Connecticut Cybersecurity Basics Conference for Credit Unions Director Responsibility

1
Connecticut Cybersecurity Basics Conference for
Credit UnionsDirector Responsibility

• September 14, 2015

2
David A. ReedAttorney at LawReed Jolly,
PLLCdavid_at_reedandjolly.com(703) 675-9578
3
The contents of this presentation are intended to
provide you with a general understanding of the
subject matter. However, it is not intended to
provide legal, accounting, or other professional
advice and should not be relied on as such.
4
What We Will Discuss Today

• Updates on NCUA and FFIEC guidance on
  cybersecurity
• Break down the FFIEC Assessment Tool
• The role of the Board and Executive Management in
  developing and maintaining a cybersecurity
  program
• Tips on developing an effective policy

5
Our New Vocabulary

• Risk Appetite
• De-Risking

6
What We Know

• Increasing volume and sophistication of cyber
  threats
• Existing cyber security vulnerabilities are known
• New remote platforms create new opportunities for
  cyber attacks
• Bad guys evolve as they observe online behavior
• Evolving malware risks
• Government sponsored cyber attacks

7
Recent NCUA Guidance

• January 15, 2015, NCUA Letter No. 15-CU-01,
  provided guidance to CU Boards of Directors and
  Chief Executive Officers on the NCUA examinations
  in 2015
• The first item in the guidance letter
  Cybersecurity
• In 2015, NCUA will redouble efforts to ensure
  that the credit union system is prepared for a
  range of cybersecurity threats.

8
Recent NCUA Guidance

• Guidance letter identified 6 proactive measures
  credit unions can take to protect their data and
  their members
• encrypting sensitive data
• developing a comprehensive information security
  policy
• performing due diligence over third parties that
  handle credit union data
• monitoring cybersecurity risk exposure
• monitoring transactions and,
• testing security measures.

9
What Is the FFIEC?

• The FFIEC comprises key representatives of The
  Board of Governors of the Federal Reserve System,
  Federal Deposit Insurance Corporation, National
  Credit Union Administration, Office of the
  Comptroller of the Currency, Consumer Financial
  Protection Bureau, and State Liaison Committee
  (for state banks and credit unions)
• When they speak, our world listens!

10
FFIEC Risk Assessment Tool

• Goal is to help institutions identify their risks
  and determine their cybersecurity preparedness
  (maturity)
• Assessment Tool provides a repeatable and
  measurable process for institutions to measure
  their cybersecurity preparedness over time
• Draws on other sources, including
• FFIEC Information Technology (IT) Examination
  Handbook
• National Institute of Standards and Technology
  (NIST) Cybersecurity Framework

11
A Tale of Two Parts

• The Assessment Tool consists of two parts
• Inherent Risk Profile
• Cybersecurity Maturity
• Make sure you have ALL the tools before you
  initiate the assessment
• Assessment Tool
• Users Guide
• Overview for CEOs and Boards
• CS Maturity Scale and Inherent Risk Profiles
• Appendices A and B

12
Lets Begin

• To complete the Assessment, management first
  assesses the credit unions Inherent Risk Profile
  based on five categories
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

13
It Rhymes! Cybersecurity Maturity

• After determining the Inherent Risk Profile, the
  credit union transitions to the Cybersecurity
  Maturity part of the Assessment to determine the
  institutions maturity level within each of the
  following five domains
• Domain 1 Cyber Risk Management and Oversight
• Domain 2 Threat Intelligence and Collaboration
• Domain 3 Cybersecurity Controls
• Domain 4 External Dependency Management
• Domain 5 Cyber Incident Management and Resilience

14
The Moving Parts of Security

• Part 748 Security Program
• Part 748.1 Filing of Reports
• Compliance Report
• Catastrophic Act
• Suspicious Activity Report
• Part 748.2 BSA Compliance
• Establish a compliance program
• CIP
• Appendix A Safeguarding Member Information
• Appendix B Response Program Unauth. Access

15
Credit Union Regulation

• Gramm-Leach-Bliley Act (1999)
• Required NCUA Board to establish appropriate
  standards for federally-insured credit unions
  relating to administrative, technical, and
  physical safeguards for member accounts and
  information
• Insure security and confidentiality of member
  records and information
• Protect against any anticipated threats or
  hazards to the security or integrity of such
  records
• Protect against unauthorized access to or use of
  such records or information that could result in
  substantial harm or inconvenience to any member

16
Credit Union Regulation

• NCUA Regulation Part 748
• Appendix A
• Requirement to establish and implement
  administrative, technical and physical safeguards
  to protect security, confidentiality and
  integrity of member information

17
Credit Union Regulation

• NCUA Regulation Part 748
• Appendix B
• Requirement of CU response in the face of an
  unauthorized access to member information
  including potential notification of the member
  and the regulator

18
Credit Union Regulation

• NCUA Regulation Part 748
• CU responsible to fully implement an information
  security program by July 1, 2001.
• CU must monitor the plan and update the plan
• The risk assessment must be updated as necessary,
  to account for system changes before they are
  implemented or new products or services before
  they are offered

19
Board Responsibility

• Board is responsible for satisfying the specific
  requirements of the regulation designed to ensure
  that the information security program is
  developed, implemented, and maintained
• Approve written information security program
  (signed off by Board)
• Oversee implementation and maintenance of the
  program
• Assign specific responsibility for implementation
• Review management reports
• Part 748, Appendix A, Section III.A.

20
Board Responsibility

• NCUA Regulation 701.4(b)
• Director has a duty to
• Direct managements operations of the Federal
  credit union in conformity with the requirements
  set forth in the Federal Credit Union Act, this
  chapter, other applicable law, and sound business
  practices.

21
The Certification

• The chairperson of the Credit Unions Board of
  Directors is required to certify compliance with
  Part 748 each year. The statement of compliance
  is provided at the bottom of the Credit Union
  Profile Form that is submitted annually to the
  regional director following the credit unions
  election of officials.
• Source NCUA CU Profile Form 6/14

22

• I hereby certify to the best of my knowledge and
  belief that this credit union has developed and
  administers a security program that equals or
  exceeds the standards prescribed by Part 748.0of
  the NCUA Rules and Regulations that such
  security program has been reduced to writing,
  approved by this credit union's Board of
  Directors and this credit union has provided for
  the installation, maintenance, and operation of
  security devices, if appropriate, in each of its
  offices. Further, I certify that I am the
  president or managing official of the credit
  union or that the president or managing official
  has authorized me to make this submission on
  his/her behalf.
• ______________________________________________
• VOLUNTEERS NAME HERE

23
Board Responsibility

• Not all breaches can be prevented
• If there is a breach, the CUs security program
  will come under close scrutiny
• The Board will ultimately be held responsible for
  a deficient security program!

24
Questions?