Massive Cyberattack on Netflix and others; FFIEC Cybersecurity Assessment Tool FAQs; ANPR on Enhanced Cyber Risk Management Standards
Written by Pamela Yu, Special Counsel for Compliance and Research
If you were trying to spend last Friday evening catching up on your binge watching (Have you seen the throwback-fabulous “Stranger Things” yet?), tweeting, and doing a bit of online shopping, you may have noticed a slowdown due to the two massive cyberattacks that hit Netflix, Amazon, PayPal, Twitter, and others.
Unfortunately, distributed denial of service (DDoS) attacks and other cybercrimes are growing in frequency, size, and sophistication. Cybersecurity is a major concern for credit unions, which are already increasing their information technology (IT) spending and hiring more personnel to address the heightened risk posed by ever-vigilant cyber attackers. NAFCU’s October Economic and CU Monitor survey shows that the percentage of respondents’ overall operating budget devoted to IT/cybersecurity has nearly doubled over the past five years alone. Meanwhile, NCUA has made cybersecurity a supervisory priority since 2013, and the agency recently reminded credit unions that “technological innovation, the expansion of social networking and growing interconnectivity are fueling fundamental change in cybersecurity procedures and processes,” and that with this change, credit unions are potentially impacted by “higher mitigation costs and lower consumer confidence, as well as greater financial and legal risks.” Also, yesterday, NCUA warned that credit unions face a dangerous threat to the safety and security of their data and information in the form of ransomware.
To address these growing cybersecurity threats, in June 2015, NCUA and the other members of the Federal Financial Institutions Examination Council (FFIEC) released a voluntary Cybersecurity Assessment Tool (CAT) to enhance financial institutions’ cybersecurity oversight and management capabilities, and to identify any gaps in an institution’s risk-management practices. According to NAFCU’s survey, many credit unions are already using this tool, as well as NAFCU’s user-friendly FFIEC Cybersecurity Assessment Tool Workbook, to enhance their cybersecurity preparedness.
On October 17, the FFIEC released a new frequently asked questions (FAQ) guide related to the FFIEC CAT. Consisting of eighteen questions and answers, the FAQs clarify points in the FFIEC CAT and supporting materials based on questions received by the FFIEC members over the past year. Among other things, the FAQs clarify expectations with respect to an institution’s Cybersecurity Maturity levels and Inherent Risk levels:
“While there are no expected maturity levels for an institution, Inherent Risk levels should be balanced with maturity. If management determines that the institution’s maturity levels are not appropriate in relation to the Inherent Risk Profile, management should consider reducing inherent risk or developing a strategy to improve their levels of maturity.
Management may choose to evaluate the institution’s inherent risk overall, as well as inherent risk for specific activities, services, or products. In general, when the inherent risk of an activity, service, or product rises, the maturity level of related controls and risk mitigation activities should increase, as well.”
The FAQs also clarify what several terms mean with respect to the FFIEC CAT, including: “trust services,” “merchant acquirer,” “treasury services,” and “asset life-cycle process.”
In other cybersecurity news, the Federal Reserve, FDIC, and OCC last week jointly released an advance notice of proposed rulemaking (ANPR) inviting public comment on potential enhanced cybersecurity risk-management and resilience standards that would apply to large ($50 billion or more in assets) and interconnected entities under the supervision of the three federal banking regulators. The standards would also apply to third parties providing services to these entities, but would not apply to community banks and credit unions. The ANPR addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
Under the proposal being considered, the enhanced standards would be tiered, with more rigorous standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the Fed, FDIC, and OCC are considering a rule that would require banks to mitigate the risk of a disruption or failure due to a cyber event. Comments on the ANPR are due January 17, 2017.
While credit unions are not covered by the ANPR, in light of Friday’s DDoS attack and NCUA’s continued supervisory focus on cybersecurity, we can expect that credit unions may face increasing pressure to enhance their own standards to mitigate cyber threats.
NAFCU’s Compliance Seminar and BSA Conference Continue
NAFCU’s compliance team continues to be onsite in beautiful New Orleans for NAFCU’s concurrent Regulatory Compliance and BSA Seminars! We appreciate your continued patience as the team works to answer your compliance questions between giving presentations.