The morning after
by: Henry Meier
Just as you should have a plan to rapidly recover your credit union operations in the event of a natural disaster, so too should you have a plan to rapidly get up and running in the event your credit union is victimized by a cyberattack. That’s my main take-away from a joint guidance issued yesterday by the FFEIC, a group of financial regulators that of course includes the NCUA.
In addition to underscoring the importance of cyberattack recovery, the regulators are using the guidance to emphasize the importance of ongoing assessments and monitoring of your existing computer systems. For example, you are expected to maintain an ongoing risk assessment system that considers new and evolving threats and conduct regular audits to review who has access to vital systems.
Now for some more general points, in light of the Supreme Court’s recent decision upholding the right of the Department of Labor to reinterpret existing law simply by issuing a new letter, guidances of all types, including those issued by the FFEIC, are as binding on your credit union as if a new regulation had just been promulgated. The FFEIC typically claims that it is doing nothing more than synthesizing existing requirements, but at the very least make reviewing this memo a compliance priority.
continue reading »