With cybersecurity a top priority in 2017 for the financial services industry, CUNA’s compliance staff explored what credit unions should do in the event of a data breach at the institution or its service provider in a recent CompBlog entry.
Part 748 of NCUA's regulations requires federally insured credit unions to develop and implement “risk-based” response programs to address “instances of unauthorized access to member information in member information systems.”
“Member information systems” consist of “all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information,” including systems maintained by the credit union and/or its service providers.
When a credit union becomes aware of an incident of unauthorized access to sensitive member information in member information systems, the institution is required to conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.
Sensitive member information includes:
Credit unions must have a response program that includes procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member.
At a minimum, a credit union’s response program should contain procedures for:
When an incident of unauthorized access to member information involves member information systems maintained by a contracted service provider(s), it is the credit union’s responsibility to notify its members and regulator. However, a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.
Additional details can be found at CUNA’s CompBlog.