news.cuna.org/articles/115780-cybersecurity-and-the-board
Cybersecurity and the board

Cybersecurity and the board

The ever-increasing array of cyberthreats makes the board’s ongoing involvement in cybersecurity critical.

March 21, 2019

Although the board may delegate operational functions to management and designated committees, the responsibility for the credit union’s direction remains with the board.

These responsibilities include overseeing the development, implementation, and maintenance of the credit union’s information security/cybersecurity program. With the ever-increasing array of malicious cyberevents—phishing attacks, spyware, viruses, worms, ransomware, and distributed denial of service attacks to name a few—the board’s ongoing involvement in the credit union’s cybersecurity program is more important than ever.

As the Federal Financial Institutions Examination Council (FFIEC) notes, “today’s financial institutions are critically dependent on IT [information technology] to conduct business operations. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyberthreats, reinforces the need for engagement by the board of directors and senior management.”

Such engagement, FFIEC reports, includes:

  • Understanding your “cybersecurity inherent risk” (the amount of risk posed by the types, volume, and complexity of the credit union’s activities, products, and services, not including mitigating controls).
  • Discussing cybersecurity issues routinely in meetings.
  • Monitoring and maintaining sufficient awareness of threats and vulnerabilities.
  • Establishing and maintaining a dynamic control environment (i.e., have controls in place to manage change).
  • Managing connections to third parties.
  • Developing and testing business continuity and disaster recovery plans that incorporate cyber-incident scenarios.

The board should ensure the credit union integrates cybersecurity throughout its operations as part of enterprise-wide governance, information security, business continuity, and vendor risk management processes.

NCUA Part 748 in a nutshell

Part 748 of NCUA’s regulations requires federally insured credit unions to have a comprehensive written program to protect their physical offices, ensure the security and confidentiality of member records, respond to incidents of unauthorized access to member information (i.e., data breaches), assist in identifying people who commit or attempt crimes, and prevent the destruction of vital records.

Part 748 Appendices A and B provide guidance on the Gramm-Leach-Bliley Act’s requirements to both safeguard member information and respond to incidents of unauthorized access to member information. Member information includes any record containing nonpublic personal information about a member, whether in paper, electronic, or other form, maintained by or on behalf of the credit union.

Appendix A provides guidance for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.

‘Boards must approve and exercise general oversight over the credit union’s information security program.’

Appendix B describes incident response programs, including member notification procedures, that a federally insured credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member.

It is the board’s responsibility to approve and exercise general oversight over the credit union’s information security program, including reviewing reports from management. However, NCUA guidelines permit the board or an appropriate board committee to approve the credit union’s written security program.

Additionally, the board may assign specific implementation responsibilities to a committee or individual. The president or managing official must also certify compliance with Part 748’s requirements in its Credit Union Profile annually through NCUA’s online information management system (Section 748.1[a]).

Safeguarding member information

A comprehensive written information security program includes administrative, technical, and physical safeguards appropriate to the credit union’s size and complexity, and the nature and scope of its activities. While every department is not required to implement a uniform set of policies, the credit union should coordinate all elements of the information security program throughout the institution.

A credit union’s information security program should be designed to:

  • Ensure the security and confidentiality of member information.
  • Protect against any anticipated threats or hazards to the security or integrity of such information.
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.
  • Ensure the proper disposal of member information and consumer information (i.e., derived from consumer reports).

Key elements of developing and implementing a member information security program involve:

  • Identifying the services provided and systems (hardware and software) used.
  • Identifying the risks and threats associated with each system and service.
  • Determining the likelihood that identified risks or threats could occur.
  • Identifying and evaluating various methodologies to mitigate risks or threats.
  • Developing policies and procedures to address risks or threats.
  • Monitoring and adjusting policies and procedures as necessary.
  • Overseeing service provider arrangements (e.g., evaluate performance).
  • Reviewing policies and procedures at least annually.
  • Training staff to implement the program.

Credit union management or other appropriate staff members should report to the board or a designated committee of the board at least annually. This report should describe the overall status of the information security program and the credit union’s compliance with Part 748’s guidelines.

The report should cover issues such as risk assessment and control decisions, service provider arrangements, results of testing, any security breaches or violations and management’s response, and recommendations for changes in the information security program.

Responding to breaches

Credit unions must also develop and implement risk-based response programs to address incidents of unauthorized access (i.e., data breaches) to member information in “member information systems” as part of their information security program.

Member information systems consist of “all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information,” NCUA reports. This includes systems the credit union’s service providers maintain.

At a minimum, a data breach response program should contain procedures for:

  • Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused.
  • Notifying the appropriate NCUA regional director and, in the case of federally insured state-chartered credit unions, the state supervisory authority. This should occur as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information.
  • Notifying appropriate law enforcement authorities, as well as  filing a timely Suspicious Activity Report, in situations involving suspected federal criminal violations requiring immediate attention, such as an ongoing reportable violation.
  • Taking steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence.
  • Notifying members as soon as possible if the credit union determines that misuse of members’ information has occurred or is reasonably possible.

When an incident of unauthorized access to member information involves member information systems maintained by a contracted service provider, it is the credit union’s responsibility to notify its members and regulator. But a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.

Cybersecurity assessments

NCUA encourages credit unions to use the FFIEC Cybersecurity Assessment Tool (CAT) to identify their cybersecurity inherent risk and determine their level of preparedness (or “cybersecurity maturity level”) to address cyberthreats.     Although use of the tool is voluntary, NCUA’s Automated Cybersecurity Examination Toolbox (ACET), which examiners increasingly use to conduct information security maturity assessments, mirrors the CAT.

Therefore, using the tool should help credit unions expedite the cybersecurity examination process.

This year, examiners will use ACET to assess credit unions with more than $250 million in assets that have not previously received an assessment. NCUA will also focus on the assessment of credit unions’ IT risk management and oversight of service provider
arrangements.

Valerie Y. Moss is CUNA’s senior director of compliance analysis. Contact CUNA’s compliance department at cucomply@cuna.coop.