The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim’s network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.
Credit unions should review this Alert in its entirety, which provides additional technical details, including threat actor activity and indicators of compromise. Mitigation steps are also discussed along with security best practices, including remote work best practices.
Sad News from NCUA
Early this morning, we learned that NCUA Examiner Andrew Ingram passed away last weekend. “Andrew was a very talented and likeable young man,” said Steve Worden, Supervisory Examiner for the NCUA Western Region. “It’s been a very tough week.”
Andrew is familiar to some of our credit union staff, as he worked on several exams in South Dakota. On behalf of our credit unions, we extend our sympathies to his family. You can find the obituary here.
NCUA Strategic Plan
At its March board meeting, the NCUA Board unanimously approved the 2022-2026 Strategic Plan, which can be found here.
There has been a lot of discussion in the Dakotas surrounding this proposed plan, especially the language concerning the longer-term risks associated with climate change. The adopted plan continues to identify climate-related financial risks as a longer-term risk facing credit unions, but the narrative was revised to reflect comments made by the board members when the plan was first proposed.
The adopted plan emphasizes that “Credit unions, not the NCUA, are best positioned to assess various risks and opportunities within their field of membership. Credit unions will need to make their own decisions on diversification and expanded fields of membership. The agency does not intend to micromanage credit union lending decisions for climate financial risk, including lending to family farms and others in the agricultural sector as well as businesses tied to the fossil fuel industry. The NCUA Board underscores that nothing in this Strategic Plan should be construed as discouraging activities related to agriculture or fossil fuels.”
We appreciate that the final strategic plan reflects the comments Chairman Harper made when the plan was initially proposed. On November 18, 2021, Chairman Harper shared the same position on the topic of climate financial risk, noting “the agency will not micromanage auto lending, mortgage lending, or member business lending for climate financial risk. This includes lending to family farms and others in the agricultural sector, as well as businesses tied to the fossil fuel industry.”
As discussed in the 2022 Annual Performance Plan, this conversation will continue as the NCUA plans to issue a request for information that will seek input from credit union stakeholders about climate-related financial risks.
NCUA Overdraft Webinar
The National Credit Union Administration (NCUA) will be hosting a webinar on March 23 regarding overdraft protection programs.
Online registration for the webinar, “Overdraft Programs: Searching for New Solutions,” is open now. The webinar is scheduled to begin at 2 p.m. Eastern and run approximately 60 minutes.
Luis Dopico, chief economist for the consulting service CU Collaborate, and Taylor Nelms, senior director of research for the Filene Research Institute, will cover a variety of issues and concerns credit unions should understand, including:
April 1 – ND Admin Rule changes
Recent changes to the North Dakota Administrative Rules for credit unions will become effective April 1, 2022. The redline version showing the tracked changes can be found here. This impacts ND state-chartered credit unions.
To highlight some of the changes:
ND admin rule 13-01.1-01-14 ensures that digital copies of facts, reports or other records created by the ND DFI or Commissioner have the same level of confidentiality as physical records.
A new provision emphasizes that meetings and conversations involving the commissioner or the department staff discussing examination facts, reports, or other records created by the commissioner or the department may not be recorded without the prior approval of the commissioner, except as allowed by the open meeting laws of this state.
Requirements for advancement of money on security of real property were updated to provide that the credit union must verify that the mortgagor has the right to convey the real property and the credit union must determine the order of priority of the lien established by the mortgage. Previously, it was limited only to situations where the mortgagor was the owner of the real property in fee simple.
Language was revised in 13-03-04-01 regarding the maximum investment in fixed assets; however, the cap remains the same for ND state-chartered credit unions. Specifically, no credit union organized and operating under the laws of North Dakota shall invest more than the greater of six percent of assets or fifty percent of net worth, but not to exceed ten percent of assets, in a credit union land and building and other fixed assets, without first applying for and obtaining approval from the state credit union board.
Certain provisions were revised relating to merger and assuming of the acquired credit union’s field of membership. Language was also added to chapter 13-03-15 regarding branching; specifically, applications to add a branch can go to the commissioner or state credit union board, whereas previously the only option was the state credit union board.
ND state chartered credit unions need to be aware of a new notice requirement under 13-03-15-07, if the office is going to be closed more than one business day. Specifically, “A credit union that operates physical facilities in any area that is experiencing an epidemic or other emergency may adjust the credit union's operations in any manner that is reasonable to protect the credit union's members, employees, assets, or business. Under this section, a credit union may temporarily close or relocate offices, employees, or operations; restrict access to offices or services; and change the manner in which the credit union provides services. A credit union shall notify the department of financial institutions of any actions the credit union takes under the authority of this section if such action results in a closure greater than one business day. The credit union shall give the department notice promptly and in any case within three business days of the credit union's decision to adjust the credit union's operations. The notice must describe the credit union's actions and the expected duration of the credit union's adjusted operations. Unless extended by the commissioner, a credit union's authority to change the credit union's operations under this section may not exceed sixty days.”
Chapter 13-03-22 Investment Activities, was significantly revised to make updates relating to derivatives and charitable donation accounts.
Provisions related to Supervisory Committee Audits under Chapter 13-03-25 were updated to reflect changes NCUA had previously made; specifically, it incorporates Appendix A to Part 715 into ND admin rules. As a reminder, the NCUA Supervisory Committee guide was replaced with the “Other Supervisory Committee Audit Minimum Procedures Guide” which can be found here.
Chapter 13-03-28 was updated to now allow ND state-chartered credit unions the same flexibility FCUs had with regard to capitalization of interest under loan workouts. If the credit union wants to offer the option of capitalizing interest, it must adopt a policy. The updated language of chapter 13-03-28-02(1)(f) lists the criteria that must be included in this policy.
As always, DakCU members may contact Amy Kleinschmit with any compliance related concerns or questions.
The Memo is DakCU's newsletter that keeps