Credit unions are a tremendous force for good, serving the financial needs of consumers and small businesses in communities across our country. They have a reputation for putting the interests of members first, which has earned them a level of trust not widely enjoyed in the financial services industry. It's important to remember that one of the most precious resources that members entrust to their CUs is the sensitive and confidential information that is at the heart of the financial services industry.
It's vital to a CU's mission to be proactive in procuring and properly maintaining technological capabilities that allow convenient member access while ensuring sound controls over the security of members' sensitive information. A strong cyber security program helps reduce vulnerability to cyber threats while preventing unauthorized access to sensitive and confidential member information.
Cyber-attacks present a real and growing threat to the financial services industry and to the payments landscape. Financial institutions are among the favorite targets due to the wealth of sensitive and confidential information in their possession.
Accordingly, credit union boards of directors and managers should begin their cyber security efforts with an objective, expert assessment of the comprehensiveness and effectiveness of the credit union's existing security infrastructure relative to the sensitivity and confidentiality of information in its possession. An analysis of the threat environment in combination with an objective assessment of the control environment provides a sound basis for developing a comprehensive and resilient security plan.
Because building and maintaining a safe and resilient technology infrastructure can be costly, CUs may consider leveraging one of their strongest areas of competitive advantage — that being collaboration with their peers. While hardware and applications are costly (and even the best hardware and applications, when used incorrectly, can fall far short of the intended objective of preserving confidential member information), hiring and retaining the expertise to most effectively deploy and refresh the technology are often more costly and challenging.
While there is no regulatory expectation that CU board members be security experts, the board is responsible for oversight of the development, implementation, and maintenance of the credit union's information security program, to include approval of written information security policies.
In support of this oversight role, credit union management must report at least annually to the board of directors on the status of the credit union's program and compliance with guidelines codified in the appendices to 12 CFR Part 748, which are Appendix A, "Guidelines for Safeguarding Member Information," and Appendix B, "Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice."
In its Supervisory Focus for 2014, NCUA identified cybersecurity threats among its highest priority areas of examination focus, noting that "Credit unions of all sizes will be expected to implement appropriate risk mitigation controls... to better prevent, detect, and recover from cyber-attacks."
Credit unions exist to provide consumers and small businesses quality financial services at competitive pricing in a member-centric manner. It's essential that credit unions undertake every reasonable effort to minimize disruptions in the availability of financial services to members while ensuring that the confidentiality of member information is protected from unauthorized access or inappropriate use. These efforts should be undertaken in service to the membership — not just to satisfy state and federal regulatory requirements. Credit unions are trusted advisors and an invaluable resource to members. Maintaining that trust requires commitment by credit union boards of directors and management to properly and prudently invest in infrastructure that protects sensitive and confidential information that members entrust to their credit union.
To learn more about industry best practices as well as regulatory requirements and expectations for cyber security, visit the National Association of State Credit Union Supervisors (NASCUS) website at www.nascus.org, and register for the NASCUS Cyber Security Symposium, which will be held Nov. 13-14 at the Hyatt Arlington, located at 1325 Wilson Blvd., in Arlington, Va.
Stephen S. Pleger is senior deputy commissioner for the Georgia Department of Banking and Finance. He currently serves as chairman of the NASCUS Board. He can be reached at spleger@dbf.state.ga.us, or by phone at (770) 986-1629.
