April 15, 2020

NCUA outlines teleworking risks to CUs

Following NAFCU's discussion last week with the NCUA on its view of managing cybersecurity and privacy risks amid the coronavirus pandemic, the agency Tuesday issued a risk alert for credit unions deploying remote work policies.

NAFCU Senior Regulatory Counsel Elizabeth LaBerge provided additional insights into the discussion in a post on the association's member-only Compliance, Risk & BSA Network. Read it here.

The NCUA's risk alert notes that "[c]redit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures."

"Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur," the alert says. "Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution."

The alert flags common cybersecurity risks for remote workers, including malware attacks, phishing and other social engineering attacks, and Advanced Persistent Threat (APT) attacks.

It also outlines how to prepare employees to prevent security incidents and how to respond if a cyberattack is suspected. Additional resources on cybersecurity risks and working remotely are available in the alert.

Read the full risk alert.

The FBI has warned of increased business email compromise scams, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) last week issued a joint alert with the United Kingdom's National Cyber Security Centre (NCSC) to highlight the rise of cybercriminals exploiting the coronavirus pandemic.

NAFCU will continue to monitor the risk environment and keep credit unions informed of developing trends.