Credit Union Regulatory Guidance Including: NCUA, CFPB, FDIC, OCC, FFIEC

www.marktreichel.com

https://www.linkedin.com/in/mark-treichel/



Show Notes: NCUA Board Cybersecurity Briefing - October 2024

 

🎙️ With Flying Colors - A Credit Union Examination Podcast

Hosted by Samantha Shares

Sponsored by Credit Union Exam Solutions Inc.

 

Episode Overview:

Join us for a comprehensive breakdown of the NCUA's October 2024 cybersecurity briefing, where key officials provided critical insights into the current threat landscape facing credit unions.

 

 

📊 Key Statistics:

- 1,072 cyber incidents reported (Sept 2023 - Aug 2024)

- 742 incidents (70%) involved third-party vendors

- 13 major service provider events affected multiple credit unions

- Financial services is 5th most targeted critical infrastructure sector

- Ransomware demands typically range from $1M-$10M

 

🔑 Main Discussion Points:

 

1. Current Cyber Threat Landscape:

   - Ransomware attacks

   - Business email compromises

   - ATM security issues

   - Third-party provider outages

 

2. Emerging Threats:

   - Malvertising attacks

   - Social engineering tactics

   - Web application vulnerabilities

 

3. NCUA Recommendations:

   - Maintain offline encrypted backups

   - Implement zero trust architecture

   - Create incident response plans

   - Strengthen vendor risk management

 

🚨 Incident Reporting Requirements:

- 72-hour reporting window

- Contact methods:

  - Phone: 1-833-CYBERCU (1-833-292-3728)

  - Email: cybercu@ncua.gov

  - New web form coming December 2024

 

📱 Pro Tip: Save the NCUA cyber incident reporting number in your contacts for quick access during emergencies.

 

🔗 Resources Mentioned:

- NCUA Cybersecurity Resources Page

- Letter to Credit Unions 24-CU-02 (October 21, 2024)

- NCUA's Automated Cybersecurity Examination Tool (ACET)

- CISA Cybersecurity Resources

 

💡 Key Takeaway:

Cybersecurity threats to credit unions continue to evolve and increase, with third-party vendors representing a significant vulnerability in the system. Credit unions must remain vigilant and maintain strong cyber hygiene practices.

 

📞 Contact Information:

- For exam assistance: Visit marktreichel.com

- Connect with Mark Treichel on LinkedIn

 

🎧 Next Episode:

Stay tuned for more insights on credit union examination success strategies.

 

#CreditUnions #Cybersecurity #NCUA #FinancialServices #RiskManagement

 

Sponsored by Credit Union Exam Solutions Inc. - Over 240 years of combined NCUA experience helping credit unions save time and money on examinations.

 

Note: This podcast is educational and does not constitute legal advice.

 


Are you worried about an NCUA exam in process or looming on the horizon? Don't face it alone!

We're ex-NCUA insiders with decades of experience, ready to guide you to success. Our team understands the intricacies of NCUA examinations from the inside out.

Hire us and gain:

• Peace of mind during your exam process

• Insider knowledge of NCUA procedures and expectations

• Strategies to address potential issues before they become problems

• Continuous access to our extensive subject matter expertise

With our access retainer, you'll have on-demand support from former NCUA experts. We're here to ensure your credit union achieves flying colors in its next examination.

Contact Credit Union Exam Solutions today to learn more about our services and how we can help your credit union succeed.

What is Credit Union Regulatory Guidance Including: NCUA, CFPB, FDIC, OCC, FFIEC?

This podcast provides you the ability to listen to new regulatory guidance issued by the National Credit Union Administration, and occasionally the F D I C, the O C C, the F F I E C, or the C F P B. We will focus on new and material agency guidance, and historically important and still active guidance from past years that NCUA cites in examinations or conversations. This podcast is educational only and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated. We also have another podcast called With Flying Colors where we provide tips for achieving success with the N C U A examination process and discuss hot topics that impact your credit union.

Hello, this is Samantha Shares.

This episode covers the N C U A
Board briefing on Cybersecurity

from the October Board Meeting.

The following is an audio
version of that briefing.

This podcast is educational
and is not legal advice.

We are sponsored by Credit Union
Exam Solutions Incorporated, whose

team has over two hundred and
Forty years of National Credit

Union Administration experience.

We assist our clients with N C
U A so they save time and money.

If you are worried about a recent,
upcoming or in process N C U A

examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

Also check out our other podcast called
With Flying Colors where we provide tips

on how to achieve success with N C U A.

And now Board action memorandum
followed by the board briefing.

Samantha: Board Briefed on Cybersecurity,
New Charters, and Field of Membership

Board Action Bulletin

The National Credit Union Administration
Board held its seventh open meeting

of 2024 and received a briefing on:

Cybersecurity and the Information
Security Examination Program

Employees from the NCUA’s Office of
Examination and Insurance and Office of

the Executive Director briefed the Board
on cybersecurity, hacking economics,

cyber incident reporting, and the NCUA’s
Information Security Examination program.

The briefing noted that trends across
the credit union system include

outages caused by ransomware attacks
and third-party service providers.

Staff reported that from September
1, 2023, when the N C U A’s cyber

incident notification rule became
effective, through August 31 of this

year, credit unions reported 1,072
cyber incidents, of which 742 — nearly

7 in 10 — were related to the use or
involvement of a third-party vendor.

“These annual cybersecurity updates
at the N C U A Board table are an

important reminder that cyberattacks
on the financial services industry,

including within the credit union
system, will remain high for the

foreseeable future,” Chairman Harper said.

“Far too often, we see that third-party
service providers are a weak link in

the financial system, a danger noted
in the most recent Annual Report of the

Financial Stability Oversight Council.

And credit union third-party
service providers are no exception.”

In addition, the briefing provided
a description of what is reportable

under the cyber incident reporting
rule; a status of the Information

Security Examination Program,
including its strengths and

opportunities for improvement; and an
update on the number of third-party

provider and ransomware incidents.

“These incidents highlight significant
vulnerabilities to the $2.3

trillion federally insured credit
union industry and our nation’s

interconnected critical financial
infrastructure,” Chairman Harper said.

“We cannot afford to leave
these vulnerabilities unchecked.

As such, it’s everyone’s
responsibility to maintain good

cyber-hygiene — at home and at work.”

The N C U A continues to encourage credit
union staff and boards of directors to

review their third-party service provider
and vendor relationships, assess and

mitigate any potential risk associated
with their products and services, and

strengthen their institution’s cyber
vigilance and preparedness efforts.

Chairman Harper noted in his remarks
that a Letter to Credit Unions was

issued earlier this week that provides
boards of directors guidance on their

roles and responsibilities for ensuring
their credit union’s cyber defenses.

