WASHINGTON–The head of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection told credit unions here that when it comes to cybersecurity, there is one area where many organizations, including credit unions, often come up short.
In response to an audience member asking about how often CUs should be stress-testing their own systems, Brian Peretti said the answer to that is to first know the credit union’s own level of risk tolerance. But there is another issue that is often overlooked, he said.
“You should also stress-test your response,” Peretti said. “I suggest you probably have a board retreat and walk through the response and recovery program.”
When it comes to cybersecurity, Treasury is as dependent upon organizations providing feedback as those organizations are on Treasury, he said.
The First Thing
“The first thing we talk about is engagement: How do we go out and talk to you about what you need, what your challenges are and how we can meet them?” he told NAFCU’s Congressional Caucus. “We ask over and over again for feedback. If it’s important to you we want to know that. And if it’s important to you there are probably a lot of other organizations that have that same challenge.”
Peretti said Treasury has sought to be more proactive, especially in addressing cyberthreats before they manifest themselves. “We take very seriously the threats to the financial system. We work very hard to encourage firms to get the best information possible,” he said.
Peretti said there are three systemic issues Treasury has focused on:
- Reducing the frequency and impact of cyberbreaches
- Accelerating response times
- Improving information sharing and collection
‘Don’t Get Blindsided’
“We are doing all of that first by looking at vulnerabilities and asking how we can increase resiliency,” said Peretti, who prior to joining Treasury was general counsel for Wright Patman Congressional FCU and worked in the same building that houses NAFCU’s headquarters in Arlington, Va. “The second piece of that is third-party risk management. How can we help you to manage those better and know the risks inherent there? And the third thing we work on there is exercises, including response and recovery plans. A crisis is not a good time to find out whether a process or a phone works. We want to stress-test the thoughts going into a process. We want to know how we can provide you more information so you don’t get blindsided.”
