By Mike Detrow, CISSP; Director of IT & IT Audit, Young & Associates
Is Your Credit Union Ready for Stricter NCUA Cybersecurity Examinations?
There have been some signals over the past few years that the NCUA is focusing more attention on cybersecurity and may be increasing scrutiny in this area during upcoming exams. In this article, I will identify these signals and also provide steps that credit unions can take to prepare for this possibility in their next exam.
Looking back at the NCUA’s Letters to Credit Unions from January 2022 through present, we see the following regarding cybersecurity:
- January 2022: The NCUA continues to develop updated information security examination procedures
- January 2023: The NCUA will continue to have cybersecurity as an examination priority
- January 2024: The NCUA will continue to prioritize cybersecurity as a key examination focus
- October 2024: The NCUA provided the following reporting statistics regarding the cyber incident response notification rule: “From September 1, 2023, the effective date of the NCUA’s cyber incident notification rule, through August 31, 2024, federally insured credit unions reported 1,072 cyber incidents. Seven out of ten of these cyber incident reports were related to the use or involvement of a third-party vendor.”
  - This letter also identifies the following four key focus areas for boards of directors:
    - Ongoing cybersecurity education for the board of directors and credit union employees
    - Approval of a comprehensive information security program that includes risk assessments, security controls, and incident response plans and is reviewed and updated at least annually
    - Oversight of operational management
    - Ensuring that an effective incident response plan is in place and includes specific requirements
- January 2025: Cybersecurity remains a top supervisory priority and the NCUA urges each credit union’s board of directors to prioritize cybersecurity as a top oversight and governance responsibility
What Do These Trends Mean for Credit Unions?
While the NCUA has identified cybersecurity as an examination focus area or priority in its supervisory priority statements for 2023, 2024, and yet again for 2025, the key information pointing to a potentially more significant regulatory change appears in the October 2024 letter. This letter states that 1,072 cyber incidents were reported over a one-year period and that seven out of ten of these incidents were related to the use or involvement of a third-party vendor.
While the information provided does not include any details about the severity of these incidents or how many may be attributed to a single vendor or single credit union, it would be hard for this number of reported cyber incidents not to get the attention of examiners and credit union management when it averages out to nearly three incidents per day. At a minimum, these statistics identify the need for better oversight of vendors by credit unions and potentially regulators. It also indicates that approximately 320 of the reported cyber incidents were not specifically attributable to the use or involvement of a vendor, which points to potential deficiencies in cybersecurity controls at the affected credit unions.
How Credit Unions Can Prepare for 2025 Cybersecurity Exams
The identification of key focus areas for boards of directors in the October 2024 letter is also noteworthy. This spells out specific recommendations for a credit union’s training program, information security program, oversight of operational management, and the incident response plan.
The recommendations for the oversight of operational management are very specific and include the following:
- Set clear expectations regarding the due diligence of third-party vendors with respect to information security
- Ensure that cybersecurity is a core value within the credit union and influences decision-making
- Provide access to cybersecurity expertise and an adequate budget for the appropriate cybersecurity technologies and tools
- Place an emphasis on vulnerability management, patch management, application and website whitelisting and blacklisting, and threat intelligence
- Engage external parties with appropriate expertise to conduct audits of the cybersecurity program
- Establish a framework for ongoing reporting of the status of the cybersecurity program including risk assessments, risk management and control decisions, service provider arrangements, results of testing, and any recommended changes to the program
- Protect data backups through secure storage and other controls that guard against ransomware, and periodically test backups to verify the recoverability of data
- Provide ongoing training for members to promote sound cybersecurity practices
This potentially indicates that regulators will place more focus on evaluating the effectiveness of the board’s cybersecurity oversight and will make additional efforts to hold the board accountable if it does not take steps to promote cybersecurity as a core value within the credit union and to mitigate potential cybersecurity threats.
How Should Credit Union Leaders Prepare?
The board of directors and senior management should ensure that each of the recommendations identified in the October 2024 Board of Director Engagement in Cybersecurity Oversight (24-CU-02) letter is put into practice at the credit union. While some credit unions may have internal resources to help with this process, many credit unions will benefit from having an independent consultant review their information security program, policies and procedures, incident response plan, vendor management practices, and technical security controls to identify areas for improvement to comply with the NCUA’s recommendations. The consultant can then provide templates and other resources for management to use to implement the recommended improvements, or the consultant can be engaged to assist the credit union with the implementation of the recommended improvements.
How Can Young & Associates Help?
Young & Associates offers the following services to evaluate and improve your cybersecurity program and security controls, identifying weaknesses and assisting with corrective actions to help you better protect your credit union from current cybersecurity threats.
- IT Audits
- Internal and External Vulnerability Assessments
- Internal and External Network Penetration Testing
- Social Engineering Tests
- Policy templates, including an Incident Response Plan designed specifically for credit unions
- Cybersecurity Program Development
For more information about our cybersecurity consulting services, contact us today.