NCUA Chairman Todd M. Harper Statement on the Semi-Annual Cybersecurity Briefing

As Prepared for Delivery on October 20, 2022

Thank you, Kelly, Ernie, and Amber, for your important and informative cybersecurity briefing. October is National Cybersecurity Awareness Month, so this is a good time for everyone in the credit union system and at the NCUA to recommit to maintaining resilience and readiness in responding to ever-changing cybersecurity threats and risks.

Robert Morris, the National Security Agency cryptographer and computer scientist who contributed to the development of the Unix operating system and pioneered many of today’s cybersecurity practices once said, “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.”

If it were only that simple. Today’s modern, global, and interconnected financial services sector relies on the power of information technology and systems, and shutting those systems down is not feasible because nearly every federally insured credit union relies on computers, has a website, or interacts electronically with third-party vendors.

Morris’s prophetic words do not mean it is futile to defend against cyber threats. Rather those words are an appreciation of the potential severity of cyberattacks. And they highlight the urgent need to stay ahead of bad actors who perpetrate such attacks.

Phishing, ransomware, and distributed denial of service attacks are just some of the many ways cybercriminals exploit vulnerabilities within the credit union industry and the financial system. The changing nature of work, like hybrid work environments and the greater use of remote work, have also increased the number and types of cyber risks for which organizations must account. Lastly, geopolitical tensions around the globe also raise the specter of cyberattacks against our nation’s financial services industry and other critical infrastructure.

I’ve often said the credit union system cannot and must not be the soft underbelly that endangers the broader financial system and our economy. Each of us — the NCUA, state supervisory authorities, vendors, and credit unions — has a responsibility to protect our systems, improve our ability to recover from incidents, educate our teams, share information, and report and address potential vulnerabilities. Our chain is only as strong as our weakest link, so we all must be hypervigilant to prevent a catastrophic failure.

My first question is for Ernie. Ernie, when I speak with credit union leaders about cybersecurity, I often talk about bad actors probing systems and networks looking for vulnerabilities. Is that trend continuing and has it intensified since the start of Russia’s unjust war in Ukraine? And should credit unions continue to be vigilant against this threat?

Thank you for emphasizing that point, Ernie, and reminding us of the continued need to monitor for that very real threat.

As noted in the briefing, the NCUA will soon launch its new Information Security Examination procedures, or ISE for short. This new examination program offers flexibility for credit unions of all asset sizes and complexity levels, while providing examiners with standardized review steps to facilitate advanced data collection and analysis. These new ISE procedures will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats.

My next question is for Kelly or Ernie. Would you provide additional details on the new ISE examination program? I believe we will have streamlined procedures for smaller credit unions, core procedures for larger credit unions, and additional procedures for the largest credit unions. What can credit unions expect with ISE?

Thank you for explaining that. Stakeholders should look for additional information and guidance on the new ISE procedures in the coming weeks. Credit unions can also find further information and resources to strengthen their cybersecurity preparedness by visiting the NCUA’s Cybersecurity Resource Center at NCUA.gov/cybersecurity.

Yesterday, we held a hearing to discuss the NCUA’s staff draft budget for 2023 and 2024. We spent considerable time discussing the resources the NCUA needs to allocate for cybersecurity activities and staff. Like the NCUA, credit unions are currently setting their budgets for next year. Is there a rule of thumb as to how much a credit union should spend on cybersecurity?

Thank you. I appreciate those insights.

In closing, I will turn back to the wisdom of Robert Morris. In addition to his recommendation to unplug completely to ensure computer security, the famed computer scientist said, “To protect information, one has to be paranoid.” That outlook can easily be interpreted as alarmist. However, that sentiment is anything but crying wolf.

It is the reality of what it takes for all of us to protect credit union members, institutions, and systems. Cybersecurity is what keeps me up at night, and I know I’m not alone. The stakes are high, and our adversaries are diverse, inventive, and relentless.

So, I urge all stakeholders within the credit union system to continue fighting the good fight by innovating and adapting to a constantly shifting landscape where cyber threats know no borders. I look forward to continuing the NCUA’s cybersecurity work with Vice Chairman Hauptman and Board Member Hood.

That concludes my remarks. I now recognize Vice Chairman Hauptman.