
Remarks of Counselor to the Secretary and Deputy Assistant Secretary for Financial Institutions, Anjan Mukherjee, at the National Association of Federal Credit Unions’ (NAFCU) Congressional Caucus

(Archived Content)


Introduction

Thank you for inviting me to address you today as part of your Congressional Caucus meetings.  With approximately 6,300 credit unions in existence today representing over $1 trillion in combined assets, credit unions play a critical role in our Nation’s financial landscape – your presence in all parts of the country, embedded in the communities that you serve, likens you to a vast arterial network supplying the financial oxygen of credit to the over 100 million customers you serve.  And because of the special relationship you have built with your members over the years, you have a unique ability to make underwriting decisions that in many cases allow you to supply credit to customers who would not have otherwise received it, do so at more competitive rates, or both.  In light of the importance of your role in our economy, today, I would like to review the current state of the credit union sector and how it has evolved since the financial crisis, as well as look ahead to some key risks facing the industry with a particular focus on cyber security.

State of the Industry and Progress since the Downturn

Let me begin by recounting how far the American economy and taxpayers have come since the financial crisis.  America’s businesses have created more than 13.1 million new jobs over five and a half years – extending the longest streak on record,  and second quarter GDP growth was recently revised sharply higher to 3.7 percent reflecting strong underlying growth in the economy.   

The ongoing recovery stands in stark contrast to where we were in late 2008, when businesses were cutting more than 700,000 jobs per month, credit was frozen, and millions of Americans were losing their homes and their life savings.  No type of financial institution was immune to the financial crisis.  There were 102 credit unions that failed during the crisis,  and by mid-2010, nearly 350 consumer credit unions holding roughly $50 billion in assets came close to failing.   Five corporate credit unions, representing 75 percent of all assets of corporate credit unions, failed largely because of over-concentrated investments in private mortgage-backed securities.   

But like our overall economy, credit unions have come a long way since then.  Let’s look at a few financial metrics.  Between the second quarter of 2009 and the first quarter of 2015, return on average assets tripled to 0.8 percent, and asset quality has improved, with the delinquency ratio now standing at 0.7 percent, less than half of what it was in the aftermath of the crisis.   Most importantly, lending is up – total loans have grown by more than 25 percent – and membership is at an all-time high.   

While undoubtedly some of this improvement is a function of the rebound in the overall economy, it is also a result of changes that have taken place in the sector in response to the financial crisis.  First, many credit unions have improved their risk analysis capabilities, both voluntarily and as a result of new regulation, with the aim of increasing asset quality and avoiding the types of underwriting decisions that led many to the brink of failure.  Second, in light of the failure of a number of the corporate credit unions that the sector relied upon to manage its short-term liquidity needs, many have established contingent liquidity sources (through either the Federal Reserve’s Discount Window or the National Credit Union Administration’s (NCUA) Central Liquidity Fund).   Third, credit unions have increased their financial buffers and are better capitalized today, with the sector’s net worth standing at nearly 11 percent of assets as compared to less than 10 percent in the crisis.   Finally, consolidation in the sector has continued, particularly among smaller credit unions, perhaps driven defensively to take advantage of greater economies of scale.  

Selected Issues Facing Credit Unions

These changes have been positive: the industry has performed admirably since the recession and appears to be on solid footing.  But this is no time for complacency.  I would like to highlight a few issues that I would encourage you to focus on as you look forward.  

First, interest rate risk.  How is your portfolio constructed in light of an expected increase in rates, and what is the impact to your business if rates rise faster than expected?  Chair Matz of the NCUA has recently emphasized the potential for outsized losses at large credit unions when rates do rise, and I echo her call for your institutions to make the necessary decisions today to manage this risk effectively.   

Second, regulatory compliance.  While Dodd-Frank reforms have increased the safety and resiliency of our financial sector, we recognize they have contributed to a more challenging compliance environment for financial institutions.  Managing your business in this context will require changes to your operating and risk management protocols, and the best among you will find ways to embrace these changes in ways that improve your businesses.  We at Treasury are supportive of regulatory tailoring and reducing undue regulatory burden where consistent with safety and soundness principles; as such, we are supportive of the NCUA’s voluntary participation in the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) process and other regulatory review mechanisms such as the NCUA’s Regulatory Modernization Initiative.