The N C U A’s Cyber Incident Notification
Requirements rule

requires a federally insured credit
union that experiences a reportable

cyber incident to report the incident
to the NCUA as soon as possible and no

later than 72 hours after the credit
union reasonably believes that it

experienced a reportable cyber incident.

To report a cyber incident, credit
unions may contact the N C U A by

calling 1.833.CYBERCU (1.833.292.3728)
or by using the NCUA’s Secure Email

Message Center to send a secure
email to cybercu@ncua.gov.

Cybersecurity-related information,
including regulations, guidance,

and resources to help protect
credit unions and their members from

cyberthreats, is available on the
NCUA’s cybersecurity resources webpage.

And now the N C U A Board in their
own voice and words from the

public recording of the briefing.

Todd Harper: Good morning everyone.

I call this meeting of
the NCUA Board to order.

In addition to those joining us in
the boardroom, I want to note for the

record that today's meeting is open
to the public through a live webcast.

Before we begin our business,
I understand that Board Member

Otsuka has some brief remarks.

Tonya Otsuka: Thanks, chair Harper.

I just wanted to say thank you to you
and the vice chair and the NCUA staff

for their well wishes as I welcome the
newest addition to my family last month.

Everybody has been really
kind and supportive.

So I just wanted to thank
you all appreciate it.

Todd Harper: Uh, so we certainly welcome
the news of her arrival here at the NCUA

and wish you well in all the weeks ahead.

I know it takes adjustment
with a newborn in the house.

I just want to say this, if I may.

In life, may Zoe have an open mind,
a caring heart, and a generous soul.

May she also read often and learn much.

Additionally, I see a credit
union account in Zoe's future.

Uh, after all, I learned important
lessons about budgeting, budgeting,

saving, and compound interest
from the mom and dad credit union

when I was just seven years old.

I'm sure that you're going to
do the same with your family.

With that, let me pause and see if
the vice chairman has any words.

Uh,

Kyle Hauptman: well, I would add that, um,
at Halloween, They get a bunch of candy.

Reach in, grab 40%.

They'll also learn about taxes.

I know it's your second try.

The biggest change in someone's life
is when they go from zero to one trial.

Staff Cyber1: As I said, Todd
Finkler and Dave Mateo here to

talk about the cybersecurity brief.

Next slide, please.

So we'll be talking about

Todd Harper: I think we
need to load the slides.

Kyle Hauptman: Is he getting slides?

Yes, he is.

Okay.

Staff Cyber1: There we go.

Perfect.

Next slide, please.

Unknown: Next slide.

Staff Cyber1: We

Kyle Hauptman: should
give these guys a clicker.

That's easier.

Yeah.

Staff Cyber1: Sometimes
you have to go back to one.

Right.

Yeah.

Um, so what we're going to be talking
about is, uh, I'm going to talk about

hacking economics, uh, and then we're
going to cover, uh, some free resources

for the credit unions to help them, uh,
manage the risks that they're coming

in with cyber, um, and then Dave gets
to do the fun stuff and looking at

the data from the credit union, uh,
cyber incident reports, uh, as well

as the information security exam.

Next slide, please.

So hacking economics, I like to think of,
uh, when you look at the cyber security

environment, what we have going on is
we have a maturation of the environment.

So five years ago, if you looked at
the great, You know, great, a sense, I

guess, bad hackers or cyber adversaries,
what you would see is, you would see

is primarily nation state actors.

Now what you're seeing is, is that
the organized crime has gotten into

the business, um, and they're running
this as a business, and so they're

becoming very professional at that.

So the way I look at these things, and
so these are actually five, four, four

trends that we're seeing across the
financial sector, uh, that are prominent.

Um, and and the reasoning behind
these four trends is because there's

a great return on investment.

So I'm gonna talk about each of these
relative to that return on investment.

So the first one is
third party exploitation.

So if I have to come up with one
exploit, what a great way for me to get

access to a lot of companies because
I only need to attack one vendor.

Um, and now I've got access to all the
people, the customers that they service.

Um, so great return on investment there.

For web applications, all I need is a
laptop and an internet connection, and I

can start attacking those web applications
without any real restrictions.

Um, and so it's a, it's a, it's a,
it's a target that's intended to

be open anyway, so it just makes
it easier for you to do the job.

Um, and so again, return on
investment there is, is high.

The third trend that has been consistent
for years now is social engineering.

Forget all the expertise that I
needed to actually do an attack.

I just need to figure out
how to attack people, right?

And so I just need to trick them
into giving me the information

so I can get into the networks.

And then the fourth trend that
we're seeing is a tremendous

amount of ransomware.

And the idea here is there's two
things I can do with data that I steal.

I could either hold it over someone's
head and get an immediate threat.

Uh, payment back on it, or I could turn
around and try to sell it on the dark

web, which makes it a little bit more
challenging and a little bit uglier,

so it's easier for them to do a ransom
attack for the return on investment.

Next slide, please.

So, extremely complex environment,
and, and it is, it is a hard job to do.

Um, I was once, uh, uh, I did
once, uh, um, signals intelligence.

I was in signals intelligence for a while.

Um, and, and I switched
over to the defensive side.

And it, it is definitely a hard job to do.

And so what, what I try to think
of when we do cybersecurity is

to help folks try to prioritize
their limited amount of resources.

Next slide, please.

Um, because you're never, and
there's going to be an attack.

And so the question is, and there's
not an infinite amount of resources,

you can't spend all your money to,
uh, protecting the, the, the data.

So, so really the question is, is how
can you best mitigate those, those risks?

Um, and so what, what I like to find
is, uh, uh, for credit unions that

are struggling with those resources,
let's find resources that the

government already understands there's
a problem here and is providing free

services that they can use today.

So I'd like to cover some of those.

The first one is a group of resources
that are provided by the Cybersecurity and

Critical Infrastructure Agency, or CISA.

And they provide four resources
I want to talk about briefly.

One is Regional Cybersecurity Expert.

Um, you can get, uh, get in
touch with them and, uh, build

a relationship with them.

They can help you with problems
that you, you're having, questions

you have on prioritizations.

If you have a, uh, cyber attack,
they can help you through

that, walk you through that.

They can do tabletop exercises and point
you to all the other references that

I'm, or resources I'm talking about
within CISA and even outside CISA.

It's great to build a relationship
now, uh, costs you nothing.

The second one, I really like this
one because it's a big deal with, with

being ex uh, exposed on the internet.

It's called cyber hygiene, and it does an
automated, uh, vulnerability scanning on

your external faces, facing IP addresses.

And where that helps you with the
prioritization is you can see where

you're exposed because you get a
weekly report, uh, based on the,

the automated scans that you see.

And you could try to prioritize
those based on those, those, uh,

vulnerabilities that you have exposed.

Um, the, the only thing I've seen people
hesitate to do this is their fear of

giving information to the government.

But last year, CISA told us about
three weeks ago, CISA said there was

a law passed last year that stops
them from sharing that information

unless it's anonymized and aggregated.

