WEBVTT

NOTE
This file was generated by Descript 

00:00:00.000 --> 00:00:02.000
Hello, this is Samantha Shares.

00:00:02.000 --> 00:00:06.800
This episode covers the N C U A
Board briefing on Cybersecurity

00:00:06.800 --> 00:00:08.800
from the October Board Meeting.

00:00:08.800 --> 00:00:12.400
The following is an audio
version of that briefing.

00:00:12.400 --> 00:00:16.000
This podcast is educational
and is not legal advice.

00:00:16.000 --> 00:00:20.000
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:20.000 --> 00:00:24.400
team has over two hundred and
forty years of National Credit

00:00:24.400 --> 00:00:25.600
Union Administration experience.

00:00:25.600 --> 00:00:31.600
We assist our clients with N C
U A so they save time and money.

00:00:31.600 --> 00:00:37.600
If you are worried about a recent,
upcoming or in process N C U A

00:00:37.600 --> 00:00:43.200
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:43.200 --> 00:00:48.800
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:48.800 --> 00:00:52.800
on how to achieve success with N C U A.

00:00:52.800 --> 00:00:56.800
And now Board action memorandum
followed by the board briefing.

00:00:57.280 --> 00:01:01.150
Samantha: Board Briefed on Cybersecurity,
New Charters, and Field of Membership

00:01:01.895 --> 00:01:03.265
Board Action Bulletin

00:01:03.930 --> 00:01:08.050
The National Credit Union Administration
Board held its seventh open meeting

00:01:08.050 --> 00:01:10.640
of 2024 and received a briefing on:

00:01:11.385 --> 00:01:15.065
Cybersecurity and the Information
Security Examination Program

00:01:15.791 --> 00:01:20.111
Employees from the NCUA's Office of
Examination and Insurance and Office of

00:01:20.111 --> 00:01:24.671
the Executive Director briefed the Board
on cybersecurity, hacking economics,

00:01:24.671 --> 00:01:29.551
cyber incident reporting, and the NCUA's
Information Security Examination program.

00:01:30.111 --> 00:01:33.601
The briefing noted that trends across
the credit union system include

00:01:33.601 --> 00:01:37.801
outages caused by ransomware attacks
and third-party service providers.

00:01:38.476 --> 00:01:43.716
Staff reported that from September
1, 2023, when the N C U A's cyber

00:01:43.716 --> 00:01:47.966
incident notification rule became
effective, through August 31 of this

00:01:47.966 --> 00:01:53.616
year, credit unions reported 1,072
cyber incidents, of which 742, nearly

00:01:53.616 --> 00:01:57.936
7 in 10, were related to the use or
involvement of a third-party vendor.

00:01:58.681 --> 00:02:02.591
âThese annual cybersecurity updates
at the N C U A Board table are an

00:02:02.591 --> 00:02:06.291
important reminder that cyberattacks
on the financial services industry,

00:02:06.651 --> 00:02:10.101
including within the credit union
system, will remain high for the

00:02:10.101 --> 00:02:12.311
foreseeable future," Chairman Harper said.

00:02:12.971 --> 00:02:17.181
âFar too often, we see that third-party
service providers are a weak link in

00:02:17.181 --> 00:02:21.431
the financial system, a danger noted
in the most recent Annual Report of the

00:02:21.431 --> 00:02:23.651
Financial Stability Oversight Council.

00:02:24.261 --> 00:02:27.801
And credit union third-party
service providers are no exception."

00:02:28.600 --> 00:02:32.220
In addition, the briefing provided
a description of what is reportable

00:02:32.220 --> 00:02:36.160
under the cyber incident reporting
rule; a status of the Information

00:02:36.160 --> 00:02:39.490
Security Examination Program,
including its strengths and

00:02:39.520 --> 00:02:43.510
opportunities for improvement; and an
update on the number of third-party

00:02:43.510 --> 00:02:45.650
provider and ransomware incidents.

00:02:46.287 --> 00:02:50.087
âThese incidents highlight significant
vulnerabilities to the $2.3

00:02:50.087 --> 00:02:54.127
trillion federally insured credit
union industry and our nation's

00:02:54.127 --> 00:02:57.777
interconnected critical financial
infrastructure," Chairman Harper said.

00:02:58.407 --> 00:03:01.237
âWe cannot afford to leave
these vulnerabilities unchecked.

00:03:01.827 --> 00:03:04.807
As such, it's everyone's
responsibility to maintain good

00:03:04.807 --> 00:03:06.977
cyber-hygiene, at home and at work."

00:03:07.785 --> 00:03:12.315
The N C U A continues to encourage credit
union staff and boards of directors to

00:03:12.315 --> 00:03:16.615
review their third-party service provider
and vendor relationships, assess and

00:03:16.615 --> 00:03:20.885
mitigate any potential risk associated
with their products and services, and

00:03:20.885 --> 00:03:24.585
strengthen their institution's cyber
vigilance and preparedness efforts.

00:03:25.245 --> 00:03:28.785
Chairman Harper noted in his remarks
that a Letter to Credit Unions was

00:03:28.815 --> 00:03:32.715
issued earlier this week that provides
boards of directors guidance on their

00:03:32.715 --> 00:03:37.075
roles and responsibilities for ensuring
their credit union's cyber defenses.

00:03:37.799 --> 00:03:42.359
The N C U A's Cyber Incident Notification
Requirements rule

00:03:42.359 --> 00:03:46.209
requires a federally insured credit
union that experiences a reportable

00:03:46.209 --> 00:03:50.869
cyber incident to report the incident
to the NCUA as soon as possible and no

00:03:50.869 --> 00:03:54.959
later than 72 hours after the credit
union reasonably believes that it

00:03:54.959 --> 00:03:57.409
experienced a reportable cyber incident.

00:03:58.111 --> 00:04:02.361
To report a cyber incident, credit
unions may contact the N C U A by

00:04:02.361 --> 00:04:11.941
calling 1.833.CYBERCU (1.833.292.3728)
or by using the NCUA's Secure Email

00:04:11.941 --> 00:04:16.991
Message Center to
send a secure email to cybercu@ncua.gov.

00:04:17.787 --> 00:04:21.847
Cybersecurity-related information,
including regulations, guidance,

00:04:21.927 --> 00:04:25.357
and resources to help protect
credit unions and their members from

00:04:25.357 --> 00:04:30.077
cyberthreats, is available on the
NCUAâs cybersecurity resources webpage.

00:04:30.860 --> 00:04:34.140
And now the N C U A Board in their
own voice and words from the

00:04:34.140 --> 00:04:35.870
public recording of the briefing.

00:04:36.147 --> 00:04:37.197
Todd Harper: Good morning everyone.

00:04:37.197 --> 00:04:39.607
I call this meeting of
the NCUA Board to order.

00:04:40.307 --> 00:04:43.467
In addition to those joining us in
the boardroom, I want to note for the

00:04:43.467 --> 00:04:48.237
record that today's meeting is open
to the public through a live webcast.

00:04:48.617 --> 00:04:51.197
Before we begin our business,
I understand that Board Member

00:04:51.197 --> 00:04:52.727
Otsuka has some brief remarks.

00:04:53.727 --> 00:04:54.527
Tonya Otsuka: Thanks, chair Harper.

00:04:54.967 --> 00:04:59.897
I just wanted to say thank you to you
and the vice chair and the NCUA staff

00:05:00.327 --> 00:05:05.107
for their well wishes as I welcome the
newest addition to my family last month.

00:05:05.467 --> 00:05:07.397
Everybody has been really
kind and supportive.

00:05:07.397 --> 00:05:09.587
So I just wanted to thank
you all appreciate it.

00:05:10.587 --> 00:05:15.947
Todd Harper: Uh, so we certainly welcome
the news of her arrival here at the NCUA

00:05:15.957 --> 00:05:18.917
and wish you well in all the weeks ahead.

00:05:19.237 --> 00:05:22.717
I know it takes adjustment
with a newborn in the house.

00:05:23.137 --> 00:05:25.317
I just want to say this, if I may.

00:05:25.517 --> 00:05:29.767
In life, may Zoe have an open mind,
a caring heart, and a generous soul.

00:05:30.117 --> 00:05:32.317
May she also read often and learn much.

00:05:32.887 --> 00:05:36.727
Additionally, I see a credit
union account in Zoe's future.

00:05:37.027 --> 00:05:41.227
Uh, after all, I learned important
lessons about budgeting,

00:05:41.227 --> 00:05:44.337
saving, and compound interest
from the mom and dad credit union

00:05:44.337 --> 00:05:46.117
when I was just seven years old.

00:05:46.387 --> 00:05:48.847
I'm sure that you're going to
do the same with your family.

00:05:49.067 --> 00:05:52.597
With that, let me pause and see if
the vice chairman has any words.

00:05:52.717 --> 00:05:52.927
Uh,

00:05:52.927 --> 00:05:56.807
Kyle Hauptman: Well, I would add that, um,
at Halloween, they get a bunch of candy.

00:05:57.487 --> 00:05:59.247
Reach in, grab 40%.

00:05:59.277 --> 00:06:00.637
They'll also learn about taxes.

00:06:01.637 --> 00:06:03.797
I know it's your second try.

00:06:03.837 --> 00:06:09.057
The biggest change in someone's life
is when they go from zero to one trial.

00:06:10.057 --> 00:06:13.257
Staff Cyber1: As I said, Todd
Finkler and Dave Mateo here to

00:06:13.257 --> 00:06:14.697
talk about the cybersecurity brief.

00:06:14.757 --> 00:06:15.707
Next slide, please.

00:06:16.707 --> 00:06:17.647
So we'll be talking about

00:06:17.707 --> 00:06:19.137
Todd Harper: I think we
need to load the slides.

00:06:20.137 --> 00:06:20.947
Kyle Hauptman: Is he getting slides?

00:06:21.397 --> 00:06:21.917
Yes, he is.

00:06:22.467 --> 00:06:22.777
Okay.

00:06:23.777 --> 00:06:24.347
Staff Cyber1: There we go.

00:06:25.347 --> 00:06:25.687
Perfect.

00:06:25.777 --> 00:06:26.587
Next slide, please.

00:06:27.587 --> 00:06:28.207
Unknown: Next slide.

00:06:28.377 --> 00:06:28.457
Staff Cyber1: We

00:06:29.457 --> 00:06:30.647
Kyle Hauptman: should
give these guys a clicker.

00:06:31.487 --> 00:06:32.007
That's easier.

00:06:33.007 --> 00:06:33.287
Yeah.

00:06:33.477 --> 00:06:35.667
Staff Cyber1: Sometimes
you have to go back to one.

00:06:35.737 --> 00:06:36.117
Right.

00:06:36.217 --> 00:06:36.437
Yeah.

00:06:37.437 --> 00:06:40.037
Um, so what we're going to be talking
about is, uh, I'm going to talk about

00:06:40.047 --> 00:06:44.297
hacking economics, uh, and then we're
going to cover, uh, some free resources

00:06:44.297 --> 00:06:47.927
for the credit unions to help them, uh,
manage the risks that they're coming

00:06:47.927 --> 00:06:51.057
in with cyber, um, and then Dave gets
to do the fun stuff and looking at

00:06:51.057 --> 00:06:54.927
the data from the credit union, uh,
cyber incident reports, uh, as well

00:06:54.927 --> 00:06:56.747
as the information security exam.

00:06:56.987 --> 00:06:57.757
Next slide, please.

00:06:58.757 --> 00:07:03.257
So hacking economics, I like to think of,
uh, when you look at the cyber security

00:07:03.427 --> 00:07:08.067
environment, what we have going on is
we have a maturation of the environment.

00:07:08.097 --> 00:07:12.697
So five years ago, if you looked at
the great, you know, great, a sense, I

00:07:12.697 --> 00:07:17.187
guess, bad hackers or cyber adversaries,
what you would see is primarily

00:07:17.187 --> 00:07:18.997
nation state actors.

00:07:19.257 --> 00:07:23.127
Now what you're seeing is, is that
the organized crime has gotten into

00:07:23.127 --> 00:07:26.137
the business, um, and they're running
this as a business, and so they're

00:07:26.137 --> 00:07:27.757
becoming very professional at that.

00:07:27.767 --> 00:07:31.207
So the way I look at these things, and
so these are actually five, four, four

00:07:31.207 --> 00:07:34.777
trends that we're seeing across the
financial sector, uh, that are prominent.

00:07:35.087 --> 00:07:37.887
Um, and the reasoning behind
these four trends is because there's

00:07:37.887 --> 00:07:39.247
a great return on investment.

00:07:39.257 --> 00:07:42.247
So I'm gonna talk about each of these
relative to that return on investment.

00:07:42.657 --> 00:07:44.587
So the first one is
third party exploitation.

00:07:44.597 --> 00:07:48.187
So if I have to come up with one
exploit, what a great way for me to get

00:07:48.197 --> 00:07:52.007
access to a lot of companies because
I only need to attack one vendor.

00:07:52.322 --> 00:07:56.232
Um, and now I've got access to all the
people, the customers that they service.

00:07:56.632 --> 00:07:58.472
Um, so great return on investment there.

00:07:58.482 --> 00:08:02.322
For web applications, all I need is a
laptop and an internet connection, and I

00:08:02.322 --> 00:08:06.982
can start attacking those web applications
without any real restrictions.

