ALEXANDRIA, Va.–While the NCUA board was getting an update on cyber-threats to credit unions, one member of the board wanted to know what can be done about inside jobs.
Johnny E. Davis Jr., special advisor to the chairman for cybersecurity and division director, Critical Infrastructure, provided the industry update to the board and addressed a broad array of external threats.
But NCUA Vice Chairman Kyle Hauptman noted the biggest losses to the share insurance fund have been due to internal fraud by employees, including the massive loss from embezzlement by the CEO of CBS Employees FCU and other smaller thefts.
What can be done about those? Hauptman asked.
“I think in addition to the fraud programs we have in place at NCUA that are represented within credit unions, I believe there is an opportunity within our required exam criteria to increase the emphasis on privacy and access management controls that would allow us to monitor fraud,” responded Davis.
Fraud is often caused by failures related to inappropriate access privileges and separation of duties, Davis continued, including ensuring the person who cuts any check isn’t the person who authorizes that check.
NCUA-Hosted Forum Suggested
Davis also advocated for improved insider threat programs. He noted September is National Insider Threat Awareness Month, while October is National Cybersecurity Month, and he suggested the agency host a forum with credit unions similar to the kinds of tabletop exercises it already hosts “where we can talk through best practices in implementing an insider threat program.”
Such an initiative, he added, could also show trends about behaviors so credit unions can identify abnormalities within their environments.
Davis said the National Institute of Standards and Technology (NIST) also offers resources on guarding against inside threats.