Um, so they can't even share it within
different, uh, compartments of, of CISA.

So I think this is a, is a
great opportunity for people

to leverage if they're, if
they're not already doing this.

The third thing they, they, they provide
is Known Exploited Vulnerabilities.

So if you're, if you've heard of
common vulnerabilities and exposure,

CVEs, um, it's a way to publish
vulnerabilities in software as well

as hardware to let the community
know where they need to fix things.

Um, last year in 2023,
there's about 29,000 of them.

This year, already in August, there's
over 34,000 of them, um, as per ARGUS.

So what CISA does is not all
of them are actually exploited.

So CISA looks in, in the
environment to look at exploits.

And then it finds the ones that are
actually being used and puts those

on a special list to give you a
priority list of things to take care

of, so take care of those first.

They also offer automated
information feeds that they

do as well as Treasury does.

Theirs is focused on the
critical infrastructure.

Whereas the Treasury is focused
just on the financial sector.

So, moving to Treasury, I already
talked about their automated

threat information feed.

They also have an interesting feed
where, that you can get, they will pay

for a clearance for a member of your
organization, for critical infrastructure

organizations, to get cleared and be
able to come to the T Suite, which is a

secure compartmented information facility.

And they can see classified intelligence
threats, uh, in that facility and

talk with other, Uh, you know, other
parties on what threats are out there

to help, uh, prioritize their resources.

Um, in addition to that, U.S. Cyber Command
has the, uh, something called Under Advisement, a cover term.

Um, and under advisement, what the
focus is, is to help right now the

largest of credit unions to get
unclassified threat intelligence feeds.

Um, and they're working to get the
resources to expand that program to the

rest of the critical infrastructure.

Todd Harper: And before we leave
this slide, Where can people find

this on our website or what websites

Staff Cyber1: can they go to?

That is a great question.

So I have all the resources and
we're working to update our website

to contain that underneath the cyber
security references and resources page.

So this is all I have on here and
I'm gonna pass it over to David

to talk about the fun stuff,
the data that we've been seeing.

Next slide, please.

Staff cyber2: All right.

Thank you, Todd.

Uh, good morning, Chairman, uh,
Harper, Vice Chairman Hauptman,

and Board Member Otsuka.

Um, early in the presentation, Todd
spoke about the broader cybersecurity

landscape, and now I will talk about
the top trends that we are seeing

from the incidents credit union
reported to us in the last year.

So ransomware attacks and business
email compromises are not unique to

credit unions and are consistent across
all critical infrastructure sectors.

Uh, we're also seeing outages caused
by third party providers and attacks

against the security of ATMs.

In the next few slides, I hope
to provide some additional

detail about each of these areas.

Next slide, please.

Between September 1st of 2023 and
August 31st of 2024, that's the first

year since the Cyber Incident Reporting
Rule, uh, we received over 1,000

incident reports to our Cyber, uh,
Incident Credit Union Reporting System.

Also, affectionately known as SICRS.

The upper left pie on this slide
represent incident reports about

ransomware, business email compromise,
ATM tampering and fraud, and a

combination of other things such
as person to person transfers, wire

fraud, and BIN attacks on debit cards.

Nearly 70 percent of all incident
reports are related to third party

service provider and the 742 third
party incidents, you know, do not

represent a one to one relationship
with credit union incidents, but

represent 13 specific events.

And it's important to note
that one service provider

event can and has impacted
many credit unions.

Next slide, please.

Ransomware attacks are quite common and
are increasingly problematic because

they often result in some form of loss
of availability, data integrity, or

confidentiality of member information.

Uh, the credit union reporting
trends about ransomware are

the same as the overall U.S.
financial sector reporting.

According to the FBI's Internet Crimes
Complaints Center 2023 Annual Report,

the financial service sector
is the fifth most targeted

critical infrastructure sector.

And ransom demands are on average between
one and ten million dollars with payment

most typically demanded in Bitcoin.

To prepare against ransomware, credit
unions should maintain offline encrypted

backups of critical data, must implement
zero trust architecture, create, maintain,

and regularly exercise a basic cyber
incident response plan and the associated

communications plan that includes
response and notification procedures,

and ensure that they have a plan for
resiliency of continuity of operations

in the event of a ransomware attack.

It is important to know that paying
a ransom could violate the Office

of Foreign Assets Control sanctions.

And lead to enforcement actions.

Planning to pay a ransom is
not a plan for resiliency.

Next slide please.

Anyone with an email account, as
Todd mentioned earlier, is vulnerable

to phishing and social engineering.

And these methods can often
lead to credential theft and

business email compromise.

Business email compromises remain a
viable tactic in the financial sector.

And make up 29 percent of the 330 non
vendor related credit union incident

reports that I showed earlier.

ATM incidents include skimming and
shimming, which result in the unauthorized

capture of card and PIN information.

And number two, exploits of
ATM hardware and software.

That result in jackpotting
withdrawal limits.

These sophisticated forms of financial
fraud represent 36 percent of the 330

credit union incident reports, uh,
that I mentioned earlier, excluding

the third party cyber incidents.

But additionally, I want to mention
that we have seen a rise in the takeover

of member service toll free numbers.

Um, and credit unions should
add measures to their accounts.

to prevent telecommunication companies
from being duped by fraudsters.

Lastly, uh, bad actors
exploit vulnerabilities,

especially unpatched ones.

So credit unions should move quickly
once issues are identified and

remediate critical vulnerabilities
after any patches are issued.

Next slide, please.

Information sharing is critical to
protecting the credit union system

and the shared insurance fund, and
information received may allow us

to proactively alert credit unions.

We have noticed that credit
unions might not be reporting all

incidents that require notification.

NCUA sometimes finds out about incidents
through news reports or social media, at

which time we may reach out to the credit
union and request incident information.

For example, uh, during a July IT
outage, uh, that disrupted vital member

services across the globe, NCUA received
only 16 reports from credit unions.

Also, credit unions should provide
incident updates as information

becomes known throughout the
entire lifespan of the incident.

The NCUA may also reach out to credit
unions or named incident contacts whenever

we require additional information.

We also encourage credit unions to form
relationships with their FBI field office.

Before an incident occurs.

And also, any legal representation
agreements should not preclude or prohibit

anyone from working with law enforcement.

Next slide please.

Last September marked the one year
since implementation of the NCUA

Cyber Incident Reporting Rule.

As a reminder, this slide outlines the
definition of a reportable incident

that must be reported to NCUA.

I want to provide some examples
of, uh, reportable incidents.

So, for example, if a federally insured
credit union becomes aware that

sensitive data is modified or
destroyed, or if the

integrity of a network or member
information system is compromised, right?

There are many technical
reasons why a service may not

be available at any given time.

For example, when a computer
server is offline for maintenance

or a system is being updated.

