Federally insured credit unions reported 1,072 cyber incidents from Sept. 1, 2023, to Aug. 31, 2024, and 70% of those involved a third-party vendor, their federal regulator told credit unions in a letter Monday that also underscored board directors’ role in overseeing cybersecurity.
In a letter signed by board Chairman Todd Harper, the National Credit Union Administration urged boards of federally insured credit unions to “prioritize cybersecurity as a top oversight and governance responsibility.”
“Credit union board directors like you must ensure that a credit union’s senior leadership is highly focused on managing cyber risks and that your credit union has the necessary resources to maintain an effective cybersecurity program that aligns with the products, services, and risk profile of your institution,” Harper wrote.
He zeroed in on four key areas for attention:
- Provide for recurring training: “Your credit union board needs to stay aware of the specific cyber risks that pertain to your credit union’s operations and the implications of these risks. Board members don’t need to be technical experts, but they must know enough about cybersecurity to provide effective oversight and direction for the executive team and subject matter experts.”
- Approve information security program: “Your board must approve a comprehensive information security program that meets the requirements of Part 748 of the NCUA’s regulations, which includes risk assessments, security controls, and incident response plans.” He also recommended reviewing the program annually.
- Oversee operational management: “Your board is responsible for overseeing management of the credit union,” with attention to eight cybersecurity areas: third-party due diligence; embedding cybersecurity and operational resilience into the organizational culture; resources; vulnerability/patch management and threat intelligence; the audit function; reporting; protecting and managing backups; and membership education.
- Plan for incident response and resilience: “This planning may involve identifying alternative processes or systems that can be utilized during an outage. Consistent with statutory requirements, the NCUA’s regulations require that a federally insured credit union that experiences a reportable cyber incident must report the incident to the NCUA as soon as possible and no later than 72 hours after the credit union reasonably believes that it has experienced such an incident.”
“Cybersecurity is not just an ‘IT’ issue,” Harper wrote in conclusion. “It must be a critical component of any credit union’s overall governance and risk-management strategy. A cyber incident can have far-reaching consequences, not only affecting your institution’s financial stability but also potentially impacting the entire financial services system while eroding member trust and damaging your credit union’s reputation.”
Letter to credit unions 24-CU-02: Board of Director Engagement in Cybersecurity Oversight