to do, if you ever, any,
as long as you have access to a phone
or internet, you can get this done
right then and there, on the spot.
Okay?
I would take that number, save
it to your phone, whatever
phones you're going to use.
Okay.
And if you do click it.
Next slide, please.
All right.
This is it.
This is the form.
Okay.
Quick reference guide.
We acknowledge this thing as a,
as a wallet card, knowing that in
the scenarios we're talking about,
depending on what kind of situation
you have, you may not have work email.
You might not be able
to go find that email.
What do we do?
Um, you might not have access to much.
So if I was the, the.
person in charge, either the CEO or
the CIO, I would not only have this
physically taped to my desk or whatever,
I would have that little card, because
you have the charter number in there,
and that's like kind of a wallet card.
Remember, we have to think about a
scenario where there's no internet,
no email, your system's down, that
you can get this done and it's easy.
Uh, I know when you have a, a,
notifying NCUA is not your first
priority, nor should it be.
But this is an easy one to
get off your to do list.
I would have that, I would also
take a picture of that and have
it in a folder on your phone, you
know, in your photos, and it's very,
uh, very, very simple to do, okay?
So save it in your contacts, a lot easier.
Even if you didn't have the charter
number, whoever decided to call, that
number, we could probably live with it.
Uh, you know, we're, we're Apple First
Credit Union in, uh, in Wisconsin, right?
Um, and especially from our
perspective, am I correct?
You want to know if there's a
problem at a credit union, but.
What we, I think, really care
about is all of a sudden, this
morning, everything's fine.
But by noon today, we got 25 calls.
Something's going on.
Right?
A broader issue.
There's always going to be some credit
union out there where the local internet
provider's down or what have you.
A tree falls on a branch and you
lose, it happened to me in my house.
A tree hit the branch and I lost
cable and internet for a while.
That's good.
We care about, is there
something happening?
Is there a broad issue where we at NCUA
can help and say, hey, whatever you do,
don't, don't, don't download that patch.
It's going to make everything worse.
Um, so do that.
And then that number is, uh, 24 hours.
Um, if you, even if you didn't
have that wildcard, I'm sorry,
you're going to know your own name.
I don't love the reporter name and title.
That refers to the credit union
person who's calling it in.
I don't know, like people think
a reporter is a journalist,
or maybe it's some expression.
Anyway, reporter name and title, like,
I don't know, I'm not a reporter,
I'm a CIT guy, so they'll credit you.
But even if you didn't have that card,
and you just Googled it, remember, you're
sitting there, you have your personal
phone, you didn't save the contact, you're
watching the kids soccer game on Saturday,
you get a call, you can get it done.
In 10 seconds, you'll get no information.
NCUA cyber boom.
You're going to get that number.
Okay, let's try it.
NCUA
AI Fraudster: cyber incident reporting.
Please enter your credit
union charter number.
If you don't know it, it's three pounds.
Okay,
Kyle Hauptman: I press three.
AI Fraudster: Please leave your name,
title, bank number, credit union
name, order number, the date and
time the incident was identified and
basic description of the incident.
Description should include what
functions were or are reasonably
believed to have been affected or if
sensitive information was compromised.
Please hang up once your
voicemail is complete.
If the NCUA requires additional
information, we will contact you shortly.
Thank you.
Kyle Hauptman: Alright, um,
shall I leave a message?
I downloaded the Todd Harper virus.
What happened?
What do I do?
Um, anyway, that's pretty good.
The only, remember, the simpler you
make it, the more likely you get it.
Um, and your response rate is going to
be quicker, it's going to be higher.
Um, I don't know if every person who
calls in all, 24 hours a day, waking up in
the night at the kid's soccer game would
know, I don't know how well known charter
numbers are in terms of knowing it.
But again, we could live with it
if they didn't have that, right?
Remember, it says either enter your
charter number, and if you don't
know it, press 3, which then asks for
your charter number, which you only
hit 3 because you didn't know it.
Right?
So, uh, but I still think
we could live with it.
Just get the call in.
It's easy.
Nobody's going to ding you
because you didn't remember every
digit of your charter number.
You're the new CTO, you
just got hired last week.
I walk up to them right now and
ask them what their employer's
charter number is, right?
A lot of people won't know.
But my point is, I don't
want people to get hung up.
Pick up the phone, call that number, it's
very easy to leave it, you have done.
And like it says, we'll get back
to you if, uh, we need more.
This is not a step, the
incident reporting, a lot
of people aren't doing it.
Uh, they can choose not to do it if
they want to, but I just want people to
know that there's very little roadblock.
It's very simple to do.
This is not some complicated
bureaucratic form where you're going
to have to look up a bunch of stuff up.
You can do it in your shorts
and your dad's shoes on the
side of the soccer game.
You know, um, easy to do.
Anyway, uh, I will, uh, stop there.
I just want to ask, um, The incident
reporting, uh, the presentation, you
showed us the incident reporting form.
Where is that going to live?
Just a good time to remind people.
Staff cyber2: Sure.
