NCUA will focus on two key areas during cybersecurity examinations: the vulnerabilities credit unions face and how they’re protecting member data, according to “Cybersecurity Compliance,” a white paper from the CUNA Technology Council.
In a January 2015 letter to credit unions, the agency noted it would take steps to ensure credit unions were prepared for a range of cyber threats after preliminary findings from a Federal Financial Institutions Examination Council (FFIEC) report revealed “many credit unions and banks were not taking basic cybersecurity actions.”
Vulnerabilities can exist in several areas, including access and connection points and technologies such as ATMs and mobile apps.
In addition to identifying how attackers can gain entry into institutions to carry out attacks, examiners also look at steps credit unions have taken to prevent attacks and prepare to act once an attack has been carried out.
Expect examiners to consider your credit union’s:
• Risk management oversight. This involves board governance (how you leverage information policies and procedures), allocation of resources, and staff training and awareness.
“This helps set the tone from the top and builds a security culture,” “Cybersecurity Compliance” reports.
• Threat intelligence and collaboration. This involves the gathering, monitoring, analyzing, and sharing of information about cyber threats and vulnerabilities.
• Cybersecurity controls, which can be preventive, detective, or corrective.
Preventive controls, such as encrypting member information, are used to stymie unauthorized access to information systems. Detective controls, such as anti-virus and anti-malware tools and regular scans of IT networks, help detect vulnerabilities or unusual activities.
Corrective controls are used to address the vulnerabilities that have been identified. All controls must be continuously reviewed and adjusted.
• External dependency management, which identifies how a credit union is connected to outside sources, such as third-party service providers or members. These relationships carry risks, and credit unions must evaluate each third party’s cybersecurity controls.
• Cyber incident management and resilience. This is how credit unions prepare to detect and respond to breaches, and notify members when these incidents occur.
“To better prepare for your next NCUA Cybersecurity exam, evaluate where you are in your cybersecurity stance, compare it to an industry accepted standard, and take a risk-based approach to remediating vulnerabilities,” says David Gold, vice president of information security at $4 billion asset Mountain America Credit Union in West Jordan, Utah.