Third-Party Risk Management Considerations in the NCUA’s 2024 Supervisory Priorities

Supervisory priorities from regulators such as the National Credit Union Administration (NCUA), U.S. Securities and Exchange Commission (SEC), and Office of the Comptroller of the Currency (OCC) are generally influenced by the previous year’s events, with considerations for new risks and the current economic environment. The NCUA’s 2024 Supervisory Priorities appear almost identical to last year’s list, with two notable exceptions – the exclusion of fraud prevention and detection and the inclusion of third parties under Information Security (Cybersecurity).

By including third parties into the 2024 Supervisory Priorities and the recently passed Cyber Incident Notification Requirements, the NCUA appears to send a clear message – third-party risk management (TPRM) is an essential practice for credit unions. 

Let’s review some third-party risk management considerations in the 2024 Supervisory Priorities and some best practices that your credit union can implement to satisfy regulators. 

The NCUA’s Guidelines to Manage Third-Party Information Security Risk

The NCUA states that information security (inclusive of cybersecurity) will continue to be a focus area for examiners to protect both credit unions and members. As cybersecurity threats grow and evolve, the NCUA expects credit unions to protect themselves and their members with programs that are effective and adaptable. These cybersecurity programs should also include standards to protect against third-party cyber incidents, like data breaches and ransomware attacks, that can impact credit unions and their members. 

Third-party information security risk is a broad topic that covers many angles, but here are a few key areas where regulators may focus:

• Response plans – Your credit union’s incident response plans should include processes and procedures on how your organization will respond to third-party cyber incidents. Response plans should include details on what is considered a reportable incident and timeframes for notifying the NCUA. Confirm your third parties’ incident response plans are adequate as well. 
• Third-party contracts – It’s important to ensure your third party will notify your credit union of a cyber incident in a timely manner. Data breach notification requirements should be included in your third-party contracts, which may contain specific details about timeframes, the description of the incident, if your data was compromised, remediation efforts, and how the third party will prevent future incidents. 
  
  
  Pro Tip: In 2023, the NCUA passed requirements for cyber incident reporting. Credit unions are expected to report covered incidents within 72 hours after it was discovered. This should be factored into third-party contracts to ensure compliance. 
• Incident monitoring and reporting – Your credit union should evaluate the effectiveness of its third parties’ incident monitoring and reporting procedures. For instance, consider the tools that your third party uses to monitor and report incidents and whether these tools are adequately tested. 
• Incident documentation – Third parties should not only identify and monitor incidents, but formally document them for future response and reporting activities. Your credit union should ensure your third parties are properly documenting incidents and have policies in place to retain that information. 

Additional Best Practices to Mitigate Third-Party Information Security Risk and Comply With the NCUA

The NCUA’s guidelines for cyber incident notification requirements are a good starting point for managing third-party information security risk. However, these guidelines are generally focused on how to respond to an incident. It’s also important to consider a few other best practices that focus on incident prevention. 
Third-party cyber incidents are not 100% avoidable, but the following tips can help add an extra layer of protection: 

• Be thorough in your due diligence reviews. Pre-contract due diligence is an essential process that will inform you of your third party’s security practices. Your credit union should always be thorough in reviewing the third party’s information security documents such as data retention and destruction policies, security awareness training procedures, and planning documents for business continuity and disaster recovery. Remember that due diligence should also be performed periodically after the contract is signed to ensure the third party is continuing to maintain your security standards.
• Identify fourth-party risk. Your third parties are probably outsourcing certain products and services to other vendors, so it’s possible that these subcontractors also have access to your data. Although your credit union cannot directly manage these fourth parties, it’s important to ensure third parties have proper vendor management practices in place, such as risk assessments, due diligence, and ongoing monitoring. 
• Consider the next steps. If due diligence reviews or risk monitoring reveal a third party has poor or insufficient security practices, your credit union should consider how it should proceed with the relationship. Depending on the situation, your credit union may just need to request additional information from the third party or increase the frequency of your ongoing monitoring activities. Significant issues may need to be escalated to senior management or the board, who can decide whether to reconsider the relationship.

The 2024 Supervisory Priorities are another good reminder of the importance of third-party risk management in mitigating information security risk. As cyber incidents grow more prevalent and complex, credit unions can better protect themselves and their members with an effective TPRM program.