Compliance Blog

As I am sure we remember all too well, there have been a few rather high profile data breaches in recent years, including Target in 2013, Home Depot and JP Morgan in 2014, OPM in 2015, and Yahoo in 2016. Given the amount of personal and financial information available from companies such as these, hackers can obtain a significant amount of information by accessing a single company's records. In the breaches mentioned above, information was obtained from over one billion individuals. The information included debit and credit card numbers, full names, dates of birth, addresses, e-mail addresses, phone numbers, and Social Security numbers.

So, the question is… how can a credit union protect its members' personal and financial information? First, a starting point is NCUA's requirements on security programs. Part 748 covers the requirements and standards for a credit union's security program. Second, there is a wealth of resources to take advantage of on this topic. NCUA and the FFIEC have numerous resources available to assist credit unions in evaluating risk and protecting information. Finally, in some cases it may be appropriate to take action. In some cases, it may be necessary to report an incident.

NCUA Requirements and Guidance. Earlier this year, NCUA once again listed cybersecurity as one of its supervisory priorities for 2017. For examinations, NCUA will continue to evaluate a credit union's cybersecurity risk management practices. NCUA also hopes to implement a structured cybersecurity assessment process this year. It has not yet explained what this new process will look like but will keep credit unions updated throughout the year.

Part 748 of NCUA's regulations requires a credit union to have a written security program. Among other things, the rule requires a credit union’s security program to "ensure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member." In short, NCUA requires credit unions to protect members' information.

Appendix A to Part 748 provides the minimum standards for a credit union's security program and explains how the program should be developed and implemented. While a security program should ultimately be tailored to the unique size, complexity, and activities of a particular credit union, it should, at a minimum, include administrative, technical, and physical safeguards. In order to properly tailor its program, the Appendix identifies a few key things for credit unions to do:

• Identify its internal and external threats,
• Assess the potential damage of these threats, and
• Assess its ability to manage and control risks.

The rule requires the security program to be approved by the board of the directors and that the board should receive an annual report on the security program. The rule also requires a credit union to properly train staff, oversee vendors, and continually monitor the program's adequacy.

Resources. There are an abundance of resources available to assist credit unions in protecting member information. NCUA's cybersecurity webpageprovides a number of useful resources. Chapter 6 of the examiners guide provides a good starting point for evaluating your information systems and technology. The AIRES questionnaire provides insight into what the examiners are looking for when they review your IT programs. The webpage also provides link to resources such as the Financial Services Information Sharing and Analysis Center, the Department of Homeland Security's United States Computer Emergency Readiness Team, and a number of NIST publications.

The FFIEC's cybersecurity awareness webpage provides information and resources to assist financial institutions in identifying, assessing, and mitigating cyber threats. The IT Handbook provides guidance on topics such as business continuity planning, e-banking, information security, and outsourcing technology services. NCUA has also encouraged credit unions use the FFIEC's Cybersecurity Assessment Tool. While not mandatory, the CAT will be used by NCUA in exams and may help a credit union in identifying its specific risks and determining its cybersecurity preparedness. The webpage also has links to the joint statement on cyber attacks involving extortion, a cybersecurity webinar, and the cybersecurity brochure which contains additional resources.

For NAFCU members, NAFCU also has several resources available on its cybersecurity compliance webpage. Here you will find an interactive version of the FFIEC's CAT. This version, developed by NAFCU's compliance team, is an editable, self-tallying version. The webpage also has links to articles and online trainings on cybersecurity.

Take Action. Appendix B to Part 748 provides guidance on what to do when the credit union’s member information has been accessed and requires a credit union's security program to include a response program. The rule requires the response program to contain procedures that include, at a minimum:

• Assessing the incident;
• Identifying what information has been accessed;
• Notifying the appropriate NCUA Regional Director, or state authority for state-chartered credit unions;
• Filing a SAR, if required;
• Notifying law enforcement, if necessary;
• Controlling the incident to prevent further access; and
• Notifying members when warranted.

When a security incident has occurred, timely notice to members can help manage risks. When member information has been accessed, the rule requires a credit union to investigate the incident to determine what information has been, or may be, misused. Members should be promptly notified unless law enforcement requests, in writing, that notice should be delayed to allow the authorities to complete their investigation.

The rule states that the notice should describe the incident, identify what information has been accessed, and inform members of the actions the credit union has taken to protect their information from further access. When necessary, the notice should also contain information on steps a member can take to further protect his or her information, such as reviewing statements or obtaining a credit report. The rule permits limiting notification only to the affected members, however, a credit may consider informing other members because, as they say, better safe than sorry.