{"id":174254,"date":"2025-12-30T13:03:00","date_gmt":"2025-12-30T18:03:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2025\/12\/30\/cybersecurity-and-credit-union-system-resilience-annual-report-to-congress\/"},"modified":"2026-01-03T08:45:19","modified_gmt":"2026-01-03T13:45:19","slug":"cybersecurity-and-credit-union-system-resilience-annual-report-to-congress","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2025\/12\/30\/cybersecurity-and-credit-union-system-resilience-annual-report-to-congress\/","title":{"rendered":"Cybersecurity and Credit Union System Resilience Annual Report to Congress"},"content":{"rendered":"<p><a href=\"https:\/\/ncua.gov\/news\/publication-search\/cybersecurity\/cybersecurity-and-credit-union-system-resilience-annual-report-congress-2\">Cybersecurity and Credit Union System Resilience Annual Report to Congress<\/a><\/p>\n<p><a href=\"https:\/\/ncua.gov\/news\/publication-search\/cybersecurity\/cybersecurity-and-credit-union-system-resilience-annual-report-congress-2\">https:\/\/ncua.gov\/news\/publication-search\/cybersecurity\/cybersecurity-and-credit-union-system-resilience-annual-report-congress-2<\/a><\/p>\n<p>Publish Date: 2025-12-30 13:03:00<\/p>\n<p>Source Domain: <a href=\"ncua.gov\">ncua.gov<\/a><\/p>\n<p>MESSAGE FROM THE CHAIRMAN<br \/>\nOn behalf of the National Credit Union Administration (NCUA), I am submitting our annual, statutorily required Cybersecurity and Credit Union System Resilience Report. 
This report summarizes the current cybersecurity threat landscape, highlights the agency\u2019s key cybersecurity initiatives, and outlines the agency\u2019s ongoing efforts to enhance cybersecurity preparedness and resilience within the credit union industry.<\/p>\n<p>Throughout 2023, our nation\u2014including its financial sector\u2014has faced unprecedented challenges stemming from cyberattacks and other malicious activities targeting critical infrastructure. The credit union system, which serves more than 139 million Americans and plays a vital role in communities across the country, is not immune to these threats. In fact, in the face of an ever-evolving cybersecurity threat landscape, the need for ongoing vigilance in the credit union sector cannot be overstated.<\/p>\n<p>The NCUA is committed to ensuring consistency, transparency, and accountability in its cybersecurity examination program and related activities. Further, over the last several years the NCUA has made major strides in promoting a culture of cybersecurity awareness and resilience among credit unions. Through targeted supervision completed using the NCUA\u2019s recently implemented Information Security Examination program, the development of risk-assessment tools like the agency\u2019s Automated Cybersecurity Evaluation Toolbox, the adoption of a cyber incident notification regulation in 2023, ongoing educational outreach, and grants to eligible credit unions, we have worked diligently to improve cybersecurity practices and mitigate risks.<\/p>\n<p>Looking ahead, the NCUA remains committed to working closely with Congress, other regulatory agencies, industry stakeholders, and other partners to strengthen cybersecurity defenses and ensure the resilience of the credit union system. To that end, I respectfully ask for this Committee\u2019s support in restoring the NCUA\u2019s vendor authority over third-party service providers.<\/p>\n<p>This regulatory blind spot has already had a negative impact on the industry. 
For example, last year\u2019s third-party core service provider ransomware disruption affecting 60 small credit unions illuminated the NCUA\u2019s challenges as it tried to mitigate issues on behalf of impacted credit unions and their member-owners.<\/p>\n<p>Moreover, independent entities such as the Government Accountability Office, the Financial Stability Oversight Council, the NCUA\u2019s Office of Inspector General, and a growing number of credit unions have identified this deficiency as a significant obstacle to the NCUA\u2019s mission to safeguard credit union members and the financial system. All of them have recommended that Congress provide the NCUA with this authority.<\/p>\n<p>Besides giving credit union members the same protection as bank customers, this sensible statutory change would significantly improve supervisory oversight and bolster our ability to mitigate cybersecurity risks, ultimately enhancing the credit union system\u2019s overall security posture and the protection of critical infrastructure in the United States more broadly.<\/p>\n<p>As we seek to strengthen our cybersecurity resiliency, I want to express my gratitude for your continued support and engagement on this critical issue. Together, we can confront the challenges posed by cybersecurity threats and uphold the safety and soundness of the credit union system for generations to come.<\/p>\n<p>Sincerely,<br \/>\nTodd M. 
Harper<br \/>\nChairman<br \/>\nNational Credit Union Administration<\/p>\n<p>INTRODUCTION<br \/>\nThis report details the measures taken to strengthen cybersecurity within credit unions and the NCUA, per the Consolidated Appropriations Act, 2021.1\u00a0This report:<\/p>\n<p>outlines the NCUA\u2019s policies and procedures to address cybersecurity risks and activities to ensure their effective implementation;<br \/>\ndiscusses cybersecurity resilience within the credit union system, including the NCUA\u2019s key initiatives to enhance cybersecurity preparedness among credit unions, such as targeted examinations, risk assessments, and educational and outreach efforts;<br \/>\ndescribes current and emerging threats; and<br \/>\nhighlights the NCUA\u2019s collaboration with other federal agencies, industry stakeholders, and cybersecurity experts to address emerging threats and promote a culture of cybersecurity awareness and resilience within the credit union industry.<\/p>\n<p>As the digital and geopolitical landscape continues to evolve, the threat of cyberattacks against critical infrastructure, of which financial institutions are a vital part, looms larger than ever before. In response to this growing challenge, the NCUA has undertaken a comprehensive examination of cybersecurity resilience within the credit union system through its Information Security Examination (ISE) program.<\/p>\n<p>As a member of the Federal Financial Institutions Examination Council (FFIEC) and the Financial and Banking Information Infrastructure Committee (FBIIC), the NCUA collaborates with other regulatory agencies to develop and implement cybersecurity policies and standards across the financial industry.<\/p>\n<p>In addition, the NCUA Chairman serves as a voting member of the Financial Stability Oversight Council (FSOC). The FSOC identifies and responds to threats to the stability of the financial system. 
