Seeking Answers, Getting Questions
Don't look to examiners to clarify exactly how and when credit unions should protect member information under new national and industry data security guidelines, an NCUA panel of seven told 120 information technology (IT) managers here as part of the first annual Credit Union IT Risk Management Summit.
The meeting was hosted by the Credit Union Information Security Professionals Association (CUISPA).
Instead, CUs should turn to their security risk assessments and vendors for further guidance in authenticating members and encrypting data, said the panel during the Summit's Information Security Compliance session.
Beyond the three-page November guidance Letter to Credit Unions and the Rules and Regulations Part 748 Appendices A & B, which mirror FFIEC guidance in outlining requirements for multi-factor authentication, "the NCUA doesn't have anything in the works to give additional guidance," said Dominick Nigro, Information Systems Officer for the NCUA Office of Examination and Insurance.
Credit unions have been scrambling, ahead of the Dec. 31 FFIEC deadline, to figure out which tools meet the regulations, which require financial institutions to implement strong authentication for members who log on to websites to conduct high-risk transactions.
In addition, CUs must shoulder the responsibility of encrypting high-risk data, whether that data is at rest or in transit, according to the NCUA guidance. For example, core system data is likely to be high-risk, yet it is often left exposed: no third-party core system offers encryption for data both at rest and in transit, the summit participants agreed.
Credit unions at the CUISPA event said they aren't sure which solutions will satisfy the FFIEC and NCUA. At this point, choosing data security solutions is a "roll of the dice," asserted one credit union IT manager at the summit.
"You're telling us we have to implement multi-factor authentication online, but you can't give us a recommendation on how to do it or who is already doing it correctly," Carol Cheek, vice president, Information Technology, for the Missouri Credit Union Association told the panel. "We're left in the lurch."
The NCUA won't publish a list of suitable authentication solutions, nor will it establish industry standards for data encryption, said the panel.
"We can't take a cookie-cutter approach and make a basic recommendation because there are so many sizes of credit unions, each with different risks," as well as different budgets, said Gerry Wyland, Regional Information Security Officer (RISO) for NCUA Region II in Alexandria, Va.
"If we do make recommendations, people take it that we're endorsing a specific product or vendor, and that's not what we do," Nigro added. "We're in business to make sure credit unions have the controls in place to securely provide services to their memberships."
The NCUA this year will begin using a new battery of questionnaires as part of an IT exam program to verify whether CUs have implemented effective information security controls, he continued.
The NCUA panel urged credit unions to look to one another for guidance. "You've got a great group of people to contact right here at this summit," suggested panelist Wayne Trout, RISO for NCUA Region IV in Dallas.
CUs could unite to evaluate vendor products, suggested Summit participants. Nigro agreed: "Forming a user group to conduct a vendor analysis offers a lot of value in terms of cost. But each credit union in that user group needs to look at the results of the analysis and see what it may need that is different from the other users in that group."
Wyland added that CUs should also "hold vendors' feet to the fire to meet the requirements" of multi-factor authentication and data encryption.
To determine how and when to protect data in its own environment, each credit union should complete a periodic, customized risk assessment, the panel emphasized.
"The key is risk assessment and developing some expertise in establishing the risk levels" of each transaction or business process at the credit union, said panelist Elias Perez, NCUA Information Systems Examiner for the Office of Corporate CUs in Alexandria, Va.
For example, Internet banking transactions and new member enrollments are most likely high-risk and would require controls, Nigro said.
The panelists described various approaches to assessing risk across the organization, pointing out that the process should focus on risk, not on compliance with regulations.
"A simplified approach is to take probability and multiply it by impact to get your risk rating, and then categorize your risks as high, medium and low," suggested panelist Patrick Truett, RISO for NCUA Region 3 in Knoxville, Tenn.
For info on this story:
* CUISPA at www.cuispa.org
* NCUA at www.ncua.gov