New NCUA cybersecurity rule proposals for credit unions

The National Credit Union Association (NCUA) is putting a greater emphasis on cybersecurity in 2023, proposing new rules for cyber and establishing a department specifically to address cybersecurity issues.

However, too many credit unions are still slow to take steps to prevent a major data breach, thinking that if there hasn’t been an incident, there are no problems to worry about.

Vulnerabilities are always there, and a threat actor only needs to find that vulnerability once to do serious damage.

Dennis Dollar, principal partner with Dollar Associates and former chair of the NCUA Board, recently participated in a Q&A session with SEI to explain why the NCUA is making the move to focus on cybersecurity and how it will benefit credit unions. 

For the past few years, the NCUA has been vocal about its focus on cybersecurity. What can credit unions expect to happen in 2023 in terms of rules and regulations?

Dollar: I think credit unions are going to see cybersecurity from two directions. One is regulations, which is rule-making. In the cybersecurity arena, NCUA has already passed two regulations, both focused on identifying what a breach of confidentiality of member data is and how that it is to be reported. NCUA will very likely enact several more regulations, up to five over the next two years. Right now, the regulations are focused on reporting cyber incidents.

The second direction will come from supervision, with examiners looking very closely at anything of a cyber nature. In fact, the NCUA put out its supervisory priorities for 2023-24 and cybersecurity was highlighted as a focus of the agency.

Why do you think credit unions are apprehensive about the new legislation and rules that the NCUA has put into place? A lot of times, people look at it as the Big Bad Wolf coming in to blow the house down. How can we dispel those fears surrounding cyber regulations? 

Dollar: Using the Big Bad Wolf analogy, NCUA is in the process of setting up an entire department of wolves. They’ve stated their intention to put in place subject matter experts to conduct specific cybersecurity examinations.

Credit unions are apprehensive about increased examiner scrutiny in cybersecurity for a couple of reasons. Will the examiners understand cyber well enough to be effective judges of their program? And will the credit union understand their expectations surrounding cybersecurity to be able to answer the examiner’s questions? 

When an examination takes place in which there is concern about both the examiner and the examined in their basic understanding of the issue, there will be apprehension. The most important thing for credit unions to recognize is that cybersecurity is something they should be focused on for their members. If they had properly invested in cybersecurity and risk mitigation, and have solid programs in place, then their members are protected; when members are protected, NCUA will be less of a concern.

The directors, who are the fiduciaries, have a responsibility to members to protect their data. The reputational risk of a major data breach is potentially much more costly than an examiner’s findings around upgrading its cybersecurity program and contracting with new security vendors. We tell our clients that they should look at cybersecurity from their fiduciary responsibilities first, and, if they meet that standard of care, they should be okay with the examiners. 

How can credit unions be more prepared for cyberattacks?

Dollar: The most important thing a credit union can have is a partnership with a cybersecurity provider who understands the credit union’s risk. The credit union should never simply delegate authority and responsibility to the security vendor, thinking they don’t have to worry about their security ever again. The cyber challenge is too demanding—especially on a global level, with the Ukraine war and tensions in China and Iran. The bad guys are getting better at what they do. Credit unions need to recognize that and build on their relationship with their third-party security vendor.

There’s a tendency to for credit unions to fall into a comfort zone when they haven’t had a cyber incident over the past decade. They believe if they haven’t had one recently, they won’t have one now. I often use the water heater analogy to explain cybersecurity—as long as we turn on the faucet and get hot water, we don’t think of the state of the water heater on a regular basis. Nor do we replace our water heaters very often or examine them for possible damage. We don’t notice there’s a problem until after it breaks down. Replacing a hot water heater is expensive, but there are also new technologies that make heating water more efficient and offer cost savings in the long run. It will be more devastating to wait until after it bursts.

It’s the same with cybersecurity. If there has been no attack, it’s easy to get lulled into believing the system is working just fine. But there might be vulnerabilities you don’t see, and all it takes is one hacker to find the flaw to do its damage. 

A credit union needs to make sure that what they have in their cybersecurity products, programs, and partnerships is up to date and can deal with the increasing sophistication of the bad guys who are trying to infiltrate your networks. 

Who should be responsible for cybersecurity in credit unions?

Dollar: Normally, cybersecurity is the responsibility of the CIO, who may have long-standing relationships with vendors. These providers may be very capable in some areas of security, but not in others. The CEO has to make sure the CIO isn’t falling into that comfort zone and allowing these partnerships to keep them from doing their due diligence for the best cybersecurity programs. But it is the Board of Directors that has the fiduciary responsibility for every program at the credit union, including cybersecurity. So it flows down from the top, making sure all the right people are in place to cover all types of risks. 

What is your biggest piece of advice for credit unions when tackling their cyber planning for 2023 and beyond?

Dollar: Evaluate your cyber vendors at least once every two years and compare them with at least two other vendors. And most importantly, don’t become complacent.

Becoming better cyber fiduciaries

Credit unions may be feeling reluctant about a growing emphasis on cybersecurity within their industry, but it’s beneficial to embrace this shift and rely on more than just a clean bill of health to defend against today’s threat landscape. Greater regulations and supervision are an opportunity for credit unions to become better cyber fiduciaries to their clients in a relationship where trust is fundamental. Likewise, credit unions should choose a cybersecurity provider that also has their best interests at heart.