Letter to Credit Unions (24-CU-02) Board of Director Engagement in cybersecurity oversight
ALEXANDRIA, VA (October 24, 2024) — Dear Boards of Directors and Chief Executive Officers:
The frequency, speed, and sophistication of cyberattacks have increased at an exponential rate. Foreign adversaries and cyber-fraudsters continue to target all sectors of our nation’s critical infrastructure — including credit unions and other financial institutions. From September 1, 2023, the effective date of the NCUA’s cyber incident notification rule, through August 31, 2024, federally insured credit unions reported 1,072 cyber incidents. Seven out of ten of these cyber incident reports were related to the use or involvement of a third-party vendor.
A recent ransomware attack on a credit union has been attributed to “malvertising,” a relatively new cyberattack technique that injects malicious code within digital ads. For this type of attack to work, the user doesn’t even have to physically click on a link for the system to become infected. Instead, a simple internet search can result in malvertising that exploits the vulnerabilities in an internet browser. Credit union cybersecurity teams should focus on standardizing and securing web browsers and deploying ad blocking software to protect against this threat.
Read the Letter to Credit Unions
About National Credit Union Administration (NCUA)
The NCUA is the independent federal agency created by the U.S. Congress to regulate, charter and supervise federal credit unions. With the backing of the full faith and credit of the United States, the NCUA operates and manages the National Credit Union Share Insurance Fund, insuring the deposits of more than 135 million account holders in all federal credit unions and the overwhelming majority of state-chartered credit unions. The NCUA also protects consumers and educates the public on consumer protection and financial literacy issues.
