As the scope of the SolarWinds cyberattack is still being explored, CUNA’s compliance staff examine what credit unions can do next in a recent CompBlog entry.

The attack affected an estimated 18,000 SolarWinds customers, which include government agencies, Fortune 500 companies, financial institutions, and vendors serving financial institutions.

Credit unions running SolarWinds Orion software should refer to the company’s security advisory to determine whether systems were compromised and obtain the company’s breach mitigation recommendations.

Non-SolarWinds customers should contact their IT vendors to determine whether they utilized the SolarWinds Orion software, and if so, what steps they’re talking to ensure that the credit union’s data is secure.

NCUA’s rules and regulations call on credit unions to have in place procedures to:

• Assess the nature and scope of an incident; identify what member information systems and types of member information have been accessed or misused.
• Notify the appropriate NCUA Regional Director or applicable state supervisory authority as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of "sensitive" member information.
• Notify appropriate law enforcement authorities in situations involving criminal violations requiring immediate attention.
• File a timely Suspicious Activity Report (SAR) for reportable violations.
• Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence.
• Notify affected members when the incident involves unauthorized access to member information systems that could result in substantial harm or inconvenience to the member.