Such events are routine and thus
would not be reportable to the NCUA.

A distributed denial of service attack
that disrupts member accounts access

and leads to substantial system
outage is something that is reportable.

However, events such as blocked phishing
attempts, failed attempts to gain

access to a system or unsuccessful
malware attacks would not be reportable.

The credit union should report when a
third party service provider informs

the credit union, that the credit union
sensitive data or business operations

have been compromised or disrupted.

As a result of a cyber incident
experienced by that third party

service provider or upon the
credit union forming a reasonable

belief that that has occurred.

If you are not sure about
whether to report or not,

we ask you to please report.

Next slide please.

Soon, uh, we will be rolling out a
new web based cyber incident reporting

form that will help simplify reporting.

We will provide updated instructions
and a quick reference guide.

And the web form will complement
the other existing reporting

methods, voicemail and email.

NCUA and the Cybersecurity Infrastructure
Security Agency, CISA, met in August to

discuss the Notice of Proposed Rulemaking.

Uh, that, uh, comments that were
received either from credit unions

or about credit unions, um, uh,
in regards to the Cyber Incident

Reporting for Critical Infrastructure
Act, commonly known as CIRCIA.

NCUA remains committed to working
with CISA to find the best and least

burdensome way for credit union incident
report information to make it to CISA.

The new web form I mentioned will
help us capture the information

that CISA is interested in.

And we will continue to collaborate
with other federal agencies to ensure

awareness of best practices across the
financial sector, share information, and

minimize the burden to credit unions.

Next slide.

Since the implementation in early 2023,
examiners have completed nearly 2,400

information security examination
assessments, also known as ISE.

From those nearly 2,400 assessments, we
have found that smaller institutions, and

those are, you know, 50 million or less.

are doing well in terms of critical
cyber security controls, such as

implementing antivirus and anti malware
protections, patching critical systems

and applications, and access controls.

Additionally, more than 93 percent of
them maintain backup and recovery plans

for critical systems and services.

For credit unions greater than
50 million in assets, they're

doing well in maintaining board
approved policies and procedures and

implementing network security controls.

such as firewalls and intrusion
prevention systems, as well as

cybersecurity controls, such
as antivirus and anti malware.

Next slide.

When we look at the exams, the three
areas with the most opportunities

for improvement, the three areas
with the most opportunities for

improvement are information security
risk assessments, business continuity

programs, and incident response programs,

Staff Cyber1: I think
we need to catch up on.

No, we we're actually,
we're, we're caught up.

Oh, good.

Thanks.

Staff cyber2: No worries.

Uh, the next group of opportunities for
improvements include awareness training,

security program policies, governance,
and third party risk management.

Uh, we encourage credit unions of
all sizes to focus on increasing

their maturity in these areas.

And lastly, since credit unions
rely heavily on third parties for

a variety of services and products.

They are more vulnerable
to cybersecurity threats.

Risks can be mitigated with more
comprehensive information about

these third party service providers.

Next slide.

I want to bring your attention to the
NCUA Letter to Credit Unions 24 CU 02

that was published on Monday, October
21st of 2024 about the need for boards

of directors to remain focused on
managing cyber risks and ensuring the

credit union has the necessary resources.

to maintain an effective cybersecurity
program that aligns with its products,

its services, and its risk profile.

Boards should engage in ongoing
education about current cybersecurity

threats, trends, and best practices.

Um, and the board members do not
need to be technical experts.

They must know enough cybersecurity
to provide effective oversight

and direction for their executive
teams and subject matter experts.

Credit union boards of
directors must approve and

regularly review a comprehensive
information security program.

that meets the requirements of Part
748 of the NCUA regulations, which

include risk assessments, security
controls, and incident plans.

The Credit Union Board should set clear
expectations for management about the

due diligence of third party vendors
with respect to information security,

ensure that cybersecurity is a core value
within the Credit Union, and influencing

decision making at all levels, and
provide periodic information security

education.

or systems that can be
utilized during an outage.

Next slide.

The Federal Financial Institutions
Examination Council, or the FFIEC,

recently announced the sunsetting
of its cyber security assessment

tool, the CAT, on August 31st, 2025.

While that decision impacts the broader
financial services industry, NCUA's

Automated Cybersecurity Examination
Tool, commonly known as ACET, will

continue to be supported and will remain
available for use by credit unions.

The NCUA will ensure the ACET
remains relevant and current with

the evolving cybersecurity landscape.

We are planning updates to the
ACET content to align with new

standards and frameworks, such as the
National Institute of Standards and

Technology Cybersecurity Framework 2.0
and the CISA Cybersecurity
Performance Goals.

These updates will ensure that the ACET
continues to meet credit union needs in

assessing their cybersecurity stance.

We are very encouraged by seeing
that the ACET has been downloaded

nearly 8,000 times in the last year.

Next slide.

As a reminder, there are several
resources available on NCUA's

website and we have a dedicated
Cybersecurity Resources page

that includes guidance, tools,
and links to federal programs.

Next slide.

That concludes our remarks, and we'd be
happy to answer any questions for you.

Todd Harper: Um, thank you, uh, Todd and Dave for that informative briefing. I know that for a number of years we've been having these at least once annually. Um, this briefing by far is the most informative briefing that we've had on this topic. Um, and if I could just make, uh, I know that we do webinars. I know that we do outreach. But if I could make, uh, uh, uh, a plea, uh, if credit union, um, uh, leagues, trade associations would like for us to come and speak to their members, we'd be happy to do that, as well as if for media outlets, uh, in the credit union space to have, uh, more in depth. I think that everybody would benefit from this information.

October is Cybersecurity Awareness Month and during this annual observance, the National Credit Union Administration seeks to shine a light on the many cybersecurity issues currently confronting credit union members, the credit union system, the agency, and the financial services sector more broadly. But the reality is, is that we must remain laser focused on these issues year round. That's because foreign and domestic cyber fraudsters, as you point out, including some of our international adversaries, continue to target financial services providers and their vendors.

The credit union system is a critical part of the financial services sector, and these annual cybersecurity updates at the NCUA board table are an important reminder that cyber attacks on financial, the financial services industry, including within the credit union system, will remain high for the foreseeable future. In fact, I am reminded of the phrase of, uh, um, the famous and notorious, uh, bank robber, uh, Willie Sutton, who said, you know, when asked, why do people steal from banks and why did he steal from banks? He said, that's where the money is. Well, we are seeing that this is the fifth, uh, largest sector that is targeted by cyber fraudsters, and we need to make sure that everyone remains on their toes.

Far too often, we see that third party service providers are a weak link in the financial system, a danger noted in the annual report of the Financial Stability Oversight Council, and credit union third party service providers are no exception. In fact, if we could pull up slide six, um, we see that from September 1st, 2023, when the NCUA's cybersecurity incident notification rule became effective, through August 31st of this year, credit unions reported nearly 1,100 cybersecurity incidents. In fact, 7 out of 10 of these reports related to the use or involvement of third party service providers. Moreover, approximately 90 percent of the industry's assets are managed by third party service providers or touched with no NCUA oversight.

