Sat, May 30, 2015
In recent months, credit unions have battled wave after wave of merchant data breaches, computer viruses, and cyberattacks, generating a wealth of media coverage on cybersecurity.
As a result of these evolving threats, credit unions and examiners alike continue to emphasize the importance of protecting a credit union’s networks, computers, programs, and member data from cyberattacks (NCUA Letter to Credit Unions 15-CU-01: “Supervisory Priorities for 2015”).
Credit unions have always prioritized protecting members’ personal financial information. But gone are the days when embezzlement, robberies, and forged items represented the primary security concerns. Credit unions now operate in a rapidly changing environment where technology is an essential element of their operations, because members demand more remote services, such as Internet banking and bill pay, mobile banking, and a variety of other technology-related services.
Board members should ask themselves:
- How many members conduct transactions without ever setting foot in a branch office?
- How do members complete those transactions?
- Where does all that confidential member data go?
- Who has an opportunity to look at that data when it’s outside your control?
If you can’t answer these questions, you need to ask for more information from your management team.
Unfortunately, Internet-based products and services expose credit unions and their members to a host of additional risks from hackers and cyberthieves. It might sound like science fiction, but don’t be fooled. With the growing reliance on electronic delivery of financial services, credit union boards must make sure their institutions are prepared to combat cyberthreats.
NCUA’s security program requirements
To fully understand a credit union’s responsibilities regarding cybersecurity, you must begin by reviewing Part 748 of NCUA’s regulations (12 CFR Part 748) and its appendices.
Part 748 requires each federally insured credit union to have a written security program designed to protect credit union offices, ensure the security and confidentiality of member records, assist in identifying people who commit or attempt crimes, and prevent destruction of vital records.
Appendix A specifically requires credit unions to establish and implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information. This is typically known as data security.
Appendix B requires credit unions to respond to unauthorized access to member information, including potential notification of the affected members and the regulator. Your credit union must have a fully integrated plan to respond to and effectively manage any data breach.
The board’s responsibility doesn’t end with the creation of a security program. As stated in Part 748, Appendix A, “the board or appropriate committee must oversee the development, implementation, and maintenance of the credit union’s information security program.”
These duties include “assigning specific responsibility for implementing the program and reviewing reports prepared by management.” Management should present such a report at least annually; it should detail compliance with the security program and highlight matters material to information technology (IT) security. Material items could include risk assessment results, significant IT risk management decisions, vendor security controls, security breaches, and management’s responses to any negative examination findings.
No matter which security program a credit union decides to implement, staff should assist the board in managing cybersecurity risk by organizing information, enabling risk management decisions, addressing threats promptly, and improving the program by learning from previous efforts.
Remember, credit unions still bear the brunt of cybersecurity risk, paying heavily for other organizations’ security lapses, such as reissuing cards after a retailer’s data breach. The Gramm-Leach-Bliley Act covers all financial institutions, but not retailers. For that reason, the credit union system continues to push for national data security standards that would apply to any company responsible for a lapse.