Core processing systems handle a vast volume of data each and every day. Credit unions have to store that data somewhere, and the pandemic has made securing such confidential information more complicated.
The rush to remote working for thousands of credit union staffers who work with and otherwise have access to that treasure trove of information has increased what experts call the “attack surface” for hackers. It’s also made now a good time for financial cooperatives to think about what they’re keeping and how long they keep it.
Jason Sharabani, Manager of Internal Audit and Compliance, Member Driven Technologies
“Cyber-threat activity related to COVID-19 has become its own pandemic,” says Jason Sharabani, manager of internal audit and compliance for the past nine years at Member Driven Technologies, a suburban Detroit CUSO that hosts the Symitar Episys platform and multiple other solutions for more than 100 credit unions across the country. With the boundaries between what’s inside an organization’s firewall and what’s outside becoming less and less obvious, an organization’s attack surface now extends to the outer reaches of the internet, including employees’ homes.
That reality adds urgency to reviewing what must stay and what can go with an eye toward shifting away from the “keep everything” philosophy that drives storage practices at many cooperatives.
Accumulated Risk. Unnecessary Expense.
It’s easy to understand why many credit unions want to keep everything when it comes to data.
Mike Sprunger, Senior Manager and Practice Lead for Governance, Risk, and Compliance, Insight Enterprises
“Data retention, like protection and privacy, is a shared responsibility across the entirety of the credit union,” says Mike Sprunger, senior manager and practice lead for governance, risk, and compliance at Insight Enterprises, an Arizona-based business that provides hardware, software, cloud, and IT services to clients in the fields of finance, government, education, and health care. “When these requirements aren’t known or shared, IT has no choice but to adopt a ‘keep everything’ approach.”
That approach adds not only security risk but also ever-increasing costs to maintain the confidentiality, integrity, and availability of that information, Sprunger says.
For credit unions that manage their own storage, Sprunger says those costs come both in the form of significant capital expense for on-premise storage capacity as well as significant operational expense for the data center floor space, utilities, maintenance, and personnel. For shops that outsource their storage, operational expenses take the form of higher consumption costs billed by the cloud services provider.
“Either way, data grows exponentially,” says the Insight manager. “If data is retained forever regardless of the reason, someone has to pay to house and protect it.”
The More The Merrier, If You’re A Hacker
As credit union add more devices — including work-from-home computers — to their networks, the attack surface grows. A comprehensive and up-to-date inventory of assets and configurations is imperative to keep up with what Jason Sharabani, internal audit and compliance manager at Member Driven Technologies, says are more than 100 attack vectors and breach methods that hackers can use.
Here are 11 of the most common:
Weak and stolen passwords.
Missing or poor encryption.
Brute force attack.
Distributed Denial of Service (DDoS).
“It's easier for attackers to find vulnerabilities in the defenses of a network that has a lot of data interfaces than a network that only has a few very controlled access points,” Sharabani says.
Beyond in-house expenses, what to keep and what to virtually shred comes down to satisfying regulatory requirements.
The NCUA and other federal regulators, along with state and even local governments, all influence what a credit union should and should not store long-term. Sprunger suggests credit unions work with legal counsel and regulators to clearly understand the rules for various record types. This can include normal member transactions — including but not limited to deposits, withdrawals, transfers, payments, and more — records dealing with loans — including applications, credit scores, origination, and closure documentation — operational bookkeeping type records — such as accounts payable/receivable and payroll — and records focused on human resources, which can vary widely from state to state.
Sprunger also encourages credit unions to develop or augment existing policies and procedures that address retention, protection, and secure destruction of records when their useful life has ended.
“If the policy says you destroy a type of record after five years, then destroy it,” Sprunger says. “If you become involved in litigation where it is discovered the documented practice isn’t followed, then subpoenas for discovery can be widened by the plaintiff’s counsel.”
And finally, Sprunger says to account for the secure destruction of the old data.
“Any auditor will tell you that if you can’t prove it was destroyed, it wasn’t destroyed,” he says.
If this sounds like a lot, that’s because it is.
“The financial market is one of the most highly regulated markets next to health care and the federal government,” Sprunger says. “This means credit unions need to validate specifics with their regulatory bodies and legal counsel.”
Federally insured credit unions lean heavily toward the NCUA for guidance and guidelines, and MDT’s Sharabani points to the regulator’s record retention guidelines in the Gramm-Leach-Bliley Act, Part 749, Appendix A.
That’s where the NCUA describes a cooperative’s obligation to maintain a records preservation program to identify, store, and reconstruct vital records in the event the credit union's records are destroyed.
Sharabani says the NCUA recognizes credit unions must strike a balance among the competing demands of space, resource allocation, and the desire to retain all the records they might need to conduct their business successfully.
“Efficiency requires all records that are no longer useful be discarded,” he says. “Just as both efficiency and safety require useful records be preserved and kept readily available.”
That said, destroying records might impact the credit union’s legal standing to collect on loans or defend itself in court, Sharabani adds.
“Since each state can impose its own rules, it’s prudent for a credit union to consider consulting with local requirements when setting minimum retention periods,” the MDT audit and compliance manager says.
How To Tackle Data Doubling
Sound practices in managing core and other data is becoming more imperative as credit unions store more data. It doesn’t matter if the data itself is stored offsite or the people accessing it are working from home.
“The dilemma that most businesses face is understanding what data needs to be kept active and accessible — hot data — and what data can be moved to archive storage because it is being kept as a record but isn’t in use — cold data,” Sharabani says.
According to Sharabani, unstructured data is nearly doubling every year, making a good data management solution critical in efficiently managing data growth and risk.
What Can Go And What Must Stay
Jason Sharabani, internal audit and compliance manager at MDT, highlights a few records credit unions should retain permanently and a few records they can destroy after they’ve been made available for annual supervisory committee audits and NCUA examinations.
Charters, bylaws, and amendments.
Certificates or licenses to operate under programs of various government agencies, such as a certificate to act as issuing agent for the sale of U.S. savings bonds.
Current manuals, circular letters, and other official instructions of a permanent character received from the NCUA and other governmental agencies.
Minutes of meetings of the membership, board of directors, credit committee and supervisory committee.
One copy of each NCUA 5300 financial report or its equivalent
One copy of each supervisory committee comprehensive annual audit report and attachments.
Copies of the periodic statements of members or the individual share and loan ledger (a complete record of the account should be kept permanently).
Listing of records destroyed.
Destroyed At The Appropriate Time:
Applications for paid-off loans and the paid notes.
Various consumer disclosure forms (unless retention is required by law).
Cash received vouchers.
Canceled checks and statements.
Outdated manuals, canceled instructions, and nonpayment-related correspondence from the NCUA and other governmental agencies.
Want more credit union strategies? Sign up for the CreditUnions.com free newsletter.