NCUA Shares Cybersecurity Top 10 List

ALEXANDRIA, Va.—With NCUA focusing on cybersecurity at credit unions, the agency has outlined key areas on which examiners will focus when analyzing a CU's fraud defense.

The information is shared in the August issue of The NCUA Report, outlining the top 10 areas of focus, including questions that examiners could ask.

They are:

  1. Information security policies: Does the CU have a board-approved information security policy commensurate with the CU's size and complexity and that meets the requirements of NCUA Rules and Regulations Part 748?
  2. Risk assessments: Has management recently performed and documented an information security risk assessment to identify and assess potential threats, their probability, potential effects, and the existing controls and risk remediation plans that the CU has in place?
  3. IT audit: Has management developed an audit plan that addresses all information technology-related areas appropriate to the size and complexity of the CU? This audit plan should also include continuing assessments of internal and external vulnerabilities.
  4. Virus and malware: Are the network and all critical components such as servers, desktops, laptops and other systems running updated virus and malware protection software?
  5. Passwords: Does the CU enforce a strong password policy based on its risk assessments that meets or exceeds industry standards? At a minimum, passwords should be at least eight characters with alphanumeric and special characters required for added strength and complexity.
  6. Business continuity planning and disaster recovery test: Is the plan sufficient, up-to-date and recently tested?
  7. Patch management: Do CU IT personnel manage the installation of all software security patches and updates and ensure that all systems nearing or at the end of their service life are replaced?
  8. Vendor management: Is there a vendor management policy and program that meets the requirements of NCUA Rules and Regulations Part 748?
  9. Information security training: Does the CU have a continuing information security awareness program?
  10. Incident response and crisis management: Is there an updated incident response plan that complies with NCUA Rules and Regulations Part 748, Appendix B?