The NCUA OIG conducted this self-initiated audit to assess how effectively the NCUA shared cyber threat information. Our objectives were to determine whether the NCUA: 1) effectively used shared cyber threat information for the supervision of credit unions; and 2) implemented effective processes to share cyber threat information to support credit union and financial system resiliency. The scope of our audit covered cyber threat information sharing from March 1, 2022, through December 31, 2024.
Our audit determined that the NCUA needed to mature its governance processes for cyber threat information sharing to support supervision of credit unions more effectively during a cybersecurity event or incident that may increase risk to the Share Insurance Fund and financial services sector stability. Additionally, the NCUA did not effectively acquire, analyze, and use cyber threat information for internal analysis and external response. Finally, the NCUA continues to need statutory examination and oversight authority over third-party vendors to be able to effectively assess and monitor third-party cybersecurity exposures.