WASHINGTON—With cybersecurity becoming a growing concern for CUs, CUNA’s compliance team outlined what credit unions should do in the event of a data breach.
Credit unions must have a response system that includes procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member, CUNA stated. At a minimum, it said, a credit union’s response program should contain procedures for:
- Assessing the nature and scope of an incident.
- Notifying the appropriate NCUA regional director, and, in the case of federally insured state-chartered credit unions, its applicable state supervisory authority, as soon as possible.
- Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report in situations involving federal criminal violations requiring immediate attention.
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence.
- Notifying members when warranted, as mentioned above.
“When an incident of unauthorized access to member information involves member information systems maintained by a contracted service provider, it is the credit union’s responsibility to notify its members and regulator,” CUNA added. “However, a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.”
