In today’s digital landscape, credit unions face numerous cybersecurity threats, including the rising risk of ransomware attacks and vulnerabilities in their information and communications technology supply chain. To help credit unions protect themselves against these risks, the National Credit Union Administration (NCUA) has compiled an FAQ. This checklist covers the essential steps to safeguard against ransomware attacks, additional resources for cybersecurity, understanding supply chain risk management, developing effective practices, mitigating risks associated with using a Managed Service Provider (MSP), and other insights based on their FAQ. By following this checklist, credit unions can enhance their overall security posture and minimize the potential impact of cyber threats.

1. Protect against ransomware attacks:
– Update software and operating systems regularly with the latest patches.
– Avoid clicking on links or opening attachments in unsolicited emails.
– Follow safe browsing practices.
– Replace equipment running older unsupported operating systems.
– Verify the security practices of vendors and third-party service providers.
– Maintain complete and tested backups of critical systems and data.

2. Additional resources for cybersecurity:
– Use the Ransomware Self-Assessment Tool (R-SAT) from the Conference of State Bank Supervisors.
– Read the Center for Internet Security white paper on ransomware.
– Visit the cybersecurity pages of the National Security Agency Central Security Service and the Cybersecurity & Infrastructure Security Agency. (CISA)
– Refer to the Treasury Department’s advisory on potential sanctions risks for facilitating ransomware payments.

3. Understand Technology Supply Chain Risk Management (SCRM):
– Recognize that technology supply chain vulnerabilities can pose risks to the entire institution.
– Consider the risks associated with third-party vendors and the entire technology supply chain.
– Identify vulnerabilities in all phases of the product life cycle.

4. Develop an effective Technology Supply Chain Risk Management Practice:
– Build a team with representatives from various roles and functions.
– Document policies and procedures based on industry standards and best practices.
– Create a list of technology components and understand their criticality and remote access capability.
– Identify suppliers and verify their security practices.
– Assess and evaluate the SCRM program regularly.

5. Risks associated with using a Managed Service Provider (MSP):
– APT actors actively attempt to infiltrate IT service provider networks.
– Conduct proper due diligence and ongoing monitoring of MSPs.
– Understand the risks of centralizing information with an MSP.
– Recognize that compromises in an MSP’s network can have cascading effects.

6. Mitigate the risk of using an MSP:
– Manage supply chain risk by working with the MSP to address security concerns.
– Implement architecture measures to restrict access and protect networks.
– Use dedicated VPNs for MSP connections and restrict VPN traffic.
– Ensure proper authentication, authorization, and accounting practices.
– Implement operational controls, such as continuous monitoring and software updates.

7. Additional references for Information and Communications Technology Supply Chain Risk Management:
– Refer to guidance from the NCUA, NIST, and CISA.
– Evaluate third-party relationships and outsourcing technology services.
– Learn about supply chain threats and cyber supply chain risk management.

Note: This checklist is a summary of the information provided. For more detailed guidance, refer to the full content on the NCUA website.

* We used some AI tools to gather the information for this article.