The chairman\u2019s position on this body underscores the NCUA\u2019s integral role in safeguarding the overall financial stability of the nation.<\/p>\n<p>The credit union system relies extensively on third-party vendors to operate and deliver key member services. The NCUA lacks statutory authority over third-party vendors, which hinders the agency\u2019s ability to examine and address cybersecurity risks in the credit union system. As a result, the credit union system\u2014which more than a third of the American public uses for basic financial services\u2014remains particularly vulnerable to cybersecurity threats to third-party vendors that provide essential services. Because of this regulatory blind spot, the NCUA cannot manage or measure threats within its regulated entities, nor can it warn other government regulators or the Cybersecurity and Infrastructure Security Agency (CISA) of threats the NCUA may identify that may be first used in the credit union system.<\/p>\n<p>By examining the current state of cybersecurity within the credit union system and identifying areas for improvement, this report aims to provide valuable insights and recommendations for\u00a0enhancing the security and stability of credit unions nationwide. It underscores the NCUA\u2019s ongoing commitment to protecting the financial well-being of credit union members and upholding the integrity of the broader financial system in the face of cybersecurity threats.<\/p>\n<p>POLICIES &#038; PROCEDURES<br \/>\nInformation Security and Cybersecurity Regulations<br \/>\nPer the Gramm-Leach-Bliley Act, the NCUA Board established standards for federally insured credit unions relating to administrative, technical, and physical safeguards for credit union member records and information. These standards are incorporated into the NCUA\u2019s regulations at 12 Code of Federal Regulations (C.F.R.) 
part 748, Appendix A, Guidelines for Safeguarding Member Information.<\/p>\n<p>In February 2023, the NCUA Board approved a final rule that requires federally insured credit unions to notify the NCUA as soon as possible, within 72 hours, after a credit union reasonably believes that a reportable cyber incident has occurred. Under this rule, federally insured credit unions must report a cyber incident that (1) results in a substantial loss of confidentiality, integrity, or availability of a network or member information system(s) because of unauthorized access to or exposure of sensitive data, (2) disrupts vital member services, or (3) causes a serious impact on the safety and resiliency of operational systems and processes.<\/p>\n<p>This rule became effective September 1, 2023. From September 1, 2023, through May 1, 2024, credit unions reported 892 cyber incidents. Approximately 73 percent of all reported incidents were related to the use or involvement of a third party.<\/p>\n<p>Information Security Examination Program<br \/>\nThe NCUA regularly examines all federally insured credit unions.2 At each examination, the NCUA performs an information security review using the ISE program. The ISE program uses a risk-focused, scalable approach to examine credit unions\u2019 information security programs, which provides examiners the flexibility to focus on areas of current or potential material risk relevant to each credit union\u2019s unique business model.<\/p>\n<p>ISE Program. 
The objectives of the ISE program include:<\/p>\n<p>Evaluating management\u2019s ability to recognize, assess, monitor, and manage information technology (IT) and systems-related risks;<br \/>\nAssessing whether the credit union has sufficient expertise to adequately plan, direct, and manage information systems and technology operations;<br \/>\nEvaluating the adequacy of internal information systems and technology controls and oversight to safeguard member information; and<br \/>\nDetermining whether the board of directors is providing adequate governance over information systems and security.<\/p>\n<p>The NCUA began using its ISE procedures in early 2023. The ISE procedures were designed to be scalable to enable examiners to tailor the examination based on asset size and complexity, standardize the examination of a credit union\u2019s information security and cybersecurity program, and enhance the identification of control deficiencies and trends at the industry level. The ISE procedures also provide examiners and credit unions with a well-structured examination workflow.<\/p>\n<p>The ISE procedures are focused on NCUA regulations 12 C.F.R. parts 748 and 749 and align closely with the Automated Cybersecurity Evaluation Toolbox (ACET) maturity assessment application provided by the NCUA that credit unions can voluntarily use to conduct a cybersecurity maturity assessment. The ISE also references guidance from the NCUA and the FFIEC, as well as other industry-accepted best practices and security frameworks from the National Institute of Standards &#038; Technology (NIST), the Center for Internet Security, and CISA.<\/p>\n<p>Credit Union Service Organization (CUSO) Reviews. A CUSO is an entity in which at least one federally insured credit union has an ownership interest, or to which it has extended a loan, and which primarily provides products or services to credit unions or members of credit unions. The NCUA periodically performs reviews of CUSOs. 
While the NCUA has access to the \u201cbooks and records\u201d of a CUSO, the NCUA lacks direct authority over CUSOs. CUSOs, therefore, may reject any of the NCUA\u2019s recommendations that result from a review, including those recommendations related to cybersecurity. As noted in the Chairman\u2019s statement at the start of this report and explained more fully below, the restoration by Congress of the NCUA\u2019s vendor authority powers to examine and supervise third-party vendors, including those CUSOs subject to cybersecurity risks, would close this regulatory blind spot and better protect our financial system and economy.<\/p>\n<p>ACET Maturity Assessment<br \/>\nThe ACET maturity assessment is a voluntary tool provided and maintained by the NCUA that allows credit unions to determine the maturity of their information security programs. The ACET incorporates appropriate cybersecurity standards and practices established for financial institutions. It also maps each declarative statement to best practices found in the FFIEC IT Examination Handbook, regulatory guidance, and leading industry standards like the NIST Cybersecurity Framework. The FFIEC IT Handbook Infobase offers various resources, from IT booklets and work programs to information on IT security-related laws, regulations, and guidance. Financial institutions can use these booklets to align their information security and cybersecurity practices with the FFIEC guidelines.<\/p>\n<p>Information Technology &#038; Cybersecurity Supervisory Guidance<br \/>\nSince June 2023, the NCUA has issued the following cybersecurity alerts and notices to help protect federally insured credit unions from cybersecurity exposures:<\/p>\n<p>ATM and Interactive Teller Machine (ITM) Skimming and Shimming Activities. Skimming and shimming fraud involves capturing card information using unauthorized devices. Since September 2023, 44 incidents were reported to the NCUA, peaking in February 2024. 