Third, and the area where I will focus the remainder of my comments, cybersecurity.  

Cybersecurity – the Problem

Cybersecurity has become a central concern in the financial services sector, not only for large institutions, but for credit unions as well.  The volume and scope of malicious cyber activity is accelerating rapidly, as we read about in the papers all too regularly. This is a concern not just for the firms being targeted in a given incident – and we know that most everyone is targeted at one time or another – but in many cases an attack against a single vulnerable institution serves as an entry point and risk for the system as a whole given the interconnectedness and global nature of our networks.  The nature of this threat exposes financial institutions of all sizes to malicious cyber actors who may seek to steal customer data and divert financial resources or even block transactions and disrupt systems. 

Not only is our financial system interconnected at the technical level, but we’re also financially interconnected.  Estimates have placed the cost of the Target breach to credit unions at nearly $30 million, and the Home Depot breach is estimated to have cost twice that amount, and I’m sure many of you here shared in bearing these costs.   And the harm to credit unions has the potential to extend beyond the direct costs.  Payment systems and other market infrastructures that credit unions depend upon need to be continually available, otherwise consumers’ and businesses’ trust and confidence in your institutions could be jeopardized.  This confidence could also be called into question if the large amount of sensitive consumer data that you safeguard is in any way compromised.  

Cybersecurity – Treasury’s Efforts

Mandated by a presidential policy directive, Treasury is responsible for coordinating the Federal government’s cybersecurity efforts in the financial sector.  This role is executed at Treasury by the Office of Critical Infrastructure Protection and Compliance Policy (OCIP).  Treasury’s OCIP team monitors intelligence community and law enforcement sources for information on threats to the financial sector, which we then pass along to the sector to improve cyber defenses.  We also collaborate with other parts of the government such as DHS, law enforcement, and the financial regulators, including the NCUA, in responding to major cyber incidents and helping to develop policies and programs to improve security.  We also collaborate closely with the private sector in these efforts, since cybersecurity is a shared public-private challenge.  

I would like to highlight two areas where you can take actions to improve our Nation’s cybersecurity and play a key part in our public-private collaboration.  Last September, we discussed with NAFCU the merits of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework).  Today, I would like to drill down on a few particular functions identified in the NIST Framework: first, “protect” – or establishing appropriate safeguards to ensure ongoing delivery of critical infrastructure services before an incident occurs, and second, “response” and “recovery” – or establishing processes for business continuity and data protection and integrity in the period after an incident occurs.  

Cybersecurity – Protect

It is critical for credit unions to have in place strong baseline protections against cyber threats.  

There are a number of questions that the leadership of credit unions can ask about the nature and effectiveness of their baseline protections.  They start with the simplest: how strong are the passwords on your systems?  This question leads to other issues of access control.  How are access identities and credentials managed, including for remote access on mobile devices and by third parties?  Threat actors have ways to gain access to user identities and credentials through spearphishing attacks, underscoring the need to segment network architecture and restrict access privileges only to those who need them.  The pace of technological change necessitates constant software and hardware updates, ranging from security patches to major system upgrades; how do you protect information while updating your systems and network architecture?  What is your process for rolling out software patches in timely fashion?  

For many of you, considering these questions naturally leads to third-party technology service providers, who often have primary responsibility for maintaining and upgrading the security of credit unions’ systems.  But simply assuming that your service providers are handling these issues is not enough, and we recommend that you engage with them directly.  You should have a clear way of assessing the cyber risks you are exposed to through your service providers and the rigor of their cyber controls – all of them, not only your technology service providers.  With regard to your technology service providers specifically, each of the questions above should be asked of them.  Additional questions to consider are: Do your contracts with them clearly specify their security-related responsibilities?  Do these contracts clearly lay out what liabilities the technology service providers are responsible for if they falter in this respect?  

The sharing of cyber threat information is a critical component of best practices – it allows you to benefit from information collected by your fellow financial institutions to incorporate into your own system defenses and vice versa.  If you are not already part of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which is approximately 5,500 members strong and plays a critical information sharing role in the financial sector, you should be.  