00:08:07.252 --> 00:08:09.952
Um, and so it's a target that's intended to

00:08:09.972 --> 00:08:13.762
be open anyway, so it just makes
it easier for you to do the job.

00:08:14.142 --> 00:08:17.672
Um, and so again, return on
investment there is, is high.

00:08:18.342 --> 00:08:22.792
The third trend that has been consistent
for years now is social engineering.

00:08:23.462 --> 00:08:25.962
Forget all the expertise that I
needed to actually do an attack.

00:08:25.982 --> 00:08:27.972
I just need to figure out
how to attack people, right?

00:08:28.012 --> 00:08:30.362
And so I just need to trick them
into giving me the information

00:08:30.362 --> 00:08:32.162
so I can get into the networks.

00:08:32.522 --> 00:08:35.372
And then the fourth trend that
we're seeing is a tremendous

00:08:35.372 --> 00:08:36.332
amount of ransomware.

00:08:36.702 --> 00:08:39.732
And the idea here is there's two
things I can do with data that I steal.

00:08:40.262 --> 00:08:42.482
I could either hold it over someone's
head and get an immediate, uh,

00:08:42.652 --> 00:08:45.912
payment back on it, or I could turn
around and try to sell it on the dark
around and try to sell it on the dark

00:08:45.912 --> 00:08:48.372
web, which makes it a little bit more
challenging and a little bit uglier,

00:08:48.392 --> 00:08:52.012
so it's easier for them to do a ransom
attack for the return on investment.

00:08:52.822 --> 00:08:53.652
Next slide, please.

00:08:54.652 --> 00:08:59.682
So, extremely complex environment,
and, and it is, it is a hard job to do.

00:08:59.992 --> 00:09:04.292
Um, I was once, uh, uh, I did
once, uh, um, signals intelligence.

00:09:04.292 --> 00:09:06.032
I was in signals intelligence for a while.

00:09:06.322 --> 00:09:08.762
Um, and, and I switched
over to the defensive side.

00:09:08.762 --> 00:09:10.432
And it, it is definitely a hard job to do.

00:09:10.432 --> 00:09:13.142
And so what, what I try to think
of when we do cybersecurity is

00:09:13.142 --> 00:09:16.522
to help folks try to prioritize
their limited amount of resources.

00:09:16.522 --> 00:09:16.902
Next slide, please.

00:09:16.962 --> 00:09:19.772
Um, because you're never, and
there's going to be an attack.

00:09:19.972 --> 00:09:22.482
And so the question is, and there's
not an infinite amount of resources,

00:09:22.482 --> 00:09:25.642
you can't spend all your money to,
uh, protecting the, the, the data.

00:09:25.672 --> 00:09:29.852
So, so really the question is, is how
can you best mitigate those, those risks?

00:09:30.242 --> 00:09:33.362
Um, and so what, what I like to find
is, uh, uh, for credit unions that

00:09:33.372 --> 00:09:36.232
are struggling with those resources,
let's find resources that the

00:09:36.232 --> 00:09:39.022
government already understands there's
a problem here and is providing free

00:09:39.022 --> 00:09:41.012
services that they can use today.

00:09:41.532 --> 00:09:42.932
So I'd like to cover some of those.

00:09:43.382 --> 00:09:47.742
The first one is a group of resources
that are provided by the Cybersecurity and

00:09:47.742 --> 00:09:50.132
Critical Infrastructure Agency, or CISA.

00:09:50.872 --> 00:09:53.632
And they provide four resources
I want to talk about briefly.

00:09:53.632 --> 00:09:56.662
One is Regional Cybersecurity Expert.

00:09:57.007 --> 00:10:00.567
Um, you can get, uh, get in
touch with them and, uh, build

00:10:00.567 --> 00:10:01.577
a relationship with them.

00:10:01.577 --> 00:10:04.767
They can help you with problems
that you, you're having, questions

00:10:04.767 --> 00:10:05.947
you have on prioritizations.

00:10:06.217 --> 00:10:09.047
If you have a, uh, cyber attack,
they can help you through

00:10:09.047 --> 00:10:10.007
that, walk you through that.

00:10:10.037 --> 00:10:13.367
They can do tabletop exercises and point
you to all the other references that

00:10:13.367 --> 00:10:17.197
I'm, or resources I'm talking about
within CISA and even outside CISA.

00:10:17.467 --> 00:10:20.667
It's great to build a relationship
now, uh, costs you nothing.

00:10:20.917 --> 00:10:24.007
The second one, I really like this
one because it's a big deal with, with

00:10:24.007 --> 00:10:25.927
being ex uh, exposed on the internet.

00:10:26.107 --> 00:10:30.277
It's called cyber hygiene, and it does an
automated, uh, vulnerability scanning on

00:10:30.277 --> 00:10:33.037
your external-facing IP addresses.

00:10:33.127 --> 00:10:36.357
And where that helps you with the
prioritization is you can see where

00:10:36.357 --> 00:10:40.407
you're exposed because you get a
weekly report, uh, based on the,

00:10:40.407 --> 00:10:41.727
the automated scans that you see.

00:10:41.727 --> 00:10:44.877
And you could try to prioritize
those based on those, those, uh,

00:10:44.907 --> 00:10:46.857
vulnerabilities that you have exposed.

00:10:47.267 --> 00:10:51.277
Um, the, the only thing I've seen people
hesitate to do this is their fear of

00:10:51.277 --> 00:10:52.777
giving information to the government.

00:10:52.797 --> 00:10:55.997
But last year, CISA told us about
three weeks ago, CISA said there was

00:10:55.997 --> 00:10:59.247
a law passed last year that stops
them from sharing that information

00:10:59.247 --> 00:11:00.857
unless it's anonymized and aggregated.

00:11:01.397 --> 00:11:05.717
Um, so they can't even share it within
different, uh, compartments of, of CISA.

00:11:05.717 --> 00:11:08.237
So I think this is a, is a
great opportunity for people

00:11:08.237 --> 00:11:10.287
to leverage if they're, if
they're not already doing this.

00:11:10.637 --> 00:11:14.377
The third thing they, they, they provide
is known exploited vulnerabilities.

00:11:14.637 --> 00:11:17.617
So if you're, if you've heard of
common vulnerabilities and exposure,

00:11:17.617 --> 00:11:21.807
CVEs, um, it's a way to publish
vulnerabilities in software as well

00:11:21.807 --> 00:11:25.117
as hardware to let the community
know where they need to fix things.

00:11:25.377 --> 00:11:28.717
Um, last year in 2023,
there's about 29,000 of them.

00:11:28.727 --> 00:11:33.877
This year, already in August, there's
over 34,000 of them, um, as per ARGUS.

00:11:33.877 --> 00:11:37.157
So what CISA does is not all
of them are actually exploited.

00:11:37.447 --> 00:11:40.037
So CISA looks in, in the
environment to look at exploits.

00:11:40.832 --> 00:11:43.892
And then it finds the ones that are
actually being used and puts those

00:11:43.892 --> 00:11:47.982
on a special list to give you a
priority list of things to take care

00:11:47.982 --> 00:11:49.512
of, so take care of those first.

00:11:50.182 --> 00:11:55.802
They also offer automated
information feeds that they

00:11:55.812 --> 00:11:57.472
do as well as Treasury does.

00:11:57.472 --> 00:11:59.282
Theirs is focused on the
critical infrastructure.

00:11:59.652 --> 00:12:02.532
Whereas the Treasury is focused
just on the financial sector.

00:12:03.102 --> 00:12:05.342
So, moving to Treasury, I already
talked about their automated

00:12:05.342 --> 00:12:07.172
threat information feed.

00:12:07.182 --> 00:12:10.512
They also have an interesting feed
where, that you can get, they will pay

00:12:10.512 --> 00:12:13.402
for a clearance for a member of your
organization, for critical infrastructure

00:12:13.402 --> 00:12:17.492
organizations, to get cleared and be
able to come to the T Suite, which is a

00:12:17.502 --> 00:12:19.882
secure compartmented information facility.

00:12:20.282 --> 00:12:24.142
And they can see classified intelligence
threats, uh, in that facility and

00:12:24.142 --> 00:12:27.927
talk with other, Uh, you know, other
parties on what threats are out there

00:12:27.947 --> 00:12:30.297
to help, uh, prioritize their resources.

00:12:30.847 --> 00:12:36.057
Um, in addition to that, U.S.
Cyber Command has the, uh, something
called under advisement, a cover term.

00:12:36.417 --> 00:12:39.727
Um, and under advisement, what the
focus is, is to help right now the

00:12:39.727 --> 00:12:43.927
largest of credit unions to get
unclassified threat intelligence feeds.

00:12:44.237 --> 00:12:47.307
Um, and they're working to get the
resources to expand that program to the

00:12:47.307 --> 00:12:48.487
rest of the critical infrastructure.

00:12:48.537 --> 00:12:56.562
Todd Harper: And before we leave
this slide, where can people find
this on our website, or what websites
can they go to?

00:12:56.582 --> 00:12:57.962
Staff Cyber1: That is a great question.

00:12:57.962 --> 00:13:01.232
So I have all the resources and
we're working to update our website

00:13:01.232 --> 00:13:05.162
to contain that underneath the cyber
security references and resources page.

00:13:06.162 --> 00:13:08.292
So this is all I have on here and
I'm gonna pass it over to David

00:13:08.292 --> 00:13:10.392
to talk about the fun stuff,
the data that we've been seeing.

00:13:10.737 --> 00:13:11.507
Next slide, please.

00:13:12.507 --> 00:13:12.797
Staff cyber2: All right.

00:13:12.847 --> 00:13:13.497
Thank you, Todd.

00:13:13.777 --> 00:13:16.297
Uh, good morning, Chairman, uh,
Harper, Vice Chairman Hauptman,

00:13:16.297 --> 00:13:17.277
and Board Member Otsuka.

00:13:17.787 --> 00:13:21.197
Um, early in the presentation, Todd
spoke about the broader cybersecurity

00:13:21.197 --> 00:13:25.087
landscape, and now I will talk about
the top trends that we are seeing

00:13:25.087 --> 00:13:28.887
from the incidents credit union
reported to us in the last year.

00:13:29.727 --> 00:13:34.037
So ransomware attacks and business
email compromises are not unique to

00:13:34.037 --> 00:13:39.057
credit unions and are consistent across
all critical infrastructure sectors.

00:13:40.057 --> 00:13:44.657
Uh, we're also seeing outages caused
by third party providers and attacks

00:13:44.677 --> 00:13:46.847
against the security of ATMs.

00:13:47.367 --> 00:13:50.557
In the next few slides, I hope
to provide some additional

00:13:50.557 --> 00:13:52.347
detail about each of these areas.

00:13:52.937 --> 00:13:53.677
Next slide, please.

00:13:54.677 --> 00:14:00.907
Between September 1st of 2023 and
August 31st of 2024, that's the first

00:14:00.907 --> 00:14:05.787
year since the Cyber Incident Reporting
Rule, uh, we received over 1,000

00:14:05.787 --> 00:14:10.587
incident reports to our Cyber, uh,
Incident Credit Union Reporting System.

00:14:11.072 --> 00:14:12.982
Also, affectionately known as SICRS.

00:14:13.812 --> 00:14:18.772
The upper left pie on this slide
represent incident reports about

00:14:18.772 --> 00:14:25.122
ransomware, business email compromise,
ATM tampering and fraud, and a

00:14:25.122 --> 00:14:29.912
combination of other things such
as person to person transfers, wire

00:14:29.922 --> 00:14:31.962
fraud, and BIN attacks on debit cards.

00:14:32.962 --> 00:14:37.802
Nearly 70 percent of all incident
reports are related to third party

00:14:37.802 --> 00:14:43.192
service provider and the 742 third
party incidents, you know, do not

00:14:43.192 --> 00:14:46.952
represent a one to one relationship
with credit union incidents, but

00:14:46.952 --> 00:14:49.412
represent 13 specific events.

00:14:50.012 --> 00:14:53.012
And it's important to note
that one service provider

00:14:53.012 --> 00:14:55.202
event can and has impacted two,

00:14:55.552 --> 00:14:56.712
many credit unions.

00:14:57.532 --> 00:14:58.372
Next slide, please.

00:14:59.372 --> 00:15:04.832
Ransomware attacks are quite common and
are increasingly problematic because

00:15:04.832 --> 00:15:10.362
they often result in some form of loss
of availability, data integrity, or

00:15:10.392 --> 00:15:12.332
confidentiality of member information.

00:15:13.102 --> 00:15:16.072
Uh, the credit union reporting
trends about ransomware are

00:15:16.102 --> 00:15:19.562
the same as the overall U.S.
financial sector reporting.

00:15:20.532 --> 00:15:24.922
According to the FBI's Internet Crime
Complaint Center 2023 Annual Report,

00:15:25.367 --> 00:15:28.137
the financial service sector
is the fifth most targeted

00:15:28.187 --> 00:15:29.677
critical infrastructure sector.

00:15:30.307 --> 00:15:35.337
And ransom demands are on average between
one and ten million dollars with payment

00:15:35.567 --> 00:15:37.227
most typically demanded in Bitcoin.

