“Beware: Cyber Scares!”
Written by André B. Cotten, NCCO, Regulatory Compliance Counsel, NAFCU
Happy Halloween, Compliance Friends! With the rise of social media, there seems to be a day and/or month for nearly everything, occasion or cause. However, the observation of October as National Cybersecurity Awareness Month is definitely noteworthy. National Cybersecurity Awareness Month was created in 2004 by the Department of Homeland Security and the National Cyber Security Alliance to provide a reminder that each of us has the power to make the Internet more secure and safer. The National Cyber Security Alliance identifies five principles for credit unions to stay safe online: identify, protect, detect, respond and recover.
In honor of National Cybersecurity Awareness Month, today’s blog will review cybersecurity regulatory requirements and provide resources in light of the National Cyber Security Alliance principles mentioned above.
Identify, Protect, & Detect
To begin, the National Cyber Security Alliance advises that credit unions identify the information that could be of high value to cyber criminals. From a federal regulatory perspective, the credit union can find specific information security expectations in the body and appendices of Part 748 of NCUA regulations as well as the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbooks. NCUA requires credit unions to design information security programs that identify and control risks “commensurate with the sensitivity of the information as well as the complexity and scope of the credit union’s activities.” Specific to the cybersecurity context, the credit union’s information security program must consider encrypting electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access. Ultimately, the goal is to build a culture of cybersecurity in which employees know how to protect themselves and the credit union from cyber risk. The credit union may want to review Appendices A and B of Part 748 of NCUA regulations for more guidance on safeguarding member information and on response programs for unauthorized access to member information.
From an examination perspective, cybersecurity has remained a key supervisory priority for NCUA examiners since 2014. In 2015, the FFIEC released a Cybersecurity Assessment Tool (CAT) for voluntary use by financial institutions seeking to assess their cybersecurity risk and determine their cybersecurity preparedness. NAFCU created its own editable workbook version of the CAT that credit unions can use to self-test cybersecurity risk and readiness.
In addition, NCUA developed an examination tool based on the CAT called the Automated Cybersecurity Examination Tool (ACET). Similar to the CAT, the ACET is mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The ACET measures cybersecurity risk across the same five categories, and uses declarative statements to determine the maturity of a cybersecurity program across the five domains identified in the CAT.
In 2018, NCUA began using the ACET in examinations of credit unions with over $1 billion in assets. By using the ACET on larger credit unions, NCUA can create a baseline for the cybersecurity maturity level of the most complex and sophisticated credit unions, allowing the agency to test and refine the ACET so it can be scaled properly for smaller, less complex institutions. NCUA has also indicated that once baseline examinations have been established, it may use the ACET to assess those programs bi-annually going forward. For additional details about the ACET, the credit union may want to check out NAFCU’s free on-demand webinar with NCUA’s Deputy Director, Office of Examination and Insurance.
When it comes to cybersecurity, the more quickly a credit union learns about an incident, the more quickly it can mitigate the impact and get back to business as usual. NCUA maintains a list of cybersecurity resources that a credit union may find helpful when reviewing its cybersecurity risk program. Here are some additional resources that are referenced on NCUA’s AIRES IT Examination Questionnaires:
- FFIEC IT Examination Handbook, "Information Security";
- NCUA Risk Alert 13-Risk-01, "Mitigating Distributed Denial-of-Service Attacks";
- NCUA Letter to Credit Unions 11-CU-09, "Online Member Authentication Guidance Compliance Required by January 2012";
- NCUA Letter to Credit Unions 05-CU-20, "Phishing Guidance for Credit Unions and Their Members";
- NCUA Letter to Credit Unions 05-CU-18, "Guidance on Authentication in Internet Banking Environment";
- NCUA Letter to Credit Unions 02-CU-17, "E-Commerce Guide for Credit Unions"; and
- NIST Framework for Improving Critical Infrastructure Cybersecurity.
The NAFCU Cybersecurity Compliance webpage provides tools, including the NAFCU Cyber Assessment Workbook, blog posts, and articles, that may also be helpful to the credit union.
Even with a strong cybersecurity program, incidents can still happen. Being prepared to respond in a thoughtful and comprehensive manner will reduce risks to your credit union and send a positive signal to your members. The National Cyber Security Alliance highlights some quick wins for a credit union to follow during a cyber incident: disconnect affected computers from the network; connect with IT leadership, law enforcement, and legal representation; utilize spares and backups while continuing to capture operational data; if possible, have a process for switching to paper; and be familiar with your state’s data breach notification law. The National Cyber Security Alliance also has other resources that may be helpful to the credit union.
To better connect with law enforcement, the FBI’s Internet Crime Complaint Center allows third parties, e.g. a credit union, to file a complaint on behalf of the victim. The FBI requests that the credit union provide financial transaction information, specific details on how a member was victimized, and any other relevant information.
From a federal regulatory compliance perspective, Appendix B to Part 748 of NCUA regulations provides guidance on response programs for unauthorized access to member information and on member notice. The Federal Communications Commission also provides a response template that may be helpful to credit unions seeking to enhance their cyber response plans.
The final step of making the credit union more cybersecure is the recovery effort after responding to a cyber incident. The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations. According to the National Cyber Security Alliance, the recovery step should include: documenting lessons learned; making improvements to policies and procedures and communicating them to all parties; establishing continuing education opportunities for staff; and taking steps to repair reputation.
To help credit unions plan their recovery from a cyber incident, NIST has a guide for cybersecurity incident recovery that may be helpful to the credit union. The National Cyber Security Alliance landing page also has other helpful resources for planning the recovery phase.
Depending on the size and complexity of the credit union, the sophistication of cybersecurity programs may vary. However, there is a wealth of information and resources for credit unions to continually refine their cybersecurity programs to identify, mitigate and respond to cyber risk. National Cybersecurity Awareness Month reminds us that every credit union can play an integral role in keeping information safe and its business operations secure.
Question: What do mummies like listening to on Halloween?
Answer: Wrap music!
Self-Study for your NCCO. Earning NAFCU’s award-winning Certified Compliance Officer (NCCO) certification just got easier with our new NCCO Self-Study Bundle. It contains all of the study materials and exams needed to earn the NCCO certification from the comfort of your home in one year.