NCUA Shares What’s Ahead For Technology & Security Exams

At right, Tim Segerson

ALEXANDRIA, Va.–NCUA has offered an update on the types of technology and security examinations that lie ahead for credit unions, with new examination procedures currently scheduled for approximately a year from now.

During the agency’s board meeting Thursday, Tim Segerson, deputy director of NCUA’s Office of Examination and Insurance, and Wayne H. Trout, supervisor, Division of Critical Infrastructure & Cybersecurity with the agency, noted the digital security environment remains a “fairly fluid environment” and that the market is marked by new disruptions from “every side.”

To illustrate that disruption “from every side,” the presenters used a chart from Fortune.com.

“The threat that exists for financial services continues to grow and mature,” said Segerson in a presentation to the board. “Something that has become evident in recent years is that well-funded and organized organizations are now capable of compromising organizations at will and of doing major exfiltrations, disruptions and damage. By sheer numbers they could strip mine vulnerabilities, especially in unprepared institutions.”

Crooks Focusing On Smaller FIs

Segerson said that as larger institutions, especially banks, have invested in improved security, cyberthieves have increasingly focused on smaller institutions, including credit unions. Trout noted that a number of credit unions, for instance, have been the targets of ransomware attacks.

“We have the expectation we are going to see growing risks in this area for our institutions and the institutions we insure,” said Segerson.

NCUA Board Member Mark McWatters asked both staff representatives about what credit unions should really expect from this process.

“If I’m running a credit union, I’m worried about cybersecurity, and I’m constantly working on this,” said McWatters. “At the same time I have a regulator coming in, and they are going to examine me and set a best practices standard as to how well I’m doing my cybersecurity duties. So my question is, before you start doing this in 2017, what kind of guidance will the credit union community receive in how you’re going to conduct a cybersecurity exam?”

Segerson responded by saying, “It’s still going to take us the better part of nine months to a year to pull the trigger on the formal examination process. At that point our goal is to conduct outreach to the industry and to be perfectly transparent as to how we want to approach this examination process. Our plan is to fully share the tools, which is essentially a guided exam process for the examiner. It takes each of the 494 statements in the CAT and breaks that down into general terms. (We will also make clear) the types of documents an examiner should expect to see. Our goal is not to use a hammer with institutions or to have DORs, but to have a continuing discussion. We will be founded in what has been our established guidance that is out there today, or regulatory requirements.”

Risk Trends

During their presentation to the board, Segerson and Trout listed the risk trends the agency is seeing:

  • Existing vulnerabilities continue to be exploited.
  • New platforms create new ways to exploit FIs and consumers.
  • Lines between cyber actors are blurring as attack tools are commercialized.
  • Interconnectivity is expanding the sources of risk.
  • Technology advances speed of transactions and minimize intermediaries.
  • Use of social networking enables more effective and targeted attacks.
  • Malware continues to evolve and now includes data destruction, encryption and back-office functions.
  • Global unrest results in U.S. symbols, including financial institutions, being targeted.

NCUA is not going it alone in bringing new cybersecurity exams and requirements to its insured credit unions. The agency is part of the Cybersecurity Critical Infrastructure Working Group (CCIWG), which in 2014 created the first cybersecurity assessment tool (CAT).

According to Trout, the objective of the FFIEC Cybersecurity Assessment Tool is to help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.

FFIEC Tool

The FFIEC Cybersecurity Assessment Tool has five risk-profile levels (Least, Minimal, Moderate, Significant and Most). The type, volume and complexity of an institution’s operations, and the threats directed at it, determine its risk level, explained Trout.

“One thing to take away is this comparison of inherent risk levels can be created for each component, outcome or domain,” said Trout.

According to Segerson, the CAT is not mandatory. “It’s voluntary, but something we discussed among the agencies over what a good first step would be,” said Segerson.

Segerson said the agency’s overall objectives are to:

  • Build internal awareness and capacity.
  • Drive industry awareness and resilience.
  • Take a structured approach toward resilience and industry “hardening” using scalable expert systems/tools.
  • Stimulate an ongoing industry dialogue.
  • Improve knowledge and data to make informed supervisory decisions.

(L-R) Mark McWatters, Rick Metsger

Overall, the objective, he added, is to measure the risk to every component of the digital footprint, and to have examiners conduct the reviews as they become increasingly capable of developing skills and insights into digital security.

Segerson said the baseline examiner review will primarily focus on compliance, such as with NCUA Reg. 748 around privacy. A specialized examiner review will be a risk-focused, targeted review, as will the higher-level specialist review.

“It’s likely examiners will ask for things they may not have asked for before,” said Segerson.

CAT Reviews

Segerson offered some insights into what’s ahead with CAT Reviews. He said more data will be requested in advance; an advance review of the available information will take place; and there will be an initial risk classification as well as an initial attribute identification.

During the exam, he said, there will be new discussions in new areas and a review of results, with the output verified; the examiner will also observe and verify activity-based attributes.

Post-exam steps will aggregate data across the industry and institutional features, and will be used to inform the supervisory process and industry guidance.

NCUA is in the process of developing more extensive examiner training, said Segerson. The agency will test field reviews and data collection through mid-2017. It will test the tool and the processes for improvements in the early third quarter of 2017, and then will do a process rollout in Q3 or Q4 of 2017.

NCUA said that “should-do’s” for credit unions include:

  • Commit to effective security.
  • Identify a comprehensive risk-management approach.
  • Identify risks and risk posture.
  • Identify its strengths and weaknesses.
  • Benchmark current and desired future state.
  • Implement a plan.
  • Set expectations and monitor external dependencies.


NAFCU, CUNA Respond

NAFCU said it appreciates NCUA keeping the use of the FFIEC Tool voluntary.

“With the agency’s recently adopted use of the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool during credit union exams, we are gratified the agency has heeded our concerns and plans to keep the use of the tool voluntary for credit unions,” said NAFCU Executive Vice President of Government Affairs and General Counsel Carrie Hunt.

CUNA said the trade association encourages NCUA to be as transparent as possible while finalizing the exam standards so that credit unions can have certainty with what to expect.

“We’re pleased the NCUA continues to view the cybersecurity assessment tool as voluntary, and hope the agency continues working to reduce the examination burden on credit unions,” said Elizabeth Eurgubian, CUNA’s deputy chief advocacy officer.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/NCUA-Shares-What-s-Ahead-For-Technology-Security-Exams