Cybersecurity Is a Shared Responsibility
While two new NCUA measures will strengthen CU security, we must also push for supervisory authority over third-party vendors.
Cybersecurity threats and data breaches keep me up at night.
The digital world in which we now live is continuously changing. Private eyes are watching us nearly everywhere in the virtual world. Ransomware, malware, supply-chain vulnerabilities, social engineering, business email compromises, insider threats and other forms of cyber intrusion that we haven’t even imagined yet are a clear and present danger to all credit unions, requiring ongoing measures for rapid detection, protection, response and recovery.
For its part, the NCUA recently announced two measures that strengthen the credit union system’s security and resiliency.
First, the NCUA’s new Information Security Examination program standardizes the examination of credit union information security and cybersecurity programs, and enhances the agency’s ability to identify deficiencies across the industry. The ISE program is flexible and adapts to all credit union asset sizes and complexity levels while providing examiners with standardized review steps to allow advanced data collection and analysis. These new procedures will assist the credit union system in preparing for, withstanding and recovering from cybersecurity threats.
The second measure is an early warning regulatory framework to strengthen the credit union system’s defenses against the bad actors who perpetrate cyberattacks. Just days ago, the NCUA board approved the cyber incident reporting final rule that sets parameters for what constitutes a reportable incident and the minimum notification requirements. Under this final rule, a federally insured credit union must notify the NCUA as soon as possible, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred. This rule aligns the NCUA’s requirements with the reporting framework of other federal banking regulators.
As more incidents are reported, a reservoir of knowledge, experience and best practices is developed from which every credit union stands to benefit. This information has a potentially wide-ranging impact beyond the credit union system. For example, additional data points on cyber incidents can assist law enforcement and intelligence agencies in providing advanced warnings to other organizations within our nation’s critical infrastructure. When credit unions report these incidents, they help keep our country secure from similar cyberattacks elsewhere.
While these two measures will aid in the fight against cyberattacks, we must still address the growing regulatory blind spot that exists because the NCUA lacks authority over third-party vendors. Cyber risk in the credit union system often lurks in the ether beyond the NCUA’s reach, namely within CUSOs and third-party service providers that do not have the same level of oversight as bank vendors. As a result, thousands of credit unions, tens of millions of consumers and roughly $2 trillion in assets are exposed to unnecessary risk.
Adopting new technologies is essential for credit unions to remain competitive, especially now. But leaving a hole in the financial system’s defenses means the credit union system is vulnerable to exploitation by cyber criminals, terrorist financiers, fraudsters and other bad actors who threaten our nation’s economic security and the financial well-being of our citizens.
That’s why I will continue to press for legislation allowing the NCUA to build a practical, risk-focused examination program for CUSOs and vendors before significant problems arise. I’m not alone in these concerns. The Government Accountability Office, the Financial Stability Oversight Council and the NCUA’s Inspector General have all recommended congressional action to fix this blind spot.
Until Congress approves such measures, credit unions must implement appropriate controls, due diligence and defenses to safeguard their IT systems, deliver member services, identify potential Bank Secrecy Act violations, protect consumer rights and adopt new technology – safely and securely.
The NCUA stands shoulder to shoulder with the industry and our federal counterparts to ensure the viability of the credit union system and the safety of the Share Insurance Fund. The agency’s Information Security Examination program, cyber incident reporting final rule and push for supervisory authority over third-party vendors are positive steps toward bolstering the credit union system’s resiliency and security.
Todd M. Harper is Chairman of the NCUA, Chairman of the Federal Financial Institutions Examination Council and a voting member of the Financial Stability Oversight Council.