Are You The King Of Your Cyber Security Domain?

August 13, 2015 at 8:57 am 2 comments

That is the question that a tool released by the FFIEC, an organization of federal bank regulators including the NCUA, released late in June.  It is currently available on NCUA’s website.  I would strongly suggest your credit union go through the process for assessing its credit risk outlined by the FFIEC. When it comes to protecting against hackers, the areas the regulators want examined are areas you either have already examined or better start examining.

The FFIEC defines Cybersecurity as the process of protecting consumer and bank information by preventing, detecting, and responding to attacks. What the FFIEC is attempting to do with this assessment tool is prod institutions of all sizes into adopting a standardized approach to periodically reviewing the likelihood that they will be attacked and consider whether they have the appropriate level of resources to deter and defend against such an attack. It’s similar to what credit unions are already expected to do as part of assessing their BSA risks and the Red Flags of Identity Theft, only this assessment is intended to zero in specifically on Cybersecurity. The key is not only doing the assessment but making sure it is periodically reviewed. After all, cyber threats evolve almost as quickly as Donald Trump can find a new group of people to insult and your credit union is dealing with more and more technology.

How do you ascertain your credit union’s Inherent Risk Profile? By reviewing and ranking your credit union’s technologies and connection types (e.g. the number of Internet Service providers and third party connections); delivery channels (e.g. do you provide person to person transfers or do all cash transactions have to be facilitated by a teller?); its mobile and online products and services; organizational characteristics (e.g. how many direct employees and third party providers can access your IT system); and its external threats (e.g. the number of attempted and successful cyber-attacks). You then give each one of these categories a risk level ranging from lowest to highest risk faced by your credit union.

Once you create the risk profile, you assess your credit union’s “maturity” or sophistication in five areas of Cybersecurity. These areas are 1) Cyber Risk Management and Oversight; 2) Threat Intelligence and Collaboration; 3) Cybersecurity Controls; 4) External Dependency Management; and 5) Domain Cyber and Incident Management and Resilience.

According to the FFIEC, it is not concerned with an overall aggregate score. What it wants financial institutions to do is assess whether they are properly aligning their resources. For example, a credit union that is large enough to house its own technology doesn’t need as sophisticated a system for overseeing its “external dependency management” as does a credit union that outsources all its technology. In contrast, a credit union that oversees its own hardware needs a dedicated staff of IT professionals.

If you think your credit union is too small to worry about conducting this assessment, you are out of luck. The tool is intended for use by both big and small credit unions, a point underscored by NCUA’s Office of Small Credit Unions when it hosted a webinar on the basics of Cybersecurity that provided a preview of the tool and how credit unions could use it to strengthen their Cybersecurity.

Using this tool makes sense. An online survey conducted by NCUA as part of the Cybersecurity webinar revealed that only 52% of the participating credit unions had a cyber-security policy. It’s time to put one in place and this assessment can help. If your credit union already has a Cybersecurity protocol than answering the questions being posed by the regulators should not be that difficult.

Entry filed under: Compliance, Regulatory. Tags: , .

Banker Hypocrisy And Municipal Deposits Is Consumer Spending Hitting Credit Union Sweet Spot?

2 Comments Add your own

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 483 other followers