00:15:38.227 --> 00:15:43.467
To prepare against ransomware, credit
unions should maintain offline encrypted

00:15:43.487 --> 00:15:50.107
backups of critical data, must implement
zero trust architecture, create, maintain,

00:15:50.117 --> 00:15:55.147
and regularly exercise a basic cyber
incident response plan and the associated

00:15:55.147 --> 00:15:59.247
communications plan that includes
response and notification procedures,

00:15:59.717 --> 00:16:04.927
and ensure that they have a plan for
resiliency of continuity of operations

00:16:05.237 --> 00:16:07.107
in the event of a ransomware attack.

00:16:08.107 --> 00:16:12.217
It is important to know that paying
a ransom could violate the Office

00:16:12.217 --> 00:16:14.007
of Foreign Assets Control sanctions.

00:16:14.437 --> 00:16:16.277
And lead to enforcement actions.

00:16:17.277 --> 00:16:20.247
Planning to pay a ransom is
not a plan for resiliency.

00:16:21.247 --> 00:16:22.087
Next slide please.

00:16:23.087 --> 00:16:26.227
Anyone with an email account, as
Todd mentioned earlier, is vulnerable

00:16:26.247 --> 00:16:27.987
to phishing and social engineering.

00:16:28.377 --> 00:16:31.287
And these methods can often
lead to credential theft and

00:16:31.287 --> 00:16:32.477
business email compromise.

00:16:33.047 --> 00:16:37.207
Business email compromises remain a
viable tactic in the financial sector.

00:16:37.722 --> 00:16:43.122
And make up 29 percent of the 330
non-vendor-related credit union incident

00:16:43.162 --> 00:16:44.932
reports that I showed earlier.

00:16:45.932 --> 00:16:51.462
ATM incidents include skimming and
shimming, which result in the unauthorized

00:16:51.462 --> 00:16:53.812
capture of card and PIN information.

00:16:54.672 --> 00:16:58.732
And number two, exploits of
ATM hardware and software

00:16:59.142 --> 00:17:01.612
that result in jackpotting
withdrawal limits.

00:17:02.612 --> 00:17:08.242
These sophisticated forms of financial
fraud represent 36 percent of the 330

00:17:08.242 --> 00:17:11.592
credit union incident reports, uh,
that I mentioned earlier, excluding

00:17:11.602 --> 00:17:13.002
the third party cyber incidents.

00:17:14.002 --> 00:17:17.462
But additionally, I want to mention
that we have seen a rise in the takeover

00:17:17.462 --> 00:17:19.822
of member service toll free numbers.

00:17:20.512 --> 00:17:23.912
Um, and credit unions should
add measures to their accounts

00:17:24.512 --> 00:17:28.362
to prevent telecommunication companies
from being duped by fraudsters.

00:17:29.362 --> 00:17:33.292
Lastly, uh, bad actors
exploit vulnerabilities,

00:17:33.412 --> 00:17:34.822
especially unpatched ones.

00:17:35.592 --> 00:17:39.662
So credit unions should move quickly
once issues are identified and

00:17:39.662 --> 00:17:43.472
remediate critical vulnerabilities
after any patches are issued.

00:17:44.472 --> 00:17:45.322
Next slide, please.

00:17:46.322 --> 00:17:49.842
Information sharing is critical to
protecting the credit union system

00:17:49.842 --> 00:17:53.752
and the shared insurance fund, and
information received may allow us

00:17:53.752 --> 00:17:55.562
to proactively alert credit unions.

00:17:56.562 --> 00:17:59.792
We have noticed that credit
unions might not be reporting all

00:17:59.792 --> 00:18:01.712
incidents that require notification.

00:18:02.612 --> 00:18:08.552
NCUA sometimes finds out about incidents
through news reports or social media, at

00:18:08.552 --> 00:18:12.692
which time we may reach out to the credit
union and request incident information.

00:18:13.692 --> 00:18:18.812
For example, uh, during a July IT
outage, uh, that disrupted vital member

00:18:18.812 --> 00:18:23.282
services across the globe, NCUA received
only 16 reports from credit unions.

00:18:24.282 --> 00:18:28.192
Also, credit unions should provide
incident updates as information

00:18:28.192 --> 00:18:31.932
becomes known throughout the
entire lifespan of the incident.

00:18:32.932 --> 00:18:37.402
The NCUA may also reach out to credit
unions or named incident contacts whenever

00:18:37.402 --> 00:18:39.212
we require additional information.

00:18:40.212 --> 00:18:45.172
We also encourage credit unions to form
relationships with their FBI field office

00:18:45.842 --> 00:18:47.672
before an incident occurs.

00:18:48.602 --> 00:18:53.272
And also, any legal representation
agreements should not preclude or prohibit

00:18:53.312 --> 00:18:55.152
anyone from working with law enforcement.

00:18:56.082 --> 00:18:56.952
Next slide please.

00:18:57.952 --> 00:19:01.702
Last September marked the one year
since implementation of the NCUA

00:19:01.712 --> 00:19:03.152
Cyber Incident Reporting Rule.

00:19:03.732 --> 00:19:08.822
As a reminder, this slide outlines the
definition of a reportable incident

00:19:08.832 --> 00:19:10.662
that must be reported to NCUA.

00:19:10.662 --> 00:19:14.432
I want to provide some examples
of, uh, reportable incidents.

00:19:15.432 --> 00:19:19.072
So, for example, if a federally insured
credit union becomes aware that

00:19:19.072 --> 00:19:25.607
sensitive data is
modified or destroyed, or if the

00:19:25.607 --> 00:19:30.627
integrity of a network or member
information system is compromised, right?

00:19:30.897 --> 00:19:33.937
There are many technical
reasons why a service may not

00:19:33.937 --> 00:19:35.597
be available at any given time.

00:19:35.997 --> 00:19:39.147
For example, when a computer
server is offline for maintenance

00:19:39.657 --> 00:19:41.347
or a system is being updated.

00:19:42.137 --> 00:19:45.887
Such events are routine and thus
would not be reportable to the NCUA.

00:19:46.887 --> 00:19:51.677
A distributed denial of service attack
that disrupts member accounts access

00:19:51.707 --> 00:19:54.292
and leads to substantial system

00:19:54.292 --> 00:19:56.632
outage is something that is reportable.

00:19:57.062 --> 00:20:02.302
However, events such as blocked phishing
attempts, failed attempts to gain

00:20:02.302 --> 00:20:07.342
access to a system or unsuccessful
malware attacks would not be reportable.

00:20:08.342 --> 00:20:12.752
The credit union should report when a
third party service provider informs

00:20:12.752 --> 00:20:17.072
the credit union, that the credit union
sensitive data or business operations

00:20:17.282 --> 00:20:19.172
have been compromised or disrupted.

00:20:19.687 --> 00:20:22.587
As a result of a cyber incident
experienced by that third party

00:20:22.587 --> 00:20:26.997
service provider or upon the
credit union forming a reasonable

00:20:26.997 --> 00:20:28.297
belief that that has occurred.

00:20:29.297 --> 00:20:32.017
If you are not sure about
whether to report or not,

00:20:32.477 --> 00:20:33.737
we ask you to please report.

00:20:34.737 --> 00:20:35.547
Next slide please.

00:20:36.547 --> 00:20:41.677
Soon, uh, we will be rolling out a
new web based cyber incident reporting

00:20:41.677 --> 00:20:44.647
form that will help simplify reporting.

00:20:45.257 --> 00:20:48.467
We will provide updated instructions
and a quick reference guide.

00:20:48.902 --> 00:20:52.642
And the web form will complement
the other existing reporting

00:20:52.652 --> 00:20:54.892
methods, voicemail and email.

00:20:55.892 --> 00:21:01.542
NCUA and the Cybersecurity Infrastructure
Security Agency, CISA, met in August to

00:21:01.542 --> 00:21:04.182
discuss the Notice of Approval rulemaking.

00:21:04.687 --> 00:21:08.897
Uh, that, uh, comments that were
received either from credit unions

00:21:08.917 --> 00:21:13.637
or about credit unions, um, uh,
in regards to the Cyber Incident

00:21:13.697 --> 00:21:17.387
Reporting for Critical Infrastructure
Act, commonly known as CIRCIA.

00:21:18.387 --> 00:21:23.297
NCUA remains committed to working
with CISA to find the best and least

00:21:23.307 --> 00:21:27.827
burdensome way For credit union incident
report information to make it to CISA.

00:21:28.577 --> 00:21:32.347
The new web form I mentioned will
help us capture the information

00:21:32.357 --> 00:21:34.217
that CISA is interested in.

00:21:35.177 --> 00:21:38.557
And we will continue to collaborate
with other federal agencies to ensure

00:21:38.557 --> 00:21:43.377
awareness of best practices across the
financial sector, share information, and

00:21:43.377 --> 00:21:45.127
minimize the burden to credit unions.

00:21:45.812 --> 00:21:46.372
Next slide.

00:21:47.372 --> 00:21:53.212
Since the implementation in early 2023,
examiners have completed nearly 2,400

00:21:53.212 --> 00:21:58.992
information security examination
assessments, also known as ISE.

00:21:59.872 --> 00:22:06.212
From those nearly 2,400 assessments, we
have found that smaller institutions, and

00:22:06.212 --> 00:22:08.282
those are, you know, 50 million or less,

00:22:08.912 --> 00:22:13.652
are doing well in terms of critical
cyber security controls, such as

00:22:13.682 --> 00:22:19.122
implementing antivirus and anti malware
protections, patching critical systems

00:22:19.152 --> 00:22:21.832
and applications, and access controls.

00:22:22.512 --> 00:22:27.682
Additionally, more than 93 percent of
them maintain backup and recovery plans

00:22:27.912 --> 00:22:29.612
for critical systems and services.

00:22:30.612 --> 00:22:33.982
For credit unions greater than
50 million in assets, they're

00:22:33.982 --> 00:22:38.082
doing well in maintaining board
approved policies and procedures and

00:22:38.102 --> 00:22:40.292
implementing network security controls,

00:22:40.672 --> 00:22:44.402
such as firewalls and intrusion
prevention systems, as well as

00:22:44.402 --> 00:22:47.772
cybersecurity controls, such
as antivirus and anti malware.

00:22:48.532 --> 00:22:49.162
Next slide.

00:22:50.162 --> 00:22:54.462
When we look at the exams, the three
areas with the most opportunities

00:22:54.462 --> 00:22:58.252
for improvement, the three areas
with the most opportunities for

00:22:58.252 --> 00:23:03.632
improvement are information security
risk assessments, business continuity

00:23:03.632 --> 00:23:06.747
programs, and incident response programs.

00:23:07.517 --> 00:23:08.237
Staff Cyber1: I think
we need to catch up on.

00:23:08.237 --> 00:23:10.247
No, we we're actually,
we're, we're caught up.

00:23:10.607 --> 00:23:10.757
Oh, good.

00:23:10.847 --> 00:23:11.057
Thanks.

00:23:12.057 --> 00:23:12.477
Staff cyber2: No worries.

00:23:12.827 --> 00:23:17.927
Uh, the next group of opportunities for
improvements include awareness training,

00:23:18.217 --> 00:23:22.567
security program policies, governance,
and third party risk management.

00:23:23.077 --> 00:23:27.907
Uh, we encourage credit unions of
all sizes to focus on increasing

00:23:27.907 --> 00:23:29.737
their maturity in these areas.

00:23:30.737 --> 00:23:34.607
And lastly, since credit unions
rely heavily on third parties for

00:23:34.607 --> 00:23:36.937
a variety of services and products.

00:23:37.457 --> 00:23:39.907
They are more vulnerable
to cybersecurity threats.

00:23:40.797 --> 00:23:44.687
Risks can be mitigated with more
comprehensive information about

00:23:44.687 --> 00:23:46.487
these third party service providers.

00:23:47.257 --> 00:23:47.867
Next slide.

00:23:48.867 --> 00:23:54.977
I want to bring your attention to the
NCUA Letter to Credit Unions 24 CU 02

00:23:55.487 --> 00:24:00.907
that was published on Monday, October
21st of 2024 about the need for boards

00:24:00.907 --> 00:24:05.537
of directors to remain focused on
managing cyber risks and ensuring the

00:24:05.537 --> 00:24:07.767
credit union has the necessary resources.

00:24:08.432 --> 00:24:12.772
to maintain an effective cybersecurity
program that aligns with its products,

00:24:13.002 --> 00:24:14.912
its services, and its risk profile.

00:24:15.592 --> 00:24:19.462
Boards should engage in ongoing
education about current cybersecurity

00:24:19.462 --> 00:24:21.582
threats, trends, and best practices.

00:24:22.582 --> 00:24:25.582
Um, and the board members do not
need to be technical experts.

00:24:25.772 --> 00:24:29.312
They must know enough cybersecurity
to provide effective oversight

00:24:29.692 --> 00:24:33.322
and direction for their executive
teams and subject matter experts.

00:24:34.322 --> 00:24:36.632
Credit union boards of
directors must approve and

00:24:36.632 --> 00:24:40.322
regularly review a comprehensive
information security program

00:24:40.632 --> 00:24:45.752
that meets the requirements of Part
748 of the NCUA regulations, which

00:24:45.752 --> 00:24:49.172
include risk assessments, security
controls, and incident plans.