NCUA provided cybersecurity guidance and alert notifications reminding credit unions to conduct inspections, install anti-skimming devices, enhance surveillance, educate members, monitor transactions, and update software.<\/p>\n<p>Current Geopolitical Events Increase Likelihood of Cyberattacks on Financial Institutions. Due to evolving geopolitical events, the likelihood of cyberattacks on U.S. financial institutions has increased. The NCUA, CISA, and the Federal Bureau of Investigation (FBI) encouraged credit unions to adopt heightened awareness, reassess business continuity plans, and review CISA\u2019s recommendations to reduce the risk of compromise. Anecdotal warnings from some credit unions indicate that information technology and cybersecurity service providers sometimes have services originating in a foreign country, a significant risk the NCUA cannot manage or measure because the agency does not have third-party vendor authority.<\/p>\n<p>Business Email Compromise. Business email compromise attacks targeted credit unions, using compromised or spoofed email accounts to initiate fraudulent transactions. The NCUA provided credit unions with cybersecurity guidance and alert notifications to enable multi-factor authentication (MFA), educate employees, use anti-malware and email filtering software, verify financial transactions, and back up data regularly.<\/p>\n<p>Compromise at an ATM Provider. A third party experienced a cybersecurity attack potentially compromising systems. Credit unions relying on this vendor were advised to assess the impact, activate incident response teams, enhance monitoring, communicate with members, and comply with regulatory obligations. The NCUA subsequently learned the third party experienced a ransomware attack affecting internal systems and some ITMs and ATMs. The incident was contained, and the vendor worked with the FBI. 
The NCUA sent an updated notice to credit unions advising them to maintain communication with the vendor, consult cybersecurity experts, and visit CISA\u2019s ransomware resources.<\/p>\n<p>This incident is an example of an unnecessary burden potentially placed on credit unions during a crisis when vendors deny NCUA-requested information on a cybersecurity event. If the NCUA had third-party vendor authority, the agency could compel information directly from the service provider, relieving impacted credit unions of this burden, and potentially share valuable tactics, techniques, and procedures information with other federal and state regulatory agencies to ensure a whole-of-government approach to protecting critical infrastructure in the United States.<\/p>\n<p>File Transfer Solution Zero-Day Exploitation by Threat Actors. A zero-day vulnerability in a managed file transfer solution was actively exploited. The vendor released an emergency patch, and credit unions using its software were advised to apply the patch, implement access controls, and avoid exposing the administrator console to the internet. When zero-day exploitations occur in third-party service provider operated systems, the NCUA cannot ascertain the risk to the system because of the lack of vendor authority. The NCUA also cannot warn other federal or state regulators about\u00a0the threat that may also be used within other critical infrastructure regulated entities because the agency does not have third-party vendor authority.<\/p>\n<p>Recent Uptick in Cyberattacks Against Credit Unions and Third-Party Service Providers. Cyberattacks against credit unions and service providers increased, including incidents with a web application. Credit unions were advised to patch vulnerabilities, implement MFA, train employees, deploy email security measures, develop incident response plans, assess vendor risks, segment networks, maintain data backups, and monitor security updates.<\/p>\n<p>MFA Vulnerabilities and Mitigations for Credit Unions. 
Credit unions were reminded that MFA methods could be bypassed through phishing, social engineering, Subscriber Identity Module (SIM) swapping, man-in-the-middle, and brute-force attacks. Credit unions were advised to educate users, use strong MFA methods, implement risk-based authentication, monitor suspicious activities, update software, and segment networks. Anecdotal warnings from some credit unions indicate that some third-party service providers do not utilize basic cybersecurity practices such as MFA, a significant risk the NCUA cannot manage or measure because the agency does not have third-party vendor authority.<\/p>\n<p>Phishing Attacks Targeting Credit Unions. Credit unions were targeted by phishing schemes spoofing NCUA addresses, asking recipients to complete a web form to avoid email suspension. Recipients were advised not to click on links and to delete such emails. Preventative measures included being cautious of unsolicited contacts, not revealing personal information via email, verifying requests directly, and maintaining anti-virus software and email filters. 
When phishing attacks occur at third-party service providers, unless the affected provider volunteers information to the NCUA, the agency cannot manage or measure the risk to the system because the agency does not have third-party vendor authority.<\/p>\n<p>Agency Cybersecurity Program<br \/>\nThe NCUA Board has established a low-risk appetite for technology and information management for operational IT and IT systems.3 Additionally, the NCUA must comply with mandatory security standards for federal information and information systems and must meet these minimum information security requirements by using security and privacy controls recommended by NIST and the Federal Information Security Modernization Act (FISMA).4, 5<\/p>\n<p>The NCUA implements applicable statutes, regulations, and standards using the NIST Risk Management Framework and adherence to NIST Special Publication 800-53, Security and\u00a0Privacy Controls for Information Systems and Organizations.6 The NCUA complies with binding operational directives, emergency directives, and cybersecurity coordination, assessment, and response directives issued by CISA.<\/p>\n<p>The NCUA documents, categorizes, and authorizes all information systems in the agency, including internally hosted federal systems, contractor-hosted systems, and services provided by other third parties. The NCUA is adopting a zero-trust security model based on the principle of maintaining strict access controls. As part of system authorization, the NCUA considers:<\/p>\n<p>information types, assets, and systems;<br \/>\nthe roles and privileges of those who manage and operate them; and<br \/>\nthe interconnection of systems and data.<\/p>\n<p>Based on information and system sensitivity, the NCUA selects and implements the security controls necessary to protect the confidentiality, integrity, and availability of the organizational systems and critical infrastructure. 
