NCUA outlines cybersecurity focus for remainder of 2021

The National Credit Union Administration plans to hold a “tabletop exercise” this summer related to emerging fraud threats and cybersecurity, similar to a session last summer on ransomware.

The agency’s board received a cybersecurity briefing Thursday during its monthly board meeting, part of an ongoing series of updates put in place during board member Rodney Hood’s chairmanship. Johnny Davis, NCUA’s special adviser to the chairman on cybersecurity and director of critical infrastructure in the agency’s office of examinations and insurance, suggested cyberattacks tied to the pandemic — particularly scams related to stimulus payments or to COVID-19 itself — continue to be a risk for credit unions.

“Making yourself a harder target by addressing cyber-hygiene components remains important,” he said Thursday, emphasizing the importance of organizational awareness and training on cybersecurity practices, along with monitoring access and ensuring adequate and effective security controls are in place.

Attacks against virtual private networks are also on the rise, and they can impact supply chains for credit unions, Davis said. Many credit unions began using VPNs more during the pandemic as employees shifted from working at the office to working from home.

While the agency has an online FAQ related to supply chain attacks, the August tabletop exercise will focus on that topic as well.

Despite those risks, NCUA Vice Chairman Kyle Hauptman noted, many of the losses to the National Credit Union Share Insurance Fund come from internal threats. “Turns out, often the real problem is the employees who are already inside,” he said.

Davis suggested the agency has an opportunity to increase required examination criteria to include an “emphasis on certain privacy and security controls that lend themselves to identifying and deterring fraud, especially around access management.” He added that the regulator hopes to offer a forum this fall, tied to Cybersecurity Awareness Month in October, to talk credit union leaders through best practices for implementing insider-threat detection programs and watching for alerts and behaviors that help identify abnormalities that could expose fraud.

Hood also suggested Congress reassess the NCUA’s request for third-party vendor oversight once the pandemic ends. For more than two decades, the regulator has asked lawmakers to permit it to oversee vendors for cybersecurity risks, but outside of legislation proposed in late 2019, the oft-repeated request has not gained traction with lawmakers.

Still, Davis suggested that if granted those powers, the NCUA would need between eight and 11 new staffers to provide adequate oversight, and the full project would cost between $1.7 million and $2 million a year. Hood noted that the Federal Deposit Insurance Corp. does have those powers but has managed to implement them without adding to its budget, and if the FDIC can do that, he said, “it seems reasonable that we can do the same.”

“I think it’s important to note that our focus would only be on those significant service providers in the core processor and payments arenas that are not already covered by the work we do jointly with the FFIEC and our banking counterparts,” Davis said, referring to the Federal Financial Institutions Examination Council. “The selected entities would also need to present a significant concentration risk for credit unions in regards to the services and products being consumed.”

The board on Thursday also discussed an interim final rule, approved earlier in the month by notation vote, which modifies certain regulatory requirements on prompt corrective action intended to provide relief to credit unions during the pandemic. The rule is essentially a renewal of a measure implemented last year that expired at the end of December.

“At some point, the rate of share growth will return to normal patterns,” said Chairman Todd Harper. “Until then, the NCUA will continue to have its experts focus on the fundamentals of risk management and governance … rather than the financial and economic shocks of last year.”
