Introduction

Every year, the National Credit Union Administration (NCUA) provides a Cybersecurity and Credit Union System Resilience Report to highlight rising threats and the vulnerabilities that credit unions may face. This year, it is apparent that there is a growing challenge to prevent and stay on top of these attacks, but the NCUA is making strides to protect the Credit Union System from bad actors.

The NCUA has always been transparent about its views on these sorts of risks and assessments. It has spent the last few years encouraging credit unions and other financial institutions to be aware of these threats and to gain more knowledge on how to prevent them. Cybersecurity should be a serious factor for any business, especially financial institutions. There are many resources that you can take advantage of to prevent these malicious attacks.

It’s no mystery that the NCUA has had problems keeping up with the threats. It has continually pulled in various other resources to assist, including the FFIEC, FSOC, FBIIC, Financial Services Sector Coordinating Council, the US Department of the Treasury, and CISA. With these federal and state regulatory agencies, the NCUA is looking to become more thorough in audits and reviews of their cybersecurity program.

The Information Security Examination Program

Credit unions have always been under examination by the NCUA. It can be a trying time, but it’s important to make sure that everything is being followed. Examiners will highlight anything that is wrong to make sure that your credit union is protected against bad actors and hackers. There are a few specific things that they look for, as specified in the resilience report:

ISE Program

The ISE program was put into place last year, in 2023, to give even smaller credit unions the same protection that the larger ones were taking advantage of. It evaluates management’s experience with the credit union’s information technology and the risks that come with it. ISE also assesses the credit union’s readiness and plans to manage information technology systems, along with the effectiveness of IT controls and safeguards. The board of directors is also considered, to see whether it has acceptable governance over these networks and systems.

Credit Union Service Organization (CUSO) Reviews

This specific review is for a credit union that has at least one federally-insured credit union or provides loans. The NCUA does not have authority over these CUSOs, however, and they may reject any of the NCUA’s recommendations from reviews. The NCUA is looking to restore this, though.

ACET Maturity Assessment

The Automated Cybersecurity Examination Tool (ACET) Maturity Assessment is a voluntary tool provided and maintained by the NCUA. It is an extensive tool for assessing information security programs, giving standards and practices for these financial institutions. It can also determine an institution’s risk exposure by identifying network architecture and the adequacy of corresponding controls.

Industry Efforts

While the NCUA is providing quite a bit of guidance, the administration looks to the financial institutions for participation in certain programs and procedures. Their participation helps protect the credit unions even more. These initiatives are:

• Participating in Information Sharing and Analysis Centers & Organizations
• Following Sheltered Harbor Standards
• Going through Hamilton Series Exercises
• Going over CISA Cyber Hygiene Services

Current and Emerging Threats

Threats and attacks have grown in number over the past few years. As technology evolves, so too do the bad actors that try to get into credit union and bank systems. Financial institutions are some of the biggest targets for these malicious attacks, so the NCUA has highlighted a few risks:

Third-Party Risk

The absence of a third-party vendor authority limits the NCUA’s ability to mitigate potential risks associated with third parties. Credit unions are dependent on these third parties to provide proper audits and assessments of vulnerabilities, but bad actors have taken to attacking and exploiting these as well. The NCUA states that, without authority to supervise and enforce corrective actions, the NCUA cannot effectively protect the credit union industry.

State-Sponsored Cyber Activities

A joint advisory alerts people to cyber actors of the People’s Republic of China who are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks. The NCUA has encouraged credit unions of all sizes to build security awareness, be proactive, and hunt for these threats.

Ransomware Attacks

Ransomware has been a growing concern for many businesses across the world. It is a dangerous script or program that can encrypt entire databases, rendering them inaccessible to the people that need them. The threat of ransomware is still getting bigger, too, especially since ransomware groups sell their code and malware to other hackers.

Quantum Computing and Cryptographic Risks

While not much information is given on this, the US government is concerned with the development and trajectory of quantum technologies that could compromise existing encryption and controls.

AI-enabled Attacks

Artificial Intelligence has become a hot topic across all industries, ranging from writing code to getting advice on certain things. With the use of AI, however, bad actors can provide even more attractive options for phishing, vishing, and other social engineering. They can also use AI to amplify threats, stealing data at an even faster speed and finding specific vulnerabilities that may be overlooked.

Conclusion

The NCUA has provided its Cybersecurity and Credit Union System Resilience Report for 2024. Cybersecurity is becoming a bigger concern as threats have grown in complexity and sophistication. The NCUA has provided a few reminders of resources available to credit unions, along with going over the concerns for the new year. It continually tries to better itself and the industry so that it can protect against bad actors.

There are a few notable concerns that the NCUA has identified for 2024. They include third-party risk, state-sponsored cyber activities, ransomware attacks, quantum computing and cryptographic risks, as well as artificial intelligence-enabled attacks. All of these things are growing more and more widespread across the world, so it’s important to know exactly what you need to do when it comes to these sorts of things.

Eddy Berry, Security Research Analyst

Eddy has been researching cybersecurity for a few years now. Finding specific trends and best practices is something he takes pride in, assisting in finding news and government regulations that are on the rise. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those that need them.