The Morning After
Just as you should have a plan to rapidly recover your credit union operations in the event of a natural disaster, so too should you have a plan to rapidly get up and running in the event your credit union is victimized by a cyberattack. That’s my main take-away from a joint guidance issued yesterday by the FFIEC, a group of financial regulators that of course includes the NCUA.
In addition to underscoring the importance of cyberattack recovery, the regulators are using the guidance to emphasize the importance of ongoing assessments and monitoring of your existing computer systems. For example, you are expected to maintain an ongoing risk assessment system that considers new and evolving threats and conduct regular audits to review who has access to vital systems.
Now for some more general points. In light of the Supreme Court’s recent decision upholding the right of the Department of Labor to reinterpret existing law simply by issuing a new letter, guidances of all types, including those issued by the FFIEC, are as binding on your credit union as if a new regulation had just been promulgated. The FFIEC typically claims that it is doing nothing more than synthesizing existing requirements, but at the very least make reviewing this memo a compliance priority.
In addition, notice how the regulators are not going to let smaller institutions off the hook. Obviously, the steps a $20 million credit union takes to both guard against and recover from malware attacks are not going to be as extensive as the steps taken by a $1 billion institution, but steps need to be taken nonetheless. The regulators have a point, since the bad guys have demonstrated an increasing willingness to go after the data stored by smaller institutions. I’m concerned that without a serious attempt on the part of the industry to pool resources, increasing computer costs in conjunction with existing compliance mandates will make it that much more difficult for any small credit unions, or true community banks for that matter, to survive.