That is the question that a tool released by the FFIEC, an organization of federal bank regulators including the NCUA, released late in June.  It is currently available on NCUA’s website.  I would strongly suggest your credit union go through the process for assessing its credit risk outlined by the FFIEC. When it comes to protecting against hackers, the areas the regulators want examined are areas you either have already examined or better start examining.

The FFIEC defines Cybersecurity as the process of protecting consumer and bank information by preventing, detecting, and responding to attacks. What the FFIEC is attempting to do with this assessment tool is prod institutions of all sizes into adopting a standardized approach to periodically reviewing the likelihood that they will be attacked and consider whether they have the appropriate level of resources to deter and defend against such an attack. It’s similar to what credit unions are already expected to do as part of assessing their BSA risks and the Red Flags of Identity Theft, only this assessment is intended to zero in specifically on Cybersecurity. The key is not only doing the assessment but making sure it is periodically reviewed. After all, cyber threats evolve almost as quickly as Donald Trump can find a new group of people to insult and your credit union is dealing with more and more technology.

How do you ascertain your credit union’s Inherent Risk Profile? By reviewing and ranking your credit union’s technologies and connection types (e.g. the number of Internet Service providers and third party connections); delivery channels (e.g. do you provide person to person transfers or do all cash transactions have to be facilitated by a teller?); its mobile and online products and services; organizational characteristics (e.g. how many direct employees and third party providers can access your IT system); and its external threats (e.g. the number of attempted and successful cyber-attacks). You then give each one of these categories a risk level ranging from lowest to highest risk faced by your credit union.

continue reading »