Last November, a single third party service provider's cybersecurity incident disrupted the daily operations of 60 credit unions. And in June, a credit union with almost 10 billion in assets reported the personal information of more than 1 million current and former members and employees had been accessed during a ransomware attack. The breach initially occurred on May 23rd, but Todd, as you pointed out, sometimes these cyber fraudsters lie in wait. Um, the ransomware attackers actually did not shut down the credit union's online and mobile banking systems until a month later on June 29th.

What's more, ransomware attacks attributed to, attributed to malvertising, a relatively new cyber, uh, attack technique that injects malicious digital code within digital ads, are on the rise. For this type of, um, attack to work, the user doesn't even have to physically click on a link for the system to become infected. Instead, a simple Internet search can result in advertising that appears on the page and exploits the vulnerabilities of the Internet browser. Credit union cybersecurity teams should focus, therefore, on standardizing and securing web browsers and deploying ad blocking software to protect against this very real world threat.

2.3 trillion federally insured credit union industry and our nation's interconnected critical financial infrastructure. We cannot afford to leave these vulnerabilities unchecked. As such, it's everyone's responsibility to maintain good cyber hygiene at home and at work. Keeping cyber, uh, keeping software updated, using strong passwords and passkeys, reporting phishing attempts, and enforcing the use of multi factor authentication are just a few examples of the measures anyone can adopt to strengthen their collective defenses. Education and training are also critical to raising and maintaining awareness of cyber threats.

Earlier this week, as you noted, Dave, the NCUA issued a letter to credit unions that provides boards of directors with clear guidance on their roles and responsibilities for bolstering the credit union system's cyber defenses. Those responsibilities include providing recurring training, approving the credit union's information security program, overseeing operational matters related to credit, the credit union, including third party service organizations and other technology systems, and ensuring appropriate incident response and resiliency plans are in place.

Dave, of these several recommendations, and I know the letter ran several pages in length, um, um, uh, in it, if you could emphasize just one piece of advice or action that a credit union board should take, what would it be?

Staff cyber2: I appreciate the question. Um, I want to ensure that every credit union, um, has a robust incident response and resiliency plan that includes scenarios for responding to, operating and working during, um, and recovering from a ransomware attack.

Todd Harper: Um, you know, I think that that is a great piece of advice. Cyber threats and technology are rapidly advancing and all of us must keep pace, and having that robust plan of attack when, when the attack happens, uh, is certainly a smart idea. It's better, it's better to have your plan in place beforehand than trying to figure it out afterwards. Um, it's also why we require periodic cybersecurity, uh, training here and planning here at the agency as, and why we conduct exercises to test that knowledge.

Um, I also want to ask another question, and I, and we didn't discuss this in advance, but I, I, I think you can, uh, help me out here. I'm, I, I am under no illusion that we see as many eyes on the NCUA board meeting broadcast as we see on C-SPAN, um, and certainly on the nightly news. But our exam teams are going in to credit unions, uh, on a regular basis. What are we doing to educate our examiners so that they can educate credit unions and provide the information needed, uh, to credit unions that are on the front lines in this whole situation?

Staff cyber2: Well, um, there's, uh, I appreciate the question, you know, and there's, there's ongoing education. There's also the application of lessons learned, uh, gathered from the exams to be used to inform. So, the more information that we have, the better insight we get and the more that we can do to provide, uh, so that our examiners look for the more important things, for the riskiest things, as well as for the credit unions to protect themselves and, you know, make everybody's jobs easier.

Todd Harper: And how are we ensuring that that communication between what we are teaching and what we're, our examiners, is actually happening to, uh, getting to credit union, uh, leaders?

Staff cyber2: So, um, so we're regularly, uh, uh, collecting feedback from our examiners and, and turning that into advice, into guidelines, into procedures, into communications to the credit unions, um, and as well, uh, as, you know, as, as a regional, um, field staff to, uh, to, to, to do these things. So it's ongoing communication. It is, uh, regular sharing of information. Information sharing is the key, uh, to what we're doing. Um, and just learning, listening, and observing. Um, it's, uh, as Todd, uh, mentioned earlier, it's, uh, when it comes to cybersecurity, it's not about if it's going to happen. It's, it's unfortunately when it's going to happen.

Todd Harper: Yeah. And Dave, would it be fair to say I've heard of a number of credit unions that have seen their management component rating downgraded, uh, because of information security issues. Is that what you're seeing in, uh, the office overall as you collect that and aggregate that data?

Staff cyber2: It, it certainly happens. Um, and, and then, uh, you know, it said it, it informs, uh, the types of, uh, of questions and, and things that we assess.

Todd Harper: Thank you so much. I think that that's really helpful information to get out there.

Despite our efforts to strengthen the system's cyber defenses, we of course still have a blind spot. For example, NCUA's ability to analyze and assess the risk in the entire credit union system remains limited because the agency lacks the same level of oversight of third party service providers as federal banking regulators have. Stakeholders must understand the risks resulting from the NCUA's lack of vendor authority are real. Um, and as both of you discussed, the NCUA is not just the regulator for federal credit unions, but also the insurer. The NCUA board may need to consider changes to the normal operating level of the share insurance fund given the additional risk of insuring an industry that more and more outsources core business operations to unregulated third party service providers. Um, and as both of you discussed, the, most cyber incidents reported to the NCUA, in fact, involve third party service providers.

Until this growing regulatory blind spot is closed, thousands of federally insured credit unions with more than 140 million consumers who use those credit unions and trillions of dollars in assets are exposed to higher levels of risk. Credit union leaders must also understand that their institutions are a significant part of our nation's critical infrastructure, something that the U.S. has a, government has a solemn obligation to protect. We cannot do that without the ability to assess and analyze risk, and that is what vendor supervision would provide us the ability to do.

It's heartening to hear, as I speak with more and more credit union leaders, that they understand the value of the NCUA having the same vendor supervisory authority as the federal banking agencies. They understand that their industry is worthy of the same protections as the banking industry and they understand that if the NCUA had vendor authority, we could provide summary reports of those third party exams to credit unions for use in due diligence. This statutory change, in other words, would eliminate a competitive disadvantage that credit unions currently have when compared to banks.

During my travels and meetings with credit union leagues and officials, more CEOs and leaders have also told, um, my team and me that they see the value and benefits of restoring the NCUA's third party service authority because they cannot. No, no, I agree. Thanks. I mean we're, we're, we're. We're all a part of this, right. The pathways to recovery in soundness and enhance consumer financial protection and anti money laundering compliance. It would also save credit unions time and money in the long term. So it's common sense and just good business. Plus, it would give credit union members the same protection that bank consumers have.

