Credit Union Connection


NCUA To CU Boards: Make Sure Cybersecurity is a Top Priority

Henry C. Meier, The Law Office of Henry C. Meier

The NCUA released regulatory guidance on Monday emphasizing that boards of directors must make oversight of their credit union’s cybersecurity programs a top management priority. The guidance applies to both state and federally chartered credit unions.

“Cybersecurity is not just an ‘IT’ issue. It must be a critical component of any credit union’s overall governance and risk-management strategy. A cyber incident can have far-reaching consequences, not only affecting your institution’s financial stability but also potentially impacting the entire financial services system while eroding member trust and damaging your credit union’s reputation.”

The guidance is also noteworthy because it highlights the increasing prominence of malvertising, a cyberattack technique in which seemingly legitimate advertisements are used by cybercriminals to steal personal information. According to the NCUA, the technique was recently used in a ransomware attack on a credit union.

While the guidance does not contain any new requirements for credit unions, its tone emphasizes the crucial role boards of directors must play to ensure their credit union has appropriate cybersecurity protections in place.

Specifically, it emphasizes that the board of directors should focus on four key areas:

1. Recurring staff training to make sure that both credit union employees and board members stay aware of emerging cyber risks

2. Approval of a comprehensive information security program that complies with the requirements of part 748 of the NCUA’s regulations

3. Overseeing operational management of the credit union’s cybersecurity program

4. Ensuring the credit union has – and plans to execute – an appropriate incident response plan and a resilience plan that allows the credit union to operate effectively during a cyberattack.

Under these subheadings, the NCUA further emphasizes key components of each requirement. For example, part 748 mandates that credit unions conduct ongoing risk assessments and have incident response plans that, among other things, address the need for appropriate communication to both staff and membership.

As for operational management, the board should have clear expectations for, among other things, appropriate due diligence. The guidance notes that of the 1,072 cyber incidents reported to the NCUA between Sept. 1, 2023, and Oct. 31, 2024, 70% of the incidents were “related to the use or involvement of a third-party vendor.” Other elements of operational management include protecting and managing backup strategies, particularly given the prevalence of ransomware attacks.

The fourth area of concentration covers proper response training and resilience. This includes ensuring that your credit union reports cyber incidents to the NCUA within 72 hours and participates in tabletop exercises to plan for cyberattacks.

Just how important is ongoing oversight of these four areas? According to the NCUA, by focusing on these core areas, “your credit union’s board of directors can significantly improve the credit union’s cybersecurity posture and protect the interests of its members.”

Analysis

Although almost all regulatory guidance is addressed to boards of directors, the stringent and urgent tone of this guidance makes it required reading for all board members. I would suggest including a discussion of it at your next board meeting.

What is also noteworthy about the guidance is how prescriptive it is. For example, it identifies malvertising as a cyberattack technique that credit union cybersecurity teams should focus on by standardizing and securing web browsers and deploying ad-blocking software.

Furthermore, the guidance stresses that boards of directors must adequately budget for a cybersecurity program that allows a credit union to maintain cybersecurity protections commensurate with its risk profile. In fact, boards should “encourage investment in cybersecurity technologies.”

Last year, the NCUA raised some eyebrows when it prioritized consumer protection ahead of cybersecurity on its list of supervisory priorities. With this guidance, boards would be well-advised to put cybersecurity near the top of their management agenda and review how their credit union’s cyber program compares to this guidance.