Removing Barriers Blog

GAO Report Suggests NCUA Vendor Authority for Cybersecurity
Posted July 02, 2015 by Chandler Schuette


The Government Accountability Office (GAO) released a report today suggesting that federal depository institution regulators need better data analytics and that depository institutions want more usable threat information. The report also made a key recommendation related to vendor supervisory authority for NCUA.

The report identifies two key areas for improvement:

- Data analytics. Regulators generally focused on IT systems at individual institutions, but most lacked readily available information on deficiencies across the banking system. Although federal internal control standards call for organizations to have relevant, reliable, and timely information on activities, regulators were not routinely collecting IT security incident reports and examination deficiencies and classifying them by category of deficiency. Having such data would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions.

- Oversight authority. Bank regulators directly address the risks posed to their regulated institutions by third-party technology service providers, but the National Credit Union Administration (NCUA) lacks this authority. Cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers' information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.


NCUA has advocated for additional vendor authority for several years and raised the issue earlier this year in testimony before the Senate Banking Committee, suggesting that such authority would represent regulatory relief for credit unions.

CUNA opposes new statutory authority for NCUA to directly regulate and supervise Credit Union Service Organizations (CUSOs) or other third-party entities that provide products and services to credit unions. Credit unions are already subject to due diligence requirements with respect to their relationships with third-party vendors; we believe that, through the supervisory process, NCUA has sufficient authority to ensure that the vendors on which credit unions rely follow sound information security practices.