00:24:50.172 --> 00:24:54.112
The Credit Union Board should set clear
expectations for management about the

00:24:54.122 --> 00:24:58.372
due diligence of third party vendors
with respect to information security,

00:24:58.752 --> 00:25:04.322
ensure that cybersecurity is a core value
within the Credit Union, and influencing

00:25:04.322 --> 00:25:08.812
decision making at all levels, and
provide periodic information security

00:25:08.812 --> 00:25:14.537
education, um.

00:25:14.537 --> 00:25:18.632
And it's kind of interesting to think
about what we do for the short term.

00:25:18.632 --> 00:25:21.908
So just, just, um, look at,
you know, what was the budget.

00:25:21.908 --> 00:25:26.277
And then kind of, um, what kind of,
led to what happened, um, so, look at,

00:25:26.277 --> 00:25:30.100
you know, what is the fiscal burden
on, on, you know, the cancer risk.

00:25:30.100 --> 00:25:31.192
Have a great day.

00:25:32.192 --> 00:25:34.782
or systems that can be
utilized during an audit.

00:25:35.782 --> 00:25:36.372
Next slide.

00:25:37.372 --> 00:25:41.722
The Federal Financial Institutions
Examination Council at the FFIEC

00:25:42.342 --> 00:25:46.442
recently announced the sunsetting
of its cyber security assessment

00:25:46.452 --> 00:25:50.332
tool, the CAT, on August 31st, 2025.

00:25:51.182 --> 00:25:57.032
While that decision impacts the broader
financial services industry, NCUA's

00:25:57.082 --> 00:26:01.452
Automated Cybersecurity Examination
Tool, commonly known as ACET, will

00:26:01.452 --> 00:26:05.702
continue to be supported and will remain
available for use by credit unions.

00:26:06.702 --> 00:26:11.402
The NCUA will ensure the ACET
remains relevant and current with

00:26:11.402 --> 00:26:13.102
the evolving cybersecurity landscape.

00:26:13.702 --> 00:26:17.502
We are planning updates to the
ACET content to align with new

00:26:17.522 --> 00:26:21.402
standards and frameworks, such as the
National Institute of Standards and

00:26:21.402 --> 00:26:24.322
Technology Cybersecurity Framework 2.0

00:26:24.322 --> 00:26:28.382
and the CISA Cybersecurity
Performance Goals.
Performance Goals.

00:26:29.242 --> 00:26:34.632
These updates will ensure that the ACET
continues to meet credit union needs in

00:26:34.632 --> 00:26:36.822
assessing their cybersecurity stance.

00:26:37.692 --> 00:26:41.532
We are very encouraged by seeing
that the ACET has been downloaded

00:26:42.032 --> 00:26:44.212
nearly 8,000 times in the last year.

00:26:45.212 --> 00:26:45.772
Next slide.

00:26:46.772 --> 00:26:50.062
As a reminder, there are several
resources available on NCUA's

00:26:50.082 --> 00:26:54.367
website and we have a dedicated
Cybersecurity Resources page. Next slide.

00:26:54.717 --> 00:26:58.327
That includes guidance, tools,
and links to federal programs.

00:26:59.297 --> 00:27:02.817
That concludes our remarks, and we'd be
happy to answer any questions for you.

00:27:03.527 --> 00:27:07.247
Todd Harper: Um, thank you, uh, Todd
and Dave for that informative briefing.

00:27:07.247 --> 00:27:11.877
I know that for a number of years we've
been having these at least once annually.

00:27:12.217 --> 00:27:15.617
Um, this briefing by far is
the most informative briefing

00:27:15.627 --> 00:27:17.497
that we've had on this topic.

00:27:17.897 --> 00:27:22.207
Um, and if I could just make,
uh, I know that we do webinars.

00:27:22.237 --> 00:27:23.817
I know that we do outreach.

00:27:23.827 --> 00:27:29.137
But if I could make, uh, uh,
uh, a plea, uh, if credit union

00:27:29.437 --> 00:27:33.427
Um, uh, leagues, trade associations
would like for us to come

00:27:33.427 --> 00:27:34.407
and speak to their members.

00:27:34.407 --> 00:27:39.067
We'd be happy to do that as well as if
for media outlets, uh, in the credit

00:27:39.077 --> 00:27:41.917
union space to have, uh, more in depth.

00:27:41.917 --> 00:27:45.107
I think that everybody would
benefit from this information.

00:27:45.807 --> 00:27:50.037
October is Cybersecurity Awareness Month
and during this annual observance, the

00:27:50.037 --> 00:27:53.897
National Credit Union Administration
seeks to shine a light on the many

00:27:53.897 --> 00:27:57.667
cybersecurity issues currently
confronting credit union members.

00:27:57.952 --> 00:28:01.282
The credit union system, the
agency, and the financial

00:28:01.282 --> 00:28:02.842
services sector more broadly.

00:28:03.262 --> 00:28:08.022
But the reality is, is that we must remain
laser focused on these issues year round.

00:28:08.472 --> 00:28:12.252
That's because foreign and domestic
cyber fraudsters, as you point out,

00:28:12.572 --> 00:28:17.342
including some of our international
adversaries, continue to target financial

00:28:17.452 --> 00:28:19.282
services providers and their vendors.

00:28:19.717 --> 00:28:23.857
The credit union system is a critical
part of the financial services sector,

00:28:24.507 --> 00:28:29.027
and these annual cybersecurity updates
at the NCUA board table are an important

00:28:29.027 --> 00:28:34.177
reminder that cyber attacks on financial,
the financial services industry, including

00:28:34.177 --> 00:28:38.657
within the credit union system, will
remain high for the foreseeable future.

00:28:39.167 --> 00:28:45.737
In fact, I am reminded of the phrase of,
uh, um, the famous and notorious, uh, bank

00:28:45.737 --> 00:28:50.387
robber, uh, Willie Sutton, who said, you
know, when asked, why do people steal from

00:28:50.397 --> 00:28:52.017
banks and why did he steal from banks?

00:28:52.327 --> 00:28:54.207
He said, that's where the money is.

00:28:54.417 --> 00:28:58.977
Well, we are seeing that this is the
fifth, uh, largest sector that is targeted

00:28:59.687 --> 00:29:04.247
by cyber fraudsters, and we need to make
sure that everyone remains on their toes.

00:29:04.937 --> 00:29:08.807
Far too often, we see that third party
service providers are a weak link in

00:29:08.807 --> 00:29:13.257
the financial system, a danger noted in
the annual report of Financial Stability

00:29:13.277 --> 00:29:18.017
Oversight Council, and credit union third
party service providers are no exception.

00:29:18.407 --> 00:29:23.757
In fact, if we could pull up slide
six, um, we see that from September

00:29:23.767 --> 00:29:29.152
1st, 2023, we see when the NCUA's
cybersecurity incident rule notification

00:29:29.152 --> 00:29:33.942
became effective through August 31st
of this year, credit unions reported

00:29:33.952 --> 00:29:37.712
nearly 1,100 cybersecurity incidents.

00:29:38.212 --> 00:29:42.892
In fact, 7 out of 10 of these reports
related to the use or involvement

00:29:42.912 --> 00:29:44.852
of third party service providers.

00:29:45.282 --> 00:29:50.812
Moreover, approximately 90 percent
of the industry's assets are managed

00:29:50.812 --> 00:29:55.032
by third party service providers
are touched with no NCUA oversight.

00:29:55.522 --> 00:29:59.782
Last November, a single third party
service provider's cybersecurity

00:29:59.792 --> 00:30:04.202
incident disrupted the daily
operations of 60 credit unions.

00:30:04.702 --> 00:30:09.772
And in June, a credit union with almost
10 billion in assets reported the personal

00:30:09.772 --> 00:30:14.762
information of more than 1 million current
and former members and employees had

00:30:14.762 --> 00:30:18.092
been accessed during a ransomware attack.

00:30:18.607 --> 00:30:23.317
The breach initially occurred on May 23rd,
but Todd, as you pointed out, sometimes

00:30:23.327 --> 00:30:25.517
these cyber fraudsters lie in wait.

00:30:25.807 --> 00:30:30.037
Um, the ransomware attackers actually
did not shut down the credit union's

00:30:30.037 --> 00:30:34.557
online and mobile banking systems
until a month later on June 29th.

00:30:35.242 --> 00:30:41.152
What's more, ransomware attacks attributed
to, attributed to malvertising, a

00:30:41.152 --> 00:30:46.462
relatively new cyber, uh, attack technique
that injects malicious digital code

00:30:46.462 --> 00:30:48.822
within digital ads are on the rise.

00:30:49.202 --> 00:30:52.822
Through this type of, um, attack
to work, the user doesn't even

00:30:52.832 --> 00:30:57.532
have to physically click on a link
for the system to become infected.

00:30:57.842 --> 00:31:01.702
Instead, a simple Internet search
can result in advertising that

00:31:01.702 --> 00:31:06.522
appears on the page and exploits the
vulnerabilities of the Internet browser.

00:31:06.872 --> 00:31:11.212
Credit union cybersecurity teams should
focus, therefore, on standardizing and

00:31:11.522 --> 00:31:15.752
securing web browsers and deploying
ad blocking software to protect

00:31:15.772 --> 00:31:18.142
against this very real world threat.

00:31:18.822 --> 00:31:21.672
2.3 trillion federally insured

00:31:21.722 --> 00:31:24.932
credit union industry.

00:31:25.142 --> 00:31:28.442
And our nation's interconnected
critical financial infrastructure.

00:31:28.892 --> 00:31:31.882
We cannot afford to leave these
vulnerabilities unchecked.

00:31:32.302 --> 00:31:35.532
As such, it's everyone's
responsibility to maintain good

00:31:35.532 --> 00:31:38.302
cyber hygiene at home and at work.

00:31:38.742 --> 00:31:41.542
Keeping cyber, uh,
keeping software updated.

00:31:41.822 --> 00:31:46.292
Using strong passwords and passkeys,
reporting phishing attempts, and

00:31:46.292 --> 00:31:50.652
enforcing the use of multi factor
authentication are just a few examples

00:31:50.842 --> 00:31:55.362
of the measures anyone can adopt to
strengthen their collective defenses.

00:31:56.012 --> 00:31:59.962
Education and training are also
critical to raising and maintaining

00:32:00.332 --> 00:32:01.862
awareness of cyber threats.

00:32:02.272 --> 00:32:06.052
Earlier this week, as you noted, Dave,
the NCUA issued a letter to credit

00:32:06.062 --> 00:32:10.252
unions that provides boards of directors
with clear guidance on their roles and

00:32:10.252 --> 00:32:15.022
responsibilities for bolstering the
credit union system's cyber defenses.

00:32:15.342 --> 00:32:19.852
Those responsibilities include providing
recurring training, approving the credit

00:32:19.862 --> 00:32:25.492
union's information security program,
overseeing operational matters related

00:32:25.492 --> 00:32:29.502
to credit, the credit union, including
third party service organizations

00:32:29.722 --> 00:32:33.822
and other technology systems, and
ensuring appropriate incident response

00:32:33.862 --> 00:32:36.492
and resiliency plans are in place.

00:32:36.982 --> 00:32:41.112
Dave, of these several recommendations,
and I know the letter ran several

00:32:41.112 --> 00:32:47.682
pages in length, um, um, uh, in it,
if you could emphasize just one piece

00:32:48.297 --> 00:32:52.677
of advice or action that a credit union
board should take, what would it be?

00:32:53.257 --> 00:32:54.357
Staff cyber2: I appreciate the question.

00:32:54.717 --> 00:33:01.397
Um, I want to ensure that every credit
union, um, has a robust incident

00:33:01.517 --> 00:33:06.752
response and resiliency plan that
includes scenarios for responding to,

00:33:07.192 --> 00:33:12.572
operating and working during, um, and
recovering from a ransomware attack.

00:33:13.122 --> 00:33:17.822
Todd Harper: Um, you know, I think
that that is a great piece of advice.

00:33:18.272 --> 00:33:23.112
Cyber threats and technology are
rapidly advancing and all of us must

00:33:23.112 --> 00:33:25.772
keep pace and having that robust

00:33:26.322 --> 00:33:31.812
plan of attack when, when the attack
happens, uh, is certainly a smart idea.

00:33:31.812 --> 00:33:35.202
It's better, it's better to have
your plan in place beforehand than

00:33:35.202 --> 00:33:37.092
trying to figure it out afterwards.

00:33:37.322 --> 00:33:42.972
Um, it's also why we require periodic
cybersecurity, uh, training here and

00:33:42.972 --> 00:33:48.612
planning here at the agency as, and why we
conduct exercises to test that knowledge.

00:33:49.047 --> 00:33:52.567
Um, I also want to ask another
question, and I, and we didn't

00:33:52.577 --> 00:33:56.197
discuss this in advance, but I, I, I
think you can, uh, help me out here.

00:33:57.087 --> 00:34:02.407
I'm, I, I am under no illusion that
we see as many eyes on the NCUA board

00:34:02.407 --> 00:34:07.517
meeting broadcast as we see on C-SPAN,
um, and certainly on the nightly news.

00:34:08.042 --> 00:34:13.512
But our exam teams are going in to
credit unions, uh, on a regular basis.

00:34:13.652 --> 00:34:19.392
What are we doing to educate our examiners
so that they can educate credit unions

00:34:19.462 --> 00:34:23.522
and provide the information needed,
uh, to credit unions that are the

00:34:23.522 --> 00:34:25.812
front lines in this whole situation?

