NCUA Chairman Todd M. Harper Remarks at the CUNA Cybersecurity Conference with NASCUS

June 2022
NCUA Chairman Todd M. Harper Remarks at the CUNA Cybersecurity Conference with NASCUS

As Prepared for Delivery on June 20, 2022

Good morning, everyone. Thank you for that warm welcome. And, thank you, John, for the kind introduction. It’s a pleasure to be here with you today.

“The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.”

That’s a direct quote from Robert Morris, the National Security Agency cryptographer and computer scientist, who helped develop the Unix operating system and pioneer many cybersecurity concepts and practices that are still in use today.

What I hope everyone takes away from Morris’s prophetic words is not the futility of defending against cyberthreats, but rather an appreciation of the potential severity of cyberattacks and the urgent need to keep pace with, or better yet, stay ahead of bad actors who perpetrate such attacks.

In public appearances, I am often asked what keeps me up at night.

The answer, almost always, is the risks that cyberattacks and data breaches pose to our financial system, especially within the credit union sector.

So, I cannot stress this enough: All of us must remain vigilant and take actions to safeguard our systems.

To be sure, that can be a daunting task, even when we are not experiencing geopolitical threats.

Indeed, the list of attack vectors grows longer by the day, and it now includes: phishing, spear-phishing, ransomware, malware, supply-chain vulnerabilities, social engineering, third-party service providers, business e-mail compromises, and insider threats, among others.

For example, as all of you know, phishing and its variant, smishing, uses email, text messages, and malicious websites and attachments to infect systems and extract personal information by posing as a trustworthy entity.

In an environment where we are all inundated with emails, texts, social media posts, and other messaging competing for our attention, these techniques count on our limited time and short attention spans to separate the proverbial wheat from the chaff.

Unfortunately, the chaff, in this case, is not just electronic junk to be discarded, it is in fact the handiwork of a pernicious and persistent enemy.

COVID-19 Pandemic

So, it should come as no surprise that the COVID-19 pandemic has increased cybersecurity exposure for all, including federally insured credit unions.

Like other regulators in the financial services sector, the NCUA has received increased reports of cyberattacks through phishing, exploitation of remote access vulnerabilities, and other social engineering methods.

In fact, COVID-19-related cyberattacks largely eclipsed the tax-related scams and frauds that are typical in the spring each year.

To combat this issue and protect the credit union system, the NCUA has participated in daily calls led by the Treasury Department and the Financial Services Information Sharing and Analysis Center since the onset of the pandemic.

Russia’s War in Ukraine

What is more, as noted in a presentation earlier this morning, the sources of these attacks have multiplied, as nation-state actors join rogue hackers as cyber intruders bent on crippling the U.S. critical infrastructure.

Today’s interconnected financial system promises greater collaboration, transparency, and consistency.

But, it also means Russia’s war in Ukraine has far-reaching implications beyond that nation’s borders.

Geopolitical tensions arising from Russia’s unjust war of choice raise the specter of malicious cyberattacks against our financial services sector.

Plus, there is significant precedent for Russian use of disruptive and destructive tactics to support military and political objectives, such as sabotage, punishment, undermining public confidence in governments and institutions, and sowing the seeds of political instability.

The U.S. Intelligence Community continues to warn of the potential for imminent Russian cyberattacks in retaliation for U.S. support of Ukraine’s government and the sanctions imposed upon Russia.

The likelihood of threats adversely affecting credit unions and consumers is not only rising because of advances in financial technology and increases in the use of remote workforces and mobile technology for financial transactions, but also because of a lack of cybersecurity awareness, obsolete information technology infrastructure, and cybersecurity policies and procedures.

While the U.S. government has not yet detected specific cyber operations directed at the financial sector or our credit union ecosystem, it has observed “preparations” that include scanning websites and probing for known vulnerabilities.

The NCUA, therefore, continues to provide guidance and resources to credit unions to assist them in mitigating these threats.

When attacks, breaches, or other suspicious activity occur, credit unions and their vendors should report these cyber incidents to their NCUA examiner, the FBI’s Internet Crime Complaint Center at www.ic3.gov, and the Cybersecurity and Infrastructure Security Agency at report@cisa.gov.

You can find all these links and much more information at our online cybersecurity resource center available at www.ncua.gov/cybersecurity.

ACET

The NCUA also continues to encourage credit unions to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET for short.

ACET simplifies the process of determining a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations, and it enables a credit union to measure its levels of risk and the adequacy of its corresponding controls.

This tool is an excellent resource — especially for small credit unions or credit unions with limited resources — to understand their cybersecurity preparedness levels.

