Connecticut Cybersecurity Basics Conference for Credit Unions
Director Responsibility
September 14, 2015
The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such.
Updates on NCUA and FFIEC guidance on cybersecurity
Break down the FFIEC Assessment Tool
The role of the Board and Executive Management in developing and maintaining a cybersecurity program
Tips on developing an effective policy
What We Will Discuss Today
Risk Appetite
De-Risking
Our New Vocabulary
Increasing volume and sophistication of cyber threats
Existing cyber security vulnerabilities are known
New remote platforms create new opportunities for cyber attacks
Bad guys evolve as they observe online behavior
Evolving malware risks
Government sponsored cyber attacks
What We Know
January 15, 2015, NCUA Letter No.: 15-CU-01, provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015
The first item in the guidance letter: Cybersecurity
“In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.”
Recent NCUA Guidance
Guidance letter identified 6 “proactive measures credit unions can take to protect their data and their members:
◦ encrypting sensitive data;
◦ developing a comprehensive information security policy;
◦ performing due diligence over third parties that handle credit union data;
◦ monitoring cybersecurity risk exposure;
◦ monitoring transactions; and,
◦ testing security measures.”
Recent NCUA Guidance
The FFIEC comprises key representatives of The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee (for state banks and credit unions)
When they speak, our world listens!
What Is the FFIEC?
Goal is to help institutions identify their risks and determine their cybersecurity preparedness (maturity)
Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time
Draws on other sources, including:
◦ FFIEC Information Technology (IT) Examination Handbook
◦ National Institute of Standards and Technology (NIST) Cybersecurity Framework
FFIEC Risk Assessment Tool
The Assessment Tool consists of two parts:
1. Inherent Risk Profile
2. Cybersecurity Maturity
Make sure you have ALL the tools before you initiate the assessment:
◦ Assessment Tool
◦ User’s Guide
◦ Overview for CEOs and Boards
◦ CS Maturity Scale and Inherent Risk Profiles
◦ Appendices A and B
A Tale of Two Parts
To complete the Assessment, management first assesses the credit union’s Inherent Risk Profile based on five categories:
◦ Technologies and Connection Types
◦ Delivery Channels
◦ Online/Mobile Products and Technology Services
◦ Organizational Characteristics
◦ External Threats
Let’s Begin
After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains:
◦ Domain 1: Cyber Risk Management and Oversight
◦ Domain 2: Threat Intelligence and Collaboration
◦ Domain 3: Cybersecurity Controls
◦ Domain 4: External Dependency Management
◦ Domain 5: Cyber Incident Management and Resilience
It Rhymes! Cybersecurity Maturity
Part 748 Security Program
Part 748.1 Filing of Reports
◦ Compliance Report
◦ Catastrophic Act
◦ Suspicious Activity Report
Part 748.2 BSA Compliance
◦ Establish a compliance program
◦ CIP
Appendix A Safeguarding Member Information
Appendix B Response Program – Unauthorized Access
The Moving Parts of Security
Gramm-Leach-Bliley Act (1999)
◦ Required NCUA Board to establish appropriate standards for federally-insured credit unions relating to administrative, technical, and physical safeguards for member accounts and information:
 Insure security and confidentiality of member records and information
 Protect against any anticipated threats or hazards to the security or integrity of such records
 Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any member
Credit Union Regulation
NCUA Regulation Part 748
◦ Appendix A: Requirement to establish and implement administrative, technical and physical safeguards to protect security, confidentiality and integrity of member information
Credit Union Regulation
NCUA Regulation Part 748
◦ Appendix B: Requirement of CU response in the face of an unauthorized access to member information, including potential notification of the member and the regulator
Credit Union Regulation
NCUA Regulation Part 748
◦ CU responsible to fully implement an information security program by July 1, 2001.
◦ CU must monitor the plan and update the plan
◦ The risk assessment must be updated as necessary, to account for system changes before they are implemented or new products or services before they are offered
Credit Union Regulation
Board is responsible for satisfying the specific requirements of the regulation designed to ensure that the information security program is developed, implemented, and maintained:
◦ Approve written information security program (signed off by Board)
◦ Oversee implementation and maintenance of the program
 Assign specific responsibility for implementation
 Review management reports
Source: Part 748, Appendix A, Section III.A.
Board Responsibility
NCUA Regulation 701.4(b)
◦ Director has a duty to direct management’s operations of the Federal credit union in conformity with the requirements set forth in the Federal Credit Union Act, this chapter, other applicable law, and sound business practices.
Board Responsibility
“The chairperson of the Credit Union’s Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union’s election of officials.”
Source: NCUA CU Profile Form 6/14
The Certification
I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf.
______________________________________________
VOLUNTEER’S NAME HERE
Not all breaches can be prevented
If there is a breach, the CU’s security program will come under close scrutiny
The Board will ultimately be held responsible for a deficient security program!
Board Responsibility
Questions?