
News that approximately 60 credit unions have been impacted by a cybersecurity attack on a technology provider has immediate implications for the industry and should have larger consequences for the entire financial sector. Simply put, this incident is a smaller-scale version of what could happen and probably will happen on a much larger scale, unless changes can be made to the dynamics facing the integration of technology into the financial services infrastructure.

Although precisely what happened is not yet known, what we do know based on press reports is that a ransomware attack affected a unit of Trellance, a cloud computing provider used by some credit union vendors. As a result, the impacted credit unions lost access to member account information.


As for its impact on the credit union industry, NCUA Chairman Todd Harper has been warning for months that the potential for cyberattacks is keeping him up at night. Unfortunately, his insomnia has been justified. Approximately 60 credit unions, in an industry composed of fewer than 5,000 financial institutions, have been unable to provide full access to their members' account information. It won't take too many incidents like this to create the perception in the public's mind that credit unions are not a safe and sound place in which to put their money.

This, of course, is the wrong conclusion for policymakers, not to mention the general public, to draw from this incident. Instead, the ransomware attack underscores how the rush of non-depository institutions – which, for simplicity's sake, I will refer to as fintechs – is outpacing the regulatory environment in which they are operating. This past week, it was 60 relatively small credit unions that were impacted by a cyberattack on a third-party vendor. Sometime in the not-so-distant future it may very well be the largest banks in America, victimized by a cyberattack over which they have no control because the cloud service that they depended on has been successfully infiltrated.

Acting Comptroller Michael Hsu has taken to characterizing the growing reliance on fintechs as a sort of banking service supply chain. The metaphor is spot-on. Not only are financial institutions utilizing third-party vendors, but the third-party vendors are using third-party vendors. While this type of arrangement has resulted in much more cost-effective services for financial institutions, it also means that the industry is increasingly interdependent. As Hsu has pointed out, while guidance can mitigate part of this problem, the supply chain model increases risks, especially since many of these technology providers are not depository institutions.

Consequently, the cyber incident also strengthens the argument for the NCUA to have the ability to oversee third-party vendors to the same extent as the other financial regulators. As the supply chain gets longer and longer, it will be impossible for even the largest institutions to perform due diligence on all the parties that could potentially impact their operations. Greater NCUA oversight of these vendors may mitigate the potential vendor risks of which credit unions cannot reasonably be aware.

However, vendor oversight is no panacea. In early February, the Treasury Department issued a report on the oversight of cloud-based services. The Treasury interviewed a wide range of financial institutions, including some of the largest in the country. According to the Treasury, even some of the behemoths of the financial sector face challenges in accessing information needed to assess whether their vendors are using appropriate cybersecurity protocols. An increasingly large segment of the supply chain that makes sure your members can access their account information with a touch of their iPhone is reliant on institutions over which there are no effective oversight controls.

One of the few good things about the pandemic was that it educated the American public about our supply-chain economy. Multiple vendors are involved in producing everything from basic medical equipment to workout gear and getting it to your front door. The result has been a comprehensive effort to secure those products and services that are most essential from the twists and turns of the economy. Call me wacky, but I think having direct, easy access to your account information should be a bigger national priority than a delay in getting your Peloton.

While we wait for a comprehensive approach to emerge, there are steps that individual credit unions can take in consultation with their attorney and compliance staff. The best defense remains appropriate due diligence; however, as I've mentioned, there are no simple solutions. Among the questions all financial institutions should be asking themselves are: What vendors and servicers do my third-party vendors contract with? What services do they provide? Do I know what standards these subcontractors are being held to? In reality, much of this information is difficult to obtain, but depending on the importance of the services being provided, it may be worth asking these questions and seeking to address them directly in your contracts.

Speaking of your contracts, do they directly address the liability of the party with whom you are contracting for the actions of subcontractors? And what kind of damages are you entitled to in the event vital services go down? You certainly can't control the supply chain, but the more you are aware of where your products and services are, the better you can anticipate and react to the inevitable disruptions.

Henry Meier, Esq.

Henry Meier is the former General Counsel of the New York Credit Union Association, where he authored the popular New York State of Mind blog. He now provides legal advice to credit unions on a broad range of legal, regulatory and legislative issues. He can be reached at (518) 223-5126 or via email at [email protected].