The ACET is available at no cost and can be found on the NCUA’s website.

Additionally, as part of our 2022 Community Development Revolving Loan Fund grant round, the NCUA is providing eligible low-income credit unions with up to $10,000 in funding to modernize their information technology systems against cyberattacks.

The application period for the NCUA’s 2022 grant round runs until June 24.

And, I encourage all eligible institutions to apply for these digital services and the other grants that are available.

The NCUA is hoping to increase the amount available and the size of grants for cybersecurity support at credit unions.

Specifically, the Administration’s budget request included $4 million for the Community Development Revolving Loan Fund, an increase of more than 150 percent.

With additional funding, the NCUA will be able to make more grants and provide larger grants for strengthening cybersecurity within the credit union system.

The House subcommittee with responsibility for this budget line recently concurred with the President’s requested funding level, and I am hopeful that Congress will provide more money in next year’s budget.

The NCUA is also exploring other legislative funding mechanisms to support credit union efforts to be cybersmart, including whether to create a dedicated funding stream for cybersecurity grant programs for small and medium-sized credit unions.

This additional grant money would go a long way to bolster cybersecurity operations and cybersecurity awareness and training programs for small and medium-sized credit unions and make the system more secure overall.

Notifications to Credit Unions

While the interconnectedness of the credit union system could be targeted for attack, it can also be used to the system’s advantage.

Sharing information and accountability is vital to the credit union system’s cyber resilience.

To that end, the NCUA has in recent years issued several Letters to Credit Unions, Cybersecurity Advisories, and Risk Alerts, in addition to the joint agency statements published by the Federal Financial Institutions Examination Council.

These notifications address threats and vulnerabilities such as Social Engineering and Phishing Attacks; Business Email Compromise through Exploitation of Cloud-Based Email Services; and Cyber Actors Targeting the Ubiquitous Log4j Vulnerability, among other threats.

Each advisory provides associated mitigation actions and control measures to help protect against these threats.

Cyber Hygiene

Keeping cybersecurity top of mind is necessary as cyberattacks continue to evolve in sophistication and scope.

Among the most cost-effective measures is adopting best practices in cyber hygiene across the credit union system.

As a child, I attended Benjamin Franklin Elementary School.

So, I became very familiar with his many quotes, including when Franklin famously said, “An ounce of prevention is worth a pound of cure.”

Credit unions are the first line of defense as well as our eyes and ears, so it is crucial that they learn and practice cyber hygiene conscientiously.

That ounce of prevention will indeed be worth a pound of cure.

Relatively simple steps like using strong, alphanumeric passwords and multi-factor authentication go a long way to securing access to critical systems.

And ensuring software applications are updated, devices and data are encrypted, and data are backed up frequently contribute to a more robust cybersecurity regimen.

Credit union employees must also be current on the latest threat developments through ongoing education and refresher training, so they will know what to look out for and how to implement appropriate cyber hygiene measures.

Information Security Examination (ISE)

Staying current on trends and changes also applies to the NCUA’s supervisory functions, as we work to improve the system’s cyber resiliency through the agency’s examination program.

Specifically, the NCUA is revising its cybersecurity examination procedures with the goal of completing this revamp by the end of the year.

In 2020, the agency began piloting the Information Technology Risk Examination for Credit Unions, also known as InTREx-CU.

InTREx-CU sought to harmonize the IT and cybersecurity examination procedures shared by the Federal Deposit Insurance Corporation, the Federal Reserve System, and many state supervisory agencies, thereby generating a consistent approach across all community-based financial institutions.

In 2021, the NCUA used the information collected during the InTREx-CU pilot to evolve its cybersecurity review tools.

The new initiative — known as the Information Security Examination or ISE for short — offers a measure of flexibility for credit unions of all asset sizes and complexity levels while providing examiners with standardized review steps that will facilitate advanced data collection and analysis.

There are currently three work program levels of the ISE in testing.

The first is the ISE Small Credit Union Examination Program for credit unions with less than $50 million in assets.

For the first time, our information security examination program has been specifically tailored to the smallest credit unions and focuses on compliance with part 748 and 749 of NCUA’s regulations.

The second program, known as the ISE Core, is for risk-focused examinations of credit unions greater than $50 million in assets.

And the third program, known as ISE Core Plus, provides a risk-focused examination for credit unions that need expanded reviews and deeper dives into specific operational areas and security controls.

The NCUA continues to refine its ISE program through continuous feedback from the program’s testing group.

The new scalable procedures are scheduled for deployment by year-end 2022 and will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats.

Vendor Authority

Unfortunately, cyber risk in the credit union system also lurks beyond the NCUA’s reach, namely with credit union service organizations and third-party service providers.

