ALEXANDRIA, Va. (8/20/14)--With National Credit Union Administration examiners trying to identify and assess cybersecurity risks, the agency has released a list of cybersecurity areas examiners look at. The information is featured in this month's The NCUA Report.
The assessment includes the following questions:
- Does the credit union have a board-approved information security policy commensurate with its size and complexity that meets the NCUA requirements?
- Has management recently performed and documented an information security risk assessment to identify threats and assess potential effects, and are risk-remediation plans in place?
- Are the network and critical components such as servers and computers running updated virus and malware protection software?
- Does the credit union have a password policy that meets or exceeds industry standards? According to the NCUA, this means passwords with at least eight alphanumeric and special characters; and
- Is there a vendor management program, information security awareness training program, incident response and crisis management plan, and do they comply with NCUA regulations?
The article also recommends credit union management consider the possibility of cybersecurity insurance, which should cover costs associated with business interruptions, legal fees, public relations initiatives and hiring of additional staff or vendors.
A recent Ponemon Institute study cited by the agency estimates the average cost of a data breach is $3.5 million, which includes costs for investigations, notifications to members and reissuing credit and debit cards.
The NCUA Report also featured monthly commentary from Chair Debbie Matz. Her column listed several aspects of the agency's risk-based capital proposal that would likely be changed in response to feedback received through comment letters and the three Listening Sessions held during the summer.
She acknowledged that all risk weights in the proposal should be reviewed, and that the agency is considering lowering risk weights for investments, mortgages, member business loans, credit union service organizations and corporate credit unions.
"Examiners would have to undergo a rigorous process to convince their supervisory examiner, regional director and ultimately the NCUA board, if they believe a credit union needs to hold more capital than required by regulation," she wrote.
She also said the rule's implementation period will go "well beyond" the originally proposed 18 months, and that this would give the NCUA enough time to update the call report system, train examiners on the revised rule and allow affected credit unions time to adjust their balance sheets.
Also in this issue:
- A summary of the agency's fixed-assets proposal;
- An update on the Office of Small Credit Union Initiatives FAQ+ search engine;
- A summary of the $1.1 million in mid-year operating budget reductions;
- A report on economic growth and rising interest rates;
- The basics of media relations for credit union management; and
- Information about the NCUA's video series on preventing fraud.