NCUA Encourages Board Member Engagement in Cybersecurity Oversight

Michael Christians • October 23, 2024

In its letter to credit unions (24-CU-02), the National Credit Union Administration (NCUA) is encouraging greater board member engagement in a credit union's efforts to combat cybersecurity threats. The letter provides four key areas that board members should focus on:

  • Ongoing education - board members should stay up to date on the most recent cybersecurity threats, trends, and best practices
  • Information security program - board members are charged with approving a comprehensive information security program for the credit union that meets the requirements outlined in Part 748. This program must include risk assessments, security controls, and incident response plans. It should be reviewed at least annually
  • Oversight - the board is responsible for overseeing the credit union's management of cybersecurity, including but not limited to third-party due diligence, vulnerability management, ongoing audit of the effectiveness of the credit union's cybersecurity program, monitoring the number of cybersecurity incidents that occur, and protecting member data
  • Incident response - the board must ensure that the credit union has an effective incident response plan. This includes establishing a crisis management team, conducting tabletop exercises to test the resiliency of its incident response plan, and ensuring effective communication about cybersecurity incidents to both the credit union's membership and the NCUA


The letter also notes that the agency has received 1,072 reports since the NCUA finalized its cybersecurity incident notification rule. The rule, effective on September 1, 2023, requires federally insured credit unions to report cyber incidents to the NCUA within 72 hours of their occurrence.
