This past summer, about 500 community financial institutions, including credit unions, got some extra scrutiny when they were visited by federal examiners for their regularly scheduled checkups.
And now what those examiners found in that “cybersecurity pilot assessment” is being shared by the Federal Financial Institutions Examinations Council, comprising the Federal Reserve Board, the FDIC, the Office of the Comptroller of the Currency, the CFPB, and of course, the NCUA.
The FFIEC began its Nov. 3 summary report with this: “The cybersecurity assessment found that the level of cybersecurity inherent risk varies significantly across financial institutions.” It concluded with this: “As a result of the cybersecurity assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk.”
No date was given for the new guidance, but in the meantime, the FFIEC has some “recommendations.” They’re recommendations, of course, in the same sense that a teacher recommends homework be done by those who don’t want to fail. “Know thyself and know thy vendor,” might be one way to describe the overall tenor, as well as, “Be prepared.”
Basically, credit unions need to work to ensure board members and senior managers really do understand inherent cybersecurity risks, as do pretty much everyone else who works with them or for them. Routinely discussing such issues in meetings is a good way to start.
Business continuity and disaster recovery plans need to include cybersecurity scenarios, the FFIEC adds, and credit unions should join the Financial Services Information Sharing and Analysis Center, or FS-ISAC, the global threat information sharing network created by the financial services industry.
The FFIEC summary report also includes questions examiners can be expected to ask, in areas ranging from crisis management plans to IT audit reports and exception tracking to training and even physical access controls such as key cards and video cameras.
All this is not out of line, one compliance expert observes. “Honestly, these really reflect best practices,” says Pam Perdue, executive vice president for regulatory insight at Continuity Control in New Haven, Conn. “There’s been a lot of confusion about this in the industry. Guidance is tricky in the area of information security and technology, but it’s really about how we are protecting our institutions and their members.”
A Sign Of The Times
Another says it’s a sign of the times. “It’s not just the CIO or CISO’s job anymore, and cybersecurity needs more ‘air time’ than just a quarterly or annual security threat/readiness report,” says Jim Trautwein, a senior director with Arizona-based Cornerstone Advisors. He says the report and others like it “correctly point to the weakest links in the chain — small institutions with limited resources and unprepared workers and members.”
Meanwhile, mobile computing, bring-your-own-device realities, and a remote workforce, Trautwein says, mean “the weakest link has shifted outside of the institutions' walls and is something that few of them have probably delved into enough to understand the risk versus convenience.”
He says credit unions and banks need to have cybersecurity as a standing agenda item in their regular meetings, planning sessions, and management performance reviews. “It’s simply not enough that the CIO or CISO reports that the security program is updated, a risk assessment found a few new items that need to be monitored, and the impact to the institution from a hack like Target or Home Depot,” Trautwein says.
“This gives a board or executive team a false sense of comfort. Ideally, cybersecurity gets the same level of attention as financial performance — which for some is daily,” the Cornerstone consultant says.
“The executives need to set an example by asking the tough questions, educating themselves about what they need to know, networking with others to learn about best practices, emerging threats, what the examiners are asking, and how the risks are shifting,” Trautwein concludes. “Security risk management needs to become cultural so that everyone understands how they mitigate the risk or contribute to it.”
Perdue at Continuity Control adds that the NCUA essentially uses FFIEC guidance as its own in these matters. She adds, “The word ‘guidance’ seems to imply it’s optional. The reality is if you’re not following guidance — if you haven’t put in place a sufficiently controlled environment — then you’re going to be criticized, even to the extent that the regulator could impose some new requirements on you.”
Is this a leading indicator? At one of his first public appearances as the newest NCUA Board member, Mark McWatters said, “A lesson learned for this agency: Spend more time thinking about things like fraud as opposed to regulation.” He was referring to the insider fraud that has taken down a number of smaller credit unions, but perhaps it’s a harbinger of things to come.
As Perdue says of breaches large and small, “Regulators are as embarrassed as anyone when they read these things in the news. That’s especially true for credit unions, whose reputations really can feel much more impact from problems like this than a commercial bank.”
Here’s what examiners currently rely on from the FFIEC Information Technology Examination Handbook:
· Development and Acquisition: http://ithandbook.ffiec.gov/it-booklets/development-and-acquisition.aspx
· Information Security: http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
· Operations: http://ithandbook.ffiec.gov/it-booklets/operations.aspx