Recap on Cybersecurity, CLF, and Risk Appetite Statement

The National Credit Union Administration (NCUA) board met for its October board meeting this week, with key takeaways addressed herein.
Briefing on Cybersecurity
The board received a comprehensive cybersecurity briefing. The briefing addressed specific cyber threats: ransomware and cloud migration; evolving DDoS attack vectors; and cryptocurrency/decentralized finance (DeFi) risks.
Regarding the Information Security Examination (ISE) Program, NCUA staff indicated the following:
- Pilot testing was completed this September (250 credit unions were examined this year).
- The program is scalable for credit unions of all sizes and complexity.
- The program aligns with the NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET).
- The program is planned for deployment by year-end.
In response to a question from NCUA Board Member Rodney Hood, staff noted that ACET will remain. Specifically, the assessment component of ACET will continue to exist, and ISE will be the new examination component.
Briefing on Central Liquidity Facility (CLF)
The board was also briefed on the Central Liquidity Facility (CLF). The briefing included a comprehensive overview of the CLF, what it is used for, and how credit unions can take advantage of it. The latest financial highlights of the CLF:
- Total Assets: $1.243 billion.
- Year-to-Date Net Income: $1.1 million.
- Retained Earnings: $40.5 million.
- Third Quarter 2022 Dividend: 2.24 percent.
- Third Quarter Total Membership: 3,991 (roughly 350 regular members and 3,640 memberships through corporate agents).
- Borrowing Authority: $29.1 billion.
The enhancements to the CLF provided by the CARES Act and extended by the Consolidated Appropriations Act pertaining to corporate agent membership are set to expire at the end of 2022. This will cause the roughly 3,640 credit unions with memberships through corporate agents to lose their ability to borrow, and it will also reduce the borrowing authority of the CLF by almost $10 billion.
Statement on Risk Appetite
The board discussed the agency’s new Risk Appetite Statement.
Through NCUA’s Enterprise Risk Management (ERM) program, the agency proactively manages risks to achieve its mission, as well as to maximize opportunities across the agency. “An important part of a successful ERM program is a thorough risk appetite statement. That statement is a management tool that provides guidance from agency leadership to managers and staff on the amount of risk NCUA is willing to undertake in pursuit of its objectives.”
NCUA’s Risk Appetite Statement is organized around eight risk categories:
- Technology and Information Management Risk.
- Supervision Risks.
- Human Capital Risk.
- Legal and Regulatory Compliance Risk.
- Operational Risk.
- Governance and Strategic Risk.
- Financial Management Risk.
- External Risk.
For each risk category, NCUA identified associated activities it carries out, and defined whether it has an averse, moderate, or tolerant appetite for risks that could impact activities. The Risk Appetite Statement will help NCUA align risks and opportunities when making decisions and allocating resources to achieve the agency’s strategic goals.