Compliance Blog

Ransomware Returns; FinCEN Innovation Hours

Recently we blogged about various compliance considerations for credit unions dealing with ransomware. That blog published mere days after a major oil pipeline serving the Eastern United States was crippled by a ransomware attack, causing gas shortages and price surges on the east coast. In the wake of that attack and others around the globe, the White House issued a memo last week discussing the threat of ransomware and making recommendations for businesses and organizations to become better-prepared for a potential ransomware attack.

The memo states that the President has made “strengthening our nation’s resilience from cyberattacks” a top priority. After discussing the recent increase in ransomware attacks and the fact that “no company is safe,” the memo suggests that businesses “immediately convene their leadership teams” to review the ransomware threat and the organization’s security posture and business continuity plans. The financial services sector is not immune from the threat of ransomware – credit unions may want to consider reviewing their own cybersecurity measures and business continuity plans.

The memo then provides a list of best practices the private sector can use to reduce risk, including:

  • Implementing the best practices from a previous executive order: The memo references an executive order from last month which provided best practices for government agencies to prepare for and prevent ransomware attacks. The White House memo suggests that private sector organizations adopt the best practices as well, specifically: multifactor authentication; endpoint detection & response; encryption; and a skilled, empowered security team.
  • Segmenting networks and keeping backups offline: The memo recommends keeping networks with different functions separated so that one network can continue operating even if another network is attacked. Additionally, the White House notes that some variants of ransomware target backups by encrypting or deleting them. Maintaining backups offline can allow an organization to restore its systems by keeping the backups safe from the attack.
  • Testing: The White House recommends building an incident response plan with “core questions” in mind, such as whether the credit union can sustain its business operations without access to certain systems. The memo also recommends hiring a third-party penetration tester to test systems and the credit union's ability to defend against a sophisticated attack.
  • Timely updates and patches: The memo instructs private sector organizations to perform security updates in a timely manner and to consider a centralized patch management system, as well as using a risk-based assessment strategy to drive the patch management program.

In addition to the White House memo, credit unions may find it useful to review the Cybersecurity & Infrastructure Security Agency’s (CISA) Ransomware Guide which also provides some best practices and a ransomware response checklist.

On a somewhat-related topic, FinCEN has announced that it will hold virtual Innovation Office Hours on September 9, 2021. The event will focus on the preservation of “privacy principles” in the development of innovative financial services technical solutions that counter illicit activity and national security risks. The event will feature meetings with demonstrations on how the innovative solutions work and how they will protect personal privacy, among other things.

About the Author

Nick St. John, NCCO, NCBSO, Regulatory Compliance Counsel, NAFCU

Nick St. John was named regulatory compliance counsel in March 2020. In this role, Nick helps credit unions with a variety of compliance issues.
