NCUA Supervisory Priorities 2021

The NCUA released their annual Supervisory Priorities letter to credit unions in January. For Information Systems and Assurance, the NCUA calls to attention the most pertinent cybersecurity risks to the financial industry:

1. Increase in remote work force
2. Growing use of mobile applications for financial transactions

Remote Work Security

Over the past year, we have seen an increase in people working from home across all industries. This has expanded the need for remote access to company systems, but with more available access, there are more potential entry points for malicious attackers.

Having remote employees inherently means you as a company have less control over IT security. Employees are bringing devices home, using personal wireless networks, and having to access sensitive company information outside of your Local Area Network (LAN). VPNs are great, but it’s imperative that they be configured properly so that remote connections are secured.

TraceSecurity offers both VPN Configuration Reviews and Remote Access Assessments to verify the security of your remote workforce.

Mobile App Security

The world is getting more and more mobile, and your members wanted seamless financial transactions from their phones. Mobile applications can do amazing things in the financial industry, allowing for real-time transfers, tap-to-pay, and push notifications of suspicious activity. Members love the ease of access that mobile apps give them, but it’s also that much easier for a malicious attacker to get in.

The security of your mobile banking apps should be top of mind during development, and throughout implementation. It’s standard best practice to perform mobile application testing at least once per year, or anytime there are major updates or configuration changes.

TraceSecurity offers Mobile Application Testing to find and exploit any potential vulnerabilities on your apps, offering our expertise and recommendations for improvement. We also offer API Testing to ensure the APIs used to connect mobile banking apps with internal systems are secure. TraceSecurity Application Testing is based on the OWASP Top 10 Frameworks for web applications, mobile applications, and APIs.

2021 Examination Cycle

As cited in the 2020 Supervisory Priorities, the NCUA is reprioritizing away from the ACET cybersecurity maturity assessments, and is currently piloting the Information Technology Risk Examination for Credit Unions (InTREx-CU). The InTREx Program has been employed by the FDIC since 2016, and harmonizes the IT and cybersecurity examination procedures from the FDIC, FRS, and many state financial regulators. InTREx-CU was developed to establish a consistent approach across all community-based financial institutions in the United States.

The InTREx-CU is still being piloted for examinations in 2021. This means that examiners are not yet using the InTREx-CU Program to complete your review. Once the program has been fully defined, TraceSecurity will be incorporating InTREx-CU into our frameworks to satisfy your examiners.

Examiners will still be looking for your self-assessment, and the NCUA continues to support the ACET as your self-assessment resource. TraceSecurity’s FREE Cybersecurity Assessment Tool meets your self-assessment requirements, with CAT and ACET reporting options to meet compliance. As more information on the InTREx-CU becomes available, we will be developing our tool accordingly. If you have already purchased a CSAT Plus or Premium engagement from us, we are able to switch that service to the InTREx-CU when the time comes.