00:34:26.632 --> 00:34:29.452
Staff cyber2: Well, um, there's, uh,
I appreciate the question, you know,

00:34:29.452 --> 00:34:31.462
and there's, there's ongoing education.

00:34:31.952 --> 00:34:35.712
There's also the application of
lessons learned, uh, gathered from

00:34:35.712 --> 00:34:38.182
the exams to be used to inform.

00:34:38.247 --> 00:34:46.537
So, the more information that we have,
the better insight we get and the

00:34:46.537 --> 00:34:52.527
more that we can do to provide, uh, so
that our examiners look for the more

00:34:52.527 --> 00:34:55.917
important things, for the riskiest
things, as well as for the credit

00:34:55.917 --> 00:34:58.877
unions to protect themselves and, you
know, make everybody's jobs easier.

00:34:59.267 --> 00:35:02.107
Todd Harper: And how are we ensuring
that that communication between what

00:35:02.147 --> 00:35:07.157
we are teaching and what we're, our
examiners is actually happening to, uh,

00:35:07.157 --> 00:35:09.117
getting to credit union, uh, leaders.

00:35:09.707 --> 00:35:14.207
Staff cyber2: So, um, so we're
regularly, uh, uh, collecting feedback

00:35:14.247 --> 00:35:19.597
from our examiners and, and turning
that into advice, into guidelines,

00:35:19.627 --> 00:35:22.687
into procedures, into communications

00:35:23.002 --> 00:35:28.852
to the credit unions, um, and as well, uh,
as, you know, as, as a regional, um, field

00:35:28.852 --> 00:35:31.892
staff to, uh, to, to, to do these things.

00:35:31.892 --> 00:35:33.852
So it's ongoing communication.

00:35:33.882 --> 00:35:36.922
It is, uh, regular sharing of information.

00:35:36.932 --> 00:35:39.532
Information sharing is the
key, uh, to what we're doing.

00:35:39.842 --> 00:35:43.022
Um, and just learning,
listening, and observing.

00:35:43.232 --> 00:35:46.872
Um, it's, uh, as Todd, uh,
mentioned earlier, it's, uh, when

00:35:46.872 --> 00:35:49.552
it comes to cybersecurity, it's
not about if it's going to happen.

00:35:49.552 --> 00:35:51.137
It's, it's unfortunately
when it's going to happen.

00:35:51.387 --> 00:35:51.707
Yeah.

00:35:51.757 --> 00:35:53.917
And Dave, would it be fair to say I've

00:35:53.927 --> 00:35:57.257
Todd Harper: heard of a number of credit
unions that have seen their management

00:35:57.257 --> 00:36:03.487
component rating downgraded, uh,
because of information security issues.

00:36:03.667 --> 00:36:08.307
Is that what you're seeing in, uh,
the office overall as you collect

00:36:08.307 --> 00:36:09.577
that and aggregate that data?

00:36:09.737 --> 00:36:11.287
Staff cyber2: It, it certainly happens.

00:36:11.317 --> 00:36:17.047
Um, and, and then, uh, you know, it said
it, it informs, uh, the types of, uh, of

00:36:17.047 --> 00:36:19.037
questions and, and things that we assess.

00:36:20.037 --> 00:36:20.837
Todd Harper: Thank you so much.

00:36:20.837 --> 00:36:23.927
I think that that's really helpful
information to get out there.

00:36:24.427 --> 00:36:27.527
Despite our efforts to strengthen
the system's cyber defenses, we

00:36:27.527 --> 00:36:29.377
of course still have a blind spot.

00:36:29.727 --> 00:36:33.577
For example, NCUA's ability to analyze
and assess the risk in the entire credit

00:36:33.587 --> 00:36:38.437
union system remains limited because
the agency lacks the same level of

00:36:38.437 --> 00:36:42.657
oversight of third party service providers
as federal banking regulators have.

00:36:43.237 --> 00:36:46.217
Stakeholders must understand the
risks resulting from the NCUA's

00:36:46.257 --> 00:36:48.487
lack of vendor authority are real.

00:36:49.487 --> 00:36:53.087
Um, and as both of you discussed, the
NCOA is not just the regulator for federal

00:36:53.087 --> 00:36:55.187
credit unions, but also the insurer.

00:36:55.597 --> 00:36:59.087
The NCOA board may need to consider
changes to the normal operating level

00:36:59.087 --> 00:37:03.347
of the share insurance fund given the
additional risk of insuring an industry

00:37:03.567 --> 00:37:07.667
that more and more outsources core
business operations to unregulated

00:37:07.837 --> 00:37:09.397
third party service providers.

00:37:09.747 --> 00:37:13.357
Um, and as both of you discussed,
the Most cyber incidents reported

00:37:13.357 --> 00:37:17.317
to the NCUA, in fact, involve
third party service providers.

00:37:17.607 --> 00:37:21.487
Until this growing regulatory blind
spot is closed, thousands of federally

00:37:21.487 --> 00:37:26.887
insured credit unions with more than 140
million consumers who use those credit

00:37:26.887 --> 00:37:32.097
unions and trillions of dollars in assets
are exposed to higher levels of risk.

00:37:32.707 --> 00:37:35.607
Credit union leaders must also
understand that their institutions

00:37:35.817 --> 00:37:39.237
are a significant part of our
nation's critical infrastructure.

00:37:39.557 --> 00:37:40.657
Something that the U.S.

00:37:40.667 --> 00:37:44.737
has a, government has a
solemn obligation to protect.

00:37:45.077 --> 00:37:49.777
We cannot do that without the
ability to assess and analyze risk,

00:37:50.107 --> 00:37:54.107
and that is what vendor supervision
would provide us the ability to do.

00:37:54.872 --> 00:37:58.762
It's heartening to hear, as I speak
with more and more credit union leaders,

00:37:58.832 --> 00:38:03.272
that they understand the value of the
NCUA having the same vendor supervisory

00:38:03.272 --> 00:38:05.542
authority as the federal banking agencies.

00:38:05.862 --> 00:38:09.692
They understand that their industry is
worthy of the same protections as the

00:38:09.692 --> 00:38:14.642
banking industry and they understand
that if the NCUA had vendor authority,

00:38:14.852 --> 00:38:20.282
we could provide summary reports of
those third party exams to credit unions.

00:38:20.592 --> 00:38:24.682
For use in due diligence, this
statutory change, in other words,

00:38:24.872 --> 00:38:28.742
would eliminate a competitive
disadvantage that credit unions

00:38:28.742 --> 00:38:31.042
currently have when compared to banks.

00:38:31.572 --> 00:38:35.982
During my travels and meetings with credit
union leagues and officials, more CEOs and

00:38:35.982 --> 00:38:40.442
leaders have also told, um, my team and
me that they see the value and benefits

00:38:40.502 --> 00:38:45.392
of restoring the NCUA's third party
service authority because they cannot.

00:38:45.412 --> 00:38:47.477
No, no, I agree.

00:38:47.477 --> 00:38:47.994
Thanks.

00:38:47.994 --> 00:38:50.575
I mean, we're, we're, we're.

00:38:50.575 --> 00:38:54.190
We're all a part of this, right.

00:38:54.190 --> 00:39:01.392
The pathways to recovery in soundness
and enhance consumer financial protection

00:39:01.632 --> 00:39:04.032
and anti money laundering compliance.

00:39:04.262 --> 00:39:08.302
It would also save credit unions
time and money in the long term.

00:39:08.512 --> 00:39:11.452
So it's common sense
and just good business.

00:39:11.762 --> 00:39:15.177
Plus, it would give credit union
members the same protection

00:39:15.367 --> 00:39:16.677
that bank consumers have.

00:39:17.047 --> 00:39:18.417
That concludes my remarks.

00:39:18.417 --> 00:39:20.497
I now recognize the Vice Chairman for his.

00:39:20.547 --> 00:39:21.047
Thank you, sir.

00:39:21.047 --> 00:39:21.237
And

00:39:21.237 --> 00:39:22.637
Kyle Hauptman: thanks, Todd
and David, for the update.

00:39:22.747 --> 00:39:23.547
David, it's your first time.

00:39:24.407 --> 00:39:24.747
All right.

00:39:24.847 --> 00:39:25.477
Well done.

00:39:25.667 --> 00:39:27.747
Um, thank you for all the
work you put into that.

00:39:27.777 --> 00:39:32.637
As the Chairman mentioned, it's the fifth
most targeted, uh, sector of the nation.

00:39:32.707 --> 00:39:33.757
Uh, they have money.

00:39:33.927 --> 00:39:36.167
Financial institutions
know that they have cash.

00:39:36.167 --> 00:39:37.132
They know how to send it.

00:39:37.712 --> 00:39:40.032
Um, so we can understand
why they're targeted.

00:39:40.062 --> 00:39:42.562
Um, and every single
one of us is vulnerable.

00:39:42.562 --> 00:39:45.142
I want to compliment you
on your choice of career.

00:39:45.182 --> 00:39:47.572
Cyber security is a growth
industry, unfortunately.

00:39:48.002 --> 00:39:50.312
Do you know anybody who's good
at cyber that's unemployed?

00:39:50.362 --> 00:39:50.912
Me neither.

00:39:51.322 --> 00:39:54.252
Um, I remember, uh,
our July board meeting.

00:39:54.392 --> 00:39:58.572
It was July 18th, and we finished
up the following morning.

00:39:58.772 --> 00:40:01.442
Packed up the car, the family,
and the car, and the dog.

00:40:01.962 --> 00:40:04.872
Arduous 15 hour family
trip up to Maine, right?

00:40:04.872 --> 00:40:08.492
It's not flying, a kid in a car seat,
you know, on a long trip. I remember that

00:40:08.492 --> 00:40:11.282
Friday, actually, because we debated flying.

00:40:11.982 --> 00:40:13.392
I was really glad we drove.

00:40:13.752 --> 00:40:14.792
Do you happen to remember why?

00:40:15.792 --> 00:40:19.882
Systems was a Southwest Ground stray.

00:40:19.992 --> 00:40:24.442
It was the CrowdStrike. Delta,
United, American, Elysian halted

00:40:24.452 --> 00:40:27.402
all travel. Absolute nightmare.

00:40:27.442 --> 00:40:31.422
Now that let me ask you, was that
considered to be a cyber incident?

00:40:32.422 --> 00:40:33.312
It's not really, right.

00:40:34.312 --> 00:40:39.772
That was, that was a code update that hit
Microsoft Windows from CrowdStrike, right?

00:40:39.942 --> 00:40:40.932
From a cyber standpoint.

00:40:40.982 --> 00:40:44.312
My next question is, did we get calls
from people who thought things were

00:40:44.312 --> 00:40:48.552
down, but I don't believe it's a cyber
incident, but you're the experts here.

00:40:48.562 --> 00:40:48.792
So

00:40:49.072 --> 00:40:52.592
Staff Cyber1: I believe based on our
rule, we, that is a cyber incident.

00:40:53.252 --> 00:40:53.562
Okay.

00:40:53.572 --> 00:40:56.582
Because it affected the operational,
um, the operations of the credit union.

00:40:57.212 --> 00:41:01.012
Kyle Hauptman: What if the local
cable provider, uh, had a problem

00:41:01.012 --> 00:41:02.052
and the internet was down?

00:41:02.242 --> 00:41:03.262
Is that a cyber incident?

00:41:03.382 --> 00:41:04.442
Either way, you can't do anything.

00:41:05.442 --> 00:41:06.562
Staff Cyber1: It's also a cyber incident.

00:41:06.572 --> 00:41:07.392
That's a cyber incident?

00:41:07.402 --> 00:41:08.042
I believe based on the

00:41:08.042 --> 00:41:08.482
Kyle Hauptman: rules, yeah.

00:41:08.742 --> 00:41:13.062
Because I remember during that whole
mess, right, and it took some of

00:41:13.062 --> 00:41:16.372
these airlines until the next week
to get these people, uh, uh, going.

00:41:16.782 --> 00:41:20.852
Uh, especially with Delta, people slept
in the Atlanta airport for days, you know.

00:41:20.892 --> 00:41:23.822
Um, you couldn't get a hotel, imagine
you were connecting through, right,

00:41:23.822 --> 00:41:24.772
because all the hotels were closed.

00:41:25.572 --> 00:41:30.132
Sold out within 100 miles, absolute
nightmare, but they were making sure that

00:41:30.142 --> 00:41:33.852
this is not a cyber attack. No one's being
held for ransom or anything like that.

00:41:33.882 --> 00:41:35.142
There was a lot of talk about that.

00:41:35.152 --> 00:41:40.732
You know, the DHS involved, that this
thing is terrible, but they made a

00:41:40.732 --> 00:41:44.282
whole point of saying they, by their
standards, didn't consider it a cyber attack,

00:41:44.692 --> 00:41:49.167
um, right, and, but we did get calls.

00:41:50.107 --> 00:41:51.197
Staff cyber2: I can answer that.

00:41:51.267 --> 00:41:56.237
Um, first to add that the, the
aspect that would have made

00:41:56.247 --> 00:42:00.347
it relevant to us is the disruption
to vital member services, right?

00:42:00.567 --> 00:42:04.637
It's inevitable that many member
services were impacted even before

00:42:04.637 --> 00:42:08.892
it's fully known that it was a, but a
poor configuration management practice.

