NCUA issues annual Cybersecurity and Credit Union System Resilience Report

Last week the NCUA issued its annual Cybersecurity and Credit Union System Resilience Report. The report outlines the current cybersecurity threat landscape, highlights the agency’s key cybersecurity initiatives, and outlines the agency’s ongoing efforts to enhance cybersecurity preparedness and resilience within the credit union industry.

"By examining the current state of cybersecurity within the credit union system and identifying areas for improvement," the report states, "this report aims to provide valuable insights and recommendations for enhancing the security and stability of credit unions nationwide."

They discussed the information security review element of examinations, including the ISE program, the Automated Cybersecurity Evaluation Toolbox (ACET) maturity assessment, and CUSO reviews. They highlighted the cybersecurity alerts and notices they issued in the last year to help protect credit unions from cybersecurity exposures. Finally, they described the agency's cybersecurity program and its compliance with NIST and FISMA.

In the "Current & Emerging Threats" section, the report details some of the increasing threats credit unions and financial services providers face today. "The rapid evolution of technology, coupled with escalating geopolitical tensions, has expanded the threat landscape significantly," the report states. "Financial institutions, including credit unions, are particularly vulnerable due to their increasing reliance on technology and third-party service providers that the NCUA has no authority to examine, supervise, or regulate."

 

The threats listed by the NCUA include:

Third-Party Risk.

NCUA once again used this report to highlight their lack of third-party vendor examination authority, stating that it "limits the NCUA’s ability to assess and mitigate potential risks" associated with third party vendors. 

"Vendors typically decline examination requests or refuse to implement recommended actions, exacerbating credit unions’ exposure to operational, cybersecurity, and compliance risks that can arise from these relationships. Without visibility into these entities and the authority to supervise and enforce corrective actions, the NCUA cannot effectively protect credit unions and their member-owners or provide relevant information to other federal and state regulators of threats encountered in the credit union industry." 

The report states that in the first 7 months following the 2023 final rule requiring credit unions to notify NCUA of reportable cyber incidents within 72 hours, credit unions reported 892 cyber incidents, 73 percent of which involved a third party. The NCUA also specifically highlighted a recent ransomware attack on a fourth party (a vendor's vendor) which impacted 60 credit unions. "This incident exposed significant challenges in the agency’s ability to respond effectively due to the lack of vendor authority," the report states. "During the incident, the NCUA faced substantial difficulties in obtaining crucial information from third-party vendors, which hindered response efforts. Due specifically to the NCUA’s lack of vendor authority, the NCUA encountered delays in communication and inability to obtain data. These obstacles could have been mitigated if the NCUA had the authority to demand timely and reliable information from all relevant parties." The report also ties the lack of third party vendor examination authority to the nation's critical economic infrastructure and national security.

State-Sponsored Cyber Activities. 

The NCUA notes the rise of state-sponsored cyber attacks and encourages credit unions of all sizes to "adopt a heightened state of awareness and to proactively hunt threats to defend against this risk." The NCUA notes that they have provided guidance and resources to credit union to assist in mitigating this threat and has directed credit unions to CISA's Shields Up website for additional resources.

visit site

Ransomware Attacks. 

NCUA's report highlights the increased frequency of ransomware attacks across all sectors, including financial services. They highlight CISA's StopRansomware site as a valuable source for ransomware resources and alerts. 

Quantum Computing and Cryptographic Risks. 

The report states that "the U.S. government remains concerned with the development and trajectory of quantum information technologies and products that could compromise existing encryption and other cybersecurity controls across critical infrastructure sectors."

AI-enabled Attacks.

The report discussed the rise of Generative AI - technology that can create new text, images, video, and other content - and how it is being used by cyber actors to create malware and social engineering attacks. Generative AI poses threats in a number of areas. "In addition to generative AI being used for initial attack vectors, it can also amplify threats once an initial breach has occurred. AI tools can be used to modify code at scale, quickly giving control to attackers," the report states. "These tools can also be trained on a dataset of known vulnerabilities and used to automatically generate new exploit code to target multiple vulnerabilities in rapid succession. Cyber actors can also use generative AI to scan massive amounts of company data, summarizing it to identify employees, relationships, and assets, potentially leading to further social engineering attacks via user impersonation, blackmail, or coercion."

At its conclusion, the report lists a number of resources for credit unions, including links to regulations and reports, NCUA Letters to Credit Unions, NCUA Risk Alerts, NCUA Supervisory Priorities, Interagency Cybersecurity Statements and Press Releases, and FFIEC Cybersecurity Awareness Resources.