Eight recommendations for governance and process improvements and a discussion of the federal credit union regulator’s continuing need for third-party oversight authority are highlights of a new inspector general report on the agency’s cyber threat information sharing.
In the report, dated June 9, the National Credit Union Administration’s (NCUA) Office of Inspector General (OIG) – currently led by Acting IG Marta Erceg – said it conducted a self-initiated audit to determine the agency’s effectiveness in sharing cyber threat information. Objectives, the report states, were to determine whether the agency 1) effectively used shared cyber threat information for the supervision of credit unions; and 2) implemented effective processes to share cyber threat information to support credit union and financial system resiliency.
The review, covering the NCUA’s cyber threat information sharing from March 1, 2022, through Dec. 31, 2024, showed a need for the agency to “mature its governance processes for cyber threat information sharing to support supervision of credit unions more effectively during a cybersecurity event or incident that may increase risk to the National Credit Union Share Insurance Fund (Share Insurance Fund or SIF) and financial services sector stability,” according to a memo from Erceg at the front of the report. “Additionally, the NCUA should improve its ability to acquire, analyze, and use cyber threat information for internal analysis and external response.”
The OIG report cites a Nov. 26, 2023, cyber incident affecting a third-party provider of disaster recovery and cloud services to credit unions; a July 2024 “pre-victim notification” to credit unions about a potential threat; and the agency’s ongoing lack of authority over third-party vendors. In addition to the agency’s own deficiencies in communication and governance regarding cyber threat information sharing, the report asserts that third-party vendors serving credit unions are not required to provide information to the NCUA. In the November 2023 event, it said, the NCUA was unable, among other things, to obtain any related information from banking regulators because the vendor primarily serves the credit union industry.
The report notes that the cyber incident reporting system data “demonstrated that approximately 70 percent of the over 1,000 incidents reported between September 1, 2023, and August 31, 2024, were related to third-party vendors. This high number of incidents was tied to 13 specific events, which indicated their wide-spread impact.”
Audit of the NCUA’s Cyber Threat Information Sharing (Report #OIG-25-07)