OIG makes 7 recommendations for NCUA data safety during exams

June 15, 2015

ALEXANDRIA, Va. (6/15/15)--An audit by the Office of Inspector General (OIG) of the National Credit Union Administration’s measures to protect sensitive, confidential or personally identifiable electronic credit union member information during the examination process has yielded seven recommendations.

The recommendations mean that federally insured credit unions could face a proposed rule that would require them to provide encrypted, password-protected or other protected data to the agency during their exams.

Given the wave of data breaches at a variety of institutions and retail companies, “CUNA agrees that credit union member data should be protected during the exam process. However, we don’t want another regulation added to the regulatory burden that credit unions already face,” said Lance Noggle, CUNA’s senior director of advocacy and counsel.

OIG’s June 8 report said the NCUA has provided examiners with the appropriate tools for securely receiving electronic information from credit unions during the examination process. However, it noted that the agency does not require credit unions to provide sensitive member information to the agency in a protected or encrypted manner and does not require use of the tools for protecting the information.

The NCUA needs to improve its policies, procedures and training to help ensure its staff appropriately protect sensitive data during the examination and improve its guidance to require staff to use specific tools to transfer the sensitive data, said OIG.

The seven recommendations, and the NCUA’s responses, are:

  1. Require federally insured credit unions to provide the sensitive electronic member information to the NCUA and its staff “in an encrypted or otherwise secure manner,” such as with files protected by strong passwords, whether using the credit union’s secure tools or the agency’s. Agency management said in the report that the Office of Examination and Insurance will update its “Day 1” letter to credit unions clearly defining expectations regarding protection of the information, depending on completion of any bargaining obligation with the National Treasury Employees Union (NTEU).
  2. Complete revision of the NCUA’s Instruction 13500.9 to consolidate, include or reference: 1) the agency’s specific policy, procedure or alternate practical guidance--depending on the examination scenario--that agency staff must adhere to or follow to help ensure protection of the information; and 2) the consequences the NCUA staff face for failing to follow the agency’s requirements, procedures or guidance for protecting the information. The NCUA management has revised the instruction and will implement it after the NTEU bargaining obligation.
  3. Enhance the NCUA annual security awareness training or provide additional supplementary periodic training that reinforces the data protection requirements in NCUA Instruction 13500.9 and provides staff with practical guidance for addressing issues within the context of their job responsibilities as they handle the information during examinations. The agency said the Office of the Chief Information Officer (OCIO) will update its annual security training, incorporating the recommendations into the 2015 training by the end of the year.
  4. Enhance the NCUA’s annual privacy training to stress protecting sensitive member information; address and reinforce to staff the consequences of violating or failing to follow policy, requirements and procedures for protecting information; and address potential consequences the NCUA and credit unions face if staff fail to protect the information. The NCUA said its Senior Agency Official for Privacy will update the annual privacy training by the end of the year.
  5. Continue to pursue and implement the secure file transfer solution NCUA is assessing to transfer sensitive, confidential or personally identifiable electronic credit union member information. The NCUA said its OCIO will complete the implementation by the end of the year.
  6. Complete revising Instruction 13500.09 to require and provide guidance on secure tools or alternative procedures NCUA staff must use under various circumstances to transfer the sensitive information during examinations. The NCUA indicated it has revised the instruction and will implement it after the NTEU bargaining obligation.
  7. Enhance the NCUA’s annual security awareness training to reinforce to NCUA staff the availability, use and applicability of secure NCUA tools to transfer the information. The NCUA management said the updated training will be implemented by OCIO by the end of the year.