NCUA released a letter to credit unions detailing its supervisory priorities for its 2024 examination program (24-CU-01). NCUA will continue to conduct exams both onsite and offsite. The Small Credit Union Exam Program remains in place for most federal credit unions with assets under $50 million, while the risk-focused exam procedures will be used for all other credit unions.
Specific to NCUA’s information security and cybersecurity priorities, BTG has compiled a list of notable actions that credit unions should take in preparation for upcoming exams:
- Review the available Information Security Examination resources, which NCUA will continue to utilize during 2024 exams.
- Adopt and complete the Automated Cybersecurity Evaluation Toolbox (ACET) to assess the strength of your credit union’s cybersecurity risk management program.
- Review the Cyber Incident Notification Reporting Rule requirements, effective September 1, 2023. The rule mandates that federally insured credit unions notify NCUA of a reportable cyber incident within 72 hours, including cyber incidents experienced by third-party providers affecting the credit union. To address this rule:
  - Update Incident Response Plans with notification requirements. See the attached quick reference guide for cyber incident reporting requirements, and revisit Appendix B to Part 748 for guidance on cyber incident response and member notification requirements.
  - Ensure employees receive awareness training on identification and escalation of cyber incidents.
  - Review third-party contracts and service level agreements for incident notification requirements and controls.
  - Establish a process to monitor for, document, and report on cyber incidents affecting the credit union.
Our goal at BTG is to ensure your credit union is prepared for upcoming exams, and we welcome any questions as you navigate through the 2024 Supervisory Priorities. For additional guidance or assistance in meeting exam expectations and compliance requirements, please contact Elisabeth Esposito, VP Professional Services, at (203) 745-3176 or firstname.lastname@example.org.