To piggyback off the topic of cyber security from last month, both the National Association of Federal Credit Unions (NAFCU) and the National Credit Union Association (NCUA) issued statements in response to the US Government Accountability Office’s (GAO) report on cybersecurity. The report highlighted that banks and other depository regulators are in need of improved data analytics.
Cyber risks affecting a depository institution can stem from weak security practices of third parties that process highly confidential information. The NCUA wants to have routine examinations in order to ensure that service providers are adhering to better security practices. The report also mentioned that regulators use a risk-based examination approach to check in on information security at banks, thrifts and credit unions. But according to the GAO, there is room for improvement, specifically in data analytics and oversight authority.
“Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions,” said the GAO. “In addition, regulators should explore ways to better collect and analyze data on trends in IT examination findings across institutions. In written comments on a draft of this report, the four regulator stated that they would take steps responsive to this recommendation.”
The Director of Regulatory Affairs at NAFCU, Alicia Nealon, responded to the GAO’s report that recommended Congress grant the NCUA authority to examine third party technology service providers. She said, “As we have consistently maintained, NAFCU believes the agency’s bid for third-party vendor examination authority is unnecessary given that NCUA is already authorized to thoroughly regulate credit unions and their third-party relationships. While NAFCU acknowledges the importance of cybersecurity and risk management, we firmly believe that cybersecurity and third-party vendor examination authority do not go hand in hand.”
While it is clear that there is a blind spot that needs to be fixed, The NAFCU and NCUA have not yet figured out the best method to acquire safe cyber security. As we mentioned last month, cyber security is one of First Title & Escrow’s main concerns and we believe that handling it internally is best.