NCUA Board Member Rodney E. Hood Statement on Board Briefing, Cybersecurity Update

As Prepared for Delivery on April 21, 2022

If there’s one issue we face that keeps me up at night, it’s cybersecurity. It’s one of the top concerns I hear about when I talk to leaders in the credit union industry. I wish we could say that, after having focused on the threat for so long, we’re making progress toward a solution. But unfortunately, that’s simply not the case, given the evolution of cyber threats.

As such, we have to accept that cyber security threats are an ongoing risk, both to financial institutions’ operations and to their reputations. Moreover, we have to accept that the risk is a moving target. For example, a few years ago, most of us worried more about data breaches than ransomware attacks, in which a threat actor seizes control of a system and demands a ransom to be paid. But according to IBM Security’s Intelligence Threat Index for 2022, ransomware attacks were the most common type of cybersecurity incursion last year.

The unfortunate downside to our system of greater connectivity is that it does create more points of vulnerability. And while we see a great deal of focus on cyber threats from nation-state actors, those make up a relatively smaller percentage of cyberattacks. The most serious threats are more likely to come from cybercriminals or from internal security threats, which can be either malicious or inadvertent. Every credit union must recognize that their institution is just one wrong email or malicious link away from being on the front pages.

Given those realities, even those of us who favor a more balanced approach to regulation recognize that the agency’s cyber security review and supervision capabilities will necessarily have to be more robust.

When it comes to data protection and data security, credit unions need to lead the way, so don’t wait until your institution is compromised and your members are victims. I urge you to make use of the resources that are already available, and as a starting point, I recommend the cybersecurity assessment software that the NCUA released in December.

We all have to accept that cyber security will be an ongoing responsibility. Gone are the days when you can have a vendor provide you with an add-on patch to address a vulnerability and move on. Today we need to be thinking “defense in depth” when it comes to cyber security. That means not only addressing vulnerabilities and recognizing threats but also having response plans should be in place that not only identify vulnerabilities but also catch attacks in real-time and proactively prevent their impact on an institution. It also means focusing on hardening and constantly upgrading systems against not only external but also internal threat actors, and working to educate and train employees and managers on a full range of potential threats.

This won’t be easy, but it’s the non-negotiable reality of today’s world. The NCUA stands ready to work with credit unions to ensure that your institutions have the needed tools to stop these threats in real-time, and to protect the safety and soundness of the credit union system.

I do have several questions:

• How do we look at crypto as it relates to cybersecurity?
• Can you talk about the status of tabletop exercises and what you are seeing?
• Do you believe that ransomware identification programs that relay data to credit unions may often be too late to fix the breach? In other words, are programs that automatically fix credit union’s systems in real time a more appropriate solution, even if more costly?