From Gigi Hyland, NCUA . . .
Several months ago, I was made aware of a concern regarding identifying the software solution credit unions use in the “Credit Union Online Profile” section of the NCUA website. The concern included worry that hackers or former employees of the software vendors could use their knowledge of the particular system weaknesses to compromise the credit union’s system. The agency looked at the issue extensively and decided to make an important change to publicly available credit union information.
Beginning with the June 30, 2010 Call Report cycle, we removed vendor names from the public view in Credit Union Online and the 5300 Call Report Quarterly Data Files. Similarly, effective in the near future, this vendor information will no longer be available to query from the NCUA website.
Freedom of Information Act (FOIA) requests for vendor data will be denied. The information security threat landscape has changed significantly in recent years. Further, new threats continue to emerge at an alarming rate. Hacking techniques are becoming increasingly sophisticated and their damage more devastating. The financial services industry has been a target in this escalating threat environment.
Restricting vendor information will reduce the exposure of credit unions’ operational and member information to external security risks. NCUA will continue to collect vendor names through Credit Union Online, as they provide useful information in case of a disaster, such as Hurricane Katrina; when a vendor failure appears likely; and as a measure of potential systemic risk, present when one or a few vendors dominate the market for credit union data processing systems.
Credit unions wishing to perform due diligence over current or prospective vendors may be able to obtain existing customer contact information from the vendors themselves.