Written by Pamela Yu, Special Counsel for Compliance and Research
If you were trying to spend last Friday evening catching up on your binge watching (Have you seen the throwback-fabulous ‘Stranger Things’ yet?), tweeting, and doing a bit of online shopping, you may have noticed a slowdown due to the two massive cyberattacks that hit Netflix, Amazon, PayPal, Twitter, and others.
Unfortunately, distributed denial of service (DDoS) attacks and other cybercrimes are growing in frequency, size, and sophistication. Cybersecurity is a major concern for credit unions, who are already increasing their information technology (IT) spending and hiring more personnel to address the heightened risk and vigilance of cyber attackers. NAFCU’s October Economic and CU Monitor survey shows that the percentage of respondents’ overall operating budget devoted to IT/cybersecurity has nearly doubled over the past five years alone. Meanwhile, NCUA has made cybersecurity a supervisory priority since 2013, and the agency recently reminded credit unions that “technological innovation, the expansion of social networking and growing interconnectivity are fueling fundamental change in cybersecurity procedures and processes,” and with that change, credit unions are potentially impacted with “higher mitigation costs and lower consumer confidence, as well as greater financial and legal risks.” Also, yesterday, NCUA warned that credit unions face a dangerous threat to the safety and security of their data and information in the form of ransomware.
To address these growing cybersecurity threats, in June 2015, NCUA and the other members of the Federal Financial Institutions Examination Council (FFIEC) released a voluntary Cybersecurity Assessment Tool (CAT) to enhance financial institutions’ cybersecurity oversight and management capabilities, and to identify any gaps in an institution’s risk-management practices. According to NAFCU's survey, many credit unions are already using this tool, as well as NAFCU’s user-friendly FFIEC Cybersecurity Assessment Tool Workbook, to enhance their cybersecurity preparedness.
On October 17, the FFIEC released a new frequently asked questions (FAQ) guide related to the FFIEC CAT. Consisting of eighteen questions and answers, the FAQs clarify points in the FFIEC CAT and supporting materials based on questions received by the FFIEC members over the past year. Among other things, the FAQs clarify expectations with respect to an institution’s Cybersecurity Maturity levels and Inherent Risk levels:
“While there are no expected maturity levels for an institution, Inherent Risk levels should be balanced with maturity. If management determines that the institution’s maturity levels are not appropriate in relation to the Inherent Risk Profile, management should consider reducing inherent risk or developing a strategy to improve their levels of maturity.
Management may choose to evaluate the institution’s inherent risk overall, as well as inherent risk for specific activities, services, or products. In general, when the inherent risk of an activity, service, or product rises the maturity level of related controls and risk mitigation activities should increase, as well.”
The FAQs also clarify what several terms mean with respect to the FFIEC CAT, including: “trust services,” “merchant acquirer,” “treasury services,” and “asset life-cycle process.”
In other cybersecurity news, the Federal Reserve, FDIC, and OCC last week jointly released an advance notice of proposed rulemaking (ANPR) inviting public comment on potential enhanced cybersecurity risk-management and resilience standards that would apply to large ($50 billion or more in assets) and interconnected entities under the supervision of the three federal banking regulators. The standards would also apply to third parties providing services to these entities, but would not apply to community banks and credit unions. The ANPR addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
Under the proposal being considered, the enhanced standards would be tiered, with more vigorous standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the Fed, FDIC, and OCC are considering a rule to require banks to mitigate the risk of a disruption or failure due to a cyber event. Comments on the ANPR are due January 17, 2017.
While credit unions are not covered by the ANPR, in light of Friday’s DDoS attack and NCUA’s continued supervisory focus on cybersecurity, we can expect that credit unions may face increasing pressures to enhance their own standards to mitigate cyber threats.
NAFCU’s Compliance Seminar and BSA Conference Continues
NAFCU’s compliance team continues to be onsite in beautiful New Orleans for NAFCU's concurrent Regulatory Compliance and BSA Seminars! We appreciate your continued patience as the team works to answer your compliance questions between giving presentations.