While we wait for the NCUA to release the official Supervisory Priorities for 2022, we want to share a few critical priorities that we anticipate will be on the radar during upcoming exams. The insights listed below are based on previous priorities, NCUA guidance released within the last year, and feedback shared by credit unions that have had a recent exam.
Cybersecurity and Resiliency
Cyber attacks and costs associated with data breaches reached an all-time high last year. We can expect Information Security and Cybersecurity Programs to be a focal point during exams, including disaster recovery planning and incident response management. Credit unions should anticipate scrutiny of their controls to detect threats and vulnerabilities and of their capabilities to recover from potential malicious attacks. Ensure your credit union is prepared with updated and tested Cybersecurity policies, Business Continuity Plans, and Incident Response Plans.
IT Asset and Information Systems Management
Examiners will continue to evaluate the adequacy of data security controls, internal and external authentication and access controls, and operational risk management within systems and applications. Credit unions should ensure that their Information Security Program policies and procedures, IT security audits, and technology risk assessments are current and have been reviewed within the last year or whenever changes to the environment have occurred.
Third Party Risk Management
Oversight of third party relationships, specifically managing third party access to information systems and data, will continue to be an exam priority. Credit unions should be prepared to present assessments and documented due diligence efforts during exams. The overall third party risk management program should support the credit union’s awareness of operational and third party risks, including identification of each third party’s cybersecurity and business continuity controls.
These are just a few compliance considerations that we predict will be a priority during exams. We encourage you to contact us with any additional questions or concerns that your organization may have in planning and preparing for the year ahead. For more information, please contact Elisabeth Esposito, Consulting Engagement Manager, at email@example.com.