The NCUA has released its annual Supervisory Priorities to credit unions for 2022. For Information Security & Cybersecurity, the NCUA continues to stress the extreme risk to credit unions, especially when it comes to:

  1. Ransomware
  2. Supply-chain Risk
  3. Business Email Compromise

For the 2022 examination cycle, the NCUA is continuing development of information security examination procedures that are specifically tailored to credit union size and complexity. Examiners are actively piloting these updated procedures with the goal of finalizing them this year.


Ransomware is a type of malware, or malicious software, that is designed to use unauthorized encryption to deny you access to your files and systems. Once a bad actor gains a foothold and holds your files/systems “hostage,” they will demand a ransom in exchange for a key that, in theory, will unlock them.

Withstanding a ransomware attack is all in the preparation. Your organization should be thinking about when they get attacked by ransomware, not if. The industry standard for ransomware preparation falls into three categories: Prevention, Detection, and Response & Recovery. You can read more about TraceSecurity’s prescribed domains for ransomware preparedness here.

Supply-chain Risk

Your supply chain is any vendor that supplies your credit union with products or services. This piece of the puzzle could be anyone from your janitorial service or paper supplier, to your IT MSP or third-party SIEM solution. No matter what they provide you, there is an associated cybersecurity risk with any business relationship. Supply-chain risk calculation involves how important that vendor is to your day-to-day operations, as well as the likelihood of a security breach on their end affecting your business.

Developing a supply-chain risk management (SCRM) program should be an essential part of your company’s security practices. Identify your suppliers, and even their suppliers when you can. By understanding each supplier’s potential impact on your business operations, you can focus your time and resources on your most vulnerable relationships.

It’s imperative that you know which of your suppliers have remote access capabilities into any of your systems, and the key areas that need to be protected from unauthorized access. Whenever possible, supplier access should be maintained separate from your core business operations.

Business Email Compromise

Business Email Compromise (BEC) is a type of phishing that involves a bad actor spoofing the email of an executive or finance-related employee in order to initiate fraudulent transfers. These phishing emails don’t contain any malicious links or attachments, allowing them to fly under the radar of your spam and phishing filters.

Security awareness training and phishing testing are the best ways to prepare your employees for BEC attacks. When it comes to payments and transfers, you should always verify the email address and pay special attention to words of urgency. BEC attacks rely heavily on adherence to routine, and going through the motions could cost your company tens of thousands of dollars.

Marissa Adams, Compliance Analyst

Marissa leads the cybersecurity compliance research at TraceSecurity. With new regulations being imposed every year, she spends time looking into the annual updates and requirements set forth by federal and state regulatory bodies. Her goal is to take these regulations and make them both understandable and actionable for all types of organizations.