Safeguarding Member Information; Monthly Research Survey
Written by Shari R. Pogach, Regulatory Paralegal
The force was certainly not with Atlanta-based SunTrust Banks (SunTrust) when its chairman and CEO announced during an earnings call that a former employee may have tried to download information on approximately 1.5 million clients from the bank's contact lists to share with a criminal third party. The potentially exposed information included names, addresses, phone numbers and certain account balances but apparently no personally identifying information such as social security numbers, account numbers, PINs, user IDs, passwords or driver's license information. Although no significant fraudulent activity on the impacted accounts has as yet been detected, SunTrust has signed up all of its customers to identity protection services at no cost on an ongoing basis. SunTrust's chairman and CEO acknowledged during the call that "clearly that employee was not authorized to get that level of information; we clearly are reviewing systems and capabilities..."
So let us take SunTrust's difficulties as an opportunity to review what a credit union should do to safeguard member information. Appendix A to Part 748 of the National Credit Union Administration's (NCUA) rules and regulations require a credit union to have a comprehensive written information security program that is appropriate to its size, complexity and to the nature and scope of its activities. Such a program needs to include administrative, technical and physical safeguards to:
- Ensure the security and confidentiality of member information;
- Protect against any anticipated threats or hazards to the security or integrity of member information;
- Protect against unauthorized access to or use of member information that could be harmful or inconvenient to the member; and
- Ensure the proper disposal and destruction of member information.
In order to manage and control risk, a credit union needs to design its information security program to control identified risks in direct correlation to the sensitivity of the information. Then a credit union needs to consider what security measures are appropriate for it to adopt within its policies and procedures. These might include:
- Creating access controls on member information systems, including limiting access to only authorized individuals and including authentication procedures controls;
- Restricting access to member information at physical locations (including buildings, computers and records storage facilities) to only authorized individuals;
- Encrypting electronic member information both while in transit and while in storage;
- Ensuring any changes to credit union systems are consistent with the credit union’s information security program;
- Establishing dual control procedures, segregation of duties and employee background checks for employees with access to member information;
- Monitoring the credit union’s systems to detect unauthorized attempts to access member information;
- Writing response programs which specify the actions the credit union must take when member information has been accessed by an unauthorized individual; and
- Establishing safeguards to protect member information from damage due to fire, water or technical failures.
Any information security program will need to be tweaked and adjusted on a regular basis especially in light of today's rapidly changing technology and ongoing cybersecurity threats. An annual report must also be provided to a credit union's board or appropriate board committee with the overall status of the program and the credit union's compliance with these guidelines. These reports need to address issues relating to the program such as a credit union's: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program. Further guidance about information security can be found in the Operations Booklet of the Federal Financial Institutions Examination Council's (FFIEC) IT Cybersecurity Handbook Infobase.
Safeguarding member information is paramount, no credit union CEO would want to have to tell its members what SunTrust's customers heard from the country's fourteenth biggest bank's CEO: "Ensuring personal information security is fundamental to our purpose as a company of advancing financial well-being. We apologize to clients who may have been affected by this. We have heightened our monitoring of accounts and increased other security measures."
Monthly Research Survey: Help Us Help You! NAFCU's Economic and Research Team conducts monthly surveys of NAFCU member credit unions in order to compile meaningful data reports that you can use to benchmark against your geographic and asset level peers. These survey results are also critical to NAFCU's advocacy efforts on your behalf to federal agencies, such as NCUA, CFPB and the Federal Reserve. Your participation helps us help you!
May 9 is the last day to share your voice on the topic of FCU Bylaws. We rely on your survey responses for our industry analysis and legislative advocacy efforts on behalf of all credit unions.
NAFCU members can participate in this month's Economic and CU Monitor survey with one of the options below:
Submission Deadline: May 9, 2018