Cybersecurity Oversight: A Priority for Credit Union Boards

The recent letter from NCUA Chairman Todd M. Harper emphasizes the critical need for proactive cybersecurity governance across credit unions. As cybersecurity threats evolve rapidly, credit unions are urged to prioritize cybersecurity oversight as a top responsibility of their boards of directors. This directive, backed by an alarming increase in cyber incidents, underlines that effective cybersecurity is not merely a technical requirement but a governance and risk management priority for protecting our members and maintaining trust.

Chairman Harper's 24-CU-02 letter sets forth clear directives and actionable areas for board engagement in cybersecurity. Here’s my interpretation of the NCUA’s recommendations and key steps credit unions should consider to comply with the guidelines effectively.

Key Takeaways and Actionable Steps for Credit Union Boards

1. Recurring Cybersecurity Training and Awareness

  • What it means: Board members must stay informed about evolving cyber threats and trends. While they don’t need technical expertise, they should be knowledgeable enough to effectively oversee and question the institution’s cybersecurity strategies.
  • Recommended Action: Engage in regular training sessions on current cyber threats, such as ransomware and malvertising, and encourage a culture of security-mindedness across all levels. Make sure board members receive updates on credit union-specific cybersecurity risks and emphasize security awareness for staff through training initiatives.

2. Comprehensive Information Security Program Approval

  • What it means: Boards should ensure their credit unions have a robust information security program in place, compliant with NCUA’s Part 748 regulations, addressing risk assessments, incident response plans, and security controls.
  • Recommended Action: Review and approve the information security program annually, ensuring it is adaptive and incorporates lessons from past incidents.

3. Oversee Operational Management with Cyber Resilience in Mind

  • What it means: Effective cyber oversight involves setting clear expectations for management’s handling of cybersecurity, especially regarding third-party vendors, resource allocation, vulnerability management, and incident response.
  • Recommended Action:
      ◦ Third-Party Due Diligence: Set stringent security expectations for vendors, focusing on incident notification and data protection.
      ◦ Vulnerability and Patch Management: Mandate rigorous management of vulnerabilities and prioritize threat intelligence usage.
      ◦ Cyber Resilience as a Core Value: Embed cybersecurity considerations into every organizational decision, aligning resources and expertise with the credit union’s risk profile.

4. Comprehensive Incident Response Planning

  • What it means: Having a well-defined incident response plan, including clear reporting processes for cyber incidents, as required by the NCUA, is essential. Quick and effective communication and recovery are crucial in a cyberattack.
  • Recommended Action: Conduct tabletop exercises to test response plans, refine communication strategies for stakeholders and members, and maintain updated backups with robust access controls. Additionally, evaluate cyber insurance policies to confirm they cover potential cyber threats and align with the credit union’s specific needs, including evaluating cybersecurity policies' exclusions.

My Perspective

The letter from Chairman Harper reminds us how important the board’s role is in protecting credit unions against this growing risk. The IT department is the traditional guardian of credit union cybersecurity, but boards need to stop seeing this as an IT issue and treat it as an enterprise-wide governance issue. Creating an environment where cyber resilience is an organizational priority will help credit unions protect member assets and the credit union philosophy of ‘people helping people’.

By taking these steps, the board can help ensure that the credit union has a robust cybersecurity posture that protects the credit union and its members. This helps credit unions meet regulatory requirements and maintain the trust and stability essential to our operations and our industry.

Given the ongoing developments in cybersecurity, credit unions are encouraged to take full advantage of the NCUA resources and other cybersecurity frameworks. I challenge credit unions to keep cybersecurity on the front burner this October and throughout the year to ensure credit unions are ready for new challenges where our members’ safety and security is concerned.

Woodley B. Preucil, CFA

Senior Managing Director

John Giordani, DIA Very interesting. Thank you for sharing
