[1]The National Association of Federal Credit Unions [2](NAFCU) and the National Credit Union Association [3] (NCUA) both issued statements responding to the U.S. Government Accountability Office [4]'s (GAO) report on cybersecurity [5] last week. The report highlighted that banks and other depository regulators need better data analytics and depository institutions want more usable threat information.
The GAO found that cyber risks affecting a depository institution can stem from weak security practices of third parties that process information or provide other IT services to the institution. By allowing the NCUA to routinely conduct such examinations, it would ensure that service providers for credit unions are also following good information security practices.
The report also noted that regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions like banks, thrifts, and credit unions. However, they could better target future examinations by looking at deficiencies across institutions. GAO identified two areas for improvement: data analytics and oversight authority.
“Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions,” the GAO said. “In addition, regulators should explore ways to better collect and analyze data on trends in IT examination findings across institutions. In written comments on a draft of this report, the four regulators stated that they would take steps responsive to this recommendation.”
The National Association of Federal Credit Unions [2]NAFCU Director of Regulatory Affairs Alicia Nealon issued a statement in response [6] to the GAO’s report on cybersecurity that recommended Congress grant the NCUA authority to examine third-party technology service providers for credit unions.
"As we have consistently maintained, NAFCU believes the agency’s bid for third-party vendor examination authority is unnecessary given that NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships,” said Nealon. “While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand in hand.”
The NCUA Board Chairman Debbie Matz had a positive response [7] to the GAO’s recommendation to Congress, noting that this would help protect the credit union system and obtaining third-party vendor authority one of their top legislative priorities.
“We need to close this regulatory blind spot and better protect the credit union system by providing NCUA with the power to examine and take enforcement actions at third-party vendors,” Matz said. “The GAO report’s recommendation reinforces NCUA’s long-standing request for legislative action and comes on the heels of a similar recommendation by the Financial Stability Oversight Council. Obtaining this authority would allow the agency to proactively address cyber threats and better position credit unions to avoid a crisis.”