The security control implementation statements are documented, reviewed, and tested to ensure they produce the desired outcome.<\/p>\n<p>Once authorized, systems are continuously monitored using automated and manual processes with regular testing of controls to validate their continued efficacy. System authorization data is stored in the NCUA\u2019s governance, risk, and compliance repository, which aggregates and analyzes enterprise information security risk information. This provides seamless reporting to NCUA\u2019s senior management and CISA.<\/p>\n<p>In addition to technology, the NCUA strengthens information security by designing and disseminating fully developed agency-wide and program-specific policies and procedures to establish appropriate practices for collecting, securing (data is encrypted in transit and at rest), retaining, and destroying data. These policies and procedures are based on applicable requirements in information security laws, or are otherwise mandated by NIST, the Office of Management and Budget, CISA, or the National Archives and Records Administration.<\/p>\n<p>ACTIVITIES TO ENSURE EFFECTIVE INFORMATION TECHNOLOGY SECURITY<br \/>\nAppointing Qualified Staff<br \/>\nThe NCUA has hired staff focused on cybersecurity and privacy. IT security staff include cybersecurity operations and incident responders, cloud security architects, application security architects, and network security engineers. 
In addition, the agency uses contract staff with specialized skills to support its work in the areas of:<\/p>\n<p>Computer forensics;<br \/>\nDefensive cyber operations;<br \/>\nMalware analysis and mitigation;<br \/>\nSecurity information and event management;<br \/>\nConfiguration management;<br \/>\nThreat hunting; and<br \/>\nIncident handling and response.<\/p>\n<p>The NCUA\u2019s Enterprise Risk Management Council, Cybersecurity Council, and IT Oversight Council are composed of senior executives within the agency with diverse backgrounds, including information technology and security, and are tasked with monitoring, measuring, managing, and prioritizing risks and related investments, including IT security. These internal agency councils meet as often as monthly and are briefed regularly on cybersecurity matters that relate to credit unions, financial services, or the agency.<\/p>\n<p>The NCUA also has staff with the requisite national security clearances to support the dissemination of classified information to appropriately cleared staff members on a need-to-know basis, as well as to other federal agencies, to share relevant information that may be used to warn or proactively mitigate threats in their regulated entities. The Chief Information Officer, the Senior Agency Information Security\/Risk Officer, and the Senior Agency Official for Privacy collaborate to ensure compliance with regulations and drive security performance. An executive-level Cybersecurity Advisor and Coordinator position was established in 2021 to organize, coordinate, and advise on cybersecurity and critical infrastructure matters across all NCUA offices. The Cybersecurity Advisor and Coordinator provides advice directly to the NCUA Board and senior leadership on cybersecurity matters.<\/p>\n<p>NCUA Staff Training<br \/>\nAll Staff. All agency staff receive general and role-based training on information security and cybersecurity at least annually. This training addresses staff\u2019s legal, reputational, and ethical obligations to protect sensitive information. 
The NCUA provides mandatory privacy and security awareness training to all NCUA system users. The training addresses appropriate information security practices, rules of behavior for access and use of data systems, responsibilities for protecting personally identifiable information, and ethics rules prohibiting unauthorized information disclosures. Staff are trained on policies regarding:<\/p>\n<p>Collecting information necessary to perform their planned review;<br \/>\nCollecting information in a secure manner using a hierarchy of secure methods that best suit the situation;<br \/>\nTransferring and storing any sensitive information only where there is an identified, authorized need to retain such information, and in a manner consistent with agency instructions for handling sensitive information; and<br \/>\nDestroying or returning all other non-public sensitive or personally identifiable information after the examination or review, per applicable laws.<\/p>\n<p>Staff with Elevated Access. Staff who have elevated access to systems or have management responsibility for systems and data take mandatory role-based training. For NCUA staff serving in cybersecurity roles, individual development plans are developed collaboratively with managers to build domain-specific skills.<\/p>\n<p>Field Staff. The NCUA\u2019s training for examiners and others who examine or supervise credit unions includes special training on the ISE program. The training program provides instruction on topics including NCUA regulations parts 748 and 749, agency guidance, and industry best practices related to measuring, monitoring, reporting, and controlling IT risks. Examiner training is designed to maintain and update knowledge of standards, tools, and practices to identify, detect, prevent, and mitigate IT and cybersecurity risks, threats, and vulnerabilities. This training includes classroom, online, and on-the-job training. The training is designed to specifically address competencies in the areas of IT, information security, and cybersecurity. 
The courses are designed to introduce ISE procedures and expand examiners\u2019 understanding of cybersecurity concepts found in the FFIEC IT Booklets, NIST guidance, and industry best practices.<\/p>\n<p>Specialists. The NCUA has a cadre of examiners specially trained in IT security. These regional specialist and subject matter examiners have the technical knowledge and skills necessary to perform in-depth information security examinations for the more complex institutions. The NCUA has recently added the role of Director of Specialist Resources (DSR) in each of the NCUA\u2019s three regions. The DSRs are tasked with overseeing the Regional Information Systems Officers and other specialists. These new supervisory positions facilitate better communication and coordination among NCUA\u2019s cybersecurity teams and contribute to the formulation of policies and operational strategies that significantly impact the safety and soundness of the credit union system. The addition of the DSR role reflects the agency\u2019s proactive approach to cybersecurity management and aligns with its broader goals of protecting the interests of credit union members while promoting systemic financial stability. The NCUA also has specialized personnel in the Office of Examination and Insurance to develop and maintain examination policies and tools, supervisory guidance, and examiner training.<\/p>\n<p>Credit Union Training and Support<br \/>\nThe NCUA\u2019s Office of Credit Union Resources and Expansion provides training for credit unions. The NCUA maintains an online system available to credit unions at no cost with over 200 courses available on various topics, including information security. This office also hosts webinars that deliver timely and meaningful information to help credit union professionals stay current on relevant topics affecting the credit union community. 
