Is CU vendor management a cybersecurity threat?

July 6, 2015 at 9:39 am

I finally got around to reading a Government Accountability Office report released last week assessing the effectiveness of financial regulators in overseeing the cybersecurity infrastructures of banks and credit unions. After reading the GAO’s conclusions, I was as surprised as a Japanese soccer fan who missed the first seventeen minutes of last night’s World Cup Final.

Well, maybe not that surprised. After all, the US scored four goals in twenty minutes, which is more unusual than the Mets scoring four runs in a nine-inning baseball game, or maybe in a week. Still, the GAO’s conclusions are important, if a bit overstated.

Its first recommendation was for regulators to do a better job of collecting cyber-threat data and sharing it more quickly among themselves and with financial institutions. No surprise there.

Its second proposal was to urge Congress to give NCUA the same authority to directly examine third-party vendors already exercised by the other financial regulators, including the OCC. It contends that “Without authority to examine third-party service providers, NCUA risks not being able to effectively monitor the safety and soundness of regulated credit unions.” The GAO contends that this lack of direct vendor oversight is particularly harmful to smaller credit unions, which lack both the authority and resources to have in-house IT staff and the financial leverage to demand changes to vendor practices.

First, a reality check. In an age when some banks have IT budgets larger than most credit unions and government-coordinated attacks on US financial institutions are commonplace, to suggest that one of the key actions Congress needs to take for cybersecurity is to give NCUA greater vendor oversight overstates the case. GAO has argued for increased vendor oversight by NCUA for more than a decade now, and so far Congress has turned a deaf ear.

That being said, and with the caveat that the opinions I put forward are mine alone, I’ve come to believe that the GAO and NCUA have a point. Why shouldn’t NCUA have the same power to directly oversee vendors as do the other financial regulators?

Giving NCUA this power would take away a potential cudgel from the banking industry. The retired but still blogging Keith Leggett has already highlighted the GAO’s report in his Credit Union Watch blog. The credit union industry is one negligent vendor and a cyber attack away from being put on the defensive over cybersecurity. If this happens it will be a self-inflicted wound.

What exactly is the big deal anyway? If credit unions are using established vendors, these vendors are most likely working with banks and are already subject to examiner oversight. If they are using CUSOs, they shouldn’t be afraid of demonstrating the safety and soundness of these organizations.

One more thing NCUA is right about: enhanced vendor oversight would help protect smaller credit unions from cyber threats precisely when small and medium-sized institutions are becoming more attractive cyber targets.

None of this is to say that vendor oversight is an industry panacea. In fact, if NCUA was given this authority tomorrow it is doubtful that it would have the manpower or expertise to maximize its benefits. According to the GAO, NCUA has 40 to 50 subject-matter IT examiners, as well as 12 IT specialists in regional offices and 4 in headquarters. These staff focus primarily on the largest credit unions. In addition, “regular” examiner staff consult with the specialists on IT issues that arise at reviews of other institutions. The report points out that those examiners with the most expertise are examining the largest institutions. While this makes sense given limited resources, it also means that small and medium-size credit unions don’t get the benefit of expert IT examinations.

NCUA plans to offer web-based training to help get examiners up to speed, but given the importance of cybersecurity this isn’t exactly reassuring. To be fair, the problem of staff expertise is hardly unique to NCUA. The Federal Reserve, which regulates more than 5,500 institutions, has 85 IT examiners who have information security or advanced IT expertise and focus primarily on examinations of the largest institutions.

NCUA also does not do well at what the GAO calls “data analytics” but I call data collection. Surprisingly, it does not “maintain a centralized database on data breach reports—each region holds the data—but periodically reviews incident reports.” It told GAO that it “has been working to expand its analytic capabilities in this area.” I would hope so. This seems kind of basic to me if we want to know whether there are credit union-specific vulnerabilities and what can be done about them.

Entry filed under: General, Regulatory, Technology.

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.