Um, it, the, the form
will live on the ncua.gov,
the public website on the
cybersecurity resources webpage.
Um, and, uh, it will go live in December.
Kyle Hauptman: In December.
Staff cyber2: And we will be updating
the, the quick reference guide,
the, the, the contact card that you
mentioned earlier, um, as well as
providing instructions on how to use it.
Kyle Hauptman: Sounds like a not a
bad thing to also actively push out.
People obviously don't check our
website, and they wouldn't know
that there was something new to
check in the first place, right?
We could push it out, see attachment,
print this out, tape your, you know, desk.
Um, that concludes my remarks.
Todd Harper: Uh, thank you so much.
One of the things I like about everybody
putting it into their contact list is it
helps protect against malvertising, uh,
when they do the search, um, overall.
Um, I, I, I'd like to actually take
your suggestion one step further.
Perhaps we could update our examination
guidelines That we push out that two
pager, uh, to everybody at every exam and
just make it a normal course of business.
Physically hand it to them.
Physically hand it to them.
I think that that would
be a great way to do it.
Um, Board Member Otsuka,
you're now recognized.
Tonya Otsuka: Thank you, chair Harper.
Um, and thank you, Dave and Todd for
the briefing, um, and for your work
to keep the NCUA and the credit
union system safe from cyber attacks.
Um, you know, as you mentioned during
the briefing, cyber attacks come in
all forms, ransomware attacks to ATMs,
emails, and it can affect credit unions.
of all sizes. A credit union having
to pay millions of dollars to a hacker
to retrieve its own customers' data hurts
credit union members, reduces trust in the
greater system and potentially negatively
affects the share insurance fund.
So, I'm happy to support the work that
you and your team are doing to implement
the new cyber incident reporting web
form and continue to build out the
information security exam program.
Um, just want to clarify one thing.
Credit unions, um, I think it's great
that we all that we demonstrated
how easy it is to report.
Um, can you remind us all how long
credit unions have to report, um, what
the timeframe is, um, especially seeing
is how it's so easy to do and, um, you
know, whether it's required to do so.
Staff cyber2: I'll take that question.
Uh, thank you for the question.
Uh, the credit union should report,
uh, within 72 hours from when
they reasonably believe, uh, that
there's been a cyber incident.
Tonya Otsuka: Okay, great.
And, um, what, uh, kind of what
we're looking for, right, is for
incidents at the credit union.
Are we also looking for incidents
that third parties, anything affecting
the credit unions operations?
Yes.
Okay.
Okay.
Great.
Thank you.
Um, and, you know, I'd also be
remiss if I didn't highlight.
You know, something that chair
Harper, I think, raised that the, um.
Needs 3rd party vendor authority
to fully safeguard our system of
cooperative credit from cyber threats.
I think that chart that you all presented,
um, of the percentage of of, uh,
incidents involving 3rd parties is really.
It demonstrates that that's really
where a lot of the issues are,
and I've talked to a lot of credit
unions who have had difficulties
when they have those incidents with
their 3rd party service providers.
Um, you know, we lack the critical
oversight of 3rd party vendors that our
banking agency counterparts have, um,
and I know credit unions kind of have
to turn to a lot of 3rd party service
providers in a lot of ways to do back
office operations to protect data.
Um, but these 3rd parties can also
be exploited as backdoors into
credit unions processing systems.
Um, and so we've seen how the agency's
of authority and limited insight into a
critical component of the credit union
ecosystem has impacted our ability.
The ability to help credit unions
respond to credit to excuse me to cyber
threats, cyber attacks in real time.
And I think.
You know, I've also, um, uh, I also
understand it hinders us, um, in
some ways from working with other
agencies to minimize vulnerabilities
in the broader financial system.
So, I just want to say, I do think
it's imperative that we continue to
work with Congress to restore this
much needed authority to the NCUA.
Um, and before I conclude, just kind
of circling back to cyber incident
reporting more generally, you know,
I, I do think that's really great.
And I think the work that you and
your team are doing to build a more
robust program is really, really great.
Important.
Remember, you know, I think the as a
government agency, we, I think credit
unions, of course, have responsibility
to manage their operations to manage
their credit unions themselves,
but we have a responsibility to
make sure that they are doing.
So, in a safe and sound way that
protects the members, because
credit union members who are.
Working, we're taking
care of their families.
They don't have time or the expertise
to double check whether their credit
union is monitoring their 3rd party
systems or, you know, paying attention
to the latest cyber threats that might
be happening credit union members.
They don't have time for that.
That is what our job is as the NCUA.
We are there to protect members
and members' hard-earned money.
And so I just want to say, thank
you to you and your team for all
the work and, uh, you know, look
forward to, um, to more more to come.
So thanks.
Appreciate it.
Thank you.
Todd Harper: And thank you so much for
those observations, Board Member Otsuka.
Uh, thank you also, Todd and David,
uh, for being here, uh, on this
important briefing that concludes
our first item of business.
Samantha: This concludes the briefing.
If your Credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at mark Treichel dot com.
This is Samantha Shares and
we Thank you for listening.