Although the board may delegate operational functions to management and designated committees, the responsibility for the credit union’s direction remains with the board.
These responsibilities include overseeing the development, implementation, and maintenance of the credit union’s information security/cybersecurity program. With the ever-increasing array of malicious cyberevents—phishing attacks, spyware, viruses, worms, ransomware, and distributed denial of service attacks to name a few—the board’s ongoing involvement in the credit union’s cybersecurity program is more important than ever.
As the Federal Financial Institutions Examination Council (FFIEC) notes, “today’s financial institutions are critically dependent on IT [information technology] to conduct business operations. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyberthreats, reinforces the need for engagement by the board of directors and senior management.”
Such engagement, FFIEC reports, includes:
The board should ensure the credit union integrates cybersecurity throughout its operations as part of enterprise-wide governance, information security, business continuity, and vendor risk management processes.
Part 748 of NCUA’s regulations requires federally insured credit unions to have a comprehensive written program to protect their physical offices, ensure the security and confidentiality of member records, respond to incidents of unauthorized access to member information (i.e., data breaches), assist in identifying people who commit or attempt crimes, and prevent the destruction of vital records.
Part 748 Appendices A and B provide guidance on the Gramm-Leach-Bliley Act’s requirements to both safeguard member information and respond to incidents of unauthorized access to member information. Member information includes any record containing nonpublic personal information about a member, whether in paper, electronic, or other form, maintained by or on behalf of the credit union.
Appendix A provides guidance for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.
Appendix B describes incident response programs, including member notification procedures, that a federally insured credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member.
It is the board’s responsibility to approve and exercise general oversight over the credit union’s information security program, including reviewing reports from management. However, NCUA guidelines permit the board or an appropriate board committee to approve the credit union’s written security program.
Additionally, the board may assign specific implementation responsibilities to a committee or individual. The president or managing official must also certify compliance with Part 748’s requirements in its Credit Union Profile annually through NCUA’s online information management system (Section 748.1[a]).
A comprehensive written information security program includes administrative, technical, and physical safeguards appropriate to the credit union’s size and complexity, and the nature and scope of its activities. While every department is not required to implement a uniform set of policies, the credit union should coordinate all elements of the information security program throughout the institution.
A credit union’s information security program should be designed to:
Key elements of developing and implementing a member information security program involve:
Credit union management or other appropriate staff members should report to the board or a designated committee of the board at least annually. This report should describe the overall status of the information security program and the credit union’s compliance with Part 748’s guidelines.
The report should cover issues such as risk assessment and control decisions, service provider arrangements, results of testing, any security breaches or violations and management’s response, and recommendations for changes in the information security program.
Credit unions must also develop and implement risk-based response programs to address incidents of unauthorized access (i.e., data breaches) to member information in “member information systems” as part of their information security program.
Member information systems consist of “all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information,” NCUA reports. This includes systems the credit union’s service providers maintain.
At a minimum, a data breach response program should contain procedures for:
When an incident of unauthorized access to member information involves member information systems maintained by a contracted service provider, it is the credit union’s responsibility to notify its members and regulator. But a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.
NCUA encourages credit unions to use the FFIEC Cybersecurity Assessment Tool (CAT) to identify their cybersecurity inherent risk and determine their level of preparedness (or “cybersecurity maturity level”) to address cyberthreats. Although use of the tool is voluntary, NCUA’s Automated Cybersecurity Examination Toolbox (ACET), which examiners increasingly use to conduct information security maturity assessments, mirrors the CAT.
Therefore, using the tool should help credit unions expedite the cybersecurity examination process.
This year, examiners will use ACET to assess credit unions with more than $250 million in assets that have not previously received an assessment. NCUA will also focus on the assessment of credit unions’ IT risk management and oversight of service provider
Valerie Y. Moss is CUNA’s senior director of compliance analysis. Contact CUNA’s compliance department at email@example.com.