These webinars provide credit union management with important information on how to protect their credit unions and members.<\/p>\n<p>The NCUA provides credit unions additional resources through its website and by offering technical assistance grants and low-interest loans to low-income designated credit unions.<\/p>\n<p>ACET. As noted previously, the NCUA provides credit unions with free access to the ACET maturity assessment. This tool helps a credit union determine its risk exposure by\u00a0identifying the type, volume, and complexity of the institution\u2019s operations, and enables the credit union to assess the adequacy of corresponding controls. ACET is based on the U.S. Department of Homeland Security (DHS) Cyber Security Evaluation Tool. It provides a multitude of cybersecurity standards and other resources for a credit union to conduct self-assessments, including the Ransomware Readiness Assessment.<\/p>\n<p>NCUA.gov. The NCUA website provides cybersecurity resources for research and informational purposes. Specifically, the Cybersecurity Resources page centralizes and contains applicable references to NCUA regulations and guidance, federal government requirements and guidelines, information sharing, cybersecurity threats, best practices, and privacy and protection.<\/p>\n<p>Grants and Loans. The NCUA provides technical assistance grants and low-interest loans to support credit unions\u2019 efforts to improve and expand service through the Community Development Revolving Loan Fund. Year after year, demand for this funding continues to exceed supply. During the 2023 grant round, the agency received 316 applications totaling more than $10.3 million, and awarded more than $3.5 million in technical assistance grants to 146 low-income-designated credit unions. 
Of that amount, 79 grants totaling nearly $800,000 were specifically earmarked for digital services and cybersecurity projects.<\/p>\n<p>Agency Investment in Information Technology Security<br \/>\nThe NCUA has invested significant resources in prioritizing agency cybersecurity resiliency and adopting Zero-Trust Architecture (ZTA). These investments are designed to identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated cyber campaigns. The aim is to meet and exceed the standards outlined in the latest Office of Management and Budget directives advocating for a robust ZTA across federal agencies.<\/p>\n<p>All basic user accounts must use multi-factor, certificate-based authentication to access network resources. Elevated privilege accounts (system and network administrators and engineers) are issued session-based credentials with specific expiration timeframes. To mitigate vulnerabilities, NCUA network users remotely access network services and resources protected by encrypted virtual private network (VPN) tunnels. Internal and external network traffic is managed and monitored. VPN connectivity on NCUA laptops is mandatory for all users. This system continually enforces technical policies and ensures traffic and data are encrypted and secure.<\/p>\n<p>The NCUA uses a security information and event management solution to enhance visibility, investigative, and remediation capabilities. This solution provides insights, automated analytics, and actionable intelligence through correlation and machine learning to efficiently identify anomalous behavior in agency networks, infrastructure, and applications.<\/p>\n<p>The NCUA uses a threat intelligence platform to automate threat analysis and identify threat exposure. This platform enables better decision-making and improves security capabilities to reduce the risk of compromise. In support of national efforts to remove barriers to threat information sharing, the NCUA leverages automated indicator sharing from DHS. 
The NCUA also leverages DHS\u2019s Protective Domain Name System and Trusted Internet Connection 3.0 to\u00a0enhance cybersecurity analysis, situational awareness, and security response in internet traffic and connections.<\/p>\n<p>To support cybersecurity resiliency and mitigate risks resulting from infrastructure failure, the NCUA has redundant data center facilities that are failovers for essential NCUA network resources and services. Essential public-facing web services have been migrated to cloud-based infrastructure to leverage both inherent geographic dispersion and infrastructure failure risk mitigation. For critical business productivity and collaboration client resilience, the NCUA migrated to Microsoft\u2019s Office 365 government cloud environment.<\/p>\n<p>The NCUA\u2019s approach to data loss prevention limits local downloading of business information; however, when necessary due to limited network connectivity, any downloads are to centrally tracked and managed encrypted devices. For email data loss and exfiltration, the NCUA uses a third-party technology that monitors, notifies, logs, and prevents business information from malicious and inadvertent transfer to external email domains. The NCUA uses Domain-based Message Authentication, Reporting, and Conformance to combat spam, phishing, and spoofing of NCUA email domains.<\/p>\n<p>To mitigate the risk of endpoint malware-based data exfiltration, the NCUA uses a robust real-time Endpoint Detection and Response tool with integrated open-source intelligence feeds, creating opportunities for malware auto-response at the user and server endpoints. 
The NCUA has enhanced the security of mobile devices by hardening the devices and implementing an adaptable mobile security solution to detect and protect against mobile threats, including phishing, malicious mobile apps, device compromise, and risky connections.<br \/>\nFinally, the NCUA evaluates new systems and services to determine if they are candidates for the Office of Management and Budget\u2019s Cloud Smart initiative. As part of the initiative to move to a ZTA and accelerate movement to secure cloud services, the NCUA is carefully evaluating the need for additional investment in both technology and personnel.<br \/>\n<br \/>\nAudits and Reviews of the NCUA\u2019s Cybersecurity Program<br \/>\nThe NCUA\u2019s Office of the Inspector General (OIG) conducts independent audits, investigations, and other activities to verify the NCUA\u2019s compliance with applicable laws, regulations, and standards, including those related to privacy and information security, and to determine whether the NCUA effectively implemented all appropriate security and privacy controls.<br \/>\nThere are five FISMA maturity levels, and the NCUA was evaluated as Maturity Level 4 \u201cManaged and Measurable\u201d as of fiscal year 2023. This rating reflects that the NCUA implemented an effective information security program and substantially complied with information security and privacy practices, policies, and procedures. In addition, as indicated in the financial statement audits, the NCUA complies with the requirements of the Federal Managers\u2019 Financial Integrity Act of 1982. Credit unions and their members can review OIG audit reports, semiannual reports, and letters to Congress on the NCUA\u2019s OIG reports page.<br \/>\nNCUA senior leadership is briefed on the status of open findings every quarter, and resources are allocated as appropriate to ensure mitigation.<br \/>\nBinding Operational Directive 18-02 requires the federal government to identify high value assets and submit to a DHS-led assessment once every 3 years. 
