Matz: Responsible parties should cover cost of cybersecurity breaches
NCUA Chairman Says Retailers “Should Be Held Accountable” for Protecting Consumers’ Sensitive Information
ALEXANDRIA, VA (December 9, 2014) — Data breaches at retailers have cost credit unions greatly, and National Credit Union Administration Board Chairman Debbie Matz called for retailers and other third parties that are responsible for such breaches to cover those costs to financial institutions.
“Throughout this year, credit unions and their members have suffered from data breaches they did not cause. However, no matter how far removed a data breach may be from a credit union, that credit union may pay in terms of its balance sheet and its reputation,” Matz said. “When breaches occur in third-party data systems, the responsible third parties should be held accountable.
“Financial institutions are required by law to protect sensitive information,” Matz said. “Yet it is financial institutions, not retailers, who must shell out as much as $15 for every new card issued to affected cardholders. It is financial institutions, not retailers, who must monitor affected accounts and reassure consumers that those accounts are still safe. Retailers should be held to the same high data protection standards. It is time to end the double standard.”
Matz made her remarks Monday night during a speech to the Metropolitan Area Credit Union Management Association. In addition to a report on the state of the credit union system nationally and in the greater Washington, DC, area, Matz covered issues including the coming revised risk-based capital proposed rule and the ongoing threat posed by interest-rate risk. But the cost of cyber-attacks was a major theme in her remarks.
Matz said cybersecurity will continue to be a supervisory priority for NCUA in 2015.
“Next year, NCUA will expect credit unions to implement controls to better detect cyber-attacks, to better protect themselves and their members and to better recover from those attacks,” she said.
Matz said that, despite existing regulatory guidance, many institutions fail to take basic cybersecurity measures, such as encrypting sensitive data before transmission, applying access controls and conducting tests to determine resilience to attacks. That creates a major threat.
“Cyberterrorists are scheming to break into smaller institutions, including credit unions, and use them as an entry point to the entire financial services system,” Matz said.
In addition to examinations, Matz said, NCUA has provided numerous cybersecurity resources and information on the agency’s dedicated webpage.
NCUA, Matz said, is also audited every year on its information technology controls and security procedures, and the agency is active in a cybersecurity working group with other financial services regulators, law enforcement and intelligence organizations to enhance and enforce cybersecurity throughout the financial services industry.
Credit unions will find NCUA an active partner in the effort to improve security, Matz said.
“Working together, we will be ready,” she said. “We all have the same goal of a safe and sound credit union system, and I would be happy to hear from you as to how we can achieve that goal.”
NCUA is the independent federal agency created by the U.S. Congress to regulate, charter and supervise federal credit unions. With the backing of the full faith and credit of the United States, NCUA operates and manages the National Credit Union Share Insurance Fund, insuring the deposits of more than 98 million account holders in all federal credit unions and the overwhelming majority of state-chartered credit unions. At MyCreditUnion.gov and Pocket Cents, NCUA also educates the public on consumer protection and financial literacy issues.