00:42:08.942 --> 00:42:12.242
Kyle Hauptman: One person uploading an
untested line of code in a patch and boom.

00:42:12.482 --> 00:42:15.932
Staff cyber2: And in regards to that
specific event, we received 16 reports.

00:42:15.932 --> 00:42:17.012
Kyle Hauptman: We got 16 for that.

00:42:17.072 --> 00:42:17.542
Okay.

00:42:17.572 --> 00:42:22.272
Now, so just to be clear, if your local
internet provider had a problem, right?

00:42:22.422 --> 00:42:29.422
You know, a storm, wires get cut,
um, or there's just a power outage.

00:42:29.512 --> 00:42:30.652
So obviously you're not
going to have internet.

00:42:30.652 --> 00:42:31.232
There's no power.

00:42:32.132 --> 00:42:32.512
Right?

00:42:32.762 --> 00:42:35.452
Uh, and the average credit union
doesn't have its own generator in

00:42:35.452 --> 00:42:36.432
those kind of office buildings.

00:42:36.712 --> 00:42:37.172
Who's that?

00:42:37.787 --> 00:42:41.407
Is that also something that they're
supposed to report, per our rule?

00:42:41.697 --> 00:42:45.567
Staff cyber2: If it affects
vital member services, yes.

00:42:46.137 --> 00:42:46.477
Kyle Hauptman: Okay.

00:42:47.417 --> 00:42:47.717
All right.

00:42:47.777 --> 00:42:52.337
Um, one thing I want to mention is
the role of, because these things are

00:42:52.337 --> 00:42:57.107
important, the CrowdStrike, you couldn't
not notice that it was very regulated

00:42:57.107 --> 00:42:59.127
industries, and there was a connection.

00:42:59.167 --> 00:43:03.212
Airlines, hospitals, financial services,
very regulated in the United States, very

00:43:03.212 --> 00:43:08.852
regulated industries and government played
a role in making this worse in a way,

00:43:09.122 --> 00:43:12.792
because as I understand it, and I am, I
don't want to get out over my skis because

00:43:12.792 --> 00:43:15.502
I don't know much about CrowdStrike
in that industry, but CrowdStrike

00:43:15.542 --> 00:43:17.412
was seen as when you were in an exam.

00:43:17.412 --> 00:43:19.682
It was a quick way to be able
to move on to the next topic.

00:43:20.162 --> 00:43:21.552
Oh, oh, you're using CrowdStrike.

00:43:21.592 --> 00:43:22.252
Okay, good.

00:43:22.802 --> 00:43:25.802
So people knew that that
was what regulators liked.

00:43:26.802 --> 00:43:31.832
So and I'm not here to say there was
better options, but it's a longer meeting.

00:43:32.512 --> 00:43:35.602
If you use somebody else, if you're
using, and that was kind of the

00:43:35.602 --> 00:43:36.992
Good Housekeeping seal of approval.

00:43:36.992 --> 00:43:38.252
Oh, you have this CrowdStrike system?

00:43:38.532 --> 00:43:40.662
All right, all right, next
topic, which is what you want

00:43:40.692 --> 00:43:42.002
if you're a regulated industry.

00:43:42.072 --> 00:43:42.772
Next topic.

00:43:43.422 --> 00:43:47.342
So you wound up having, you know, maybe
it would have been only one airline.

00:43:47.812 --> 00:43:49.322
You know, I'm speculating here.

00:43:49.462 --> 00:43:50.932
But no, we're using this new thing.

00:43:50.952 --> 00:43:51.742
It's cheaper.

00:43:51.872 --> 00:43:53.212
It's better, whatever.

00:43:53.342 --> 00:43:55.762
That now, it makes your meeting longer.

00:43:56.202 --> 00:43:58.252
You're putting the
examiner in a tougher spot.

00:43:58.607 --> 00:44:02.967
My point is, sometimes government, uh,
if we lean and feel we have our preferred

00:44:02.967 --> 00:44:07.397
answers, you know, and we act kind of
like there's a white list, that if you

00:44:07.397 --> 00:44:13.007
answer A, your exam is easier and quicker,
or if you answer B, it's longer, with

00:44:13.007 --> 00:44:15.457
a lot more work, and you've made your
examiner a little uncomfortable, because

00:44:15.457 --> 00:44:18.717
we don't, people don't like signing off
on things they don't really know, okay?

00:44:19.717 --> 00:44:22.567
But A might not be better than B, right?

00:44:22.787 --> 00:44:25.967
Uh, it might not be more effective for
your organization, more cost effective.

00:44:26.967 --> 00:44:30.397
Anyway, I just wanted to note that
and it was pointed out to, to me.

00:44:30.457 --> 00:44:31.817
Well, it was pointed out to me online.

00:44:31.827 --> 00:44:34.687
I read it that, um, the.

00:44:35.547 --> 00:44:39.107
We don't have that sort of regulation
where they can shut you down entirely

00:44:39.137 --> 00:44:42.487
that that level of regulation and you
get graded and that sort of thing.

00:44:42.867 --> 00:44:44.037
Very regulated industries.

00:44:44.297 --> 00:44:45.387
The government played a role in that.

00:44:45.997 --> 00:44:47.057
Put it that put it that way.

00:44:47.217 --> 00:44:50.967
Um, also, you may, uh,
usually ask for Bitcoin.

00:44:50.967 --> 00:44:52.447
I just want to defend
Bitcoin for a second.

00:44:53.087 --> 00:44:56.247
Uh, the reason you do it is because
it's useful because there's no other

00:44:56.247 --> 00:45:01.037
way that any team human beings on
Earth can send each other money 24

00:45:01.037 --> 00:45:02.857
hours a day with instant settlement.

00:45:03.347 --> 00:45:04.597
There's no fake deposits.

00:45:04.597 --> 00:45:05.437
You don't have to worry about it.

00:45:05.447 --> 00:45:06.277
Money's counterfeit.

00:45:06.782 --> 00:45:07.782
Any two humans on earth.

00:45:07.832 --> 00:45:09.922
Now, in this country,
things work kind of well.

00:45:10.372 --> 00:45:13.482
The payment system is a little
creaky, but it's an absolute lifeline

00:45:13.502 --> 00:45:16.672
if your government is destroying
your currency via inflation.

00:45:17.192 --> 00:45:19.822
In Argentina, you know, they have
siesta, where they have different prices

00:45:19.822 --> 00:45:20.932
in the afternoon than the morning.

00:45:21.342 --> 00:45:23.652
Uh, for a lot of people,
it's an absolute godsend.

00:45:23.912 --> 00:45:27.172
So it's, um, uh, Bitcoin itself
is just incredibly useful,

00:45:27.172 --> 00:45:29.102
but not that great for cyber.

00:45:29.122 --> 00:45:31.512
They really have to hustle on
their end, the bad guys, because

00:45:31.512 --> 00:45:32.542
what do we know about Bitcoin?

00:45:32.952 --> 00:45:36.112
Has an unalterable public database.

00:45:36.502 --> 00:45:41.952
That transaction sent from this wallet
to that wallet can never, ever be erased.

00:45:42.332 --> 00:45:46.962
Bitcoin, as you know, has, uh,
their redundancies built in because

00:45:46.962 --> 00:45:48.132
there's separate copies everywhere.

00:45:48.822 --> 00:45:49.972
Uh, there's no central database.

00:45:49.972 --> 00:45:51.682
It's a totally decentralized system.

00:45:52.342 --> 00:45:56.772
Their redundancies are the envy of any
organization in the world because it's

00:45:56.772 --> 00:45:58.822
almost impossible to change that database.

00:45:59.172 --> 00:46:01.162
It's an unalterable transaction.

00:46:01.712 --> 00:46:03.102
So there's more of a record of it.

00:46:03.102 --> 00:46:05.262
This is why there's companies
like Chainalysis that use

00:46:05.262 --> 00:46:06.102
them, you know, tracking.

00:46:06.592 --> 00:46:07.032
These things.

00:46:07.042 --> 00:46:10.872
So, um, they have to hustle on their end
to disappear and clean that wallet out

00:46:10.872 --> 00:46:13.762
and never use it again and never send
any money to anybody else from that.

00:46:14.032 --> 00:46:15.092
It's difficult to do.

00:46:15.122 --> 00:46:15.792
It's a paper trail.

00:46:15.792 --> 00:46:19.572
So, Bitcoin has an unalterable,
unchangeable public database

00:46:19.572 --> 00:46:20.562
that can never be changed.

00:46:21.032 --> 00:46:25.092
And, um, yes, it is useful
and criminals use it.

00:46:25.542 --> 00:46:30.722
But I would say is that if you
think crypto is often used by

00:46:30.722 --> 00:46:33.302
criminals, you're going to freak
out when you hear about cash.

00:46:33.302 --> 00:46:35.692
Um,

00:46:36.692 --> 00:46:41.402
so we said, uh, Sherman mentioned, uh,
financial institutions have two things,

00:46:41.772 --> 00:46:44.092
data it's useful and they have cash.

00:46:44.412 --> 00:46:46.772
They're also savvier than
some at making payments.

00:46:47.272 --> 00:46:53.602
Um, and while I don't think we need any
new regs, uh, specifically for artificial

00:46:53.602 --> 00:46:57.667
intelligence, like most technology, the
stuff that bad guys do is already illegal.

00:46:57.667 --> 00:47:00.557
Technology just made new
ways to do it before, right?

00:47:00.557 --> 00:47:07.277
Yeah, when I know that, um, groups look at
LinkedIn and see recent updates for jobs

00:47:07.287 --> 00:47:11.777
like CFO controller, anyone who has the
power to send enormous amount of money.

00:47:12.357 --> 00:47:17.387
And if the person came from outside the
employer, okay, brand new CFO job, you're

00:47:17.387 --> 00:47:18.667
new, you don't want to rock the boat.

00:47:19.027 --> 00:47:21.907
They are more likely to fall for
an email that looks like it's

00:47:21.907 --> 00:47:24.687
from the boss says, Hey, we got to
send 400 million to this account.

00:47:25.412 --> 00:47:28.822
Uh, you know, uh, they don't, might not
realize how it is, they don't want to

00:47:28.822 --> 00:47:33.742
push back on the new job they got, so,
um, and it used to be you could call, uh,

00:47:33.772 --> 00:47:36.492
you know, if the boss called you and you
heard their voice, I know Todd's voice,

00:47:36.492 --> 00:47:39.422
I know if it's him, well, that's a whole
nother thing now, it could be his voice,

00:47:39.432 --> 00:47:41.082
hell, he could even be on a screen.

00:47:41.312 --> 00:47:44.702
So, uh, I don't think many people
ask, you can have regs on this, the

00:47:44.702 --> 00:47:47.662
stuff is already illegal or bad,
there's just new ways to do it.

00:47:47.672 --> 00:47:49.416
Hearing someone's voice
used to be illegal.

00:47:50.027 --> 00:47:52.357
Uh, more sure, uh, than we are now.

00:47:53.097 --> 00:47:57.117
Um, uh, credit unions are, uh, one
thing about them is they're quite

00:47:57.117 --> 00:47:58.937
cooperative with each other as well.

00:47:59.387 --> 00:48:02.867
Um, they built interconnected
systems, make it possible to compete

00:48:02.927 --> 00:48:04.877
with larger institutions, right?

00:48:04.947 --> 00:48:07.657
Uh, they're like that story about the
school of fish that looked like the

00:48:07.657 --> 00:48:08.867
big one, whatever that story's called.

00:48:09.657 --> 00:48:13.512
Um, but we remember, interconnected
is good in a lot of ways, but

00:48:13.512 --> 00:48:14.792
it's also negative, right?

00:48:15.122 --> 00:48:16.732
It provides points of leverage.

00:48:17.092 --> 00:48:20.722
So, uh, Monday, October 21,
you know, we released a letter.

00:48:20.722 --> 00:48:23.062
We mentioned it before just to
go over the four items in it.

00:48:23.882 --> 00:48:26.992
The agency is not asking any credit
union board to be technical experts.

00:48:27.022 --> 00:48:30.022
I don't think our board considers
ourselves to be technical experts,

00:48:30.382 --> 00:48:31.702
but they must be aware of the risk.

00:48:31.862 --> 00:48:37.232
Um, and these credit unions should
approve their IT information

00:48:37.232 --> 00:48:38.792
security program annually.

00:48:38.842 --> 00:48:39.512
That's not new.

00:48:39.522 --> 00:48:39.582
Thank you.

00:48:40.117 --> 00:48:42.887
Uh, they should review the program
annually, make sure it's an evolving

00:48:42.977 --> 00:48:44.577
threat, for example, like we just said.

00:48:44.587 --> 00:48:47.407
AI makes a lot of other solutions harder.

00:48:48.407 --> 00:48:49.937
And oversee operational management.

00:48:49.947 --> 00:48:52.337
No one's asking anybody to be a
technical expert, but there's things

00:48:52.337 --> 00:48:53.817
that they're responsible for overseeing.

00:48:53.827 --> 00:48:55.117
Third party due diligence.

00:48:55.327 --> 00:48:57.567
Credit unions are responsible
for who they do business with.

00:48:57.887 --> 00:49:02.577
They may have a, a relationship that,
um, where they get upset with their

00:49:02.577 --> 00:49:04.247
vendor that they didn't do as well.

