Title: Connecticut Cybersecurity Basics Conference for Credit Unions Director Responsibility
Connecticut Cybersecurity Basics Conference for Credit Unions: Director Responsibility
David A. Reed, Attorney at Law
Reed & Jolly, PLLC
david_at_reedandjolly.com
(703) 675-9578
The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such.
What We Will Discuss Today
- Updates on NCUA and FFIEC guidance on cybersecurity
- Break down the FFIEC Assessment Tool
- The role of the Board and Executive Management in developing and maintaining a cybersecurity program
- Tips on developing an effective policy
Our New Vocabulary
What We Know
- Increasing volume and sophistication of cyber threats
- Existing cybersecurity vulnerabilities are known
- New remote platforms create new opportunities for cyber attacks
- Bad guys evolve as they observe online behavior
- Evolving malware risks
- Government-sponsored cyber attacks
Recent NCUA Guidance
- January 15, 2015: NCUA Letter No. 15-CU-01 provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015
- The first item in the guidance letter: Cybersecurity
- In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.
Recent NCUA Guidance
- The guidance letter identified six proactive measures credit unions can take to protect their data and their members:
  - encrypting sensitive data
  - developing a comprehensive information security policy
  - performing due diligence over third parties that handle credit union data
  - monitoring cybersecurity risk exposure
  - monitoring transactions, and
  - testing security measures
What Is the FFIEC?
- The FFIEC comprises key representatives of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee (for state banks and credit unions)
- When they speak, our world listens!
FFIEC Cybersecurity Assessment Tool
- Goal is to help institutions identify their risks and determine their cybersecurity preparedness (maturity)
- The Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time
- Draws on other sources, including:
  - FFIEC Information Technology (IT) Examination Handbook
  - National Institute of Standards and Technology (NIST) Cybersecurity Framework
A Tale of Two Parts
- The Assessment Tool consists of two parts:
  - Inherent Risk Profile
  - Cybersecurity Maturity
- Make sure you have ALL the tools before you initiate the assessment:
  - Assessment Tool
  - User's Guide
  - Overview for CEOs and Boards
  - Cybersecurity Maturity Scale and Inherent Risk Profiles
  - Appendices A and B
Let's Begin
- To complete the Assessment, management first assesses the credit union's Inherent Risk Profile based on five categories:
  - Technologies and Connection Types
  - Delivery Channels
  - Online/Mobile Products and Technology Services
  - Organizational Characteristics
  - External Threats
It Rhymes! Cybersecurity Maturity
- After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution's maturity level within each of the following five domains:
  - Domain 1: Cyber Risk Management and Oversight
  - Domain 2: Threat Intelligence and Collaboration
  - Domain 3: Cybersecurity Controls
  - Domain 4: External Dependency Management
  - Domain 5: Cyber Incident Management and Resilience
The Moving Parts of Security
- Part 748: Security Program
- Part 748.1: Filing of Reports
  - Compliance Report
  - Catastrophic Act
  - Suspicious Activity Report
- Part 748.2: BSA Compliance
  - Establish a compliance program
  - CIP (Customer Identification Program)
- Appendix A: Safeguarding Member Information
- Appendix B: Response Program for Unauthorized Access to Member Information
Credit Union Regulation
- Gramm-Leach-Bliley Act (1999)
- Required the NCUA Board to establish appropriate standards for federally insured credit unions relating to administrative, technical, and physical safeguards for member accounts and information:
  - Insure the security and confidentiality of member records and information
  - Protect against any anticipated threats or hazards to the security or integrity of such records
  - Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any member
Credit Union Regulation
- NCUA Regulation Part 748, Appendix A
  - Requirement to establish and implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information
Credit Union Regulation
- NCUA Regulation Part 748, Appendix B
  - Requirement of a CU response in the face of an unauthorized access to member information, including potential notification of the member and the regulator
Credit Union Regulation
- NCUA Regulation Part 748
  - CUs were required to fully implement an information security program by July 1, 2001
  - The CU must monitor the plan and update the plan
  - The risk assessment must be updated as necessary, to account for system changes before they are implemented or new products or services before they are offered
Board Responsibility
- The Board is responsible for satisfying the specific requirements of the regulation designed to ensure that the information security program is developed, implemented, and maintained:
  - Approve the written information security program (signed off by the Board)
  - Oversee implementation and maintenance of the program
  - Assign specific responsibility for implementation
  - Review management reports
- Source: Part 748, Appendix A, Section III.A.
Board Responsibility
- NCUA Regulation 701.4(b)
- A director has a duty to "direct management's operations of the Federal credit union in conformity with the requirements set forth in the Federal Credit Union Act, this chapter, other applicable law, and sound business practices."
The Certification
- The chairperson of the Credit Union's Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union's election of officials.
- Source: NCUA CU Profile Form 6/14
- "I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf."
- ______________________________________________
- VOLUNTEER'S NAME HERE
Board Responsibility
- Not all breaches can be prevented
- If there is a breach, the CU's security program will come under close scrutiny
- The Board will ultimately be held responsible for a deficient security program!
Questions?