Connecticut Cybersecurity Basics Conference for Credit Unions Director Responsibility - PowerPoint PPT Presentation


PPT – Connecticut Cybersecurity Basics Conference for Credit Unions Director Responsibility PowerPoint presentation | free to view - id: 7cb680-MzJkM


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Connecticut Cybersecurity Basics Conference for Credit Unions Director Responsibility


After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 25
Provided by: nasc151


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Connecticut Cybersecurity Basics Conference for Credit Unions Director Responsibility

Connecticut Cybersecurity Basics Conference for
Credit UnionsDirector Responsibility
  • September 14, 2015

David A. ReedAttorney at LawReed Jolly, 675-9578
The contents of this presentation are intended to
provide you with a general understanding of the
subject matter. However, it is not intended to
provide legal, accounting, or other professional
advice and should not be relied on as such.
What We Will Discuss Today
  • Updates on NCUA and FFIEC guidance on
  • Break down the FFIEC Assessment Tool
  • The role of the Board and Executive Management in
    developing and maintaining a cybersecurity
  • Tips on developing an effective policy

Our New Vocabulary
  • Risk Appetite
  • De-Risking

What We Know
  • Increasing volume and sophistication of cyber
  • Existing cyber security vulnerabilities are known
  • New remote platforms create new opportunities for
    cyber attacks
  • Bad guys evolve as they observe online behavior
  • Evolving malware risks
  • Government sponsored cyber attacks

Recent NCUA Guidance
  • January 15, 2015, NCUA Letter No. 15-CU-01,
    provided guidance to CU Boards of Directors and
    Chief Executive Officers on the NCUA examinations
    in 2015
  • The first item in the guidance letter
  • In 2015, NCUA will redouble efforts to ensure
    that the credit union system is prepared for a
    range of cybersecurity threats.

Recent NCUA Guidance
  • Guidance letter identified 6 proactive measures
    credit unions can take to protect their data and
    their members
  • encrypting sensitive data
  • developing a comprehensive information security
  • performing due diligence over third parties that
    handle credit union data
  • monitoring cybersecurity risk exposure
  • monitoring transactions and,
  • testing security measures.

What Is the FFIEC?
  • The FFIEC comprises key representatives of The
    Board of Governors of the Federal Reserve System,
    Federal Deposit Insurance Corporation, National
    Credit Union Administration, Office of the
    Comptroller of the Currency, Consumer Financial
    Protection Bureau, and State Liaison Committee
    (for state banks and credit unions)
  • When they speak, our world listens!

FFIEC Risk Assessment Tool
  • Goal is to help institutions identify their risks
    and determine their cybersecurity preparedness
  • Assessment Tool provides a repeatable and
    measurable process for institutions to measure
    their cybersecurity preparedness over time
  • Draws on other sources, including
  • FFIEC Information Technology (IT) Examination
  • National Institute of Standards and Technology
    (NIST) Cybersecurity Framework

A Tale of Two Parts
  • The Assessment Tool consists of two parts
  • Inherent Risk Profile
  • Cybersecurity Maturity
  • Make sure you have ALL the tools before you
    initiate the assessment
  • Assessment Tool
  • Users Guide
  • Overview for CEOs and Boards
  • CS Maturity Scale and Inherent Risk Profiles
  • Appendices A and B

Lets Begin
  • To complete the Assessment, management first
    assesses the credit unions Inherent Risk Profile
    based on five categories
  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

It Rhymes! Cybersecurity Maturity
  • After determining the Inherent Risk Profile, the
    credit union transitions to the Cybersecurity
    Maturity part of the Assessment to determine the
    institutions maturity level within each of the
    following five domains
  • Domain 1 Cyber Risk Management and Oversight
  • Domain 2 Threat Intelligence and Collaboration
  • Domain 3 Cybersecurity Controls
  • Domain 4 External Dependency Management
  • Domain 5 Cyber Incident Management and Resilience

The Moving Parts of Security
  • Part 748 Security Program
  • Part 748.1 Filing of Reports
  • Compliance Report
  • Catastrophic Act
  • Suspicious Activity Report
  • Part 748.2 BSA Compliance
  • Establish a compliance program
  • CIP
  • Appendix A Safeguarding Member Information
  • Appendix B Response Program Unauth. Access

Credit Union Regulation
  • Gramm-Leach-Bliley Act (1999)
  • Required NCUA Board to establish appropriate
    standards for federally-insured credit unions
    relating to administrative, technical, and
    physical safeguards for member accounts and
  • Insure security and confidentiality of member
    records and information
  • Protect against any anticipated threats or
    hazards to the security or integrity of such
  • Protect against unauthorized access to or use of
    such records or information that could result in
    substantial harm or inconvenience to any member

Credit Union Regulation
  • NCUA Regulation Part 748
  • Appendix A
  • Requirement to establish and implement
    administrative, technical and physical safeguards
    to protect security, confidentiality and
    integrity of member information

Credit Union Regulation
  • NCUA Regulation Part 748
  • Appendix B
  • Requirement of CU response in the face of an
    unauthorized access to member information
    including potential notification of the member
    and the regulator

Credit Union Regulation
  • NCUA Regulation Part 748
  • CU responsible to fully implement an information
    security program by July 1, 2001.
  • CU must monitor the plan and update the plan
  • The risk assessment must be updated as necessary,
    to account for system changes before they are
    implemented or new products or services before
    they are offered

Board Responsibility
  • Board is responsible for satisfying the specific
    requirements of the regulation designed to ensure
    that the information security program is
    developed, implemented, and maintained
  • Approve written information security program
    (signed off by Board)
  • Oversee implementation and maintenance of the
  • Assign specific responsibility for implementation
  • Review management reports
  • Part 748, Appendix A, Section III.A.

Board Responsibility
  • NCUA Regulation 701.4(b)
  • Director has a duty to
  • Direct managements operations of the Federal
    credit union in conformity with the requirements
    set forth in the Federal Credit Union Act, this
    chapter, other applicable law, and sound business

The Certification
  • The chairperson of the Credit Unions Board of
    Directors is required to certify compliance with
    Part 748 each year. The statement of compliance
    is provided at the bottom of the Credit Union
    Profile Form that is submitted annually to the
    regional director following the credit unions
    election of officials.
  • Source NCUA CU Profile Form 6/14

  • I hereby certify to the best of my knowledge and
    belief that this credit union has developed and
    administers a security program that equals or
    exceeds the standards prescribed by Part 748.0of
    the NCUA Rules and Regulations that such
    security program has been reduced to writing,
    approved by this credit union's Board of
    Directors and this credit union has provided for
    the installation, maintenance, and operation of
    security devices, if appropriate, in each of its
    offices. Further, I certify that I am the
    president or managing official of the credit
    union or that the president or managing official
    has authorized me to make this submission on
    his/her behalf.
  • ______________________________________________

Board Responsibility
  • Not all breaches can be prevented
  • If there is a breach, the CUs security program
    will come under close scrutiny
  • The Board will ultimately be held responsible for
    a deficient security program!