Is CU vendor management a cybersecurity threat?
I finally got around to reading a Government Accountability Office report released last week assessing the effectiveness of financial regulators in overseeing the cybersecurity infrastructures of banks and credit unions. After reading the GAO’s conclusions, I was as surprised as a Japanese soccer fan who missed the first seventeen minutes of last night’s World Cup Final.
Well, maybe not that surprised. After all, the US scored four goals in twenty minutes, which is more unusual than the Mets scoring four runs in a nine-inning baseball game, or maybe in a week. Still, the GAO’s conclusions are important, if a bit overstated.
Its first recommendation was for regulators to do a better job of collecting cyber-threat data and sharing it more quickly among themselves and with financial institutions. No surprise there.
Its second proposal was to urge Congress to give NCUA the same authority to directly examine third-party vendors already exercised by the other financial regulators, including the OCC. It contends that “Without authority to examine third-party service providers, NCUA risks not being able to effectively monitor the safety and soundness of regulated credit unions.” The GAO contends that this lack of direct vendor oversight is particularly harmful to smaller credit unions, which lack both the resources to have in-house IT staff and the financial leverage to demand changes to vendor practices.
First, a reality check. In an age when some banks have IT budgets larger than most credit unions and government-coordinated attacks on US financial institutions are commonplace, to suggest that one of the key actions Congress needs to take for cybersecurity is to give NCUA greater vendor oversight overstates the case. GAO has argued for increased vendor oversight by NCUA for more than a decade now, and so far Congress has turned a deaf ear.
That being said, and with the caveat that the opinions I put forward are mine alone, I’ve come to believe that the GAO and NCUA have a point. Why shouldn’t NCUA have the same power to directly oversee vendors as do the other financial regulators?
Giving NCUA this power would take away a potential cudgel from the banking industry. The retired but still blogging Keith Leggett has already highlighted the GAO’s report in his Credit Union Watch blog. The credit union industry is one negligent vendor and a cyber attack away from being put on the defensive over cybersecurity. If this happens it will be a self-inflicted wound.
What exactly is the big deal anyway? If credit unions are using established vendors, these vendors are most likely working with banks and are already subject to examiner oversight. If they are using CUSOs, they shouldn’t be afraid of demonstrating the safety and soundness of these organizations.
One more thing NCUA is right about: enhanced vendor oversight would help protect smaller credit unions from cyber threats precisely when small and medium-sized institutions are becoming more attractive cyber targets.
None of this is to say that vendor oversight is an industry panacea. In fact, if NCUA were given this authority tomorrow, it is doubtful that it would have the manpower or expertise to maximize its benefits. According to the GAO, NCUA has 40 to 50 subject-matter IT examiners, as well as 12 IT specialists in regional offices and 4 in headquarters. These staff focus primarily on the largest credit unions. In addition, “regular” examiner staff consult with the specialists on IT issues that arise at reviews of other institutions. The report points out that the examiners with the most expertise are examining the largest institutions. While this makes sense given limited resources, it also means that small and medium-sized credit unions don’t get the benefit of expert IT examinations.
NCUA plans to offer web-based training to help get examiners up to speed, but given the importance of cybersecurity, this isn’t exactly reassuring. To be fair, the problem of staff expertise is hardly unique to NCUA. The Federal Reserve, which regulates more than 5,500 institutions, has 85 IT examiners who have information security or advanced IT expertise and focus primarily on examinations of the largest institutions.
NCUA also does not do well at what the GAO calls “data analytics” but I call data collection. Surprisingly, it does not “maintain a centralized database on data breach reports—each region holds the data—but periodically reviews incident reports.” It told GAO that it “has been working to expand its analytic capabilities in this area.” I would hope so. This seems kind of basic to me if we want to know whether there are credit union-specific vulnerabilities and what can be done about them.