NCUA Board Member Rodney E. Hood Statement Following the Board Briefing, Cybersecurity

October 2022
Rodney E. Hood

NCUA Board Member Rodney Hood speaks during the October 2022 NCUA Board Meeting at the NCUA’s headquarters in Alexandria, Virginia.

As Prepared for Delivery on October 20, 2022

A cyber incident that compromises data security is every business leader’s nightmare. In recent months, news reports indicate credit unions in Florida, New Mexico, and across Canada, among others, have been targeted in cybercrime attacks.

In an interconnected world, we simply can’t take cybersecurity for granted. October is Cybersecurity Awareness Month, which is a good time for credit unions and the NCUA to review cyber plans and procedures to ensure institutions are prepared to face a cyber event.
 
In April, the NCUA’s Critical Infrastructure Division provided the NCUA Board with an update on today’s threat landscape. We know that with today’s geopolitical tensions, the risk of cyber warfare has grown. State actors like China, Iran, and Russia have previously launched disruptive and invasive cyber-attacks against U.S. networks, both government and private sector, and are likely to continue doing so.

Likewise, cybercriminal networks have evolved and become increasingly sophisticated in their operations. For example, a few years ago, most of us worried more about data breaches than ransomware attacks, in which a threat actor seizes control of a system and demands a ransom to be paid. But IBM Security’s 2022 Intelligence Threat Index found that ransomware attacks have emerged as the most common type of cybersecurity incursion. Such incidents bring high costs in the form of financial losses, lost time and productivity, and reputational damage, so credit unions should be asking if they have appropriate cyber hygiene and the appropriate controls in place.

And, of course, what may be the most likely threat for financial institutions, and particularly smaller institutions, is the insider attack, in which an employee or trusted vendor compromises an institution’s data. That can be purposeful or inadvertent. We’ve all heard stories about employees clicking on malicious links in phishing emails or sharing passwords or other security credentials with unauthorized personnel in tech support scams.

Adding to the concern is that as financial technology tools and systems become more widespread and integrated into the mainstream of financial industry operations, credit unions will need to be prepared for additional potential cybersecurity risks. On balance, we expect fintech to be a tremendous benefit, but it’s a reality that new tools are likely to present new vulnerabilities.

The good news is that while the threats continue to grow and evolve, so does our ability to counter those threats.

Finally, open communication is critical. The NCUA Board is considering a proposed rule requiring credit unions to report substantial cyber incidents within a reasonable period of time. Such requirements are not intended to punish credit unions or create a reporting burden, but to give us a better understanding of the frequency and severity of threats, so we can work with credit unions more effectively in developing responses.

Unfortunately, cybersecurity isn’t one of those areas where you can just “set it and forget it” — it’s an ongoing commitment. Due to the nature of the threat, we all need to make cybersecurity a top priority to protect credit unions, our employees, and members.

I do have one question: last Thursday, the NCUA hosted a cybersecurity webinar on Ransomware in the Financial Sector featuring a panel of experts from the FBI, U.S. Treasury, and the Wisconsin Department of Financial Institutions. If credit union officials and staff did not have a chance to attend, will NCUA be archiving the webinar?

I have no questions or further comments.

Last modified on 10/20/22