NCUA issues risk alert on remote work, cybersecurity

April 20, 2020

NCUA recently issued a Risk Alert (20-Risk-01) to federally insured credit unions on cybersecurity concerns with remote work. The alert is primarily directed toward credit union boards of directors, CEOs, chief information officers, and chief information security officers.

NCUA notes that employees working remotely have a responsibility to address cybersecurity risks for their home networks, personal computing devices, and other internet-connected devices.

“Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures. Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur,” the alert reads. “Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution.”

This Risk Alert highlights cybersecurity best practices for credit unions that leverage employees’ personal networks and devices.

Common cybersecurity risks for remote workers include:

  • Malware attacks;
  • Phishing and other social engineering attacks; and
  • Advanced Persistent Threat attacks.

To minimize the risk of a successful cyberattack while working remotely or with personal equipment, policies and procedures should address employee expectations, such as:

  • Ensuring that family members or others do not use devices designated for work;
  • Implementing session time outs and encryption of sensitive information;
  • Keeping devices physically secure;
  • Working with a user account and not an administrator or privileged account;
  • Establishing strong, unique passwords for all log-ins and devices on their home network;
  • Leveraging firewall capabilities available through internet service providers;
  • Increasing wireless security to the strongest encryption option;
  • Removing unnecessary services and software;
  • Updating software regularly;
  • Maintaining antivirus software and ensuring timely updates to definitions; and
  • Ensuring system and account logs are being collected and maintained.

Credit union management should communicate proactively with employees to verify that remote work is being done securely, and provide guidance and assistance as needed. Additional institution-level controls, such as those designed to ensure operating system versions, patch levels, and anti-malware solutions meet security standards, should be considered and addressed in a risk assessment.

The risk alert also contains information for employees who suspect an attack, guidance on how to respond to a security incident, and links to additional information on cybersecurity and working remotely.