The NCUA expects credit unions to have the appropriate procedures in place to anticipate, identify and mitigate vendor risks to their institution and members.
Because the NCUA Supervisory Letter (07-01) is slightly dated, you should follow not only the guidance in the Letter but also more recent best practices from the industry and from other regulators. You can be certain that NCUA examiners will turn to more current practices, such as those in the FFIEC manual.
As a credit union, you are expected to:
Centralize the data on your third parties to efficiently manage, monitor and risk assess your third parties.
Our industry experts and certified team can become your cost-effective staff augmentation answer.
The NCUA expects credit unions to have the appropriate procedures in place to anticipate, identify and mitigate cybersecurity risks to their institution and members.
NCUA examiners are using the FFIEC’s cybersecurity assessment tool as a guide for assessing cybersecurity risks in credit unions.
It’s important that you demonstrate you are taking proactive steps to identify and mitigate potential areas of weakness. Otherwise, when, not if, a breach happens, be prepared to pay in fines, reputation loss, lawsuits, lost members, loss of member confidence and more.
Have a third-party risk management policy and program in place
Complete and maintain due diligence
Monitor vendors on an ongoing basis