What’s Next on the Cybersecurity Front

October 26, 2016 Marketing GrafWebCUSO

The recent cyberattack that took down websites like PayPal, Amazon, Netflix and Twitter was just the latest reminder about the importance and vulnerability of the internet.

Coming, ironically, near the end of National Cybersecurity Awareness Month, the attack also reinforced how important it is that financial institutions, regulators and lawmakers continuously up their game to protect our country’s financial networks. It’s little wonder that a recent National Association of Federal Credit Unions survey found data breaches are the top concern among credit unions right now.

Trying to track the number of financial transactions processed over the internet each day would be like trying to count the grains of sand on a beach. Amazon, one of the companies hit last week, processes an estimated 35 orders every second, and that number can increase by a factor of 10 during big sales. Hackers, thieves and terrorists are constantly probing the networks through which those transactions flow, looking for ways to get in and steal money, pilfer information or cause disruption, as was the case in last week’s attack. So, it’s not enough for us to stay constantly vigilant; we also must keep working to do a better job of protection.

For the last three years, cybersecurity has been one of the NCUA’s supervisory priorities, and we maintain a cybersecurity resources page on our website. We also are working with our fellow regulators in the FFIEC to address these threats, and one of the steps we took was the creation of the cybersecurity assessment tool.

While the NCUA does not require credit unions to use this tool, we nonetheless encourage credit unions to employ it to understand their own vulnerabilities and to design strategies to protect themselves and their members. We’ve held briefings and webinars and provided educational training on the tool, which we plan to incorporate into our examination process next year.  

The cybersecurity risk posed by third-party vendors is another area of concern. To provide the services their members want, credit unions increasingly rely on vendors to provide services from processing transactions to providing network security. Some vendors even serve hundreds of credit unions.  

The Financial Stability Oversight Council’s 2016 annual report identified cybersecurity and financial technology as emergent trends that could threaten financial stability. That report also acknowledged the important role of third-party vendors that provide information technology and financial technology products and services that can be very beneficial to financial institutions in meeting consumer demands.

“The Council encourages financial regulators to continue to monitor and evaluate the implications of how new products and practices affect regulated entities and financial markets, and to assess whether they could pose risks to financial stability,” the report said.

Third-party vendors pose challenges as well as opportunities for credit unions and the NCUA.  Smaller credit unions are particularly vulnerable, as they rely on technology service providers to a greater extent, and that brings vulnerabilities. Cybersecurity threats, particularly against smaller financial institutions, are at an all-time high in 2016.

The NCUA has issued a series of supervisory letters and guidance on vendor due diligence, but the agency’s scope of authority over these vendors is limited. Indeed, there is a disparity between the NCUA’s and the other federal financial institutions’ regulators’ powers to examine and supervise third-party vendors. The NCUA’s need for this authority has been reinforced by several studies and reports separately done by the Financial Stability Oversight Council and Government Accountability Office. 

Congress is also interested in third-party service providers and the role they play in financial technology and cybersecurity. Recently, two senior members of the Senate Banking Committee, Senators Sherrod Brown of Ohio and Jeff Merkley of Oregon, wrote to federal financial institutions regulators expressing concern about potential gaps in supervision and asking for recommendations as to how to close those gaps. They specifically asked about potential gaps in supervision over third-party vendors, and my response included the NCUA’s proposed revisions to close this gap in our supervisory authority.

As the 115th Congress gets underway in January, consideration of a narrowly tailored bill for authority parallel to that already exercised by the other agencies would be immensely helpful to the NCUA’s efforts to enhance cybersecurity and mitigate cyberattacks.

The hackers won’t rest, and neither will we. It’s up to regulators and policymakers to provide a framework and the tools credit unions and other institutions need to keep themselves and their members safe in a world that is increasingly interconnected and vulnerable.

Rick Metsger is board chairman for the NCUA.