New FFIEC Mobile Guidance Lists Risk-Based “Shoulds”

Examiners expected to follow new mobile rules from joint regulator council.

This chief security officer for a California credit union knows what financial institutions “should do” to reduce cybersecurity risk. It’s all those “must do’s” that make it more difficult.

One of his tasks is ensuring proper heed is paid to proclamations such as the new mobile security guidance just issued by the Federal Financial Institutions Examination Council, of which the NCUA is a member.

The new guidance is in the form of the 18-page Appendix E: Mobile Financial Services and is part of the FFIEC’s revised Retail Payment Systems booklet, itself a part of the FFIEC’s series of IT Booklets.

The FFIEC says the guidance aims to help examiners evaluate how financial institutions and their third-party providers are managing risk in retail payment systems. It follows previous guidance on other topics such as cards, remote deposit capture, and general technology changes.

Appendix E addresses risk identification, measurement, mitigation, monitoring, and reporting. Its primary audience is examiners, but, as the FFIEC noted in its news release earlier this month, “Financial institution management should also find this guidance helpful.”

“Almost the entire document is filled with ‘should,’” the California CISO says. “But until it’s required, leadership will have a hard time spending money chasing ‘should’ when they need to spend on ‘must’ items.”

For now, he recommends looking at the new guidance “as a light in the distance that provides guidance, and be prepared mentally to communicate why the organization is where it is.”

Be prepared, he says, to answer this question when the examiners arrive: “Do you recognize risk and are you operating within the risk appetite of the credit union’s leadership?”

Benchmarking Awareness

The NCUA did not respond to questions this week from CreditUnions.com about when the regulator would begin implementing the mobile banking guidance into its examinations. CUNA also says it’s not sure.

“It’s unclear how the NCUA will apply the guidance in upcoming exams,” says Lance Noggle, the trade group’s senior director of advocacy and counsel. But he advises credit unions to prepare to show that proper security measures are in place, especially for payments-related software and applications.

For instance, he says, “It looks like they’re pushing biometrics to ensure that a mobile device is being used by its owner and that codes and emails also would not be available to someone in possession of a lost or stolen phone.” Noggle says SMS texting also appears to “present risks that are difficult to overcome.”

That sounds pretty nuts-and-bytes to non-technical board members and managers, but the latest guidance also further illustrates regulators’ recognition that cybersecurity knows no silos.

Michael Emancipator, NAFCU’s senior regulatory affairs counsel, says the guidance provides useful, new benchmarks, and observes, “We continue to hear that cybersecurity issues are no longer limited to IT departments, but are now enterprise-wide priorities requiring more individuals and departments to have at least a basic understanding of potential threats.”

And, indeed, they should, says Lori Gall, president and CEO of The Sollievo Group, a compliance services subsidiary of Mid-Atlantic Federal Credit Union.

“Since mobile services have become such an in-demand product for credit union members, this kind of acknowledgement by regulators is a step in the right direction,” Gall says.

She says the guidance serves as an important resource for credit union employees — especially those whose jobs directly involve compliance — to show what risks and mitigation to those risks are available. “It will help tremendously,” Gall says.

And on the other side of the table, she points to raising awareness of the specific areas of identification, mitigation, and monitoring that serve as the linchpin of any good risk management program.

“The new mobile security guidance lays out specific areas of assessment to test the risk controls a credit union has in place,” Gall says. “Come exam time, I believe these guidelines will allow examiners to make credit unions aware of the mobile security risks.”

Examiners Gotta Examine

If past is prologue, credit unions can expect the mobile suggestions to become examination topics. For instance, the NCUA has said that this year it will begin incorporating elements of the previously released Cybersecurity Assessment Tool.

That tool was released after a pilot program was conducted in 2014 among 500 credit unions and community banks, and “is a continuation of the increasing focus and consistent theme we’re seeing, that institutions must address the myriad threats posed by changing technologies and more and more sophisticated attacks,” says Donna Cameron, director of regulatory I/O at compliance provider Continuity.

Credit unions can expect the same from Appendix E, says Gene Fredriksen, vice president and chief information security officer at PSCU. He expects the NCUA and other FFIEC members — which include the FDIC — to thoroughly examine all technology risk issues.

In the case of mobile, Fredriksen says he expects the focus to be on:

  • Enrollment
  • Authentication and authorization
  • Application development and distribution
  • Application security
  • Contracts
  • Consumer awareness
  • Logging and monitoring.

“This will all result in a clearer picture of the risks a mobile platform may expose,” says Fredriksen, who calls the new guidance “a solid model for credit unions to use to evaluate the risk of a specific mobile offering.”

Those risks will just continue to grow along with the mobile channel. “The greater the business penetration into internet and mobile-based tools, the greater the inherent risk,” Fredriksen says. “If we’re to continue protecting the information entrusted to us by members, we must make sure our cybersecurity programs are agile, resilient, and keep pace with emerging threats.”

He says that means taking a serious look at existing and planned systems and identifying areas for improvement. “Document your discussions, evaluations, and risk assessment processes,” the veteran technologist says. “Ensure those discussions also take place with the executives of the organization. If you have a complete package that shows your diligent efforts in this area, you will be well prepared for any NCUA discussion during an examination.”

May 19, 2016