Credit Union Cyber Risk Assessments - NCUA Risk Assessment

Wouldn’t it be a dream come true if you could predict the future and know what market changes, natural disasters (or pandemics), and cyber threats will occur around your organization? While we don’t have a hack for this, we do know a risk assessment helps prepare your organization for any unforeseen circumstances such as these.

The widespread adoption of technology and mobile banking has contributed to positioning financial institutions as some of the most sought-after targets. With this in mind, it is also why they are incredibly regulated and under a great deal of pressure to bolster their security. If you represent a credit union, you might be thinking how can I keep up with holistic cybersecurity when I have ongoing audits and the National Credit Union Administration’s (NCUA) regulations to comply with? The answer lies in what is called an NCUA Risk-Focused Program, or what is more commonly known as a Risk Assessment.

Why get a Risk Assessment?

A risk assessment is an integral piece of any credit union's NCUA, Bank Secrecy Act (BSA), and Federal Deposit Insurance Corporation (FDIC) program- as well as numerous other widely mandated regulations. In fact, risk assessments are required in many programs. Since risk is any exposure to danger, a risk assessment identifies and documents any dangers to an organization.

Now we know you might be thinking, “Oh no yet another blog telling me I need to get a risk assessment,” but have you ever considered why “Risk Assessment” is such a business buzzword and why the NCUA mandates it (and no, it’s not because the NCUA is a bureaucracy)? The primary goal of a NCUA credit union risk assessment is to evaluate unanticipated events that may have an adverse effect on your organization's net worth and earnings. This is now pertinent more than ever as credit unions must be able to support the boom of online activities like online banking and e-Commerce as a result of the COVID-19 pandemic.

How to start a credit union cybersecurity risk assessment while also checking the NCUA Risk Assessment box?

A credit union cybersecurity assessment must be approached from a holistic lens. This means you should have complete visibility of internal assets which encompasses personnel, processes, and Information technology (IT). In addition, you need to have a list of the threats to each asset. This could be online adversaries, the failure of a critical service provider which could result in downtime for your business and even your employees could be threats (consider the misuse, modification, or unauthorized disclosure of credit union member personal identifying information). Worst case scenario, an unaddressed or identified threat could physically destroy your credit union, its reputation and even result in going out of business.

Okay so that last sentence was a bit dramatic... but frankly it is the truth. Reputation and customer satisfaction are critical factors in a credit union’s success. Conversely, it is important to remember when conducting a credit union cybersecurity assessment that not all threats are the same and so not all are worth the same amount of consideration.

Fortunately, NCUA cybersecurity requirements can be somewhat flexible, based on an organization's size and complexity. During a credit union IT security audit, an NCUA examiner will focus on the following IT objectives:

  • Evaluate management’s ability to recognize, assess, monitor, and Objectives control information systems and technology (IST) related risks
  • Assess whether the credit union has sufficient expertise to adequately plan, direct, and control IST operations
  • Determine whether the board of directors has adopted and implemented adequate policies and procedures
  • Determine whether practices comply with established policies and procedures
  • Determine adequacy of internal controls and oversight to safeguard assets (including IST assets) and members’ information

Achieving the best of both worlds, NCUA compliance and Genuine Cybersecurity
The above objectives may seem overwhelming or even unrealistic, so it is worth mentioning that the NCUA examiner’s guide explicitly states, “NCUA does not expect examiners to perform a detailed IST review.” Sure, you could do the bare minimum required to pass, but this might give you a false sense of security and trust in your IT. Obviously you don’t have unlimited resources and as a cybersecurity firm, we know that it is impossible to eliminate all risk. However, this is why security and risk management professionals have advocated for years in assessing the likelihood and potential impact of a threat on a vulnerability before exerting capital and time on a control.

For instance, the impact of customers stealing an ink pen is virtually none, so this would not be a place to dedicate extreme controls. On the other side, the impact of ransomware or unauthorized access to your network could be devastating. Ranking any plausible threat in a criticality matrix and documenting its control as well as proof you are regularly monitoring it will support you tremendously in achieving NCUA compliance. It also provides the added benefit of addressing your most dire threats, allowing you to focus on your core business functions.

Monitoring controls and threats to your organization must not be looked over because threats, vulnerabilities, and operations are rapidly changing. At Silent Sector, we do not believe in secure and forget, but regular review of control effectiveness and applicability to your threats. Is your financial institution prepared for tomorrow’s cyberattack, employee mishap, or NCUA risk assessment?

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.