NCUA OIG Has 8 Recommendations to Improve Sharing of Information on Cyber Threats

WASHINGTON–NCUA’s Office of Inspector General has made eight recommendations for governance and process improvements when it comes to sharing information on cyber-threats at credit unions.

In its new report, the OIG said it performed a self-initiated audit to see how effective the agency is in sharing information related to cyber threats with the credit unions it regulates.

In addition, the report examined whether NCUA had implemented effective processes to share cyber threat information to support credit union and financial system resiliency.

The review covered NCUA’s performance from March 1, 2022, through Dec. 31, 2024.

According to a preface to the report by the NCUA OIG, the agency needs to “mature its governance processes for cyber threat information sharing to support supervision of credit unions more effectively during a cybersecurity event or incident that may increase risk to the National Credit Union Share Insurance Fund (Share Insurance Fund or SIF) and financial services sector stability.”

NCUA also needs to do better in its ability to acquire, analyze, and use cyber threat information for internal analysis and external response, the report states.

Examples Cited

As examples of the risks it found, the OIG pointed to:

  • A Nov. 26, 2023 cyber incident involving a third-party provider of disaster recovery and cloud services to credit unions;
  • A July 2024 “pre-victim notification” to credit unions about a potential threat; and
  • The agency’s ongoing lack of authority over third-party vendors.

In addition, the OIG again said NCUA needs to have oversight of third-party vendors—which the credit union trade groups oppose—saying third-party vendors are not required to provide information to NCUA. As an example, it pointed to a November 2023 event during which it said the agency was unable to obtain any related information from banking regulators, because the vendor primarily serves the credit union industry. Other related problems were also uncovered, the report added.

High Percentage

According to the report, NCUA’s cyber incident reporting system data “demonstrated that approximately 70% of the over 1,000 incidents reported between Sept. 1, 2023, and August 31, 2024, were related to third-party vendors. This high number of incidents was tied to 13 specific events, which indicated their wide-spread impact.”

The full report can be found here.
