For nearly two decades, the NCUA has been asking for oversight of third-party vendors, and for nearly two decades, that request has been denied by Congress.

However, if Congress took the advice of the U.S. Government Accountability Office, lawmakers would be one step closer to completing the recommendations the GAO provided in a new cybersecurity report released on July 2.

The report focused specifically on how to prevent cybersecurity hacks and referenced the Target breach that cost banks and credit unions more than $200 million.

Tim Segerson, deputy director for the NCUA's Office of Examination and Insurance, said that while small institutions have a lower risk level for breaches because they are less attractive and less profitable to criminals, they are also less likely to be suited to evaluate the platform they contract to use.

"As the smallest institutions rely heavily on third parties, a failure at one of the third parties could result in a single point of failure affecting hundreds of credit unions around the country," Segerson said.

With cybersecurity hacks and the government's failure to protect Americans' financial data making headlines recently, CU Times reached out to the members of Congress who ordered the report to discuss whether they will reconsider offering the NCUA oversight authority. The members of Congress who asked for the GAO report were Sen. Shelley Capito (R-W. Va.), Rep. Sean Duffy (R-Wis.), Rep. Randy Neugebauer (R-Texas) and Rep. Patrick McHenry (R-N.C.). None of the four commented on the report and its findings despite repeated requests from CU Times.

The NCUA is the only regulator that does not have authority to examine third-party vendors, and obtaining that authority remains the NCUA's top legislative priority.

However, not everyone feels that the NCUA should have that oversight or that it would indeed keep smaller credit unions safer from cybersecurity hacks.

NAFCU Director of Regulatory Affairs Alicia Nealon called the move unnecessary.

"As we have consistently maintained, NAFCU believes the agency's bid for third-party vendor examination authority is unnecessary given that the NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships," Nealon said. "While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand-in-hand."

Other organizations support the NCUA in obtaining authority to examine third-party vendors' data; however, that is where the support stops. Some are concerned that complete authority over third-party vendors would give the NCUA the ability to complete financial examinations as well.

NASCUS President/CEO Lucy Ito said the NCUA should rely on exams already administered by state agencies.

"Since year 2000, and the concern about the Y2K date changes, NASCUS has been on record in support of the NCUA's desire to obtain examination authority over technology service providers," Ito said in a statement following the release of the GAO's report. "However, NASCUS supports this authority over technology service providers to the extent that the agency will rely on exams of these entities that are already administered by state credit union supervisory agencies to the maximum extent feasible. This would reduce system redundancy, minimize regulatory burden and foster interagency cooperation and coordination while also strengthening cybersecurity across the industry."

Other concerns over the NCUA receiving authority over third-party vendors have focused on whether the NCUA has the budget to conduct the IT examinations.

NCUA spokesman Ben Hardaway said the organization would redeploy existing resources.

"It is not the NCUA's intention to regularly examine third-party vendors," he said. "We would do so only when red flags present themselves, based on the information received from credit union service organizations and other third-party vendors. The vast majority of these service providers do not represent a widespread risk to the system. The NCUA would concentrate its time and resources on the minority that do. This approach will help prevent any material change in the agency's budget and resources."

He said it would be a cost-saving measure for small credit unions over time due to the fact that many institutions use the same vendors.

"In this instance, being able to address a weakness at the source – in this case the service provider – could save the agency and credit unions time and resources by eliminating the need to address the same issue over and over again at hundreds of credit unions," he said.

Segerson said having third-party vendor authority would not lessen the need for credit unions to perform due diligence over their service providers.

"But, it would significantly streamline our presence at credit unions as we attempt to evaluate the robustness of their service providers indirectly during the examination process, as part of our risk assessment of the credit union," he said.

Ryan Donovan, CUNA's chief advocacy officer, said he's not convinced it would be necessary.

"CUNA opposes new statutory authority for the NCUA to regulate and supervise directly CUSOs or other third-party entities that provide products and services to credit unions," he said. "Credit unions are subject to due diligence requirements with respect to their relationships with third-party vendors; we believe that through the supervisory process the NCUA has sufficient authority to ensure that the vendors on which credit unions rely follow sound information security practices."

The report also pointed out that when regulators had done the examinations, there was no concrete way to store and review the data across all the financial institutions and all the regulating agencies.

NAFCU Vice President of Legislative Affairs Brad Thaler said the NCUA receiving the authority isn't likely to happen anyway.

"Congress specifically had this authority sunset after granting it in a limited sense for Y2K and has consistently rebuffed the agency's efforts to gain this power on a more permanent basis," Thaler said.
