At least 60 credit unions were knocked out of commission by ransomware attacks late last year, all associated with one third-party service provider. Almost 100,000 credit union members were unable to access digital accounts for approximately three weeks beginning in late November.

Third-party service providers pose challenges to institutions of all sizes. In its 2023 report, the Office of Financial Research noted, for example, that smaller institutions face heightened vulnerability to ransomware because of "greater reliance on third-party service providers, which, in turn, are susceptible targets for ransomware attacks." This vulnerability applies to smaller banks and credit unions alike.

Interagency guidance from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, issued in June 2023, notes that "a banking organization's use of third parties does not diminish its responsibility to [operate in a safe and sound manner and in compliance with applicable laws and regulations] to the same extent as if its activities were performed by the banking organization in-house."

Unlike bank regulators, however, the National Credit Union Administration (NCUA) has no enforcement authority over third-party service providers. The Examination Parity Act of 1998 gave the NCUA temporary authority over credit union service organizations and third-party vendors as part of Y2K readiness. That authority expired on December 31, 2001.

In its 2023 annual report, released December 14, 2023 (ironically, just as credit unions were recovering from the ransomware attack), the Financial Stability Oversight Council (FSOC) recommended that Congress pass legislation assuring adequate examination and enforcement powers to the NCUA, Federal Housing Finance Agency, and other relevant agencies "to oversee third-party service providers that interact with regulated entities." The report called regulatory line of sight into third-party vendors "critical for the supervisory community."

During an open session of the FSOC, also on December 14, Todd M. Harper, chairman of the NCUA board of directors, referred to the third-party risks: "Given the events of the last few weeks, in which a ransomware attack of a third-party service provider negatively impacted scores of credit unions, this issue has become more urgent... The time has come to close this regulatory blind spot and place the NCUA on a par with the authorities of other banking regulators." (You can hear Chairman Harper's remarks about 30 minutes into the webcast.)

Many, if not all, of us have experienced the repercussions of breaches and service disruptions caused by third-party vulnerabilities. Perhaps you had a card compromised in the Target data breach in 2014, which was precipitated via access to the systems of an HVAC vendor. Perhaps you rushed to change your Comcast password last month, after a third-party data breach disclosed personal data of almost 36 million customers.

There's a real risk of smaller institutions being held back by cyber risk created by third parties, not only in terms of harm to both institutions and consumers but also in terms of stifling innovation. What do you think is needed to support credit unions to manage third-party risk?