Posts tagged ‘CISA’

How secure are your home offices?

As the person ultimately responsible for mitigating both legal and compliance risks to your credit union, you don’t need to know all the answers, but you need to know what questions to ask. One of the questions you should be asking your IT team about is how safe your virtual private network (VPN) is. 

Recently, the FBI and the CISA issued a joint guidance warning companies in high-profile industries, including the financial sector, that they are being targeted by increasingly sophisticated attempts to gain access to virtual private networks. Think about it – a little more than six months ago, we were all concerned about personally identifiable information being sold on the dark web. According to these reports, there is a growing market for VPN identification. Given the sudden movement towards remote work, this trend was inevitable, but the more remote work becomes the norm rather than the exception, the more examiners will be expecting to see what steps your credit union is taking to prepare. 

As explained in this joint examiner guidance released in June, “examiners will review the steps management has taken to assess and implement effective controls for new and modified operational processes. Examiners will assess actions management has taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment. Examiners will also review how management has assessed institutions’ third parties’ controls and service delivery.” In addition, NCUA has emphasized that information technology remains a top priority during the pandemic. 

Some of the techniques being used can be guarded against regardless of the size and sophistication of your institution. For example, the highly influential KrebsOnSecurity posted a blog in August describing increasingly brazen vishing attacks in which hackers contact employers pretending to be from the company’s IT department, requesting login information to access the employee’s account. According to Krebs, this technique is particularly effective against newer employees, who are interacting with their IT department for the first time.

Finally, some of the classics are also being used. Good old fashioned emails requesting login information are still being responded to, reminding us yet again that our computer systems are only as safe as our most technologically inept employees allow them to be. Full disclosure – there are weeks when I talk to the IT department more than I talk to my own kids. 

What this means for your day today is that you may want to remind employees not only that they should be aware of suspicious emails, but also who they are talking to, particularly if they receive a proactive phone call. In addition, this is yet another example of why one of the trickiest parts of remote working is going to be onboarding new employees. My personal suggestion is that even if an employee is going to work remotely, a lot of the orientation process should still be done live and in-person. 

September 22, 2020 at 9:51 am Leave a comment

Guidelines for Cyber Information Sharing Released

Is the best way to protect American citizens from cyberattacks to maximize the amount of information that companies can freely share with the federal government or should we instead place restrictions on anyone’s ability to access computer information?  This question is at the forefront of the news this morning and its answer has very practical implications for your credit union both from a compliance and operational standpoint.

Late last year, Congress passed the Cybersecurity Information Sharing Act (CISA).  The purpose of the Act was to facilitate sharing of information about cybersecurity threats and possible defenses among corporations and the federal government.  The legislation advances this goal by exempting entities participating in this program from antitrust laws and giving them liability protection against lawsuits. 

Yesterday, the Department of Homeland Security released the guidelines that entities wishing to participate in this program will have to follow.  If the expanded information sharing network functions as envisioned, the government will be able to provide continuous, real-time updates on the latest cyber security threats.  As a result, if you are interested in participating in the program, there are certain technical specifications with which your credit union must be able to comply.  Have your IT person take a look at this guidance. 

Under the guidelines, participants would be responsible for scrubbing personal information before it is sent for distribution.  The crucial role that banks and credit unions will play in this system is underscored by the fact that DHS emphasizes that financial information constitutes a vast category of information that is both highly sensitive and highly regulated. 

Privacy groups are not fans of this new law.  They argue that it puts too much information in the hands of the federal government and includes too few protections against the accidental disclosure of private information.  Tim Cook, Apple’s CEO, clearly agrees with this viewpoint.  Apple released a public letter a few hours ago in which it explains why it is going to fight an order from the federal government.  According to Apple, the government is seeking to force it to develop an operating system so that it can access the information stored in the iPhone of one of the San Bernandino, CA terrorists. 

Apple’s argument comes down to its contention that the government can’t be trusted to properly safeguard an encryption key.  As he explains in the letter, “the government suggests this tool could only be used once, on one phone.  But that simply is not true.  Once created, the technique could be used over and over again on any number of devices.  In the physical world it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes.  No reasonable person would find that acceptable.”

Frankly, I think Cook has the better side of the argument.  But, Congress apparently disagrees.  In the meantime, you and your members are caught in the middle. 

February 17, 2016 at 9:01 am Leave a comment

On Mammoth Bills And Giant Defeats

A little before three o’clock yesterday I was so disgusted by my Giants-who were trailing 35-7- that I turned off the game secure in the knowledge that their hopes of making the playoffs were over. I was so desperate to wash football from my head that I  searched for the Cybersecurity Information Sharing Act (CISA) which was tucked away in the good old-fashioned mammoth budget bill signed by the President late last week.  CUNA and NAFCU both supported the bill,  which makes it easier for credit unions and businesses to share information with each other and the federal government about cyber threats without violating federal law or getting sued.

Since 9\11,   large corporations and banks have been complaining that existing laws make it difficult for companies and the government to share cyber threat information.  The major thrust of the act is to facilitate the sharing of cyber threat intelligence  by allowing   companies to enter into agreements to monitor each other’s information technology systems without running afoul of federal law or getting sued . For example, the law authorizes “two or more private  entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat.” In addition the law stipulates that  “No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure.”

The next step is for the government to issue proposed guidance and regulations laying out in greater detail what information can be shared and under what circumstances. Given the criticism of the bill from privacy advocates who have described it as the next Patriot Act.  expect an intensive rule making process. The bill is a step in the right direction for those of us who feel that the country needs a more robust and coordinated cyber defense system.

But much more still needs to be done.  Most importantly, it does nothing to address other cyber issues of more pressing concern to many credit unions.  For example it  imposes no cyber security protocols on merchants.  Instead,  the government is tasked with  accessing cyber security  implementation challenges faced by small businesses as part of a broader effort to disseminate cyber security “best practices.”

When I was done reviewing the bill I went  to  a family get together where I started complaining about the Giants getting blown out.  My Father-In-Law looked at me like I was nuts.  In ends up that I missed the  greatest comeback in Giants’ history which is fine with me because they ended up losing anyway when the Panthers kicked a game winning field goal as time expired.

December 21, 2015 at 9:25 am Leave a comment

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 756 other followers