That concludes my remarks. I now recognize the Vice Chairman for his.

Kyle Hauptman: Thank you, sir. And thanks, Todd and David, for the update. David, it's your first time. All right. Well done. Um, thank you for all the work you put into that.

As the Chairman mentioned, it's the fifth most targeted, uh, sector of the nation. Uh, they have money. Financial institutions know that they have cash. They know how to send it. Um, so we can understand why they're targeted. Um, and every single one of us is vulnerable. I want to compliment you on your choice of career. Cyber security is a growth industry, unfortunately. Do you know anybody who's good at cyber that's unemployed? Me neither.

Um, I remember, uh, our July board meeting. It was July 18th, and we finished up the following morning. Packed up the car, the family, and the car, and the dog. Arduous 15 hour family trip up to Maine, right? It's not flying a kid in a car seat, you know, on a long trip. I remember that Friday actually because we debated flying. I was really glad we drove. Do you happen to remember why? Systems was a Southwest ground stray. It was the CrowdStrike. Delta, United, American, Elysian halted all travel. Absolute nightmare. Now that, let me ask you, was that considered to be a cyber incident? It's not really, right? That was, that was a code update that hit Microsoft Windows from CrowdStrike, right? From a cyber standpoint. My next question is, did we get calls from people who thought things were down, but I don't believe it's a cyber incident, but you're the experts here. So

Staff Cyber1: I believe based on our rule, we, that is a cyber incident. Okay. Because it affected the operational, um, the operations of the credit union.

Kyle Hauptman: What if the local cable provider, uh, had a problem and the internet was down? Is that a cyber incident? Either way, you can't do anything.

Staff Cyber1: It's also a cyber incident.

Kyle Hauptman: That's a cyber incident?

Staff Cyber1: I believe based on the rules, yeah.

Kyle Hauptman: Because I remember during that whole mess, right, and it took some of these airlines until the next week to get these people, uh, uh, going. Uh, especially with Delta, people slept in the Atlanta airport for days, you know. Um, you couldn't get a hotel, imagine you were connecting through, right, because all the hotels were closed. Sold out within 100 miles, absolute nightmare, but they were making sure that this is not a cyber attack. No one's being held for ransom or anything like that. There was a lot of talk about that. You know, the DHS involved, that this thing is terrible, but they made a whole point of saying they, by their standards, didn't consider a cyber attack, um, right, and but we did get calls.

Staff cyber2: I can answer that. Um, first to add that the, the aspect that would have made it relevant to us is the disruption to vital member services, right? It's inevitable that many member services were impacted even before it's fully known that it was a, but a poor configuration management practice.

Kyle Hauptman: One person uploading an untested line of code in a patch and boom.

Staff cyber2: And in regards to that specific event, we received 16 reports.

Kyle Hauptman: We got 16 for that. Okay. Now, so just to be clear, if your local internet provider had a problem, right? You know, a storm, wires get cut, um, or there's just a power outage. So obviously you're not going to have internet. There's no power. Right? Uh, and the average credit union doesn't have its own generator in those kind of office buildings. Who's that? Is that also something that they're supposed to report, per our rule?

Staff cyber2: If it affects vital member services, yes.

Kyle Hauptman: Okay. All right. Um, one thing I want to mention is the role of, because these things are important, the CrowdStrike, you couldn't not notice that it was very regulated industries, and there was a connection. Airlines, hospitals, financial services, very regular in this United States, very regulated industries, and government played a role in making this worse in a way, because as I understand it, and I am, I don't want to get out over my skis because I don't know much about CrowdStrike in that industry, but CrowdStrike was seen as, when you were in an exam, it was a quick way to be able to move on to the next topic. Oh, oh, you're using CrowdStrike. Okay, good. So people knew that that was what regulators liked. So, and I'm not here to say there was better options, but it's a longer meeting if you use somebody else, if you're using, and that was kind of the Good Housekeeping seal of approval. Oh, you have this CrowdStrike system? All right, all right, next topic, which is what you want if you're a regulated industry. Next topic. So you wound up having, you know, maybe it would have been only one airline. You know, I'm speculating here. But no, we're using this new thing. It's cheaper. It's better, whatever. That now, it makes your meeting longer. You're putting the examiner in a tougher spot.

My point is, sometimes government, uh, if we lean and feel we have our preferred answers, you know, and we act kind of like there's a white list, that if you answer A, your exam is easier and quicker, or if you answer B, it's longer, with a lot more work, and you've made your examiner a little uncomfortable, because we don't, people don't like signing off on things they don't really know, okay? But A might not be better than B, right? Uh, it might not be more effective for your organization, more cost effective. Anyway, I just wanted to note that and it was pointed out to, to me. Well, it was pointed out to me online. I read it that, um, the, we don't have that sort of regulation where they can shut you down entirely, that, that level of regulation and you get graded and that sort of thing. Very regulated industries. The government played a role in that. Put it that, put it that way.

Um, also, you may, uh, usually ask for Bitcoin. I just want to defend Bitcoin for a second. Uh, the reason you do it is because it's useful, because there's no other way that any two human beings on Earth can send each other money 24 hours a day with instant settlement. There's no fake deposits. You don't have to worry about it. Money's counterfeit. Any two humans on earth. Now, in this country, things work kind of well. The payment system is a little creaky, but it's an absolute lifeline if your government is destroying your currency via inflation. In Argentina, you know, they have siesta, where they have different prices in the afternoon than the morning. Uh, for a lot of people, it's an absolute godsend. So it's, um, uh, Bitcoin itself is just incredibly useful, but not that great for cyber. They really have to hustle on their end, the bad guys, because what do we know about Bitcoin? Has an unalterable public database. That transaction sent from this wallet to that wallet can never, ever be erased. Bitcoin, as you know, has, uh, their redundancies built in because there's separate copies everywhere. Uh, there's no central database. It's a totally decentralized system. Their redundancies are the envy of any organization in the world because it's almost impossible to change that database. It's an unalterable transaction. So there's more of a record of it. This is why there's companies like Chainalysis that use them, you know, tracking these things. So, um, they have to hustle on their end to disappear and clean that wallet out and never use it again and never send any money to anybody else from that. It's difficult to do. It's a paper trail. So, Bitcoin has an unalterable, unchangeable public database that can never be changed. And, um, yes, it is useful and criminals use it. But I would say is that if you think crypto is often used by criminals, you're going to freak out when you hear about cash.

Um, so we said, uh, Chairman mentioned, uh, financial institutions have two things, data, it's useful, and they have cash. They're also savvier than some at making payments. Um, and while I don't think we need any new regs, uh, specifically for artificial intelligence, like most technology, the stuff that bad guys do is already illegal. Technology just made new ways to do it before, right?

