Navigating Cybersecurity: Integrating NCUA Supervisory Insights with Third-Party and CUSO Risks
By Zach Duke, CEO and Founder, Finosec
In the evolving landscape of financial services, the National Credit Union Administration (NCUA) has spotlighted critical supervisory priorities for 2024. These insights, combined with challenges observed from recent cybersecurity incidents and focus areas from examinations, underline the pressing need for credit unions to bolster their cybersecurity governance and processes. This article aims to synthesize these perspectives, offering a comprehensive overview of areas requiring focused attention.
Supervisory Focus Areas:
• Asset Inventory Management: Regulatory expectations emphasize asset inventories, and building one has been a common examination issue. In today's world of cloud computing and fintech innovation, a legacy hardware and software inventory is no longer sufficient. Regulators have been clear in their expectation that all organizational applications and assets be understood and catalogued for effective risk management.
• Incident Response and Notification: Cybersecurity incidents are on the rise and the NCUA cyber event notification requirements were updated last year. The guidance and updates are detailed and actionable. A great place to start with this is to make sure your next incident response test includes the notification process.
• Third-Party Risk Management: Third-party oversight and governance continue to highlight the necessity of diligent oversight of third-party vendors, including CUSOs, to mitigate indirect risks. Credit unions need to be diligent in documenting and managing this risk, and even fourth-party risk (the vendors of their critical vendors). These fourth-party risks have been highlighted in several high-profile breaches.
• Vulnerability and Patch Management: Proactive identification and remediation of vulnerabilities, along with patching, are still front and center, but the expectation has expanded to include third-party risk management.
• Access Control: The FFIEC authentication guidance released in August 2021 has become a focus of recent examination trends. Regulators have paid clear attention to stringent identity and access controls, including multi-factor authentication and limiting access to the least privilege needed, for both credit union employees and third-party partners.
• Preparing for Emerging Technologies: The rapid pace of technological advancement and fintech partnerships requires credit unions to stay ahead, preparing for the integration and management of new technologies securely, and to make sure that credit is received by documenting the risk management processes used.
Learning from Recent Incidents:
Recent breaches and ransomware attacks, such as those involving MOVEit and other third-party applications, serve as stark reminders of the risks associated with third-party services and the importance of cybersecurity vigilance. These incidents highlight the need for:
• Enhanced cybersecurity measures for external access and data movement, including email and file transfer applications. The authentication guidance offers actionable controls to implement, starting with identity and access controls, multifactor authentication, and governance reporting.
• Comprehensive third-party vendor assessments and contract reviews, which help ensure the credit union manages the risks of a third-party vendor with the same scrutiny applied to internal risk management.
• Incident response strategies that include rapid action and communication plans, internally, to members, and, under the updated guidance, to the regulators as well.
The NCUA's supervisory insights, coupled with lessons learned from recent cybersecurity incidents, provide a clear roadmap for credit unions in 2024. By focusing on asset inventory management, incident response, and third-party risk management, including authentication and access controls, credit unions can strengthen their cybersecurity posture and increase their likelihood of successful examinations and audits. There is a silver lining in the regulatory focus: regulators encourage a collaborative approach that emphasizes preparation, vigilance, and adaptation. By preparing for regulatory expectations in advance, credit unions can be proactive rather than reacting to those expectations during an exam or audit.
Zach Duke is CEO and Founder of Finosec. Finosec’s mission is to change the way information security and cybersecurity governance are managed for financial institutions. Finosec’s Governance 360 platform automates and simplifies the tedious manual processes and labor-intensive tasks of managing information security.