The NCUA\u2019s General Support System was assessed by a CISA-led team during the week of February 26, 2024 \u2013 March 1, 2024. After a review of the General Support System documentation, an in-depth technical exchange meeting with NCUA subject matter experts, and a targeted penetration test, CISA determined that the NCUA has a thorough and well-documented risk management program that includes participation, involvement, and awareness from the system level up to senior leadership. The NCUA received no critical or high reportable findings. The NCUA will continue to report quarterly on the status and compliance of its high-value assets.<br \/>\n<br \/>\nInteragency Coordination Efforts<br \/>\nThe NCUA coordinates with other federal and state regulatory agencies to strengthen cybersecurity, including the development and dissemination of best practices and sharing threat information. Examples include the:<br \/>\nFFIEC. In particular, the NCUA participates on the FFIEC\u2019s Information Technology Subcommittee. This group addresses information systems and technology policy issues as they relate to financial institutions and their technology service providers. The NCUA also participates on the Cybersecurity Critical Infrastructure Subcommittee. This group addresses policy relating to cybersecurity, critical infrastructure security, and the resilience of financial institutions and technology service providers.<br \/>\nFSOC. Because a weakness in the information security of financial systems or data could lead to an incident that could potentially threaten the stability of the U.S. financial system, cybersecurity falls under the charge of FSOC. In its 2023 annual report, FSOC provides several cybersecurity-related recommendations focused on maintaining and improving the cyber resilience of the financial system, including that Congress provide the NCUA with third-party vendor authority.<br \/>\nFBIIC. The NCUA is one of the 18 FBIIC member organizations from across the financial regulatory community, both federal and state. 
Through monthly meetings, staff from FBIIC member organizations work on operational and tactical issues related to critical infrastructure matters, including cybersecurity, within the financial services industry. The FBIIC also leads the financial sector\u2019s cybersecurity exercises, in which the NCUA regularly participates.<br \/>\nFinancial Services Sector Coordinating Council. The NCUA collaborates and coordinates with the private sector through the Financial Services Sector Coordinating Council (FSSCC). The FSSCC works collaboratively with key government agencies to protect the nation\u2019s critical infrastructure from cybersecurity and physical threats. The FSSCC comprises more than 70 members from financial trade associations, financial utilities, and the most critical financial firms. Through government relationships, the FSSCC directly assists the sector\u2019s response to natural disasters.<br \/>\nU.S. Department of the Treasury and CISA. As a federal agency, the NCUA follows CISA\u2019s and the U.S. Department of the Treasury\u2019s direction during government-wide incident response activities. In addition, the NCUA identifies potential, actual, and emerging threats, issues, or challenges to analyze underlying causes and develop innovative short- and long-term solutions. This analysis supports the shaping of the NCUA\u2019s internal policies and procedures related to cybersecurity, critical infrastructure protection, supply chain risks, national security, insider threats, counterintelligence, continuity of operations, and emergency response. 
The NCUA\u2019s staff also participate in the following interagency initiatives:<br \/>\nCISA security operations center information and collaboration sessions;<br \/>\nTreasury sector cybersecurity collaboration and information sessions;<br \/>\nThe Federal Chief Information Security Officer Council; and<br \/>\nThe Small Agency Chief Information Security Officer collaboration forum.<br \/>\n<br \/>\nIndustry Efforts<br \/>\nCredit union participation in the following initiatives reflects the credit union system\u2019s proactive engagement with the broader information security community to enhance cybersecurity and resilience.<br \/>\nInformation Sharing and Analysis Centers &#038; Organizations. Credit unions actively participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), where the financial sector shares intelligence, knowledge, and practices. The National Credit Union Information Sharing and Analysis Organization was established to tailor these efforts to the unique needs of credit unions and provides security coordination and collaboration to identify, protect, detect, respond, and recover from threats and vulnerabilities.<br \/>\nSheltered Harbor. Composed of financial institutions, core service providers, national trade associations, alliance partners, and solution providers dedicated to enhancing financial sector stability and resiliency, Sheltered Harbor is a subsidiary of the FS-ISAC. It developed standards to assist financial institutions in preparing for catastrophic events. The standards are designed to help institutions plan for and recover from catastrophic events, and to continue to provide essential services until normal operations can be reestablished.<br \/>\nHamilton Series Exercises. The NCUA supports the Hamilton Series exercises through its membership on the joint FSSCC-FBIIC Exercise Committee. These one-day exercises simulate various cyberattack scenarios to enhance cybersecurity threat responses within the U.S. financial sector. 
They also aim to improve public-private coordination strategies by including diverse participants from both sectors.<br \/>\nCISA Cyber Hygiene Services. Over 200 credit unions have engaged with CISA\u2019s Cyber Hygiene Services program, which offers vulnerability scanning and web application scanning to help institutions mitigate cybersecurity threats.<br \/>\n<br \/>\nCURRENT &#038; EMERGING THREATS<br \/>\nIn today\u2019s digital age, the financial sector faces an increasingly sophisticated array of cybersecurity threats that demand vigilance. The rapid evolution of technology, coupled with escalating geopolitical tensions, has expanded the threat landscape significantly. Financial institutions, including credit unions, are particularly vulnerable due to their increasing reliance on technology and third-party service providers that the NCUA has no authority to examine, supervise, or regulate.<br \/>\nThe NCUA remains concerned about the risks cyberattacks pose to the financial system. Cybersecurity risks grow as threats evolve, become more sophisticated, and cause greater damage to a variety of industries. Geopolitical tensions increase the possibility of nation-states and other sophisticated actors conducting malicious cyberattacks against U.S. critical infrastructure, of which credit unions are a significant part. To ensure the industry\u2019s long-term success, credit unions must deliver member services using appropriate controls.<br \/>\nThe evolving array of cybersecurity threats that require continued vigilance by credit unions includes:<br \/>\nThird-Party Risk. Credit unions\u2019 dependency on third-party vendors and the integral nature of the supply chain introduce considerable risk as cyber actors continue to exploit the vulnerabilities of third-party providers. The absence of third-party vendor authority limits the NCUA\u2019s ability to assess and mitigate potential risks associated with these vendors. 
