Removing Barriers Blog

FFIEC Cybersecurity Assessment Tool Should Remain Voluntary
Posted September 17, 2015 by CUNA Advocacy

Credit unions understand the significance of a cyber or data breach and “take very seriously their responsibility to safeguard their members’ information from such threats,” CUNA stated in a letter to the Office of the Comptroller of the Currency, which is collecting comments on behalf of the Federal Financial Institutions Examination Council (FFIEC). As required by the Paperwork Reduction Act, the FFIEC is currently soliciting input on the reporting burden associated with its recently released Cybersecurity Assessment Tool.

CUNA supports the FFIEC’s focus on the importance of cybersecurity and its effort to develop resources for use by FFIEC-regulated entities. Further, we appreciate the FFIEC’s recent work to create a comprehensive tool dedicated to cybersecurity. However, as stated in our letter, we have a number of concerns with the Assessment.

In regard to the reporting burden, we believe the FFIEC’s estimate of 80 hours to complete the Assessment is “severely understated.” While the Assessment is currently voluntary, the NCUA and other FFIEC agencies have indicated that they will begin incorporating the Assessment into institutions’ exams in the near future. CUNA urges the NCUA to maintain the Assessment as a voluntary tool that credit unions can use for guidance.

The Assessment spells out a number of expectations for financial institutions’ boards of directors. Since, unlike other financial institutions, credit unions have volunteer boards, we ask NCUA, in coordination with the FFIEC, to limit the specific board responsibilities as detailed in the Assessment.

Lastly, if the Assessment becomes mandatory, as the agencies have indicated, we urge NCUA and others to solicit input from the public. It is critical that NCUA, as credit unions’ prudential regulator as well as a member of the FFIEC, fully vet the Assessment, including through a thorough review of public comments from credit unions and other stakeholders.