
A Direct Line Blog

Board Engagement in Cybersecurity Oversight

October 30, 2024 7:30 am

The NCUA reminded credit union boards of directors last week of your obligation to protect member data and of the ongoing and very real threat of cyber incidents. Between September 1, 2023 (when the NCUA cyber incident notification rule became effective) and August 31, 2024, the agency saw over 1,000 cyber incidents reported. As the letter to credit unions noted, “Board members don’t need to be technical experts, but they must know enough about cybersecurity to provide effective oversight and direction for the executive team and subject matter experts.”

The letter directs boards to focus their oversight on some specific areas, including the following:

  • Provide for Recurring Training
  • Approve Information Security Program
  • Oversee Operational Management
  • Incident Response Planning and Resilience

The NCUA also urged that cybersecurity not be seen as simply an IT issue and that it “be a critical component of any credit union’s overall governance and risk management strategy.” You are encouraged to read the details of the letter, review your own credit union’s policy and strategy, and visit the NCUA’s cybersecurity resources page for additional details.