But setting up strong baseline protections only partially has to do with technology.  While strong system protections are a prerequisite, it is important to adopt a comprehensive approach to security and awareness training because the success of cyber attackers often depends upon exploiting human error – consider an employee unwittingly connecting remotely through an unsecured access point or clicking on an email that appears to be benign but is in fact a spearphishing email.  Thus, I would encourage you all to ask yourself to what extent cyber vigilance is a part of your corporate culture and what you can do to improve it.  

Cybersecurity – Respond and Recover 

Establishing best practices and baseline protections helps reduce cyber risk before an attack occurs.  But malicious cyber attackers are persistent, and when incidents do occur, credit unions should be prepared.  This means establishing a clear set of response and recovery procedures – a manual of sorts – as part of your overall business continuity regimen.  This manual should cover, for example, the following questions:  Which key individuals internally need to be involved and how will they communicate with each other if corporate email and phone systems are not working?  Which key stakeholders externally, such as law enforcement, third party technology service providers, and regulators, need to be involved?  Is there a communication plan in place for customers?   How will they be assured that their accounts are safe?  What if the attack compromises the institution’s data integrity?  There are various other questions along these lines that should be surfaced and incorporated into the “response manuals,” including considering the proper sequencing of these activities.  

Beyond simply identifying the key questions, response procedures should be thoroughly exercised.  We have seen the value of such exercises firsthand.  Treasury, working closely with the Financial Services Sector Coordinating Council (FSSCC), has led a series of public-private tabletop exercises, the Hamilton Program, designed to simulate cyber incidents and identify key challenges for effective public-private response and coordination.  We are in the process of developing an exercise program targeted at smaller financial institutions, including credit unions.  Exercising your response and recovery plans will undoubtedly expose oversights, weak links, and faulty assumptions – and so are critical to perform periodically.  I would add that it is important to have your technology service providers as an integral part of these exercises, given the role they play in many of your businesses.  

In addition to your technology service providers, law enforcement agencies are important partners as you consider your cyber response efforts.  In October, as part of National Cybersecurity Awareness Month, the Treasury Department is joining forces with the FBI, the U.S. Secret Service, and the FSSCC to kick off nation-wide open house events that will welcome credit unions and other financial institutions to FBI field offices across the country to build and expand ties between these institutions and their local law enforcement officials, so that the aftermath of a cyber incident is not the first time that you will have met each other.  You should receive an invitation soon – if you haven’t already.

Conclusion 

In addition to law enforcement and your technology service providers, your regulator is a key partner in your cybersecurity efforts.  The NCUA has made cybersecurity one of its top three examination priorities.  As part of the Federal Financial Institutions Examination Council (FFIEC), it played a key role in the development of the FFIEC’s Cybersecurity Assessment Tool to help credit unions identify key cyber risks and provide a repeatable, measurable process to determine the level of cyber preparedness.  This tool maps to the NIST Framework, and we strongly encourage you to embrace it – recognizing credit unions operate on a tight budget, it can help you create the “response manual” and exercise programs that I mentioned earlier in resource-efficient ways.  Finally, Treasury supports legislative action to provide the NCUA with examination and enforcement authority over technology service providers and other third-party vendors that provide critical services to credit unions, akin to the authority exercised by other financial regulators.  The top five technology service providers serve credit unions representing more than 75 percent of the credit union system’s total assets, presenting a sizeable potential risk to the sector, so granting the NCUA this authority would be in the best interests of the industry’s cyber posture.

Not to end on a down note – after all, I have applauded the strong progress the industry has made since the financial crisis – but I would like to conclude with a question on risk.  And this is perhaps the most important question to consider with regard to cybersecurity, one that subsumes the various other questions I’ve asked you to consider today: is cybersecurity fully embedded in your risk management regime?  When this occurs, when cybersecurity is part of your institution’s DNA, rather than appended to existing controls in modular fashion, there is an institutional firewall created, a synergy between people, process and technology, that’s hard to crack.   I am hopeful that when we all meet again next year around this time, you can all answer this question in the affirmative.  

Thank you.  