Vendors typically decline examination requests or refuse to implement recommended actions, exacerbating credit unions\u2019 exposure to operational, cybersecurity, and compliance risks that can arise from these relationships. Without visibility into these entities and the authority to supervise and enforce corrective actions, the NCUA cannot effectively protect credit unions and their member-owners or provide relevant information to other federal and state regulators about threats encountered in the credit union industry.<br \/>\nBased on cyber incident reports submitted by credit unions since September 1, 2023, compromises within third-party services have led to systemic risks across the credit union ecosystem. In fact, incidents related to third-party vendors accounted for approximately 73 percent of total reported incidents.<br \/>\nA recent cyber incident has underscored the importance of the NCUA obtaining vendor authority to address these risks. On November 26, 2023, a major service provider for the credit union industry was targeted by a ransomware attack, resulting in a prolonged service outage that affected 60 credit unions. This incident exposed significant challenges in the agency\u2019s ability to respond effectively due to the lack of vendor authority. During the incident, the NCUA faced substantial difficulties in obtaining crucial information from third-party vendors, which hindered response efforts. Due specifically to the NCUA\u2019s lack of vendor authority, the NCUA encountered delays in communication and an inability to obtain data. These obstacles could have been mitigated if the NCUA had the authority to demand timely and reliable information from all relevant parties.<br \/>\nMoreover, the lack of vendor authority also impacts the nation\u2019s critical economic infrastructure and national security, as the interconnectedness of financial services expands with other industries and national infrastructure. 
Currently, more than one in three Americans use a credit union for basic financial services, and there are many credit unions with fields of membership that are tied to high-risk populations such as congressional staff, the U.S. military, the State Department, and members of the U.S. Intelligence Community. Many of these credit unions use third-party service providers to provide critical member services. A sophisticated cyberattack against a vendor can have measurable impacts on the personnel who are critical to government operations and national security. By current estimates, roughly 90 percent (or approximately $1.9 trillion) of industry assets are in some way managed or affected by unregulated third-party service providers.<br \/>\nState-Sponsored Cyber Activities. Over the past year, U.S. government organizations, including CISA, the National Security Agency, and the FBI, produced a joint advisory to alert the public that cyber actors sponsored by the People\u2019s Republic of China are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States or its allies. This advisory was published following months of observations and incident response activities at U.S. critical infrastructure organizations that had been compromised. State-sponsored cyber activities against critical infrastructure are a real threat to the credit union system\u2014due, primarily, to the number of Americans that can be impacted and the resulting effects on the U.S. economy. Along with CISA, the FBI, and the National Security Agency, the NCUA has encouraged credit unions of all sizes to adopt a heightened state of awareness and to proactively hunt threats to defend against this risk. Additionally, the NCUA provided guidance and resources to credit unions to assist in mitigating this threat and specifically recommended credit unions report cyber incidents to CISA. 
The NCUA has also directed credit unions to CISA\u2019s Shields Up website for additional guidance, reporting options, and mitigation measures.<br \/>\nRansomware Attacks. Ransomware is an increasingly serious threat to credit unions. Ransomware attacks continue across all sectors, including the financial sector, and have left victims without the data they need to operate. Over the past year, ransomware attacks and payments have escalated in frequency, scope, and volume across all critical infrastructure sectors. One of the primary causes of this sharp growth is the increase in cyber actors using ransomware to carry out attacks and, in turn, profit from their actions. Ransomware as a service is a cybercrime business model in which a ransomware group sells its code or malware to other hackers, who then use it to carry out their own ransomware attacks. This has made it easier for bad actors to carry out ransomware attacks. Designed to help public and private organizations defend against the rise in ransomware cases, CISA\u2019s StopRansomware provides a whole-of-government approach to tackle ransomware more effectively and serves as one central location for ransomware resources and alerts.<br \/>\nQuantum Computing and Cryptographic Risks. The U.S. government remains concerned with the development and trajectory of quantum information technologies and products that could compromise existing encryption and other cybersecurity controls across critical infrastructure sectors.<br \/>\nArtificial Intelligence (AI)-enabled Attacks. Generative AI creates new text, images, video, and other content. Generative AI has gone mainstream and is increasingly being used by cyber actors to create complex malware and advanced social engineering attacks, including phishing and spoofing. Because generative AI makes these attacks more effective, they are also harder to detect and prevent. In addition to generative AI being used for initial attack vectors, it can also amplify threats once an initial breach has occurred. 
AI tools can be used to modify code at scale, quickly giving control to attackers. These tools can also be trained on a dataset of known vulnerabilities and used to automatically generate new exploit code to target multiple vulnerabilities in rapid succession. Cyber actors can also use generative AI to scan massive amounts of company data, summarizing it to identify employees, relationships, and assets, potentially leading to further social engineering attacks via user impersonation, blackmail, or coercion. However, generative AI is not used exclusively by bad actors\u2014organizations are increasingly using the same technology to build better cybersecurity defenses.<br \/>\nThe evolving nature of cybersecurity threats demands a dynamic and informed response strategy from both credit unions and the NCUA. By focusing on third-party vulnerabilities, geopolitical risks, and advanced cybercrime tactics, and by maintaining robust communication channels, credit unions can enhance their resilience against a broad spectrum of cybersecurity threats. This integrated approach not only addresses current threats but also positions the credit union sector to adapt to future challenges, ensuring long-term security and operational success.<br \/>\n<br \/>\nCONCLUSION<br \/>\nThe NCUA is committed to fortifying cybersecurity resilience within the agency and the credit union system. Through targeted examinations, comprehensive risk assessments, and robust educational outreach initiatives, the NCUA is working diligently to strengthen cybersecurity practices and mitigate potential vulnerabilities across the industry.<br \/>\nWithin the limits of its current statutory authorities, the NCUA remains proactive in furthering effective IT security within the credit union system. By leveraging partnerships with other federal agencies, industry stakeholders, and cybersecurity experts, the NCUA continues to foster a collaborative environment conducive to information sharing and coordination. 
