NAFCU’s Cyber Committee writes President Trump, supports cybersecurity order
WASHINGTON, DC (July 7, 2017) — National Association of Federally-Insured Credit Unions (NAFCU) President and CEO Dan Berger – on behalf of the association’s Cybersecurity and Payments Committee – wrote President Donald Trump on Thursday with support for his executive order directing the strengthening of the federal government’s cybersecurity.
The executive order requires federal agencies to adopt the National Institute of Standards and Technology’s cybersecurity framework for managing cybersecurity risks.
“NAFCU anticipates that federal adoption of the Framework will improve our nation’s cybersecurity posture, ensure that agencies and stakeholders are speaking the same language when it comes to cybersecurity, and yield new insights regarding effective risk management,” the letter said.
“Since the Framework was released in 2014,” it added, “the coordinated efforts of prudential regulators, NIST, and other information sharing and analysis centers (ISACs) in the financial sector have demonstrated that financial institutions are capable of voluntarily implementing cybersecurity best practices.”
The NAFCU committee is made up of representatives from member credit unions. Berger, on behalf of the committee, noted the seriousness of recent ransomware attacks and emphasized the importance of government and private sector cooperation.
The letter also urged that any “best practices” not be allowed to turn into “de facto regulation” or to use a “one size fits all” approach, which would not benefit credit unions. Berger urged that any framework remain voluntary.
Many NAFCU member credit unions have used and benefited from NIST’s cybersecurity framework. The association has encouraged NIST to work with other regulators and industry stakeholders to clarify how its framework should be used or adopted, while emphasizing that there is no one-size-fits-all approach to cybersecurity.
NAFCU continues to push for Congress to pass a strong national data security standard for retailers that would hold them to the same standards credit unions already follow under the Gramm-Leach-Bliley Act.
Below please find the full text of the letter:
July 6, 2017
The Honorable Donald J. Trump
President of the United States
The White House
1600 Pennsylvania Avenue, Northwest
Washington, D.C. 20050
RE: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Dear Mr. President:
As President and CEO of the National Association of Federally-Insured Credit Unions (NAFCU), the only national trade association focusing exclusively on federal issues affecting the nation’s federally insured credit unions, I am writing to you regarding the “Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the Order) on behalf of NAFCU’s Cybersecurity and Payments Committee. The Cybersecurity and Payments Committee is a working group comprised of over 20 credit union professionals that bring their combined knowledge to bear on data and cybersecurity issues affecting credit unions and the communities they serve. Its members possess expertise in a wide range of subjects, from payments technology to IT security and risk management. In addition, the credit unions represented encompass various asset sizes, charter types, and geographical locations. Having reviewed the Order, we appreciate the White House’s decision to make cybersecurity a top priority and move swiftly to engage critical infrastructure partners, such as credit unions, with the Department of Homeland Security’s National Protection and Programs Directorate.
NAFCU supports the Order’s directive requiring federal agencies to adopt the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Framework). NAFCU anticipates that federal adoption of the Framework will improve our nation’s cybersecurity posture, ensure that agencies and stakeholders are speaking the same language when it comes to cybersecurity, and yield new insights regarding effective risk management. NAFCU is also optimistic that the Framework’s collaborative development, which has so far involved both small and large stakeholders, will continue to improve agency understanding of financial sector capabilities and best practices.
NAFCU believes that collaboration between agencies and stakeholders represents the best model for updating the Framework in the future. Since the Framework was released in 2014, the coordinated efforts of prudential regulators, NIST, and other information sharing and analysis centers (ISACs) in the financial sector have demonstrated that financial institutions are capable of voluntarily implementing cybersecurity best practices. NAFCU believes that the Order will complement this partnership by directing agencies to identify authorities and capabilities to support the cybersecurity risk management efforts of critical infrastructure entities, as well as solicit input from stakeholders to identify and evaluate opportunities for collaboration. NAFCU believes that supporting a collaborative framework for cybersecurity risk management is an essential feature of any national cybersecurity policy. As a recent, high-profile ransomware attack demonstrates, leveraging both government and private sector expertise to execute coordinated incident response plans can vastly improve the resiliency of our nation’s critical infrastructure, particularly in the financial sector.
While NAFCU supports current efforts to map cybersecurity capabilities to the Framework, it does not want identification of “best practices” to translate into de facto regulation, or for agencies adopting the NIST framework to mistakenly assume that cybersecurity means one size fits all. NAFCU supports the idea of a voluntary framework, but believes that legislation should clarify agency authority for memorializing best practices as cybersecurity regulations. NAFCU hopes that by requiring prudential regulators to adopt the NIST Framework, regulated financial institutions will benefit from more consistent application of objective, risk-based principles in future cybersecurity examinations.
NAFCU also believes that clearly-defined, national standards for cybersecurity are essential to preventing future data breaches and ensuring the safety of confidential consumer information. NAFCU has previously recommended that retailers disclose their data security policies to consumers at the point of sale, report data breaches within a defined timeframe, and identify incidents involving unauthorized exposure of personal private information to affected external partners. Accordingly, NAFCU commends the Order for recognizing the importance of promoting market transparency of cyber and data security practices so that consumers can evaluate cybersecurity assurances among merchants and other institutions that are not subject to data privacy regulations like the Gramm-Leach-Bliley Act of 1999.
We look forward to continuing to work with the White House and NIST to identify emerging concerns and best practices. Should you have any questions or wish to discuss these issues further, please feel free to contact Executive Vice President of Government Affairs and General Counsel Carrie Hunt at firstname.lastname@example.org or (703) 842-2234, or Regulatory Affairs Counsel Andrew Morris at email@example.com or (703) 842-2266.
B. Dan Berger
President and CEO
cc: Members of NAFCU’s Cybersecurity and Payments Committee
NAFCU Cybersecurity and Payments Committee Members
Jim Mooney, Chair, President/CEO; Chevron FCU
John Barnfather, SVP/CIO; Caltech Employees FCU
Carla Corkern, VP – E-Commerce; La Capitol FCU
Edgar Cosner, President/CEO; The United FCU
John Culp, President/CEO; First Atlantic FCU
Gail Enda, SVP – Lending; American Airlines FCU
Robert Fisher, President/CEO; Grow Financial FCU
Greg Gallant, President/CEO; Tulsa FCU
Rifat Ikram, Director of IT; State Department FCU
Michael Kapfer, CIO; Northwest FCU
Janelle Kolstad, Sr. Contract Specialist; Northwest FCU
Joan Krempa, Payments Operation Manager; ESL FCU
Larry Larsen, Director of Cyber Security; Apple FCU
Joe Lewis, Director – IT Security; Northwest FCU
Kim Little, Corporate Retail Officer; Chartway FCU
Chris Petersen, VP – Information Technology; St. Paul FCU
Charles Rutan, President/CEO; Southwest Airlines FCU
Chris Sibila, EVP – Payments/Technology; Elements Financial FCU
Richard Stafford, President/CEO; Tower FCU
Tynika Wilson, Manager – Remittance Processing Branch; Navy FCU
The National Association of Federally-Insured Credit Unions is the only national trade association focusing exclusively on federal issues affecting the nation’s federally-insured credit unions. NAFCU membership is direct and provides credit unions with the best in federal advocacy, education and compliance assistance. For more information on NAFCU, go to www.nafcu.org or @NAFCU on Twitter.