ALEXANDRIA, Va. — NCUA plans to propose new data security rules for credit unions that would include requiring encryption or password protection for sensitive member data during examinations.
An audit from the regulator's Office of the Inspector General released last week recommended that the regulator issue new data security rules, along with revising its own internal data security protocols and establishing a secure online portal for information sharing.
The NCUA is expected to release the new rules by the end of the year and to have redefined expectations for exam security procedures finalized by July 31.
The audit was spurred by
Instituting better data security policies and procedures for credit union examinations was the No. 1 recommendation listed in the OIG's audit.
The audit recommends that the regulator "Require federally-insured credit unions to provide sensitive, confidential, or personally identifiable electronic credit union member information to NCUA/NCUA staff in an encrypted or otherwise secure manner (e.g., file(s) protected with strong password(s)) whether using the credit unions' own secure tools or measures or using available NCUA secure tools or measures."
Trades Weigh In
Representatives from credit union trade groups said they were in favor of measures that help secure data, as long as they don't create additional regulatory burdens.
"This puts some broad strokes out there, but it's hard to tell certain things from the report," said Lance Noggle, senior director of advocacy and counsel at CUNA.
Carrie Hunt, SVP of government affairs and general counsel at NAFCU, noted that the audit makes seven recommendations, six of which focus on how NCUA can improve its training, policies and procedures for protecting member data.
But the encryption rule "is certainly the one that has the potential to have the most impact on credit unions, depending on what that turns out to look like."
When asked about the benefits of the new rule in providing stronger protections for member data, Noggle replied: "Absent handing the data over to the examiner, the protections in place that the credit union has aren't at issue. It seems to be that the handoff of data caused the problem here. It may be that there's a better way to give data to an examiner.... Even an encrypted thumb drive could be problematic, because the data is still out there leaving the credit union."
Hunt pointed out that Palm Springs FCU didn't cause the data breach.
"While certainly data security is the responsibility of everyone, it certainly can't be overlooked that [in the case of Palm Springs FCU]... NCUA lost this data," she said.
This report follows
Small CU, Big Burden?
While almost all large credit unions have the resources to put data encryption in place, smaller institutions could find themselves with more of a burden once the rule is finalized and implemented, say industry insiders.
"I would imagine that larger credit unions probably would have the ability to push the data out to NCUA in an encrypted way," said Noggle. "The less sophisticated, obviously, the harder it's going to be, and I would hope [NCUA] could offer assistance through OSCUI [the Office of Small Credit Union Initiatives] to help credit unions meet any new requirements."
Low-income CUs can apply for grant funding to increase cybersecurity, including monies to acquire encryption packages or encrypted flash drives, according to NCUA spokesman John Fairbanks. He added that these technologies generally should not be cost-prohibitive to credit unions.
"A commercially available 16 gigabyte FIPS-140-2 Level 3 flash drive can be purchased for under $100," Fairbanks said via e-mail. "This type of drive would prevent access to sensitive data under nearly any circumstances."
Hunt agreed that OSCUI assistance could be beneficial to some CUs, but emphasized that NAFCU's hope is that any NCUA rulemaking will be crafted in a way that isn't burdensome. CUs already follow strict requirements for data protection, she said, adding that a new rule would put the focus on credit unions when it should be on the regulator.
"We think that if a credit union is adequately analyzing its risk then we certainly don't need a new regulation if it's not going to prove to be helpful or if it is specifically designed to regulate one entity as opposed to addressing an issue on the other side," she said.
Hunt's remarks echoed those of Alicia Nealon, director of regulatory affairs at NAFCU, who said in a statement that new encryption rules "would impose unnecessary costs and burdens" on CUs.
"Credit unions must already follow stringent data security and privacy requirements," Nealon said, adding: "Rather than add new additional regulatory burdens on credit unions, NCUA should focus on implementing the Inspector General's recommendations for improving the agency's internal policies and training to better protect the credit union data in its care."
Taking A Cue From CUNA?
NCUA is also continuing to move forward with a web-based portal that will allow secure transfer of sensitive, confidential or personally identifiable electronic credit union member information. That project is expected to be implemented by the end of this year.
NCUA has not provided extensive details on the portal, but
Noggle said the portal "would be a step in the right direction."
"It has to be usable, it has to be secure, and with the majority of our members being small, it has to be something these people can use," he said, noting that smaller CUs also need to be able to align that portal with their core.
NCUA's Fairbanks said the portal is "intended to securely transfer data between credit union and examiner, eliminating the need for most credit unions to transfer data directly to examiners." Fairbanks said there is also a possibility that if the portal is successful it may ultimately lead to reduced data collection for CUs and shorter time on-site for exams, but "the early benefits of such analysis will be limited until NCUA has deployed new examination tools."
For her part, Hunt said that the portal might be a better option than new rulemaking.
"We certainly hope that [NCUA] would give credit unions the tools that they need to access [the portal] effectively and inexpensively," said Hunt.
Whether through data security or a portal or some other method, Hunt and Noggle said the focus needs to be on protecting credit union members' data and ensuring that CUs don't end up being inadvertently punished for something that wasn't their fault. And that starts, they said, with making sure the regulatory burden isn't increased.
"Increasing the burden for small credit unions could mean that they can't do it," said Noggle. "You've added some complication to a very small, limited resource institution that they can't accomplish easily, distracting from whatever else they're doing. We'd like to see something that's accessible to all."
Hunt said that while all parties should always pursue improvements to data security, there isn't currently enough risk to justify new regulation.
"Instead of throwing another rule on the books, we need to look at where the real issue is," she said. "It appears that potentially credit unions are being punished for an issue that stemmed and started at the regulator."