Yeah, when I know that, um, groups look at LinkedIn and see recent updates for jobs like CFO, controller, anyone who has the power to send enormous amounts of money. And if the person came from outside the employer, okay, brand new CFO job, you're new, you don't want to rock the boat. They are more likely to fall for an email that looks like it's from the boss, says, hey, we got to send 400 million to this account. Uh, you know, uh, they don't, might not realize how it is, they don't want to push back on the new job they got, so, um, and it used to be you could call, uh, you know, if the boss called you and you heard their voice, I know Todd's voice, I know if it's him, well, that's a whole nother thing now, it could be his voice, hell, he could even be on a screen. So, uh, I don't think many people ask, you can have regs on this, the stuff is already illegal or bad, there's just new ways to do it. Hearing someone's voice used to be illegal. Uh, more sure, uh, than we are now.

Um, uh, credit unions are, uh, one thing about them is they're quite cooperative with each other as well. Um, they built interconnected systems, make it possible to compete with larger institutions, right? Uh, they're like that story about the school of fish that looked like the big one, whatever that story's called. Um, but we remember interconnected is good in a lot of ways, but it's also negative, right? It provides points of leverage.

So, uh, Monday, October 21, you know, we released a letter. We mentioned it before, just to go over the four items in it. The agency is not asking any credit union board to be technical experts. I don't think our board considers ourselves to be technical experts, but they must be aware of the risk. Um, and these credit unions should approve their IT information security program annually. That's not new. Thank you. Uh, they should review the program annually, make sure it's a evolving threat, for example, like we just said. AI makes a lot of other solutions harder. And oversee operational management. No one's asking anybody to be a technical expert, but there's things that they're responsible for overseeing. Third party due diligence. Credit unions are responsible for who they do business with. They may have a, a relationship that, um, where they get upset with their vendor that they didn't do as well. People were certainly upset with CrowdStrike, um, but that's still a response. From our perspective, it's solely the responsibility of the credit union executive, not. Because can they manage their relationships or not? If they can't, that speaks poorly of management. And they also don't want us to start coming in and having a good list of vendors and a bad list of vendors. Right? Uh, that's not going to help anybody. Um, seven in ten cyber incidents this year with credit unions involved a third party. So we want to make sure the requirements you have in your contracts protect third party data. Oh, and just to finish that letter we just sent, the fourth one was incident response planning and resilience.

You want to make this easy, okay? I want to tell people, because we know for a fact, that people probably should have. We know that there's been people of credit unions affected that didn't call us. We know because of the numbers. We know, you know, it'd be a hundred credit unions affected, we got 20 calls. Well, we know 80 didn't. I want to do things that are easy to do, get done. The simpler you make it, the more effective it is, the higher response rate we get, right, and we want to do our part, make it simple, and I think the credit, this reporting, this reminds me of our discussion about signing up for the CLF. It's one of those things where if you do it, it's one of those things you might put off and then you do it, you're like, wait a second, that wasn't that hard. Why did I put that off? You know, a two minute rule? You can do it in under two minutes, do it right now. I want people to know, credit unions, that this is actually very easy to do. It's not some long government form you may be imagining your first time.

Um, can I have a slide, please? Um, I just Googled NCUA cyber reporting. You can put NCUA cyber. I did this in a couple of different browsers. I did it on my phone. You literally don't even have to click past that. Why? Because even on that preview part, see the number right there? Stop right there. Right? If somebody's, uh, Saturday, it's their kid's soccer game. And someone says, boss, you know, we have an outage. And she's like, okay, I guess there's a, we have to report that. A form. You have your phone on you. Google. Boom. You are finished. All you have to do is the number. You don't even have to click on the link. See that number right there? 1 833. I'm asking every, uh, credit union CEO, whoever made the reporting, just take that number and I would put it in your contacts. If you're like us and you have two phones, you have a personal, put it in there. That's gonna help you on Saturday, uh, when you're watching your daughter's soccer game. Just put that number in. I would save it like cyber NCUA or something. If you, if you want to be good, I would also put in the contact itself, um, your charter number to have it handy. You know, like, I have United Airlines customer service in here. I also have my, my own bus number right there in the contact, so I have it in front of me. All you need to do, if you ever, any, as long as you have access to a phone or internet, you can get this done right then and there, on the spot. Okay? I would take that number, save it to your phone, whatever phones you're going to use. Okay. And if you do click it. Next slide, please.

All right. This is it. This is the form. Okay. Quick reference guide. We acknowledge this thing as a, as a wallet card, knowing that in the scenarios we're talking about, depending on what kind of situation you have, you may not have work email. You might not be able to go find that email. What do we do? Um, you might not have access to much. So if I was the, the person in charge, either the CEO or the CIO, I would not only have this physically taped to my desk or whatever, I would have that little card, because you have the charter number in there, and that's like kind of a wallet card. Remember, we have to think about a scenario where there's no internet, no email, your system's down, that you can get this done and it's easy. Uh, I know when you have a, a, notifying NCUA is not your first priority, nor should it be. But this is an easy one to get off your to do list. I would have that, I would also take a picture of that and have it in a folder on your phone, you know, in your photos, and it's very, uh, very, very simple to do, okay? So save it in your contacts, a lot easier. Even if you didn't have the charter number, whoever decided to call, that number, we could probably live with it. Uh, you know, we're, we're Apple First Credit Union in, uh, in Wisconsin, right? Um, and especially from our perspective, am I correct? You want to know if there's a problem at a credit union, but what we, I think, really care about is all of a sudden, this morning, everything's fine. But by noon today, we got 25 calls. Something's going on. Right? A broader issue. There's always going to be some credit union out there where the local internet provider's down or what have you. A tree falls on a branch and you lose, it happened to me in my house. A tree hit the branch and I lost cable and internet for a while. That's good. We care about, is there something happening? Is there a broad issue where we at NCUA can help and say, hey, whatever you do, don't, don't, don't download that patch. It's going to make everything worse. Um, so do that. And then that number is, uh, 24 hours. Um, if you, even if you didn't have that wallet card, I'm sorry, you're going to know your own name. I don't love the reporter name and title. That refers to the credit union person who's calling it in. I don't know, like people think a reporter is a journalist, or maybe it's some expression. Anyway, reporter name and title, like, I don't know, I'm not a reporter, I'm a CIT guy, so they'll credit you. But even if you didn't have that card, and you just Googled it, remember, you're sitting there, you have your personal phone, you didn't save the contact, you're watching the kid's soccer game on Saturday, you get a call, you can get it done. In 10 seconds, you'll get no information. NCUA cyber, boom. You're going to get that number. Okay, let's try it.

AI Fraudster: NCUA cyber incident reporting. Please enter your credit union charter number. If you don't know it, it's three pounds.

Kyle Hauptman: Okay, I press three.

