October 12, 2017

NAFCU Compliance Blog unpacks cybersecurity rules affecting CUs

October is National Cybersecurity Awareness Month, and a new NAFCU Compliance Blog posted today provides background on rules affecting the way credit unions must safeguard consumer data and respond to service provider breaches.

NAFCU Regulatory Affairs Counsel Andrew Morris explains in the blog how Part 748 of the NCUA's regulations implements the federal Gramm-Leach-Bliley Act, which sets the standards for maintaining and protecting consumers' financial data.

Morris writes that while service providers are required to address incidents of unauthorized access to credit union member information – which encompasses all nonpublic personal information – credit unions are responsible for notifying their members of such a breach.

"Accordingly, it's important that service provider contracts reflect the broader meaning of member information," Morris said. "Credit unions are also advised to monitor service providers based on risk assessments and to determine whether they are properly safeguarding member information."

Given the recent Equifax data breach and the ongoing revelations related to it, Morris points NAFCU members to a previous blog that helps a credit union determine whether Equifax is considered a service provider, based on the terms of the service agreement the credit union has with the company.

Morris also attended the U.S. Chamber of Commerce's Cybersecurity Summit last week, which addressed cybersecurity challenges and the importance of public and private sectors working together to enhance the nation's cybersecurity defenses.

Morris notes that many presentations during the summit focused on the importance of information sharing and analysis organizations (ISAOs). The financial sector is already ahead here: many financial institutions belong to at least one ISAO that offers tools to track vulnerabilities and ingest threat data.