- NCUA submits annual cyber resilience report warning
threats continue to intensify
- Todd M. Harper urges Congress to restore NCUA authority
over third party vendors
- Credit unions reported 892 cyber incidents from Sept
2023 to May 2024
- About 73 percent of reported incidents involved third
parties
- Ransomware outage at a core provider disrupted service
for 60 credit unions

The National Credit Union Administration has delivered its annual
Cybersecurity and Credit Union System Resilience Report to Congress, warning
that cyber threats targeting critical infrastructure continue to intensify and
that credit unions remain heavily exposed through third party service
providers.
“Throughout 2023, our nation including its financial sector has
faced unprecedented challenges stemming from cyberattacks and other malicious
activities targeting critical infrastructure,” Todd M. Harper, Chairman of the
National Credit Union Administration, said in his transmittal letter.
“In the face of an ever evolving cybersecurity threat landscape,
the need for ongoing vigilance in the credit union sector cannot be
overstated.”
Harper said the agency’s report outlines current and emerging
threats, highlights key NCUA cybersecurity initiatives, and details efforts to
improve preparedness and resilience across a system that serves more than 139
million Americans.
A central message in the report is that the credit union sector’s
reliance on vendors has created a regulatory gap that weakens cyber defenses at
the system level.
“I respectfully ask for this Committee’s support in restoring the
NCUA’s vendor authority over third party service providers,” Harper said,
arguing that the change would strengthen supervisory oversight and improve the
agency’s ability to mitigate cybersecurity risks.
Harper pointed to a ransomware disruption at a third party core
service provider that affected 60 small credit unions, saying the episode
highlighted how limits on vendor authority can hinder incident response and
burden institutions during crises.
He said that independent bodies, including the Government
Accountability Office, the Financial Stability Oversight Council, and the
NCUA’s Office of Inspector General, as well as a growing number of credit
unions, have identified the lack of vendor authority as a significant obstacle
to the agency’s mission.
The report also details a major shift in supervisory execution
through the agency’s Information Security Examination program, which the NCUA
began using in early 2023.
The senior regulator said the program is designed to standardize
reviews while remaining scalable by asset size and complexity, helping
examiners identify control deficiencies and industry trends.
The NCUA also cited the rollout of its Automated Cybersecurity
Evaluation Toolbox, a voluntary maturity assessment tool mapped to widely used
frameworks and best practices, including the FFIEC IT Examination Handbook and
the NIST Cybersecurity Framework.
A 2023 rule requiring federally insured credit unions to notify
the NCUA within 72 hours after reasonably believing a reportable cyber incident
has occurred is already generating significant incident data.
The rule became effective Sept. 1, 2023, and through May 1, 2024,
credit unions reported 892 cyber incidents, the report said.
About 73 percent of reported incidents involved a third party,
underscoring vendor exposure as a primary risk channel.
Beyond vendor risk, the NCUA highlighted threats linked to
geopolitical tensions and state sponsored cyber activity, the continued spread
of ransomware, and the growing risk of AI enabled attacks that can strengthen
phishing, spoofing, and social engineering campaigns.
Harper said the agency will continue coordinating with government
and industry partners to strengthen defenses and improve resilience across the
credit union system.
“Together, we can confront the challenges posed by cybersecurity
threats and uphold the safety and soundness of the credit union system for
generations to come,” he said.