
NCUA's Take On Cyber Security




Third-Party Vendors and Ransomware: NCUA's October Cybersecurity Warning to Credit Unions


The message from NCUA's October 2024 cybersecurity briefing was clear: cyber threats to credit unions are escalating, and the biggest vulnerability may be hiding in plain sight – third-party vendors. As the financial sector continues to digitize, this stark reality demands attention from credit union leaders at all levels.


The Numbers Tell the Story


In just one year (September 2023 - August 2024), credit unions reported over 1,000 cyber incidents to the NCUA. Here's the kicker: nearly 70% of these incidents involved third-party service providers. Even more concerning, these 742 third-party-related incidents stemmed from just 13 specific events, highlighting how a single breach can cascade through the system.


A Single Point of Failure


"Far too often, we see that third-party service providers are a weak link in the financial system," warned NCUA Chairman Todd Harper. This vulnerability is particularly troubling because approximately 90% of the industry's assets are managed or touched by third-party providers – currently operating without NCUA oversight.


The High Cost of Attacks


When cybercriminals target credit unions, they're not thinking small. Ransom demands typically range from $1 to $10 million, usually demanded in Bitcoin. One recent attack on a $10 billion credit union compromised personal information of over 1 million members and employees.


New Threats on the Horizon


While ransomware and business email compromises remain prevalent, a new threat has emerged: malvertising. This sophisticated attack injects malicious code into digital advertisements, potentially infecting systems without requiring any clicks. A simple internet search can trigger these malicious ads, making traditional security measures less effective.


Key Action Items for Credit Unions


1. Strengthen Your Defenses

- Maintain offline encrypted backups

- Implement zero trust architecture

- Deploy ad-blocking software

- Apply system patches and updates regularly


2. Prepare for Incidents

- Create and regularly test incident response plans

- Develop clear communication protocols

- Save the NCUA reporting number: 1-833-CYBERCU


3. Focus on Third-Party Risk

- Review vendor relationships

- Assess potential risks

- Strengthen due diligence processes

- Monitor vendor cybersecurity practices


Report Early, Report Often


Credit unions must report cyber incidents within 72 hours of discovery. The NCUA has made this process straightforward:

- Call 1-833-CYBERCU (1-833-292-3728)

- Coming in December: A new web-based reporting form


The Role of Leadership


Credit union boards don't need to be technical experts, but they must:

- Approve information security programs annually

- Review programs regularly

- Oversee operational management

- Ensure proper third-party due diligence

- Maintain incident response plans


Free Resources Available


The NCUA highlighted several free government resources:

- CISA Regional Cybersecurity Experts

- Automated vulnerability scanning

- Known exploitable vulnerabilities list

- Threat information feeds

- Treasury Department clearance program for critical infrastructure


Looking Ahead


The financial services sector remains the fifth most targeted critical infrastructure sector, and attacks show no signs of slowing. Credit unions must remain vigilant and proactive in their cybersecurity efforts.


"These incidents highlight significant vulnerabilities to the $2.3 trillion federally insured credit union industry and our nation's interconnected critical financial infrastructure," Chairman Harper emphasized. "We cannot afford to leave these vulnerabilities unchecked."


Take Action Now


1. Save the NCUA cyber incident reporting number in your contacts

2. Review your third-party vendor relationships

3. Update your incident response plans

4. Implement the recommended security measures

5. Train staff on current threats and responses


Remember: in cybersecurity, it's not a matter of if but when an incident will occur. The key is being prepared and responding quickly when it does.


For more information and resources, visit the NCUA's cybersecurity resources webpage or contact your regional NCUA office.


[Note: This blog post is for informational purposes only and does not constitute legal advice.]

