(Aug. 27, 2021) The NASCUS/CUNA cybersecurity eSchool kicks off next week (Sept. 3) for a 10-week run focusing on key tactics in cybercrime prevention and response from the credit union system. Designed for both regulators and credit union practitioners, the virtual eSchool runs through Nov. 9.

As fraud and other cybercrimes continue to evolve, protecting credit unions is becoming more complex. This in-depth program explores a variety of popular and important cybersecurity topics and offers the opportunity to learn the latest strategies and tactics on maintaining data security.

Among other things, the program offers sessions on:

  • Requirements of Part 748 and the GLBA;
  • Basic terminology of the cybersecurity space;
  • Fundamental components of cybersecurity;
  • CIS best practices;
  • Cybersecurity requirements and how they are woven throughout the enterprise.

LINK:

NASCUS Cybersecurity eSchool, in Partnership with CUNA

(May 28, 2021) Speaking of safe digital money – and cybersecurity in general – NASCUS has developed a new portal on its website dedicated to helping the state system stay abreast of the latest resources and alerts about developments in the area. The portal features updates from the FFIEC, ransomware protection guidance and resources, and cybersecurity alerts from the federal Cybersecurity and Infrastructure Security Agency (CISA), as well as the FBI and other agencies (updated regularly).

LINK:
NASCUS Cybersecurity Alerts & Resources

(April 23, 2021) Meanwhile, the NCUA Board did hear two briefings during its Thursday meeting: on cybersecurity and on an interim final rule (IFR) it adopted late last week on regulatory relief due to savings surges at credit unions.

Regarding the IFR, the board on April 16 announced it had adopted, by notation vote, the IFR that reduces the earnings retention requirement for credit unions classified as adequately capitalized, and permits an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth during the coronavirus crisis. The rule is substantially similar to a rule that was adopted in May 2020 but lapsed at year-end. The rule took effect immediately and remains in place until March 31, 2022.

In a release last week, the agency said that, due to the pandemic’s continued financial and economic disruptions, it was necessary to reintroduce the two temporary relief measures.

Under the first provision of the IFR (reducing the earnings retention requirement for credit unions classified as adequately capitalized), NCUA said those credit unions unable to meet the requirement will not have to submit a written application requesting approval to decrease their earnings retention amount.

Under the second provision (permitting an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth due to the crisis), if a credit union becomes less than adequately capitalized for reasons other than share growth, it must still submit a net worth restoration plan under the current requirements in NCUA’s regulations.

A 60-day comment period, ending June 18, is also open for the IFR.

The briefing on cybersecurity provided a status update (including threats and mitigation trends). Johnny Davis, the agency’s top cybersecurity expert, focused on supply chain risk management in his presentation, noting the agency will host a table-top exercise on the issue in August. He said the agency is looking for credit unions to volunteer to participate in the exercise, to gauge if there are additional items for due diligence consideration by the agency.

Davis noted that NCUA will be working with the Treasury Department, the Department of Homeland Security, and other law enforcement and intelligence agencies to carry out the planned exercise with credit unions.

NASCUS President and CEO Lucy Ito said the association looks forward to the inclusion of state supervisory authorities in this effort and other NCUA table-top exercises to more fully capture the totality of the national credit union environment in modeling supply chain attacks and other possible cyber intrusions.

At the end of the conversation at the meeting, Board Member Hood made a pitch for NCUA to procure examination authority over vendors to credit unions. Davis, in response to Hood’s query, said doing so would require an additional eight to 11 agency staff members, and an annual budget of up to $2 million (although Hood indicated that if NCUA obtains vendor exam authority, he would favor the FDIC’s model of not increasing its budget, at least initially).

“It’s important to note that NCUA would focus only on those significant service providers in core processing and payment arenas that are not already covered in the work that we do jointly with the FFIEC and our banking (regulatory) counterparts,” Davis said.

He added that “selected entities” subject to oversight would need to pose a significant concentration risk to credit unions in regard to service and products being consumed. “Exams would not be on an annual basis; likely a three to five year life cycle,” he said, calling that “very similar to collective audit spread of security controls.”

Davis said that “lifecycle” would also give the agency a chance to continuously monitor effectiveness, noting that “operational efficiencies would occur over time.”

Regarding vendor exam authority for NCUA, NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level. Further, NASCUS supports efforts to strengthen state regulatory exam and supervision of third parties providing services to state-chartered credit unions.

Later this year, NASCUS, in partnership with the Credit Union Natl. Assn. (CUNA), hosts the Sept. 3-Nov. 9 Cybersecurity eSchool, a multi-week, virtual program developed to explore the latest popular and important cybersecurity topics, including strategies and tactics on how to keep credit union data safe.

LINKS:
Temporary Regulatory Relief in Response to COVID-19 – Prompt Corrective Action

April 2021 NCUA Board Presentation: Cybersecurity Update (Current Events and Trends)

Cybersecurity eSchool, in Partnership with CUNA

(April 16, 2021) In a development Friday morning, the NCUA Board announced it had adopted an interim final rule (IFR) by notation vote that reduces the earnings retention requirement for credit unions classified as adequately capitalized, and permits an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth during the coronavirus crisis.

The board adopted the IFR – which is substantially similar to a rule that was adopted last May but lapsed at year-end 2020 – in a notation vote. The IFR is also the subject of a briefing for the board at its regular monthly meeting Thursday (April 22). That same meeting will also include a board briefing on cybersecurity.

