January 13, 2016

NAFCU urges agencies to keep cyber assessment tool voluntary

The Federal Financial Institutions Examination Council's cybersecurity assessment tool is helpful for credit unions but should not be made mandatory, said NAFCU Regulatory Affairs Counsel Kavitha Subramanian in a letter to regulators Wednesday.

"NAFCU members strive to ensure the security of their systems and sensitive consumer data as the cyber threat landscape continues to evolve," she wrote. "This voluntary self-assessment tool will be helpful for credit unions of all asset sizes to measure and assess their individual cybersecurity maturity and determine what changes should be implemented based on their internal risk appetite."

Subramanian's letter, sent to the Office of the Comptroller of the Currency, responded to FFIEC's second notice and request for comment on the collection of information required under the tool. She noted that while the FFIEC has stated that the cyber assessment tool will remain voluntary, NAFCU is concerned that credit unions may be asked to provide a copy of the assessment during examinations if the examiner knows a credit union has completed it – "as they would for any risk self-assessment performed by the financial institution," she wrote.

"We are concerned that examiners may review the financial institution's assessment and pressure the institution toward a particular maturity level, rather than evaluating their ability to identify and manage that risk," she noted.

Subramanian also wrote that NAFCU appreciates FFIEC members, which include NCUA, acknowledging that certain aspects of the tool need to be clarified and looks forward to an FAQ document addressing those issues.