Date Issued
Submitting OIG
National Credit Union Administration OIG
Agencies Reviewed/Investigated
National Credit Union Administration
Report Number
OIG-25-07
Report Description

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) conducted this self-initiated audit to assess how effectively the NCUA shared cyber threat information. Our objectives were to determine whether the NCUA: 1) effectively used shared cyber threat information for the supervision of credit unions; and 2) implemented effective processes to share cyber threat information to support credit union and financial system resiliency.

Our audit determined that the NCUA needs to mature its governance processes for cyber threat information sharing to support supervision of credit unions more effectively during a cybersecurity event or incident that may increase risk to the National Credit Union Share Insurance Fund (Share Insurance Fund or SIF) and financial services sector stability. Additionally, the NCUA should improve its ability to acquire, analyze, and use cyber threat information for internal analysis and external response. We made eight recommendations in our report and management agreed to all the recommendations.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
8
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 8 open recommendations.
Recommendation 1 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Develop and finalize policies and procedures that address cyber threat information sharing. These policies and procedures should, at a minimum, include:
* Formally documenting internal and external sharing practices, clarifying the criteria and threshold to inform individual credit unions or external stakeholders of a cyber threat, and clarifying the method and timing of informing credit unions or external stakeholders.
* Determining the criteria for internal assessment for escalation and communication of cyber threat information.

Recommendation 2 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Formally establish and clarify operational roles and responsibilities across offices for cyber threat information sharing and any delegation of authorities to determine when issues must be escalated. This should, at a minimum, address:
* Establishing operational responsibilities at all stages of cyber threat-related events, including pre-incident declaration.
* Clarifying delegation of authorities for efficient and timely decision making and issue escalation.
* Identifying single point dependencies and addressing appropriate resourcing.
* Determining appropriate communication and coordination protocols between offices.

Recommendation 3 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Ensure timely finalization and implementation of recommendations identified in the after-action and lessons learned reports for cyber-related incidents, including the draft (b)(8) after-action report and the draft pre-victim notification lessons learned report.

Recommendation 4 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Update and document incident reporting triage protocols to provide consistent and useable data in the Cyber Incidents for Credit Unions Reporting System.

Recommendation 5 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Document and implement internal data management protocols that ensure the appropriate sharing, assessment, and response of available cyber threat information.

Recommendation 6 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Evaluate and determine if cyber threat information in suspicious activity reports should be used in NCUA's general examination and supervision of credit unions.

Recommendation 7 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Develop a process to assess credit unions' and other stakeholders' feedback on NCUA's cyber threat information sharing and update information sharing processes to reflect any necessary changes.

Recommendation 8 (OIG-25-07). Significant Recommendation: No. Recommended Questioned Costs: $0. Recommended Funds for Better Use: $0.

Additional Details: Ensure the Office of Examination and Insurance provides timely updates to examination and supervisory guidance to address cyber risks.
