WASHINGTON — NCUA is part of a new working group that includes members of law enforcement, intelligence communities and other financial services regulators, to better understand the cyber threats and vulnerabilities facing banks and credit unions.
The findings of the group over the next several months could impact the agency's supervisory process, announced NCUA Chairman Debbie Matz during CUNA's Governmental Affairs Conference.
"We are working with industry experts to review any necessary changes to our supervisory processes in the wake of increasingly sophisticated cyber-attacks," said Matz. "We are exploring ways to improve information sharing to help us all be better prepared."
In the coming months the working group plans to hold an industry webinar, Matz said, to help CUs better understand current cyber threats, and to share new ways to work together. "NCUA will also be issuing guidance to credit unions based on findings and recommendations of the working group."
Matz used the GAC podium to reinforce NCUA's two key focus areas for the year — the impact of rising interest rates on CU balance sheets and CU cyber security.
Matz reminded credit unions that protecting the shop from cyber thieves is a comprehensive effort that requires the credit union to rely on outside experts as well as internal staff, stay educated and collaborate with other CUs.
She warned credit unions that have yet to feel the sting of a direct fraudster attack not to become complacent, stressing that cyber attacks come from many angles — inside and outside the financial services system.
"No matter how far removed a given data breach is from your credit union, if it affects your members, you can pay dearly — both in terms of your reputation and your balance sheet," said Matz, asking CUs to pay close attention to keeping security tight with vendors.
Matz also pointed out that cyber terrorists are now targeting CUs with denial of service attacks.
"These attacks are like poison-tipped darts," offered Matz. "Where they hit doesn't matter. Once that poison is in the bloodstream, it moves quickly through the system."
Examiners will be looking to see how credit unions are implementing appropriate risk mitigation controls to better protect, detect and recover from cyber-attacks, Matz told GAC attendees. "This includes vendor due diligence, strong password policies, proper patch management, employee training and network monitoring."
Examiners will be paying close attention, as well, to the impact of rising interest rates on CU balance sheets — a point Matz emphasized in an
"With the unemployment rate falling, and the economy gaining momentum, a changing interest rate environment is not only on the way, it is already underway," said Matz.
She cautioned that CUs ignoring the trend are "pitching a tent on a beach at low tide. "You don't want to pitch your portfolio's tent in a low-rate environment when rates are near historic lows and market experts are asking how much will interest rates rise, and how quickly?"
Matz said the uptick in rates during the second and third quarters of last year caused unrealized gains to become unrealized losses for thousands of CUs. "This swing marks a dangerous warning of things to come. For now, these unrealized losses exist only on your books. But paper losses can turn into real losses. That happened during the savings and loan crisis."
Matz asked credit unions to avoid chasing yields while long-term rates are rising and short-term rates remain low, saying the move could "imperil your credit union."
Matz began her GAC speech noting the successes of CUs and NCUA in 2013. She pointed out that safety and soundness metrics remained strong and "trends are moving in the right direction. Net worth and loans are growing. Delinquencies and charge-offs are stable. Membership is at an all-time high."
She also pointed out,
"We are still seeking recoveries in 15 separate lawsuits," stated Matz. "Any further recoveries will reduce future assessments to credit unions. And if we ultimately recover enough money to outpace losses from the corporates' legacy assets, then by 2021 — when the Corporate Stabilization Fund expires — NCUA may even be able to provide a rebate."
