Compliance Blog

Written by Tessema Tefferi, Senior Regulatory Affairs Counsel

The headline-grabbing news yesterday, and rightfully so, was that the Federal government is shut down.  However, the Administration and many in Congress have been clear that essential personnel will continue to work and the government’s essential functions will not be discontinued or disrupted.  Thankfully, one of these essential functions is to defend against cyber-attacks!  And thank goodness the government has determined that this function is essential.

Credit unions should also consider cybersecurity as an essential function, if they have not already done so. Whether the threat emanates from any or all corners of the world, in a credit union’s own operating system (for lack of adequate safety guards), or a garage or basement in any of our towns, it is no longer a threat that can be taken lightly.

Credit unions have heard for years about the ongoing cybersecurity threat.  Many have implemented sophisticated and effective safeguards and offer members tips to minimize risk against being hacked, but with October being Cybersecurity Awareness Month, I thought it would be good to point to some helpful resources that might help your credit union bolster the measures it has already taken (note: some of the government websites are ironically not functional during the shutdown!).   

• Internet Crime Complaint Center (IC3)
• FS-ISAC
• FTC - Privacy and Security
• National Cyber Security Alliance Stay Safe Online
• OnGuardOnline.gov
• U.S. Computer Emergency Readiness Team
• Stay Safe Online
• STOP.THINK. CONNECT.™
• Small Biz Cyber Planner (FCC)
• 10 Cybersecurity Strategies for Small Business tip sheet (FCC)

NCUA’s cybersecurity guidance, 13-Risk-01, is also helpful and lists a number of mitigation practices that credit unions should implement, including:

• Maintaining strong information security awareness programs for employees and members.
• Utilizing transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
• Implementing strong controls over computers used to process commercial payments, including but not limited to:
  • Multifactor authentication.
  • Removal of hardware tokens upon session completion.
  • Prohibited or highly filtered use of Internet browsing.
  • Dedicated, corporate-owned systems without administrator privileges.
• Following network and application security best practices with regard to configuring systems, patch management, and security testing.

NAFCU's 2014 Technology and Security Conference. NAFCU’s work to provide you with pertinent information on cybersecurity is ongoing, but I’d be remiss to not remind you that NAFCU’s 2014 Technology and Security Conference will be heavy on cybersecurity.  Check out more information about the conference and how to register here.

Have a great day!