NAFCU Letter to NIST Regarding a RFI on Developing a Cybersecurity Framework
April 8, 2013
Ms. Diane Honeycutt
The National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899
RE: Developing a Framework to Improve Infrastructure Cybersecurity
Dear Ms. Honeycutt:
On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association that exclusively represents federal credit unions, I write to you regarding the National Institute of Standards and Technology’s (NIST) request for information for developing a framework to reduce cybersecurity risk against critical infrastructure.
NAFCU would like to express our appreciation to NIST for taking a leadership role on cybersecurity. NAFCU supports legislative and policy measures that would enhance our nation’s safety and protect against cyber-attacks. It is unquestionably in the best interest of our nation’s credit unions and their 94 million members to ensure that necessary, appropriate and effective measures are taken to protect our nation’s infrastructures, including critical infrastructure such as the financial system.
As the NIST is aware, NAFCU is a member of the Financial Services Sector Coordinating Council (FSSCC). FSSCC and the Financial and Banking Information Infrastructure Committee have submitted a comment letter to the NIST. NAFCU would like to affirm our endorsement of the letter.
Credit unions are not-for-profit cooperative institutions that are owned by their member. As such, they engage in actions and take necessary measures to protect their members’ interest, which includes taking actions to protect their credit union’s infrastructure.
Credit unions are among the most regulated entities in our nation. Virtually every aspect of their operations is under regular scrutiny or governed by regulations prescribed by a number of regulators. The National Credit Union Administration (NCUA) examines federally-insured credit unions for safety and soundness. As recently as February of this year, the NCUA issued guidance on cyber-security for credit unions to follow and consult. See NCUA 13-Risk-01, Mitigating Distributed Denial-of-Service Attacks. In addition, credit unions are subject to guidance issued by the Federal Financial Institution Examination Council (FFIEC), of which the NCUA is a member, which has established standards for financial institutions’ information systems, outlining the minimum control requirements and directing a layered approach to managing information risks. These are just some of numerous regulatory or industry-established standards that credit unions have followed for many years.
In establishing a framework, we strongly encourage the NIST to take into account that credit unions (and the financial sector as a whole) have extensive experience in instituting effective measures to protect their infrastructure and their members’ assets. It important, thus, that the NIST does not establish a one-size-fits-all set of standards, even if the standards will be voluntary. Rather, any standards should take into account and differentiate between each sector’s experience, exposure and expertise.
Lastly, and importantly, we would like to reiterate our position that legislation addressing a wide array of cybersecurity issues is needed. One such issue that must be addressed involves the role that merchants’ play, an issue that we believe is important to improve defenses against cyber-attacks. Financial institutions, including credit unions, bear a significant burden as the issuers of payment cards used by millions of consumers. Credit unions suffer steep losses in re-establishing member safety after a data breach occurs and are often forced to charge off fraud related losses, many of which stem from a negligent entities failure to protect sensitive financial and personal information. We believe, as we have expressly stated to Congress, legislation is necessary to address the role of merchants in protecting against cyber-attacks.
NAFCU appreciates the opportunity to comment. Should you have any questions or require additional information please feel free to contact me at email@example.com or (703) 842-2268.
Senior Regulatory Affairs Counsel