00:49:04.287 --> 00:49:06.387
People were certainly upset
with CrowdStrike, um, but

00:49:06.387 --> 00:49:08.327
that's still a response.

00:49:08.397 --> 00:49:10.267
From our perspective, it's
solely the responsibility of

00:49:10.267 --> 00:49:11.297
the credit union executive not.

00:49:11.722 --> 00:49:14.152
Because can they manage
their relationships or not?

00:49:14.502 --> 00:49:16.582
If they can't, that speaks
poorly of management.

00:49:16.892 --> 00:49:20.282
And they also don't want us to start
coming in and having a good list of

00:49:20.282 --> 00:49:21.912
vendors and a bad list of vendors.

00:49:22.002 --> 00:49:22.282
Right?

00:49:23.012 --> 00:49:24.412
Uh, that's not going to help anybody.

00:49:24.802 --> 00:49:30.561
Um, seven in ten cyber incidents this year
with credit unions involved a third party.

00:49:31.561 --> 00:49:33.651
So we want to make sure the
requirements you have in your

00:49:33.651 --> 00:49:35.491
contracts protect third party data.

00:49:35.881 --> 00:49:38.981
Oh, and just to finish that letter we
just sent, the fourth one was incident

00:49:38.981 --> 00:49:40.491
response planning and resilience.

00:49:41.131 --> 00:49:43.081
You want to make this easy, okay?

00:49:43.121 --> 00:49:47.951
I want to tell people, because we know for
a fact, that people probably should have.

00:49:48.491 --> 00:49:51.451
We know that there's been people of credit
unions affected that didn't call us.

00:49:51.451 --> 00:49:52.571
We know because of the numbers.

00:49:52.761 --> 00:49:55.441
We know, you know, it'd be a hundred
credit unions affected, we got 20 calls.

00:49:55.441 --> 00:49:56.391
Well, we know 80 didn't.

00:49:57.391 --> 00:50:04.171
I want to do things that are easy to do,
get done. The simpler you make it, the more

00:50:04.171 --> 00:50:07.391
effective it is, the higher response rate
we get, right? And we want to do our part,

00:50:07.791 --> 00:50:12.041
make it simple. And I think the credit,
this reporting, this reminds me of our

00:50:12.041 --> 00:50:15.511
discussion about signing up for the CLF.
It's one of those things where if you

00:50:15.511 --> 00:50:18.851
do it, it's one of those things you might
put off, and then you do it, you're like,

00:50:18.851 --> 00:50:19.981
wait a second, that wasn't that hard.

00:50:19.991 --> 00:50:20.961
Why did I put that off?

00:50:21.171 --> 00:50:22.011
You know a two minute rule?

00:50:22.051 --> 00:50:25.911
You can do it in under two minutes, do it
right now. I want people to know, credit

00:50:25.911 --> 00:50:30.491
unions, that this is actually very easy
to do. It's not some long government form

00:50:30.491 --> 00:50:32.896
you may be imagining your first time.

00:50:32.966 --> 00:50:34.426
Um, can I have a slide, please?

00:50:35.426 --> 00:50:36.006
Um,

00:50:37.006 --> 00:50:38.716
I just Googled NCUA Cyber Reporting.

00:50:38.736 --> 00:50:39.946
You can put NCUA Cyber.

00:50:40.156 --> 00:50:41.796
I did this in a couple
of different browsers.

00:50:41.836 --> 00:50:43.026
I did it on my phone.

00:50:43.906 --> 00:50:46.636
You literally don't even
have to click past that.

00:50:47.166 --> 00:50:47.636
Why?

00:50:47.766 --> 00:50:51.486
Because even on that preview
part, see the number right there?

00:50:51.656 --> 00:50:53.056
Stop right there.

00:50:53.346 --> 00:50:53.606
Right?

00:50:53.606 --> 00:50:56.486
If somebody's, uh, Saturday,
it's their kid's soccer game.

00:50:56.876 --> 00:50:58.916
And someone says, Bosch,
you know, we have an outage.

00:50:59.916 --> 00:51:02.796
And she's like, okay, I guess
there's a, we have to report that.

00:51:02.796 --> 00:51:03.326
A form.

00:51:04.121 --> 00:51:05.161
You have your phone on you.

00:51:05.911 --> 00:51:06.341
Google.

00:51:06.371 --> 00:51:06.741
Boom.

00:51:06.831 --> 00:51:07.991
You are finished.

00:51:08.321 --> 00:51:09.271
All you have to do is the number.

00:51:09.271 --> 00:51:10.191
You don't even have to click on the link.

00:51:10.201 --> 00:51:10.921
See that number right there?

00:51:11.131 --> 00:51:12.031
1-833.

00:51:12.541 --> 00:51:15.721
I'm asking every, uh, credit union
CEO, whoever made the reporting,

00:51:16.031 --> 00:51:18.191
just take that number and I
would put it in your contacts.

00:51:18.201 --> 00:51:21.861
If you're like us and you have two phones,
you have a personal, put it in there.

00:51:21.921 --> 00:51:24.151
That's gonna help you on
Saturday, uh, when you're watching

00:51:24.151 --> 00:51:25.551
your daughter's soccer game.

00:51:25.921 --> 00:51:27.061
Just put that number in.

00:51:27.061 --> 00:51:29.281
I would save it like
cyber NCUA or something.

00:51:29.761 --> 00:51:34.521
If you, if you want to be good, I would
also put in the contact itself, um,

00:51:34.531 --> 00:51:36.321
your charter number to have it handy.

00:51:36.401 --> 00:51:38.661
You know, like, I have United
Airlines customer service in here.

00:51:38.661 --> 00:51:41.611
I also have my, my own bus number
right there in the contact,

00:51:41.611 --> 00:51:42.501
so I have it in front of me.

00:51:42.891 --> 00:51:46.661
All you need to do, if you ever, any,
as long as you have access to a phone

00:51:46.661 --> 00:51:50.331
or internet, you can get this done
right then and there, on the spot.

00:51:50.401 --> 00:51:50.861
Okay?

00:51:51.021 --> 00:51:53.551
I would take that number, save
it to your phone, whatever

00:51:53.551 --> 00:51:54.321
phones you're going to use.

00:51:54.736 --> 00:51:55.026
Okay.

00:51:55.176 --> 00:51:56.276
And if you do click it.

00:51:56.316 --> 00:51:57.016
Next slide, please.

00:51:58.016 --> 00:51:58.196
All right.

00:51:58.246 --> 00:51:58.746
This is it.

00:51:58.996 --> 00:51:59.616
This is the form.

00:51:59.896 --> 00:52:00.136
Okay.

00:52:00.136 --> 00:52:00.986
Quick reference guide.

00:52:01.486 --> 00:52:04.726
We acknowledge this thing as a,
as a wallet card, knowing that in

00:52:04.726 --> 00:52:08.056
the scenarios we're talking about,
depending on what kind of situation

00:52:08.056 --> 00:52:10.216
you have, you may not have work email.

00:52:11.216 --> 00:52:12.806
You might not be able
to go find that email.

00:52:13.006 --> 00:52:13.576
What do we do?

00:52:14.426 --> 00:52:16.496
Um, you might not have access to much.

00:52:17.246 --> 00:52:18.626
So if I was the, the.

00:52:19.386 --> 00:52:22.416
person in charge, either the CEO or
the CIO, I would not only have this

00:52:22.426 --> 00:52:27.206
physically taped to my desk or whatever,
I would have that little card, because

00:52:27.206 --> 00:52:30.646
you have the charter number in there,
and that's like kind of a wallet card.

00:52:30.666 --> 00:52:33.326
Remember, we have to think about a
scenario where there's no internet,

00:52:33.356 --> 00:52:38.256
no email, your system's down, that
you can get this done and it's easy.

00:52:38.466 --> 00:52:41.926
Uh, I know when you have a, a,
notifying NCUA is not your first

00:52:41.926 --> 00:52:42.906
priority, nor should it be.

00:52:43.666 --> 00:52:46.136
But this is an easy one to
get off your to do list.

00:52:46.436 --> 00:52:48.996
I would have that, I would also
take a picture of that and have

00:52:48.996 --> 00:52:53.286
it in a folder on your phone, you
know, in your photos, and it's very,

00:52:53.446 --> 00:52:55.326
uh, very, very simple to do, okay?

00:52:55.366 --> 00:52:57.506
So save it in your contacts, a lot easier.

00:52:57.556 --> 00:53:00.766
Even if you didn't have the charter
number, whoever decided to call, that

00:53:00.766 --> 00:53:03.086
number, we could probably live with it.

00:53:03.316 --> 00:53:08.096
Uh, you know, we're, we're Apple First
Credit Union in, uh, in Wisconsin, right?

00:53:08.376 --> 00:53:11.026
Um, and especially from our
perspective, am I correct?

00:53:11.206 --> 00:53:12.996
You want to know if there's a
problem at a credit union, but.

00:53:13.931 --> 00:53:16.911
What we, I think, really care
about is all of a sudden, this

00:53:16.911 --> 00:53:18.011
morning, everything's fine.

00:53:18.201 --> 00:53:20.631
But by noon today, we got 25 calls.

00:53:20.641 --> 00:53:21.881
Something's going on.

00:53:22.351 --> 00:53:22.641
Right?

00:53:22.661 --> 00:53:23.731
A broader issue.

00:53:23.771 --> 00:53:26.581
There's always going to be some credit
union out there where the local internet

00:53:26.581 --> 00:53:28.261
provider's down or what have you.

00:53:28.461 --> 00:53:31.041
A tree falls on a branch and you
lose, it happened to me in my house.

00:53:31.131 --> 00:53:33.291
A tree hit the branch and I lost
cable and internet for a while.

00:53:33.896 --> 00:53:34.256
That's good.

00:53:34.306 --> 00:53:36.326
We care about, is there
something happening?

00:53:36.406 --> 00:53:40.026
Is there a broad issue where we at NCUA
can help and say, hey, whatever you do,

00:53:40.046 --> 00:53:41.796
don't, don't, don't download that patch.

00:53:42.086 --> 00:53:43.346
It's going to make everything worse.

00:53:43.566 --> 00:53:45.246
Um, so do that.

00:53:45.276 --> 00:53:48.296
And then that number is, uh, 24 hours.

00:53:49.296 --> 00:53:53.296
Um, if you, even if you didn't
have that wallet card, I'm sorry,

00:53:53.306 --> 00:53:54.406
you're going to know your own name.

00:53:54.726 --> 00:53:56.996
I don't love the reporter name and title.

00:53:57.296 --> 00:53:59.806
That refers to the credit union
person who's calling it in.

00:54:00.536 --> 00:54:03.486
I don't know, like people think
a reporter is a journalist,

00:54:04.006 --> 00:54:05.506
or maybe it's some expression.

00:54:05.526 --> 00:54:08.246
Anyway, reporter name and title, like,
I don't know, I'm not a reporter,

00:54:08.246 --> 00:54:09.626
I'm a CIT guy, so they'll credit you.

00:54:10.626 --> 00:54:14.106
But even if you didn't have that card,
and you just Googled it, remember, you're

00:54:14.106 --> 00:54:16.646
sitting there, you have your personal
phone, you didn't save the contact, you're

00:54:16.646 --> 00:54:19.686
watching the kids soccer game on Saturday,
you get a call, you can get it done.

00:54:20.686 --> 00:54:23.416
In 10 seconds, you'll get no information.

00:54:23.626 --> 00:54:25.026
NCUA cyber boom.

00:54:25.656 --> 00:54:26.716
You're going to get that number.

00:54:26.966 --> 00:54:28.856
Okay, let's try it.

00:54:28.996 --> 00:54:29.666
NCUA

00:54:30.666 --> 00:54:32.026
AI Fraudster: cyber incident reporting.

00:54:33.026 --> 00:54:35.106
Please enter your credit
union charter number.

00:54:35.186 --> 00:54:37.086
If you don't know it, it's three pounds.

00:54:37.286 --> 00:54:37.536
Okay,

00:54:38.006 --> 00:54:38.706
Kyle Hauptman: I press three.

00:54:39.626 --> 00:54:43.986
AI Fraudster: Please leave your name,
title, bank number, credit union

00:54:43.986 --> 00:54:48.276
name, charter number, the date and
time the incident was identified and

00:54:48.276 --> 00:54:49.846
basic description of the incident.

00:54:49.976 --> 00:54:53.876
Description should include what
functions were or are reasonably

00:54:53.876 --> 00:54:57.426
believed to have been affected or if
sensitive information was compromised.

00:54:58.106 --> 00:55:00.506
Please hang up once your
voicemail is complete.

00:55:00.846 --> 00:55:05.276
If the NCUA requires additional
information, we will contact you shortly.

00:55:05.406 --> 00:55:06.546
Thank you.

00:55:07.546 --> 00:55:10.016
Kyle Hauptman: Alright, um,
shall I leave a message?

00:55:10.356 --> 00:55:12.596
I downloaded the Todd Harper virus.

00:55:12.656 --> 00:55:13.106
What happened?

00:55:13.106 --> 00:55:13.596
What do I do?

00:55:14.246 --> 00:55:15.996
Um, anyway, that's pretty good.

00:55:16.476 --> 00:55:19.676
The only, remember, the simpler you
make it, the more likely you get it.

