NCUA Signals New Emphasis On Cybersecurity Risk In 2014

ALEXANDRIA, Va. — Cybersecurity risk is set to be a critical area of focus for NCUA in 2014.

The agency announced as much in a recent Letter to Credit Unions, and Tim Segerson, deputy director in the NCUA's Office of Examination and Insurance, told Credit Union Journal that while the agency has long been interested in the topic, it will be increasing its emphasis there in 2014.

"A lot of attention has been paid to the remnants of the mortgage market crisis — credit unions are heavy investors and carriers of consumer mortgages, and it has been a challenging few years for them. That created maybe a greater focus on financial challenges, and we want to increase the focus and awareness related to information security and cyber security," said Segerson.

Size Doesn't Matter
Segerson explained that it has become increasingly clear in the last year or so "that even proportionally small players in the marketplace can be targeted by hackers, cyber terrorists and cybercriminals.... Our goal here is to increase awareness and reinforce that with the institutions we supervise so that we don't have major problems in this area."

NCUA will be working in concert with the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity and Critical Infrastructure Working Group, which includes not only NCUA but also the FDIC, CFPB, Federal Reserve and others.

The plan, explained Segerson, is for the regulators to meet to discuss topics where guidance is needed, with individual agencies proposing topics and then — if the group as a whole agrees with the proposal — establishing guidance. If the group does not want to take up that topic, individual agencies may establish their own guidance.

Segerson emphasized that most of the guidance will likely be uniform across the financial services industry, since in most cases a cybersecurity best practice for a credit union is also a best practice for a bank, and vice versa.

Similarly, he said, most of the cybersecurity issues credit unions face are the same regardless of the size of the CU. While the very smallest CUs, those with a minimal web presence that offer neither cards nor web banking, may face different risks than a multi-billion-dollar credit union, CUs of all sizes offer many of the same tech-related products and services and so face similar risks.

"When you're talking about the same basic technologies and the same basic good practices for managing security and establishing good internal controls, those are universal across all institutions [regardless of size]," he said.

When it comes to exams, Segerson said that the agency is working on two fronts. Last year, he said, NCUA established a new set of exam steps for e-banking that will soon be put in place, and the agency will continue to increase its emphasis on delivery channels such as mobile banking, on protecting member information, and on credit unions' systems and security.

Because a great many credit unions rely on third parties for various services, the regulator is also planning to increase emphasis on ensuring that those that touch member data have good internal controls and present hardened targets for cyber criminals.

From an examination perspective, Segerson said, the bottom line is ensuring that all CUs "have policies and procedures in place that are appropriate for the size and representative risk of that institution."

For smaller, less tech-oriented institutions, that means an emphasis on how they're managing internal security, including access controls, patch management, firewall management and dual controls.

All institutions, including larger CUs, said Segerson, need good incident-response programs in addition to making sure effective third-party due diligence programs are in place. NCUA also expects larger CUs to have "much more in-depth programs to ensure that you have larger amounts of dollars and personally identifiable information... as protected as best it can be," said Segerson. "Security is never 100% assured; it's always a situation where you can go to the Nth power to try to secure information and never get a 100% guarantee. But it should be reasonable given the size and level of risk in those institutions."

That means starting with a risk assessment and then compartmentalizing and identifying the information that is most sensitive and at greatest risk, along with layering and enhancing security procedures around areas where the most sensitive information can be accessed, he added.

Starting Soon
NCUA and the FFIEC working group will likely begin to issue guidance sometime during the second quarter, Segerson said, adding that this is not a new topic for the regulator.

"There's a full body of information out there. This is not something we've ignored," he said. "As a matter of fact, we probably have more Letters to Credit Unions and Supervisory Letters in this area than any other topic."

Part of what the agency is doing now, Segerson said, is going back through that material to determine where there are gaps or where updates are needed as a result of advancements in technology.

