BreachExchange mailing list archives

Why Data Security—and Third-Party Vendors—Is an NCUA Priority


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 29 Jan 2016 14:54:02 -0700

http://www.cujournal.com/news/opinions/why-data-securityand-third-party-vendorsis-an-ncua-priority-1025583-1.html

We've all become used to, and perhaps overwhelmed by, headlines about major
data breaches at financial institutions, retail firms, health care
organizations, credit rating companies and government agencies. Hacks at JP
Morgan Chase, Dow Jones, Home Depot, Target, health insurer Anthem, and the
Office of Personnel Management exposed personal data from tens of millions
of Americans to fraudsters and other criminals.

Every day you hear about another data breach or electronic fraud stemming
from a theft or breach of data. Increasingly, small and medium credit unions
are targeted by ever more capable cyber criminals and other groups with bad
intentions. More than ever before, small and medium credit unions need to
be aware and prepared to deal with the damage caused by third-party
breaches, as well as attacks on their own systems.

You may have heard of Lin Mun Poo, a Malaysian hacker arrested by the FBI
and sentenced to 10 years in prison for hacking into the Cleveland Federal
Reserve and possessing 400,000 stolen card numbers. Less well-known was the
fact that he also possessed files from a small credit union vendor,
including member files from several credit unions held on that vendor's
servers.

The threat to credit unions is real and growing. Reliance on third-party
service providers allows credit unions to offer broader services and
improve convenience to members cost-effectively. But it also adds a complex
risk dimension to systems and consumer information for credit unions to
manage.

Estimates of the dollar costs of cyberattacks vary, but the numbers are
always staggering. Most recently, the Ponemon Institute, a privacy and
information security research organization, pegged the annual cost of
cybercrime at large U.S. companies alone at $15.4 million, up 19% from a
year earlier. Estimates for the economy as a whole run into the multiple
billions of dollars.

Today, people understand, or they should understand, that protecting their
personal information needs to be part of their routine lives. The financial
institutions they trust to protect their finances also have a major
responsibility to take every prudent precaution to keep data safe.

Credit unions remain vulnerable to the threat of cyberattacks from
cybercriminals. When the Federal Financial Institutions Examination Council
conducted a cyber security assessment, it found opportunities to enhance
overall institutional and system security. FFIEC recently created
a cybersecurity assessment tool to help financial institutions assess the
capability of their security and identify gaps. NCUA, for its part,
maintains a cybersecurity resources page with a large amount of detailed
information.

For the past two years, NCUA has made cybersecurity in credit unions a top
priority for its supervision activities. NCUA field staff focus on
protective measures credit unions can and should take to protect their
information and the personal information of members, including:

Encrypting sensitive data,
Developing a comprehensive information security policy,
Performing due diligence over third parties that handle credit union data,
Monitoring transactions and cybersecurity risk exposure, and
Testing security measures.

NCUA is particularly aware of the role played by third-party vendors who
provide information and security functions for credit unions, such as the
vendor mentioned above, and the agency is also mindful of the potential
vulnerabilities they may have. Unlike our fellow bank regulators, NCUA does
not have authority to examine those third parties and enforce improvements
where deficiencies are evident. NCUA's lack of authority increases the need
and expectation that credit unions are performing comprehensive due
diligence for all critical vendors to ensure their sensitive member
information is appropriately protected.

Good security is an evolutionary process that depends heavily on people
(your staff and members). Establishing good policies and procedures,
educating staff across your organization and also educating your members
can significantly improve your preparedness at little or no additional cost.

NCUA is responsible for protecting a credit union system with more than
$1.2 trillion in assets and the more than 102 million accounts Americans
have opened with federally insured credit unions. In a world growing more
interconnected by the day, and with cyber criminals growing more
sophisticated by the day, cyber security must continue to be a top priority
for this agency and the credit unions we regulate and insure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/