Credit unions raise the bar
EDITOR'S NOTE: Carol Jakucs is a freelance writer.
Like other financial institutions, credit unions face a growing number of cyber threats. Cyber criminals and terrorist groups are using malware, social media and other online methods to steal money or personal customer data, invade computer networks, and cause business disruptions.
With these issues in mind, the National Credit Union Administration announced at its September 2016 board meeting it would build an extensive cybersecurity assessment into its examinations of credit unions by sometime in late 2017. The NCUA said in a January update that cybersecurity remains a key supervisory focus, and encouraged credit unions to use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, while it prepares a structured assessment process.
“Financial markets and transactions are no longer a closed process at a local branch. Everything is now interconnected,” said Tim Segerson, deputy director of examination and insurance at the NCUA. “Our goal is to establish an assessment of specific elements of information technology and security to help ensure that credit unions and their members’ information is safe.”
Cyber criminals and cyber terrorists are increasingly using innovative online services, new ways to transmit financial information and off-the-shelf toolkits to invade computer networks, snatch personal information and steal money.”
— Former NCUA Board Chairman Rick Metsger
With the introduction of the Cybersecurity Assessment Toolby the FFIEC in 2015 to assist financial institutions in identifying and preparing for cyber threats, cybersecurity risk assessment has become an increasingly important issue for the credit union industry.
“The thieves, the hackers and the terrorists are always out there, looking for ways to steal money or information or disrupt networks,” former NCUA Board Chairman and current board member Rick Metsger said in an Oct. 3 news release. “NCUA has made cybersecurity a top supervisory priority for years, and we’re working to update our exam procedures to help credit unions do a better job of detecting and preventing cyberattacks.”
Segerson said using the FFIEC cybersecurity tool is voluntary, but is strongly encouraged because it helps to assess a credit union’s level of risk and preparedness with regards to cybersecurity.
The new cybersecurity assessment for credit union examinations, which is still being developed by the NCUA, is “not replacing the cybersecurity assessment tool or anything else but will help to add another layer of security for credit unions by providing a comprehensive, strategic view in great detail of cybersecurity,” he said.
Cybersecurity assessment
Increased risks
Segerson said with the industry’s shift toward technology-based solutions, such as online banking and the use of social media, it has increased the level of exposure. While many institutions have a strong security posture, others face higher risks. The goal is to have an examination approach that will allow examiners to collect information and document findings for each institution when assessing their cybersecurity measures and internal and technology-based controls, along with other factors such as the credit union’s size, scope and level of risk, he said.
Credit union industry groups seem generally supportive of the NCUA’s heightened focus on cybersecurity.
Lance Noggle, senior director of advocacy and assistant general counsel at the Credit Union National Association said, “in general, financial institutions have been at the forefront of information technology,” and cybersecurity is a major issue. Given that major breaches have occurred at a variety of financial institutions and large corporations, credit unions generally use the same advanced data security measures as other financial institutions.
“CUNA has already worked to put resources in place to help credit unions utilize the current CAT tool from the FFIEC,” Noggle said. “The desired endgoal for any cybersecurity assessment tool is to secure and safeguard information.”
Joey Griffith, compliance officer with Communication Federal Credit Union in Oklahoma City, supports the NCUA’s effort to develop a new cybersecurity assessment.
“We live in a time where cybercrime has increased 200% in the last five years and is expected to cost the global economy $2.1 trillion by 2019,” Griffith said. “We cannot stand idle waiting for the next breach. We in the compliance industry appreciate an examination standard that is evenly applied to all financial institutions. By the NCUA working within the framework of the FFIEC cybersecurity assessment tool, we all know to what standard we should be striving to achieve and to what standard we will be held.”
Griffith said the general consensus is that the new NCUA assessment will help to improve cybersecurity for credit unions, especially for those that may not have dedicated resources to cybersecurity. “Having this tool and evaluation will enable institutions to make the necessary enhancements to protect themselves and their members,” he said.
Read article about the National Credit Union Administration’s top supervisory for credit unions in 2017.
Read More
Our goal is to establish an assessment of specific elements of information technology and security to help ensure that credit unions and their members’ information is safe.”
— Tim Segerson, deputy director of examination and insurance at the NCUA
Some credit unions already have been working to improve their cybersecurity measures.
“Speaking from my experience, we are constantly evaluating the five FFIEC domains; cyberrisk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management and cyber incident management and resilience,” Griffith said. “We are in the fortunate position that we also partner with some of the industry’s top information security and cybersecurity assessment firms, who are always evaluating our current program against current and emerging threats.”
Part of the developmental process for the new cybersecurity assessment is training the NCUA’s examiners in its use and application when examining credit unions, according to Segerson. Once examiners are trained and the new assessment tool is complete and in its final form, he said “it will be made public and shared with the industry” in the spirit of transparency.
Griffith said one concern he has is examiner preparedness.
“Cybersecurity is extremely complex and ever evolving,” he said. “Industry professionals spend countless hours and resources honing their craft. It is my hope that examination staff have invested equally in the same rigorous training.”
Agency creates cybersecurity assessments for credit unions
© 2017 OnCourse Learning Corp. All rights reserved
Contact Us
20225 Water Tower Blvd. Brookfield, WI 53045
By Carol Jakucs
More inside this guide
Prevent cyberattacks
Banks must take proactive steps to stay ahead of cybercriminals
Phishing for trouble
Hackers use phishing emails to steal data, penetrate networks
Banks face new cyber regs
New cybersecurity standards could affect large financial institutions
Leading the way
New York establishes first-of-its-kind cybersecurity standards
What you need to know
Ways financial institutions can identify and respond to cyberthreats
Email fraud and cybercrime
Tips to identify red flags and respond to email and cyberthreats
Understand the threats
Learn ways financial institutions can mitigate cyber risks
Reduce cyber risk
OnCourse Learning webinar focuses on cybersecurity issues
Choose the right vendor
Financial institutions can be held responsible for vendor tech failures
Become cyber secure
OnCourse Learning offers cybersecurity training to meet your needs
Take cybersecurity seriously
Guide helps financial institutions identify cyberthreats
Beware of ransomware
Cyberattacks involving ransomware are a growing concern
Stop the bad actors
Terrorists and other groups threaten the financial system
Credit unions raise the bar
Agency creates cybersecurity assessments for credit unions
Cyber preparedness
Why cybersecurity should be a top priority for your financial institution
Increase cyber awareness
Federal and state agencies offer many cyber resources
Protect online payments
Agency warns of cyberthreats to bank payment networks
Training in the cyber age
Preparation is better than remediation when it comes to cybersecurity
How to Navigate
How to Navigate
Move forward or backward between articles by clicking the arrows.
Click or tap to bring up the Table of Contents.
Share articles by clicking on one of the social media icons in the upper right corner of the page.
Use your mouse wheel, keyboard arrow keys, or scroll bar to move up and down in an article.