January 14, 2021

Morris provides update on SolarWinds breach, cybersecurity landscape

As details on the data breach of IT vendor SolarWinds – which compromised several U.S. government agencies – continue to develop, NAFCU Senior Counsel for Research and Policy Andrew Morris provided member credit unions with insights into the breach and the cybersecurity landscape in a new post on the NAFCU Cybersecurity & IT Network.

KrebsOnSecurity has a recent article outlining the timeline and components of the data breach. The malware has been found on several government networks, including those of the Commerce, Energy, Treasury, and Justice Departments.

Just days after SolarWinds was notified of the breach last month, NAFCU and member credit unions held a meeting with Treasury cybersecurity staff. While the breach was not on the agenda, the meeting did cover credit unions' cybersecurity compliance observations and recommendations for interagency coordination. Morris noted "the unprecedented nature of the compromise and its sophistication served as a rather striking backdrop for discussion of NAFCU's regulatory priorities."

While the SolarWinds attack continues to be investigated and new details emerge on its reach, Morris offered resources from the Cybersecurity and Infrastructure Security Agency and private sector advisories to help credit unions review their systems and determine how to move forward if their institution was impacted.

The NCUA has not yet offered specific guidance on this incident; Morris pointed credit unions to the agency's Guidelines for Safeguarding Member Information and Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice to review internal responses. For those interested in a general refresher on how these guidelines might apply to service providers, NAFCU has a Compliance Blog post on the topic.

NAFCU is working to ensure credit unions have access to the resources they need to stay on top of cybersecurity issues. The association's complimentary, member-only network – the Cybersecurity & IT Network – aims to bring industry professionals together to connect on ways to better protect members' financial data and strengthen systems.

Additional insights into credit unions' cybersecurity efforts can be found in the association's 2020 Report on Credit Unions. NAFCU will continue to call for a legislative solution to reform the nation's data security system and consistently reiterate its principles for a data security standard – which include holding negligent companies accountable and ensuring consumers are made aware of breaches in a timely manner – to lawmakers.