NCUA Board Member Rodney E. Hood Statement Following the October Board Briefing, Cybersecurity Update

As Prepared for Delivery on October 19, 2023

Before we begin, Mr. Chairman, I understand that just a few miles away from this very boardroom, the Senate Banking, Housing, and Urban Affairs Committee is considering the nomination of my successor, Tanya Otsuka, at this very moment. I want to offer my sincere congratulations on Tanya’s nomination to the NCUA Board and wish her the best during the confirmation process.

Now, to the item before us today, this month is Cybersecurity Awareness Month. As I have said many times before, like my fellow Board Members, I, too, am deeply concerned about cybersecurity — it’s a matter that often keeps me awake at night. I often say that we can mitigate a lot of risks, such as interest rate risk, but cybersecurity breaches are difficult to mitigate once systems are penetrated.

Today's briefing underscores a clear message: the landscape of cybersecurity threats is constantly evolving, and complacency is not an option. It's imperative for credit unions and the NCUA to remain vigilant and prepared. Given the current geopolitical climate, which has only gotten more turbulent since our last cyber briefing, the risk associated with cyber warfare has surged. Moreover, as financial technology tools become more pervasive, integrating seamlessly into the fabric of our financial operations, our exposure to threats amplifies. However, there's a silver lining: as these threats grow, so does our capacity to thwart them.

I do have some questions:

Based on today’s briefing, the theme seems the same for credit unions of all sizes regarding credit unions cybersecurity risk assessments and presenting this information to credit unions’ boards of directors. My concern is not only that credit unions aren’t providing these materials to their boards, but also why aren’t the credit union board members asking for these items from credit union management? Should we consider sending a Letter to Credit Unions on this matter?

I know the NCUA is subject to audits in cybersecurity and information technology, and staff does other reviews. What are areas for continuous enhancement identified by the most recent audit?

We added several new cybersecurity positions during the mid-year budget. Can you discuss why this was done and if it was done because of the aforementioned cyber assessment?

Thank you, Mr. Chairman, that concludes my comments and questions.