www.marktreichel.comhttps://www.linkedin.com/in/mark-treichel/Hello, this is Samantha Shares. This episode covers the National Credit Union Administration’s Letter to credit unions 24 dash C U 2 Board of Director Engagement in Cybersecurity Oversight The following is an audio version of that letter. This podcast is educational and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated, whose team has over two hundred and Forty years of National Credit Union Administration experience. We assist our clients with N C U A so they save time and money. If you are worried about a recent, upcoming or in process N C U A examination, reach out to learn how they can assist at Mark Treichel DOT COM. Also check out our other podcast called With Flying Colors where we provide tips on how to achieve success with N C U A. And now the letter.Board of Director Engagement in Cybersecurity OversightToFederally Insured Credit UnionsSubjectCybersecurityDear Boards of Directors and Chief Executive Officers:The frequency, speed, and sophistication of cyberattacks have increased at an exponential rate. Foreign adversaries and cyber-fraudsters continue to target all sectors of our nation’s critical infrastructure — including credit unions and other financial institutions. From September 1, 2023, the effective date of the N C U A’s cyber incident notification rule, through August 31, 2024, federally insured credit unions reported 1,072 cyber incidents. Seven out of ten of these cyber incident reports were related to the use or involvement of a third-party vendor.A recent ransomware attack on a credit union has been attributed to malvertising a relatively new cyberattack technique that injects malicious code within digital ads. For this type of attack to work, the user doesn’t even have to physically click on a link for the system to become infected. Instead, a simple internet search can result in malvertising that exploits the vulnerabilities in an internet browser. Credit union cybersecurity teams should focus on standardizing and securing web browsers and deploying ad blocking software to protect against this threat.Given the proliferation of sophisticated information security threats and the importance of safeguarding the assets and information of your members, the N C U A urges credit union boards of directors to prioritize cybersecurity as a top oversight and governance responsibility. Credit union board directors like you must ensure that a credit union’s senior leadership is highly focused on managing cyber risks and that your credit union has the necessary resources to maintain an effective cybersecurity program that aligns with the products, services, and risk profile of your institution.The following are four key areas your board of directors should focus on:Provide for Recurring TrainingYour board should engage in ongoing education about current cybersecurity threats, trends, and best practices. The N C U A provides various resources to assist, including training webinars, web-based learning resources(Opens new window), and written guidance. Your credit union board needs to stay aware of the specific cyber risks that pertain to your credit union’s operations and the implications of these risks. Board members don’t need to be technical experts, but they must know enough about cybersecurity to provide effective oversight and direction for the executive team and subject matter experts.Furthermore, your board should ensure the credit union’s employees receive regular cybersecurity education to maintain high awareness and preparedness across the organization. This education should emphasize the importance of a security-minded culture and adherence to important information security practices to mitigate the risk of cyber incidents.Approve Information Security ProgramYour board must approve a comprehensive information security program that meets the requirements of part 748of the N C U A’s regulations, which includes risk assessments, security controls, and incident response plans. Your credit union board should review the program at least annually to ensure it adapts to the evolving threat landscape and incorporates lessons learned from past incidents.Oversee Operational ManagementYour board is responsible for overseeing management of the credit union, focusing on the following cybersecurity areas:Third-Party Due Diligence. Your board should set clear expectations for management about the due diligence of third-party vendors with respect to information security. The credit union must ensure that contracts with third-party vendors include specific cybersecurity requirements, like timely notification to the credit union of any incidents, and clauses that protect credit union and member data.Embed Cybersecurity and Operational Resilience into the Organizational Culture. Your board and management should ensure that cybersecurity is a core value within the credit ...