GAO Favors Enhancing NCUA Exam Authority over 3rd-Party Vendors
Tuesday, July 7, 2015 6:45 AM

The Government Accountability Office recommended to Congress that NCUA be granted enhanced examination authority over third-party technology service providers. Released late last week, the new GAO report examines financial institutions and cybersecurity risks. The GAO report is available online here.

In response, NCUA Chairman Matz said, “We need to close this regulatory blind spot and better protect the credit union system by providing NCUA with the power to examine and take enforcement actions at third-party vendors. Obtaining this authority would allow the agency to proactively address cyber threats and better position credit unions to avoid a crisis.”

The summary of the GAO report notes that “... cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers’ information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.”

In assessing current cybersecurity risks, GAO also references its 1999 and 2003 recommendations to provide NCUA with vendor authority. The 2003 assessment noted that third-party arrangements can help credit unions manage costs, provide expertise, and improve services to credit union members, but they also present risks, such as threats to security systems, weakness of processing, availability, and integrity of the systems.