Cybersecurity Spotlight: NCUA Supervisory Priorities

The NCUA recently released its supervisory priorities for 2025 credit union oversight. For 2025, there is a strong emphasis on board responsibilities surrounding cybersecurity activities. The NCUA recognizes that a successful cybersecurity program requires the support and oversight of the Board. The following cybersecurity priorities are called out as specific areas requiring the focus of your Board.

Third-Party Due Diligence

Your Board should clearly outline management expectations regarding third-party contractors’ information security due diligence. The credit union must ensure that agreements with outside contractors have provisions safeguarding member and credit union data and particular cybersecurity obligations, such as prompt notification of any incidents.

Integrate operational resilience and cybersecurity into the organization’s culture

Your credit union’s Board should ensure that cybersecurity is a fundamental principle that informs all decision-making levels. The board minutes should note all discussions regarding cybersecurity.

Material Support

To strengthen the credit union’s defenses, your Board should also support the necessary investment in cybersecurity tools and technologies. This support is critical to establish and sustain a cybersecurity posture appropriate for the credit union’s risk profile. The Board must give the credit union staff access to cybersecurity knowledge and a sufficient budget to buy necessary tools and services.

As you plan your training activities, remember to identify programs for all levels of responsibility. Build programs for Board, management, and operational personnel. Ensure that you track and report on compliance.

Threat Intelligence

The NCUA explicitly calls for credit unions to use threat intelligence to keep up with new risks and vulnerabilities that could affect the organization. Organizations like the National Credit Union Information Sharing and Analysis Organization (NCU-ISAO) provide threat feeds and peer-to-peer sharing among credit unions. As a key part of any risk management program, your Board must make sure that operational management prioritizes careful vulnerability management, which includes patch management, timely software upgrades, and allowlisting and blocklisting websites, applications, and URLs. Management is responsible for providing meaningful metrics and reports to the Board so they can assess the efficacy of the program.

Audit

The Board should ensure management enlists outside parties with the necessary experience to audit the cybersecurity program. The Board needs an unbiased evaluation of the program’s efficacy, considering the credit union’s size and risk profile.

Cybersecurity risk assessments

These assessments, which involve identifying threats, vulnerabilities, and the effectiveness of existing measures, should be part of the reporting to the Board. The reports should outline the program’s general state and significant issues, such as risk assessment findings and suggestions for improving the program.

Protecting and Managing Backups

Regular testing of backup systems is necessary to guarantee efficient and timely data restoration. Regular drills will ensure that staff members are knowledgeable about restoration methods and assist in identifying any weaknesses in the backup process.

The Board should also ensure that the credit union has explicit, documented protocols for recovering data from backups after a ransomware attack or other data loss disaster.

One key activity should be participation in industry-wide exercises. This is an excellent opportunity to compare your program with others and test your own plan. Encourage one or more board members to participate to gain first-hand knowledge of disaster recovery programs.

Education for Members

Your Board should collaborate with management to periodically educate members about information security to encourage good cybersecurity practices, such as multi-factor authentication and the significance of strong, regularly changed passwords.

Each credit union may have differing priorities based on risk, staffing, and program maturity. Each organization needs to review the document and establish plans to achieve compliance.

Need guidance?

Pure IT is skilled in assisting credit unions with developing cybersecurity programs and plans. Contact us for more help!