DETROIT — Though NCUA has not focused much attention on cybersecurity at small credit unions, these institutions are no longer off the radar for criminals and hackers who are now homing in with distributed denial of service — otherwise known as DDoS — attacks.
"They've begun to look at [small] credit unions, and if you're not sophisticated, they will try to attack you," said Larry Schoeberl, an NCUA supervisory analyst, at the Annual Conference of the National Federation of Community Development Credit Unions here on Thursday.
And while NCUA has made cybersecurity risk an area of focus for 2014, the agency will not be requiring any particular certifications to ensure that credit unions meet specific security standards.
Schoeberl said that rather than look for specific certification, the regulator will ask CUs to show contracts and other measures they have taken to ensure vendor due diligence in these areas.
Vendor due diligence will also protect members against card breaches, according to Schoeberl, who added that the agency will be looking for strong password processes, along with proper patch management, network monitoring and more.
He noted that despite the fact that small CUs ($50 million in assets or less) constitute a tiny portion of the overall asset value within the credit union community, they occupy 40% of the agency's time.
They also represent less than 25% of total losses, though the number of small credit unions has shrunk by nearly 50% in the last decade, from nearly 8,000 to about 4,400 today, Schoeberl said.
Small CUs must be aware of the risks around members engaged in money-services businesses such as check cashing, currency dealerships and others, he added.
That includes being aware not only of reputational risks, but also of the possibility of money laundering or the fact that high levels of transactions could be covering up illegal activity.
NCUA examiners will look to determine whether credit unions have identified all MSB members and conducted risk assessments for those members to determine risk levels and when enhanced due diligence may be necessary, according to Schoeberl.