In fact, activities fundamental to the credit union mission, such as consumer financial products and services, Bank Secrecy Act and Anti-Money Laundering compliance, and information technology management, are increasingly outsourced to entities not subject to NCUA’s regulatory oversight.

Credit unions are also using third-party vendors more to provide technological services, including information security and mobile and online banking, and to store member data.

While there are advantages to using third-party service providers, the concentration of credit union services within credit union service organizations, otherwise known as CUSOs, and third-party vendors presents safety-and-soundness, cybersecurity threats, and compliance risk for the entire credit union industry.

The continued transfer of operations to CUSOs and other third parties, which accelerated during the pandemic, diminishes the NCUA’s ability to accurately assess all the risks present in the credit union system.

Why?

Because unlike other federal banking regulators and many state supervisory agencies, the NCUA has no supervisory authority over third-party service providers.

In fact, the NCUA is the only FFIEC member banking agency that lacks this authority.

And, counter to public perception, the NCUA cannot obtain useful information about third-party vendors from the banking regulators due to the lack of this authority.

This is a considerable cybersecurity blind spot which leaves thousands of credit unions, millions of members, and billions of dollars in assets exposed to unnecessary risks.

That is why the NCUA is supportive of the current legislative efforts to restore third party vendor authority to the agency, including a bill recently approved by the House Financial Services Committee.

Indeed, the NCUA’s Inspector General, the Financial Stability Oversight Council, the U.S. Government Accountability Office, and numerous NCUA Board Chairs of both parties have each called for the NCUA to have the same authority over third parties as federal banking agencies.

And, obtaining third-party vendor authority remains a legislative priority for the NCUA Board, as noted in the final CUSO rule adopted in September 2021.

This authority is critical for mitigating the very real national security, cybersecurity, anti-money laundering, consumer financial protection, safety-and-soundness, and other risks to the credit union system and the broader financial services sector.

Cyber Incident Reporting Rulemaking

Beyond seeking vendor authority in legislation, the NCUA anticipates another step forward in promoting cyberthreat detection, response, and information sharing.

The agency is accordingly working on an update to its cybersecurity notification requirements, with a proposed rule expected to be on the NCUA Board’s agenda in the near future.

Last November, the federal banking agencies finalized a computer-security incident rulemaking to improve the sharing of information about cyber incidents that may affect the U.S. banking system.

That final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident no later than 36 hours after the banking organization determines a cyber incident occurred.

The final rule also requires a bank service provider to notify affected customers as soon as possible.

In addition, the Cyber Incident Reporting for Critical Infrastructure Act, signed into law in mid-March, creates two new reporting obligations on owners and operators of critical infrastructure: first, to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours, and second, to report ransomware payments within 24 hours.

The NCUA is looking at this new law, in addition to what our fellow federal banking regulators adopted, to formulate our future rulemaking, because credit unions are vital to our nation’s critical economic infrastructure.

The proposed rule we are developing will seek to ensure the NCUA receives reportable incident data in a way that limits regulatory burdens, to the extent possible.

The good news is that momentum is building among critical infrastructure organizations to comply with the recently enacted reporting mandate.

According to the CISA Director, “Industry is beginning to see this as not a burden, but as something that is collectively good for the ecosystem.”

As far as next steps, CISA plans to issue a formal request for feedback to guide decisions about what types of information to require; and what types of companies are covered.1

Closing

So, as we think about the road ahead, let me return to our friend, Robert Morris, who I quoted earlier.

In addition to his recommendation to unplug completely to ensure computer security, the famed computer scientist said, “To protect information, one has to be paranoid.”

That outlook can easily be interpreted as excessively alarmist.

But, last year’s Executive Order on Improving the Nation’s Cybersecurity, as well as the steady drumbeat of headlines lamenting the catastrophic consequences of the latest cyberattacks, tell us otherwise.

This is anything but crying wolf. The stakes are incredibly high, and our adversaries are relentless.

So, I encourage you — actually, I urge you — to continue fighting the good fight.

Continue innovating and adapting to a constantly shifting threat landscape.

Continue working together to advance our philosophy on cyberthreats that know no borders.

And, continue ensuring the credit union system stays true to its statutory mission of meeting the credit and savings needs of members, especially those of modest means.

Thank you again for inviting me today, and please enjoy the rest of the conference.

Be safe. Be well. Be kind.

Back over to you, John.


1 Geller, Eric (2022). “Companies warming to cyber incident reporting mandate, CISA chief says.” Politico Pro. June 7, 2022.

Last modified on
06/23/22