Lately, I’ve been doing a lot of thinking about the role of the regulator. I think I’ve figured out a different way to describe it: While optimists see the glass as half full, and pessimists see the glass as half empty, regulators instead worry the glass could shatter and cut someone’s hand.
That explains why NCUA is constantly on the lookout for threats to credit unions’ safety and soundness.
So when cyber-thieves stole personal information from cards used by 110 million Target customers, my first thought was: “How will this impact credit unions?”
Well, now we know. It was credit unions—not Target—who had to shell out as much as $15 for every new card. And it was credit unions that faced the reputation risk of having to reassure members that their accounts are still safe.
This serves as a reminder that no matter how far removed a data breach is from credit unions, if it affects members, credit unions can pay dearly.
While cyber-thieves have seen Target’s well-known “bulls-eye” logo as an invitation, they’ve also targeted credit unions.
Hackers broke into a medium-size credit union and used the credit union’s passwords to access a large credit bureau. From there, the hackers stole credit reports on hundreds of people who weren’t even credit union members.
The lesson learned is that cyber-thieves can hack into a credit union as an entry point to access data and systems that have nothing to do with the credit union—just like Target was hacked through its air conditioning vendor.
But there is an even worse scenario: A much different type of attacker—cyber-terrorists—are now targeting credit unions.
When these attackers break through, websites crash. Members are unable to access their accounts. It can take hours to bring systems back online. After the dust settles, foreign extremists claim responsibility and deliver anti-American messages.
These “denial of service” attacks are part of an alarming and growing pattern of cyber-terrorism against our country.
We have already seen cases where denial of service attacks were launched to distract IT staff. Hackers wait until security teams are focused on the attack at the front door, then break in through a back window.
Cyber-terrorism doesn’t just deny services; it destroys security and dismantles systems.
What makes cyber-terrorists different from cyber-thieves is their objective: Terrorists want to use smaller institutions like credit unions to break into larger institutions—with the ultimate goal of bringing down the entire U.S. financial system.
So credit unions and NCUA play a critical role in protecting cyber-security.
NCUA’s first Supervisory Letter for 2014 described our top priorities. Examiners will be looking to see how credit unions are implementing risk mitigation controls to better protect, detect, and recover from cyber-attacks. This includes vendor due diligence, strong password policies, proper patch management, employee training and network monitoring.
I urge credit unions to:
- Make sure IT staff and vendors are on top of emerging cyber-threats.
- Share cyber-security best practices and participate in local, state and national information-sharing forums.
- Get educated. Use the new Cyber-Security Resources on the NCUA website to learn about cyber-threats and hacker tactics.
This is not just a priority for NCUA. Congress is holding hearings and considering legislation on cyber-security. President Obama has made strengthening our nation’s cyber-security framework a national priority.
To achieve the president’s goal of combatting cyber-attacks, the National Institute of Standards and Technology (NIST) recently developed a voluntary national cyber-security framework for private enterprises—including credit unions.
I encourage credit union officials to review the NIST framework and evaluate how these new standards could further protect credit unions and members.
Of course, credit unions are not the only ones examined on important information-security measures. Like other government agencies, NCUA must adhere to stringent security standards. Every year, NCUA’s Inspector General oversees an audit of our information technology controls and security procedures.
NCUA has stringent security measures in place to protect credit union members’ information. To log in, examiners use secure government smart cards, and both their hard drives and thumb drives are encrypted.
In addition, to make sure that personal information will not be exposed, it is always deleted before exams are uploaded to our system.
To further strengthen cyber-security, NCUA partners directly with the law enforcement and intelligence communities, as well as other federal financial services regulators on a new working group.
Our working group will focus on better understanding the cyber-threats and vulnerabilities facing financial institutions. We are tapping industry experts as we review any necessary changes to our supervisory processes in the wake of increasingly sophisticated cyber-attacks. In the coming months, our working group plans to hold a webinar to help financial institutions better understand current cyber-threats and share new ways to work together.
NCUA will also be issuing guidance to credit unions based on the working group’s findings and recommendations.
When it comes to taking security measures to protect the industry, we are all in this together.
It’s like the old story about two men in a canoe: One looks at the other and says, “Hey, you have a problem. There’s a leak on your side of the boat.”
So NCUA needs to be ready. The credit union system needs to be ready. Working together, we will be.