Failing To Patch Things Up
Who says credit union board members and technology don't mix?
An overflow crowd packed one session during NAFCU's annual meeting here entitled, "Security Issues: Thinking Like A Board Member."
The gist of what they were told: Board members have a fundamental responsibility to monitor their credit union's IT security, yet the information they are getting may be inaccurate and woefully out of date.
And that's unlikely to change, noted Michael P. Flaherty, executive VP, general counsel and chief administrative officer with XACTA/Telos Corp., Ashburn, Va.
"Software is now the lifeblood of financial institutions," he told the assembled directors. "Most of the problems in IT security are the result of poorly written software and code. But when was the last time you heard of a lawsuit over an IT breach? Where is the liability? Who has the liability? Both consumers and institutions have not had the leverage."
Flaherty noted that when the federal government gave out grades for computer security, the Department of Homeland Security was given an F. "And they are in charge of computer security," he said.
"It's not that people don't have a security plan," Flaherty said. "The real issue is how do you test it. Is there some type of dashboard to monitor it? Even if NCUA says you are in compliance and you are a CAMEL 1, there is no guarantee you won't be sued due to some third-party relationship."
Flaherty shared with his audience the "three I's" he said his own father had shared with him: "You are not as intelligent as you think you are, you are not as invincible as you think you are, and you are not as invisible as you think you are."
He stressed that "software patches" seldom are sufficient. "If it takes six months to get the software patch out, what's been happening in the meantime?" he said of computer vulnerabilities. "And those are just the patches for the situations you know about. What about all those you don't know about; what about the ones the software writers don't want to admit to? Do you ever ask at a board meeting about patches? We're assured that they're getting done and that's it, but our IT folks are not getting timely information."
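The two questions Flaherty raises, "is there some type of dashboard to monitor it" and whether patches are actually getting done on time, can be answered with a small amount of bookkeeping. The script below is an added example, not code from the article, from Telos or from any credit union; it assumes per-severity deadlines (the `PATCH_SLA_DAYS` values are illustrative, not a regulatory standard) and uses a handful of constructed patch records with made-up system names and patch identifiers. It reports, for a board-level view, how many patches are outstanding, how many have blown their deadline, how long the oldest gap has been open, and how many were deployed but late. That last figure is the one the "we're assured they're getting done" answer hides.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum days allowed between vendor release and deployment, by severity.
# Assumed thresholds for this example only; set them from your own policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class PatchRecord:
    system: str                 # constructed system name
    patch_id: str               # constructed identifier, not a real advisory
    severity: str               # key into PATCH_SLA_DAYS
    released: date              # date the vendor published the patch
    deployed: Optional[date]    # None while the patch is still outstanding


def days_exposed(rec: PatchRecord, as_of: date) -> int:
    """Days between patch release and deployment (or until as_of if still open)."""
    end = rec.deployed or as_of
    return (end - rec.released).days


def is_overdue(rec: PatchRecord, as_of: date) -> bool:
    """Still outstanding and past its severity deadline."""
    return rec.deployed is None and days_exposed(rec, as_of) > PATCH_SLA_DAYS[rec.severity]


def was_late(rec: PatchRecord, as_of: date) -> bool:
    """Deployed, but only after the deadline had already passed."""
    return rec.deployed is not None and days_exposed(rec, as_of) > PATCH_SLA_DAYS[rec.severity]


def board_summary(records, as_of: date) -> dict:
    """Roll the record set up into the handful of numbers a board can act on."""
    outstanding = [r for r in records if r.deployed is None]
    overdue = [r for r in outstanding if is_overdue(r, as_of)]
    late = [r for r in records if was_late(r, as_of)]
    oldest = max((days_exposed(r, as_of) for r in outstanding), default=0)
    return {
        "total": len(records),
        "outstanding": len(outstanding),
        "overdue": len(overdue),
        "deployed_late": len(late),
        "oldest_outstanding_days": oldest,
        "overdue_systems": sorted(r.system for r in overdue),
    }


# Constructed sample data for the example; none of these are real systems or advisories.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    PatchRecord("core-banking", "PATCH-001", "critical", date(2024, 5, 20), date(2024, 5, 24)),
    PatchRecord("online-banking", "PATCH-002", "critical", date(2024, 5, 10), None),
    PatchRecord("mail-gateway", "PATCH-003", "high", date(2024, 5, 15), None),
    PatchRecord("file-server", "PATCH-004", "medium", date(2024, 1, 15), None),
    PatchRecord("hr-portal", "PATCH-005", "high", date(2024, 3, 1), date(2024, 5, 30)),
]


if __name__ == "__main__":
    summary = board_summary(SAMPLE_RECORDS, AS_OF)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Fed by an export from whatever tracks patch deployment, this gives a director a single page to ask about each meeting: the count of overdue items and the age of the oldest one are the figures that expose a six-month gap, and the late-deployment count shows whether "done" also meant "done on time".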