This collaborative approach enables the NCUA to stay abreast of current and emerging threats, enhancing its ability to anticipate and respond effectively to cybersecurity risks.<br \/>\nHowever, challenges persist, particularly concerning the lack of authority over third-party vendors. The reliance of credit unions on third-party vendors for essential services exposes them to additional cybersecurity risks and is a growing regulatory blind spot for the NCUA.<br \/>\nAs the digital landscape continues to evolve, the NCUA remains committed to adapting its cybersecurity approach to effectively address emerging threats and challenges. By remaining vigilant and proactive, the NCUA aims to defend the security and stability of the credit union system, promote the financial well-being of credit union members, and safeguard the integrity of the broader financial system for generations to come.<br \/>\nIn order to achieve these worthy goals, the NCUA will continue to request that Congress provide the long overdue ability for the NCUA to supervise and examine third-party service providers in the credit union industry. 
This authority is needed to manage, measure, and proactively mitigate risks within the credit union system, and to be able to share relevant information with government partners to add to the whole of government approach to protecting critical infrastructure in the United States.<br \/>\n<br \/>\nAPPENDIX: RESOURCES<br \/>\nLaws, Regulations, and Reports<br \/>\nRecent NCUA Letters to Credit Unions<br \/>\nRecent NCUA Risk Alerts &#038; Notices<br \/>\nYear | Reference | Alert<br \/>\n2022 | 22-RISK-01 | Heightened Risk of Social Engineering and Phishing Attacks<br \/>\n2021 | 21-RISK-01 | Business Email Compromise through Exploitation of Cloud-Based Email Services<br \/>\n2020 | 20-RISK-02 | Cybersecurity Considerations for Remote Work<br \/>\n2019 | 19-RISK-01 | Business Email Compromise Fraud<br \/>\n2024* | Alert | Automated Teller Machine and Interactive Teller Machine Skimming and Shimming Activities<br \/>\n2023* | Notification | Upcoming Webinar with FBI on Ransomware Trends and Mitigation Recommendations<br \/>\n2023* | Alert | Update to Ransomware Compromise at Significant ATM and Banking Equipment Provider<br \/>\n2023* | Alert | Compromise at ATM Provider QSI \u2013 Immediate Action Required if Your Credit Union Uses Equipment provided by QSI<br \/>\n2023* | Notification | MOVEit Cybersecurity Incident Considerations<br \/>\n2023* | Alert | Recent Uptick in Cyberattacks Against Credit Unions and Third-Party Service Providers<br \/>\n2023* | NCUA Express | MOVEit Transfer Web Application Vulnerability<br \/>\n2023* | Alert | Business Email Compromise \u2013 Targeting Credit Unions<br \/>\n2023* | Alert | Multi-Factor Authentication Vulnerabilities and Mitigations for Credit Unions<br \/>\n2023* | Alert | Fortra GoAnywhere Zero-Day Exploitation by Threat Actors<br \/>\n2023* | Information | Information Security Examination Beginning in 2023<br \/>\n2022* | Notification | FFIEC Industry Outreach Webinar: Critical Infrastructure Security and Resilience Multifactor Authentication (MFA)<br \/>\n2022* | Information | Cybersecurity Month \u2013 \u201cRansomware in the Financial Sector\u201d Webinar<br \/>\n2022* | Alert | FFIEC Releases Cybersecurity Resource Guide for Financial Institutions<br \/>\n2022* | NCUA Express | NCUA Express: Sign Up to Receive Call Report and Cybersecurity Information<br \/>\n2022* | Alert | Recent Phishing Email Targeting Credit Unions<br \/>\n2022* | Alert | Unpatched VMware Vulnerabilities Being Exploited for Full System Control<br \/>\n2022* | Alert | Register for the Ransomware Outreach Event<br \/>\n2022* | Alert | Current Geopolitical Events Increase Likelihood of Imminent Cyberattacks on Financial Institutions<br \/>\n2022* | Alert | Current Geopolitical Events Increase Likelihood of Cyberattacks<br \/>\n* Denotes GovDelivery Notices that have limited distribution and are not linked to a public facing website.<br \/>\n<br \/>\nNCUA Supervisory Priorities<br \/>\nInteragency Cybersecurity Statements and Press Releases<br \/>\nFFIEC Cybersecurity Awareness: Resources<br \/>\nFFIEC Cybersecurity Resource Guide for Financial Institutions<br \/>\nFFIEC Authentication and Access to Financial Institution Services and Systems Guidance<br \/>\nFFIEC Statement on Security in a Cloud Computing Environment<br \/>\nFFIEC Office of Foreign Assets Control Cyber-Related Sanctions Program Risk Management<br \/>\nFFIEC Statement on Cyber Insurance and Its Potential Role in Risk Management Programs<br \/>\nFFIEC Cybersecurity Assessment Tool Frequently Asked Questions<br \/>\nCybersecurity of Interbank Messaging and Wholesale Payment Networks<br \/>\nFFIEC Cybersecurity Assessment Tool Presentation<br \/>\nFFIEC Statement on Destructive Malware<br \/>\nFFIEC IT Examination Handbook InfoBase<br \/>\nIntroduction to the FFIEC\u2019s Cybersecurity Assessment<br \/>\nFFIEC Cybersecurity Assessment General Observations<br \/>\nWebinar: Executive Leadership of Cybersecurity<br \/>\nFFIEC IT Booklets: Audit, Architecture, Infrastructure, and Operations, Business Continuity Management, Information Security, Retail Payment Systems, Management, Supervision of Technology Service Providers, Outsourcing Technology Services, Development and Acquisition, Wholesale Payment Systems<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity and Credit Union System Resilience Annual Report to Congress 
https:\/\/ncua.gov\/news\/publication-search\/cybersecurity\/cybersecurity-and-credit-union-system-resilience-annual-report-congress-2 Publish Date: 2025-12-30 13:03:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":174255,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/ncua.gov\/themes\/main\/images\/og-default.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,30,24,31,32,29,25,27],"class_list":["post-174254","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-breach","tag-cybersecurity","tag-exploit","tag-malware","tag-network-security","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174254"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=174254"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174254\/revisions"}],"predecessor-version":[{"id":174256,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174254\/revisions\/174256"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/174255"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=174254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?
post=174254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=174254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}