The FFIEC and its member regulators, including the NCUA, have stepped up their focus and resources on cybersecurity. This was evident in 2015 with the release of a cybersecurity assessment tool, a resources page, a video, and more. As recently as November, the FFIEC released a statement alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion. This heightened awareness has meant one critical thing for credit unions: greater scrutiny of cybersecurity from examiners.
We have witnessed this shift in focus and don’t expect it to change anytime soon. If anything, it is becoming clear that even greater attention will be placed on IT security as a whole in exams. Here are 5 changes your credit union can make that will impact your ability to address cybersecurity and clear any hurdles in IT exams:
1. Have complete systems/network documentation
This seems obvious, but it is amazing how many credit unions still rely on one person on their IT team to be the repository for all IT information, and have nothing in writing. If, for example, that one person on your IT side is sick, on vacation or quits – and they just happen to be the only person with the administrative password for your firewall – then you could be in trouble.
2. Refresh your IT security policies and procedures
While on the topic of documentation, detailing which security policies are in use, and providing written updates to your plans as new threats emerge, will demonstrate to the examiner that you understand the complexity and necessity of strong cybersecurity practices. Not having a well-documented IT security plan in place, or not keeping it updated to cover emerging threats, can leave your credit union in real trouble, and not just with your examiner.
3. Test backup and recovery frequently enough
Should a cyber attack occur despite your best efforts, how confident are you that you can recover all your records? Ever heard the phrase, “practice makes perfect”? The more often you test your systems against the unexpected, the better equipped you will be. Run tests of your data backup at random points throughout the year to make sure your systems will survive and your backups can be quickly recovered if systems are compromised. Test your backup procedures too… when was the last time you actually restored backup data from your core processor, or file data from your server? Provide the examiner with documentation of when the tests occurred and what they showed (any good backup and recovery plan will include such reports).
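One way to make a restore test repeatable, and to produce the written record the examiner asks for, is to script it: take a hash manifest of the data at backup time, later restore the archive into scratch space, compare every restored file against the manifest, and emit a report entry. The script below is an added illustration written for this article, not a tool from the author, the FFIEC or the NCUA; the sample "file server" tree, file names and archive name are constructed for the demonstration, and the tar.gz format stands in for whatever backup product a credit union actually uses.

```python
"""Scheduled backup restore test: restore an archive to scratch space,
verify every file against a hash manifest, and emit a report record.
Added example for this article; sample data below is constructed."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir: Path, archive_path: Path) -> dict:
    """Write a .tar.gz of source_dir and return the manifest taken at
    backup time; a later restore test is checked against that manifest."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(source_dir, rel), arcname=rel)
    return manifest


def restore_test(archive_path: Path, expected: dict) -> dict:
    """Restore the archive into a throwaway directory and compare every
    restored file against the manifest. Returns a report record suitable
    for the backup-and-recovery log handed to an examiner."""
    started = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # the 'data' filter refuses absolute paths and '..' traversal
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # Python without the filter argument
        restored = build_manifest(Path(scratch))

    missing = sorted(set(expected) - set(restored))
    unexpected = sorted(set(restored) - set(expected))
    corrupted = sorted(f for f in expected
                       if f in restored and restored[f] != expected[f])
    passed = not (missing or unexpected or corrupted)
    return {
        "archive": str(archive_path),
        "tested_at": started.isoformat(timespec="seconds"),
        "duration_s": round((datetime.now(timezone.utc) - started).total_seconds(), 3),
        "files_expected": len(expected),
        "files_restored": len(restored),
        "missing": missing,
        "unexpected": unexpected,
        "corrupted": corrupted,
        "result": "PASS" if passed else "FAIL",
    }


def demo() -> tuple:
    """Constructed sample data: a tiny 'file server' tree, backed up and tested."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "fileserver"
        (src / "loans").mkdir(parents=True)
        (src / "loans" / "q1.csv").write_text("member_id,amount\n1001,2500\n")
        (src / "policy.txt").write_text("information security program v3\n")
        archive = work / "fileserver-backup.tar.gz"  # constructed name
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)

        # Simulate silent corruption: a file changed after the manifest was
        # taken, so the restored copy no longer matches what should be there.
        (src / "policy.txt").write_text("TAMPERED\n")
        make_backup(src, archive)
        bad = restore_test(archive, manifest)
        return good["result"], bad["result"], bad["corrupted"]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (or at the random points in the year the article recommends) and append each returned record to the recovery log; a FAIL entry that names the missing or corrupted files is exactly the evidence that the test was real and that someone acted on the result.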
4. Train all CU employees on IT security
“Credit Unions must provide staff with annual training on their information security program to ensure effective implementation and understanding by all staff.” This is an actual citation from a 2015 CU IT examination received by a credit union we are now working with to provide the required training.
Require your employees to take a 30-minute training on end-user IT security, and present the certificates of completion to your examiner so that this is not raised as an issue.
5. Consult outside resources to ensure IT compliance
According to NCUA Chairman Debbie Matz, “We hope to get credit union officials attuned to the fact cyber security is an ongoing issue with demands that are changing all the time. Credit unions really need to stay on top of this issue, which means working with experts outside the credit union and not just relying on internal IT staff to protect their systems. If the credit union has a weakness in their internal systems it really is a weakness in the entire credit union system. Because, in terms of cyber security, nothing is isolated.” Whether it’s a third-party IT assessment, or having a firm manage your compliance entirely, being able to show a second expert opinion during an exam will benefit you.