NCUA Report: CUs Have ‘Significantly Improved’ IT & Security Programs
The NCUA’s cybersecurity report to lawmakers also makes another case for third-party vendor authority.
On Wednesday, the NCUA released its annual cybersecurity report to lawmakers explaining how the agency and the credit union industry has strengthened cybersecurity efforts. Overall, the report found glimpses of positive progress in the fight against cyber-related crimes, but expressed the need to have more authority over third-party vendors to help decrease risks to the credit union system.
The 27-page “Report to the Committee on Financial Services of the House of Representatives and to the Committee on Banking, Housing, and Urban Affairs of the Senate on Cybersecurity and Credit Union System Resilience” outlined three areas of cybersecurity focus for the NCUA. Those areas included:
- Information on the policies and procedures to address cybersecurity risks.
- Activities to ensure effective implementation.
- Current or emerging threats.
On the positive side, according to the report, “In response to the policies, procedures, and activities making up the NCUA’s IT examination program, credit unions have significantly improved their IT programs. Over the last 4 years, IT risk factors requiring immediate attention (which are issued to credit unions in the form of documents of resolution) have decreased.”
Concerning the report, NCUA Board Chairman Todd Harper said, “The actions outlined in this comprehensive report demonstrate the NCUA’s commitment to promoting a secure and resilient environment for credit unions and their members. Recent agency efforts to address cybersecurity risks, including implementation of the scalable Information Security Examination procedures at credit unions, training and support programs, and the cyber incident notification rule, are described in the report.”
Harper continued, “Additionally, the report to Congress details the significant risks and challenges facing the credit union system and the financial system because of the NCUA’s lack of authority over third-party vendors. I continue to call on Congress to close this growing regulatory blind spot.”
Officials with NAFCU and CUNA have expressed their objections to the NCUA expanding any type of authority over third-party vendors, as, according to NAFCU, “these vendors are already examined by other regulators.”
According to the NCUA, cybersecurity-related issues will remain a “supervisory priority” for 2023 by promoting best practices and credit union information system reviews.
“Building upon its industry outreach efforts, the NCUA will continue to provide guidance and resources to assist credit unions with strengthening their cyber defenses throughout the year,” the agency stated.