AI Fraudster: Please leave your name, title, phone number, credit union name, charter number, the date and time the incident was identified, and a basic description of the incident. Description should include what functions were or are reasonably believed to have been affected or if sensitive information was compromised. Please hang up once your voicemail is complete. If the NCUA requires additional information, we will contact you shortly. Thank you.

Kyle Hauptman: Alright, um, shall I leave a message? I downloaded the Todd Harper virus. What happened? What do I do? Um, anyway, that's pretty good. The only, remember, the simpler you make it, the more likely you get it. Um, and your response rate is going to be quicker, it's going to be higher. Um, I don't know if every person who calls in all, 24 hours a day, waking up in the night at the kid's soccer game would know, I don't know how well known charter numbers are in terms of knowing it. But again, we could live with it if they didn't have that, right? Remember, it says either enter your charter number, and if you don't know it, press 3, which then asks for your charter number, which you only hit 3 because you didn't know it. Right? So, uh, but I still think we could live with it. Just get the call in. It's easy. Nobody's going to ding you because you didn't remember every digit of your charter number. You're the new CTO, you just got hired last week. I walk up to them right now and ask them what their employer's charter number is, right? A lot of people won't know. But my point is, I don't want people to get hung up. Pick up the phone, call that number, it's very easy to leave it, you have done. And like it says, we'll get back to you if, uh, we need more. This is not a step, the incident reporting, a lot of people aren't doing it. Uh, they can choose not to do it if they want to, but I just want people to know that there's very little roadblock. It's very simple to do. This is not some complicated bureaucratic form where you're going to have to look up a bunch of stuff up. You can do it in your shorts and your dad's shoes on the side of the soccer game. You know, um, easy to do. Anyway, uh, I will, uh, stop there.

I just want to ask, um, the incident reporting, uh, the presentation, you showed us the incident reporting form. Where is that going to live? Just a good time to remind people.

Staff cyber2: Sure. Um, it, the, the form will live on the ncua.gov, the public website, on the cybersecurity resources webpage. Um, and, uh, it will go live in December.

Kyle Hauptman: In December.

Staff cyber2: And we will be updating the, the quick reference guide, the, the, the contact card that you mentioned earlier, um, as well as providing instructions on how to use it.

Kyle Hauptman: Sounds like a not a bad thing to also actively push out. People obviously don't check our website, and they wouldn't know that there was something new to check in the first place, right? We could push it out, see attachment, print this out, tape your, you know, desk. Um, that concludes my remarks.

Todd Harper: Uh, thank you so much. One of the things I like about everybody putting it into their contact list is it helps protect against malvertising, uh, when they do the search, um, overall. Um, I, I, I'd like to actually take your suggestion one step further. Perhaps we could update our examination guidelines that we push out that two pager, uh, to everybody at every exam and just make it a normal course of business. Physically hand it to them. Physically hand it to them. I think that that would be a great way to do it.

Um, Board Member Otsuka, you're now recognized.

Tonya Otsuka: Thank you, chair Harper.

Um, and thank you, Dave and Todd for
the briefing, um, and for your work

to keep the NC way and the credit
union system safe from cyber attacks.

Um, you know, as you mentioned during
the briefing, cyber attacks come in

all forms, ransomware attacks to ATMs,
emails, and it can affect credit unions

of all sizes. A credit union having
to pay millions of dollars to a hacker

to retrieve its own customers' data hurts
credit union members, reduces trust in the

greater system, and potentially negatively
affects the Share Insurance Fund.

So, I'm happy to support the work that
you and your team are doing to implement

the new cyber incident reporting web
form and continue to build out the

information security exam program.

Um, just want to clarify one thing.

Credit unions, um, I think it's great
that we demonstrated

how easy it is to report.

Um, can you remind us all how long
credit unions have to report, um, what

the timeframe is, um, especially seeing
as how it's so easy to do and, um, you

know, whether it's required to do so.

Staff cyber2: I'll take that question.

Uh, thank you for the question.

Uh, the credit union should report,
uh, within 72 hours from when

they reasonably believe, uh, that
there's been a cyber incident.

Tonya Otsuka: Okay, great.

And, um, what, uh, kind of what
we're looking for, right, is for

incidents at the credit union.

Are we also looking for incidents
at third parties, anything affecting

the credit unions' operations?

Yes.

Okay.

Okay.

Great.

Thank you.

Um, and, you know, I'd also be
remiss if I didn't highlight,

you know, something that Chair
Harper, I think, raised: that the, um,

needs third-party vendor authority
to fully safeguard our system of

cooperative credit from cyber threats.

I think that chart that you all presented,
um, of the percentage of, uh,

incidents involving third parties is really...

It demonstrates that that's really
where a lot of the issues are,

and I've talked to a lot of credit
unions who have had difficulties

when they have those incidents with
their third-party service providers.

Um, you know, we lack the critical
oversight of third-party vendors that our

banking agency counterparts have, um,
and I know credit unions kind of have
and I know credit unions kind of have

to turn to a lot of third-party service
providers in a lot of ways to do back

office operations, to protect data.

Um, but these third parties can also
be exploited as backdoors into

credit unions' processing systems.

Um, and so we've seen how the agency's lack
of authority and limited insight into a

critical component of the credit union
ecosystem has impacted our ability,

the ability to help credit unions
respond to credit, to, excuse me, to cyber

threats, cyber attacks in real time.

And I think.

You know, I've also, um, uh, I also
understand it hinders us, um, in

some ways from working with other
agencies to minimize vulnerabilities

in the broader financial system.

So, I just want to say, I do think
it's imperative that we continue to

work with Congress to restore this
much-needed authority to the NCUA.

Um, and before I conclude, just kind
of circling back to cyber incident

reporting more generally, you know,
I, I do think that's really great.

And I think the work that you and
your team are doing to build a more

robust program is really, really great.

Important.

Remember, you know, I think the, as a
government agency, we, I think credit

unions, of course, have responsibility
to manage their operations, to manage

their credit unions themselves,
but we have a responsibility to

make sure that they are doing so

in a safe and sound way that
protects the members, because

credit union members who are
working, who are taking
care of their families,

they don't have time or the expertise
to double-check whether their credit

union is monitoring their third-party
systems or, you know, paying attention

to the latest cyber threats that might
be happening. Credit union members,

they don't have time for that.

That is what our job is as the NCUA.

We are there to protect members
and members' hard-earned money.

And so I just want to say, thank
you to you and your team for all

the work and, uh, you know, look
forward to, um, to more to come.

So thanks.

Appreciate it.

Thank you.

Todd Harper: And thank you so much for
those observations, Board Member Otsuka.

Uh, thank you also, Todd and David,
uh, for being here, uh, for this

important briefing. That concludes
our first item of business.

Samantha: This concludes the briefing.

If your credit union could use assistance
with your exam, reach out to Mark Treichel

on LinkedIn, or at marktreichel.com.

This is Samantha Shares and
we thank you for listening.