BreachExchange mailing list archives
Why Data Security—and Third-Party Vendors—Is an NCUA Priority
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 29 Jan 2016 14:54:02 -0700
http://www.cujournal.com/news/opinions/why-data-securityand-third-party-vendorsis-an-ncua-priority-1025583-1.html

We've all become used to, and perhaps overwhelmed by, headlines about major data breaches at financial institutions, retail firms, health care organizations, credit rating companies and government agencies. Hacks at JP Morgan Chase, Dow Jones, Home Depot, Target, health insurer Anthem, and the Office of Personnel Management exposed personal data from tens of millions of Americans to fraudsters and other criminals.

Every day you hear about another data breach or electronic fraud stemming from a theft or breach of data. Increasingly, small and medium credit unions are targeted by ever more capable cyber criminals and other groups with bad intentions. More than ever before, small and medium credit unions need to be aware and prepared to deal with the damage caused by third-party breaches, as well as attacks on their own systems.

You may have heard of Lin Mun Poo, a Malaysian hacker, arrested by the FBI and sentenced to 10 years in prison for hacking into the Cleveland Federal Reserve and possessing 400,000 stolen card numbers. Less well-known was the fact that he also possessed files from a small credit union vendor, including member files from several credit unions held on that vendor's servers.

The threat to credit unions is real and growing. Reliance on third-party service providers allows credit unions to offer broader services and improve convenience to members cost-effectively. But it also adds a complex risk dimension to systems and consumer information for credit unions to manage.

Estimates of the dollar costs of cyberattacks vary, but the numbers are always staggering. Most recently, the Ponemon Institute, a privacy and information security research organization, pegged the annual cost of cybercrime at large U.S. companies alone at $15.4 million, up 19% from a year earlier.
Estimates for the economy as a whole run into the multiple billions of dollars.

Today, people understand, or they should understand, that protecting their personal information needs to be part of their routine lives. The financial institutions they trust to protect their finances also have a major responsibility to take every prudent precaution to keep data safe.

Credit unions remain vulnerable to the threat of cyberattacks from cybercriminals. When the Federal Financial Institutions Examination Council conducted a cyber security assessment, it found opportunities to enhance overall institutional and system security. FFIEC recently created a cybersecurity assessment tool to help financial institutions assess the capability of their security and identify gaps. NCUA, for its part, maintains a cybersecurity resources page with a large amount of detailed information.

For the past two years, NCUA has made cybersecurity in credit unions a top priority for its supervision activities. NCUA field staff focus on protective measures credit unions can and should take to protect their information and the personal information of members, including:

- Encrypting sensitive data
- Developing a comprehensive information security policy
- Performing due diligence over third parties that handle credit union data
- Monitoring transactions and cybersecurity risk exposure
- Testing security measures

NCUA is particularly aware of the role played by third-party vendors who provide information and security functions for credit unions, such as the vendor mentioned above, and the agency is also mindful of the potential vulnerabilities they may have. Unlike our fellow bank regulators, NCUA does not have authority to examine those third parties and enforce improvements where deficiencies are evident.
NCUA's lack of authority increases the need and expectation that credit unions are performing comprehensive due diligence for all critical vendors to ensure their sensitive member information is appropriately protected.

Good security is an evolutionary process that depends heavily on people (your staff and members). Establishing good policies and procedures, educating staff across your organization and also educating your members can significantly improve your preparedness at little or no additional cost.

NCUA is responsible for protecting a credit union system with more than $1.2 trillion in assets and the more than 102 million accounts Americans have opened with federally insured credit unions. In a world growing more interconnected by the day, and with cyber criminals growing more sophisticated by the day, cyber security must continue to be a top priority for this agency and the credit unions we regulate and insure.