The IFR takes effect immediately; the vote also keeps the temporary measures in place until March 31, 2022.

Last May, the board issued an IFR that waived the earnings retention requirement for “adequately capitalized” credit unions and eased net worth restoration plan requirements for some “undercapitalized” credit unions. That rule, approved with an expiration date of Dec. 31, 2020, was intended to help ensure that federally insured credit unions (FICUs) remained operational and liquid during the COVID-19 crisis.

NCUA called this week’s rule “substantially similar” to the regulation adopted nearly a year ago. The agency said that, due to the pandemic’s continued financial and economic disruptions, it was necessary to reintroduce the two temporary relief measures.

Under the first provision of the IFR (reducing the earnings retention requirement for credit unions classified as adequately capitalized), NCUA said those credit unions unable to meet the requirement will not have to submit a written application requesting approval to decrease their earnings retention amount.

“However, if a credit union either poses an undue risk to the National Credit Union Share Insurance Fund or exhibits material safety and soundness concerns, the appropriate NCUA Regional Director may require the credit union to submit an earnings transfer waiver request,” the agency said.

Under the second provision (permitting an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth due to the crisis), if a credit union becomes less than adequately capitalized for reasons other than share growth, it must still submit a net worth restoration plan under the current requirements in NCUA’s regulations.

In a statement, NCUA Board Chairman Todd Harper said the changes reflect the impact of the influx of savings by members into their credit unions from stimulus payments and other sources. “The latest round of stimulus spending has further expanded credit unions’ balance sheets,” Harper said. “As a result, many well-run credit unions with positive earnings now have lower net worth ratios. Given the continued uncertainty with the pandemic and share growth many credit unions are seeing, this targeted, tailored and temporary rule will provide critical relief so eligible credit unions can focus their limited resources on their members’ needs instead of planning for earnings transfers and developing detailed net worth restoration plans.”

Board Vice Chairman Kyle Hauptman characterized the rule as a method for allowing credit unions to stay focused on serving members. Board Member Rodney Hood observed that “while this temporary relief wasn’t widely utilized last year when it expired, it now appears we need this tool now for credit unions.”

The IFR has a 60-day comment period, ending on June 18.

LINKS:
Temporary Regulatory Relief in Response to COVID-19 – Prompt Corrective Action

NCUA Board April 22 open meeting agenda

(Feb. 19, 2021) While four funds administered by NCUA all earned unmodified or “clean” audit opinions for 2020, the agency’s inspector general still outlined a number of 2021 challenges for credit unions that could have an impact on continuing that audit performance, according to a report issued this week.

The agency said its auditor, KPMG LLP, issued unmodified opinions for the National Credit Union Share Insurance Fund (NCUSIF), the agency’s operating fund, the Central Liquidity Facility (CLF), and the Community Development Revolving Loan Fund (CDRLF).

In issuing the audit opinions, the agency’s office of inspector general (OIG) also outlined the major challenges in 2021 for credit unions (and the funds): cyber threats, technology-driven changes to the financial landscape, interest-rate risk, membership trends, and a recovery from the coronavirus crisis.

“We believe the economy and credit unions’ recovery from the COVID-19 pandemic will be the NCUA’s greatest management challenge going forward in 2021 and possibly beyond,” the OIG report states.

“Even if the economy continues to recover as expected, the operating environment for credit unions over the next two years could prove to be more difficult than in prior years, and credit union performance could deteriorate,” the report adds. “Credit unions should plan for a range of economic outcomes that could affect their performance and resource needs.”

In the other areas, the report notes:

Cyber threats: “Credit unions’ increasing use of technology exposes the credit union system to increasing cyber-attacks. Specifically, malware, ransomware, distributed denial of service (DDOS) attacks, and other forms of cyber intrusion affect credit unions of all sizes and will continue to require ongoing measures for containment,” and pose significant dangers to the safety and soundness of credit unions, according to the report. The report urges credit unions to continue to harden, monitor, and enhance the security of their systems.

Technology changes: In addition to products that pose competitive challenges to credit unions by mimicking deposit and loan accounts (mobile payment systems, pre-paid shopping cards, peer-to-peer lending), credit unions will also face challenges from financial technology (fintech) companies in underwriting and lending, the report asserts. “Fintech companies may be able to automate these services at a cost below levels associated with more traditional financial institutions but may not be subject to the same regulations and safeguards that credit unions and other traditional financial institutions face. As these companies and products gain popularity, credit unions may have to be more active in marketing their products and services and rethink their business models.”

Interest-rate risk (IRR): NCUA and credit unions will need to focus on managing and mitigating interest-rate risk, the report states. Deposit rates have fallen since the start of 2020 and will likely remain low, pressuring credit unions to offer competitive deposit rates to avoid deposit attrition. Meanwhile, credit unions that rely primarily on investment income may find their net income remaining low or falling.

Membership: NCUA and credit unions face the challenge of an aging demographic, the report states, “and unfortunately, these same membership concerns continue.” The report claims that although overall credit union membership continues to grow strongly, close to half of federally insured credit unions had fewer members at the end of the third quarter of 2020 than a year earlier. “All credit unions need to consider whether their product mix is consistent with their members’ needs and demographic profile,” the report states.

LINK:
NCUA’s Four Funds Receive Clean 2020 Audit Opinions