NCUA Chairman Todd M. Harper Statement on the Semi-Annual Cybersecurity Briefing

As Prepared for Delivery on April 20, 2023

Thank you, Ernie, for that informative briefing on the cybersecurity issues confronting the National Credit Union Administration and its stakeholders. And, welcome to the table, Kelly.

I often say that cybersecurity keeps me up at night. These semi-annual briefings are a reminder that the potential for cyberattacks in the financial services industry and the credit union system are high and will likely be that way for the foreseeable future. Therefore, all of us must improve our cybersecurity hygiene and practices.

With that in mind, let me start my questions at a higher level. I know that the White House has issued a National Cybersecurity Strategy. What are the implications of this strategy for the financial services industry and credit unions?

Thank you. Second, I’d like to get an assessment as to whether ransomware attacks at credit unions remain a concern. Are credit unions of all sizes potentially at risk for ransomware? And what might the costs be for a credit union subject to such an attack?

Adopting new technology is also essential for credit unions to remain competitive. However, the credit union system cannot and must not be the soft underbelly that endangers the broader financial system and our economy.

Each of us — the NCUA, state supervisory authorities, vendors, and credit unions — has a responsibility to protect our systems, improve our ability to recover from incidents, educate our teams, share information, and report and address potential vulnerabilities. For our part, the NCUA team is working to deploy the new Information Security Examination system, and we recently approved the Cyber Incident Notification Rule, which goes into effect in September.

What concerns me more are the countless threats we do not know about. And these risks are likely to continue and accelerate, especially as more credit union operations migrate to credit union service organizations and vendors. Unfortunately, CUSOs and third-party service providers do not have the same level of oversight as bank vendors. This growing regulatory blind spot in the financial system exacerbates the vulnerability of exploitation by bad actors who threaten our nation’s economic security and the financial well-being of our citizens.

On the issue of CUSOs and third-party vendors, I have a few questions. First, as someone with a deep understanding of the cyber risks facing our nation’s critical infrastructure — of which the financial system and credit unions are a part — what are the risks associated with the NCUA’s inability to examine third-party vendors that keep you awake at night?

It is essential that stakeholders understand that the risks resulting from the NCUA’s lack of vendor authority are real. And, they can have significant implications for the health and stability of individual vendors and credit unions, as well as the credit union industry and the broader financial system.

Why is visibility into the operations of service providers so important? What can we gain after the fact if one of these vendors — or a credit union, for that matter — has already been hacked?

Until this growing regulatory blind spot is closed, thousands of credit unions, tens of millions of consumers who use credit unions, and roughly $2 trillion in assets are exposed to potentially devastating risks. The Government Accountability Office, the Financial Stability Oversight Council, and the NCUA’s Inspector General have all recommended congressional action to provide the NCUA with this examination authority.

I agree with these experts. Restoring the NCUA’s authority over CUSOs and third-party vendors will bolster our nation’s national economic security. It will also give credit union members the same protection that bank customers enjoy. The NCUA will continue to engage with Congress on this important legislative issue.

That concludes my remarks. I now recognize Vice Chairman Hauptman.