00:55:20.506 --> 00:55:23.526
Um, and your response rate is going to
be quicker, it's going to be higher.

00:55:23.946 --> 00:55:29.826
Um, I don't know if every person who
calls in all, 24 hours a day, waking up in

00:55:29.826 --> 00:55:32.856
the night at the kid's soccer game would
know, I don't know how well known charter

00:55:32.856 --> 00:55:34.236
numbers are in terms of knowing it.

00:55:34.706 --> 00:55:37.116
But again, we could live with it
if they didn't have that, right?

00:55:37.156 --> 00:55:39.286
Remember, it says either enter your
charter number, and if you don't

00:55:39.286 --> 00:55:42.876
know it, press 3, which then asks for
your charter number, which you only

00:55:42.876 --> 00:55:43.916
hit 3 because you didn't know it.

00:55:44.306 --> 00:55:44.606
Right?

00:55:44.716 --> 00:55:47.436
So, uh, but I still think
we could live with it.

00:55:47.446 --> 00:55:48.746
Just get the call in.

00:55:48.796 --> 00:55:49.416
It's easy.

00:55:49.426 --> 00:55:51.806
Nobody's going to ding you
because you didn't remember every

00:55:51.816 --> 00:55:52.706
digit of your charter number.

00:55:53.376 --> 00:55:55.586
You're the new CTO, you
just got hired last week.

00:55:55.856 --> 00:55:58.486
I walk up to them right now and
ask them what their employer's

00:55:58.496 --> 00:55:59.476
charter number is, right?

00:55:59.706 --> 00:56:00.536
A lot of people won't know.

00:56:00.746 --> 00:56:02.526
But my point is, I don't
want people to get hung up.

00:56:03.076 --> 00:56:06.536
Pick up the phone, call that number, it's
very easy to leave it, you have done.

00:56:06.826 --> 00:56:10.486
And like it says, we'll get back
to you if, uh, we need more.

00:56:11.266 --> 00:56:13.526
This is not a step, the
incident reporting, a lot

00:56:13.526 --> 00:56:14.446
of people aren't doing it.

00:56:15.181 --> 00:56:19.041
Uh, they can choose not to do it if
they want to, but I just want people to

00:56:19.041 --> 00:56:22.471
know that there's very little roadblock.

00:56:22.471 --> 00:56:23.391
It's very simple to do.

00:56:23.401 --> 00:56:25.881
This is not some complicated
bureaucratic form where you're going

00:56:25.881 --> 00:56:27.151
to have to look up a bunch of stuff up.

00:56:27.181 --> 00:56:31.261
You can do it in your shorts
and your dad's shoes on the

00:56:31.261 --> 00:56:32.451
side of the soccer game.

00:56:32.481 --> 00:56:34.221
You know, um, easy to do.

00:56:34.261 --> 00:56:37.031
Anyway, uh, I will, uh, stop there.

00:56:37.031 --> 00:56:42.506
I just want to ask, um, The incident
reporting, uh, the presentation, you

00:56:42.506 --> 00:56:43.796
showed us the incident reporting form.

00:56:43.826 --> 00:56:44.846
Where is that going to live?

00:56:44.866 --> 00:56:46.276
Just a good time to remind people.

00:56:46.476 --> 00:56:46.676
Staff cyber2: Sure.

00:56:46.726 --> 00:56:49.316
Um, it, the, the form
will live on the ncua.

00:56:49.536 --> 00:56:52.836
gov, the public website on the
cybersecurity resources webpage.

00:56:53.286 --> 00:56:55.926
Um, and, uh, it will go live in December.

00:56:56.156 --> 00:56:56.706
Kyle Hauptman: In December.

00:56:56.866 --> 00:56:59.156
Staff cyber2: And we will be updating
the, the quick reference guide,

00:56:59.156 --> 00:57:02.166
the, the, the contact card that you
mentioned earlier, um, as well as

00:57:02.196 --> 00:57:03.996
providing instructions on how to use it.

00:57:04.136 --> 00:57:07.006
Kyle Hauptman: Sounds like a not a
bad thing to also actively push out.

00:57:07.381 --> 00:57:09.471
People obviously don't check our
website, and they wouldn't know

00:57:09.471 --> 00:57:11.581
that there was something new to
check in the first place, right?

00:57:11.681 --> 00:57:15.281
We could push it out, see attachment,
print this out, tape your, you know, desk.

00:57:15.311 --> 00:57:16.751
Um, that concludes my remarks.

00:57:17.451 --> 00:57:18.791
Todd Harper: Uh, thank you so much.

00:57:18.811 --> 00:57:23.501
One of the things I like about everybody
putting it into their contact list is it

00:57:23.501 --> 00:57:28.011
helps protect against malvertising, uh,
when they do the search, um, overall.

00:57:28.321 --> 00:57:32.091
Um, I, I, I'd like to actually take
your suggestion one step further.

00:57:32.501 --> 00:57:36.641
Perhaps we could update our examination
guidelines, that we push out that two

00:57:36.641 --> 00:57:42.011
pager, uh, to everybody at every exam and
just make it a normal course of business.

00:57:42.041 --> 00:57:42.791
Physically hand it to them.

00:57:42.791 --> 00:57:43.911
Physically hand it to them.

00:57:43.921 --> 00:57:45.841
I think that that would
be a great way to do it.

00:57:46.121 --> 00:57:48.431
Um, Board Member Otsuka,
you're now recognized.

00:57:49.431 --> 00:57:50.201
Tonya Otsuka: Thank you, chair Harper.

00:57:50.241 --> 00:57:53.641
Um, and thank you, Dave and Todd for
the briefing, um, and for your work

00:57:53.671 --> 00:57:57.401
to keep the NCUA and the credit
union system safe from cyber attacks.

00:57:57.871 --> 00:58:02.281
Um, you know, as you mentioned during
the briefing, cyber attacks come in

00:58:02.281 --> 00:58:07.881
all forms, ransomware attacks to ATMs,
emails, and it can affect credit unions

00:58:08.031 --> 00:58:12.401
of all sizes. A credit union having
to pay millions of dollars to a hacker

00:58:12.401 --> 00:58:16.911
to retrieve its own customers' data hurts
credit union members, reduces trust in the

00:58:16.911 --> 00:58:20.641
greater system and potentially negatively
affects the share insurance fund.

00:58:21.121 --> 00:58:24.311
So, I'm happy to support the work that
you and your team are doing to implement

00:58:24.311 --> 00:58:28.051
the new cyber incident reporting web
form and continue to build out the

00:58:28.051 --> 00:58:29.931
information security exam program.

00:58:30.521 --> 00:58:33.081
Um, just want to clarify one thing.

00:58:33.556 --> 00:58:37.816
Credit unions, um, I think it's great
that we all that we demonstrated

00:58:37.816 --> 00:58:39.466
how easy it is to report.

00:58:40.016 --> 00:58:45.306
Um, can you remind us all how long
credit unions have to report, um, what

00:58:45.306 --> 00:58:50.636
the timeframe is, um, especially seeing
is how it's so easy to do and, um, you

00:58:50.636 --> 00:58:52.166
know, whether it's required to do so.

00:58:53.166 --> 00:58:54.016
Staff cyber2: I'll take that question.

00:58:54.046 --> 00:58:55.006
Uh, thank you for the question.

00:58:55.356 --> 00:58:59.626
Uh, the credit union should report,
uh, within 72 hours from when

00:58:59.626 --> 00:59:02.306
they recently believe, uh, that
there's been a cyber incident.

00:59:03.306 --> 00:59:03.976
Tonya Otsuka: Okay, great.

00:59:04.976 --> 00:59:12.576
And, um, what, uh, kind of what
we're looking for, right, is for

00:59:12.626 --> 00:59:14.166
incidents at the credit union.

00:59:14.376 --> 00:59:17.736
Are we also looking for incidents
that third parties, anything affecting

00:59:17.736 --> 00:59:19.586
the credit unions operations?

00:59:20.586 --> 00:59:20.816
Yes.

00:59:21.256 --> 00:59:21.546
Okay.

00:59:22.546 --> 00:59:22.836
Okay.

00:59:22.836 --> 00:59:23.126
Great.

00:59:23.346 --> 00:59:23.906
Thank you.

00:59:24.486 --> 00:59:28.426
Um, and, you know, I'd also be
remiss if I didn't highlight.

00:59:28.686 --> 00:59:33.336
You know, something that chair
Harper, I think, raised that the, um.

00:59:34.336 --> 00:59:37.566
Needs 3rd party vendor authority
to fully safeguard our system of

00:59:37.566 --> 00:59:39.476
cooperative credit from cyber threats.

00:59:39.786 --> 00:59:46.376
I think that chart that you all presented,
um, of the percentage of of, uh,

00:59:46.416 --> 00:59:48.616
incidents involving 3rd parties is really.

00:59:49.616 --> 00:59:52.966
It demonstrates that that's really
where a lot of the issues are,

00:59:52.966 --> 00:59:55.996
and I've talked to a lot of credit
unions who have had difficulties

00:59:56.996 --> 01:00:01.006
when they have those incidents with
their 3rd party service providers.

01:00:01.556 --> 01:00:06.116
Um, you know, we lack the critical
oversight of 3rd party vendors that our

01:00:06.906 --> 01:00:10.936
banking agency counterparts have, um,
and I know credit unions kind of have
and I know credit unions kind of have

01:00:10.936 --> 01:00:15.766
to turn to a lot of 3rd party service
providers in a lot of ways to do back

01:00:15.766 --> 01:00:17.626
office operations to protect data.

01:00:18.066 --> 01:00:21.606
Um, but these 3rd parties can also
be exploited as backdoors into

01:00:21.606 --> 01:00:23.136
credit unions processing systems.

01:00:23.796 --> 01:00:27.991
Um, and so we've seen how the agency's lack
of authority and limited insight into a

01:00:27.991 --> 01:00:32.751
critical component of the credit union
ecosystem has impacted our ability,

01:00:32.751 --> 01:00:37.151
the ability to help credit unions
respond to credit, to, excuse me, to cyber

01:00:37.151 --> 01:00:39.871
threats, cyber attacks in real time.

01:00:40.381 --> 01:00:41.421
And I think.

01:00:41.851 --> 01:00:47.111
You know, I've also, um, uh, I also
understand it hinders us, um, in

01:00:47.111 --> 01:00:50.261
some ways from working with other
agencies to minimize vulnerabilities

01:00:50.261 --> 01:00:52.221
in the broader financial system.

01:00:52.241 --> 01:00:55.141
So, I just want to say, I do think
it's imperative that we continue to

01:00:55.141 --> 01:00:58.991
work with Congress to restore this
much needed authority to the NCUA.

01:00:59.461 --> 01:01:03.261
Um, and before I conclude, just kind
of circling back to cyber incident

01:01:03.261 --> 01:01:07.691
reporting more generally, you know,
I, I do think that's really great.

01:01:07.721 --> 01:01:10.761
And I think the work that you and
your team are doing to build a more

01:01:10.761 --> 01:01:13.161
robust program is really, really great.

01:01:14.161 --> 01:01:14.881
Important.

01:01:15.881 --> 01:01:22.661
Remember, you know, I think the as a
government agency, we, I think credit

01:01:22.661 --> 01:01:26.861
unions, of course, have responsibility
to manage their operations to manage

01:01:26.861 --> 01:01:30.451
their credit unions themselves,
but we have a responsibility to

01:01:30.451 --> 01:01:32.231
make sure that they are doing.

01:01:32.231 --> 01:01:36.961
So, in a safe and sound way that
protects the members, because

01:01:37.561 --> 01:01:39.081
credit union members who are.

01:01:39.521 --> 01:01:42.101
Working, we're taking
care of their families.

01:01:42.321 --> 01:01:47.151
They don't have time or the expertise
to double check whether their credit

01:01:47.161 --> 01:01:52.851
union is monitoring their 3rd party
systems or, you know, paying attention

01:01:52.851 --> 01:01:56.981
to the latest cyber threats that might
be happening credit union members.

01:01:57.891 --> 01:01:59.161
They don't have time for that.

01:01:59.171 --> 01:02:01.261
That is what our job is as the NCUA.

01:02:01.591 --> 01:02:05.061
We are there to protect members
and members' hard-earned money.

01:02:05.811 --> 01:02:09.171
And so I just want to say, thank
you to you and your team for all

01:02:09.171 --> 01:02:14.601
the work and, uh, you know, look
forward to, um, to more more to come.

01:02:14.621 --> 01:02:15.241
So thanks.

01:02:15.291 --> 01:02:15.881
Appreciate it.

01:02:16.411 --> 01:02:16.641
Thank you.

01:02:17.641 --> 01:02:21.061
Todd Harper: And thank you so much for
those observations, Board Member Otsuka.

01:02:21.431 --> 01:02:26.011
Uh, thank you also, Todd and David,
uh, for being here, uh, on this

01:02:26.011 --> 01:02:29.471
important briefing that concludes
our first item of business.

01:02:30.051 --> 01:02:31.481
Samantha: This concludes the briefing.

01:02:32.143 --> 01:02:36.323
If your Credit union could use assistance
with your exam, reach out to Mark Treichel

01:02:36.323 --> 01:02:39.083
on LinkedIn, or at Mark Treichel dot com.

01:02:39.623 --> 01:02:42.283
This is Samantha Shares and
we thank you for listening.