ARLINGTON, Va.—It’s no secret NCUA examiners are putting increased emphasis on cybersecurity.
It’s also no secret why: data breaches have become rampant, and a significant breach at a credit union could do far more harm than to just its reputation.
“Security and privacy of member information is a paramount consideration and required by law,” said Tim Segerson, NCUA’s deputy director of Examination and Insurance. “It is also critical to maintain confidence in the financial system.”
The agency is aware of the expense to credit unions of investing in cybersecurity upgrades, which could affect the future of many CUs (see related item). But that doesn’t mean those investments can be put off.
Segerson explained that CU “cost and burden” are in part driven by the evolving threat landscape and in part by the level of complexity and potential exposure a specific credit union possesses.
“Good security starts with adopting strong controls and practices, which are not costly but require discipline,” said Segerson. “Examples include a strong patching regime, member and employee awareness, strong credential management, and a good continuity plan that is practiced frequently, including all critical operational functions and connections.”
Segerson said there have been no changes in any regulatory requirements in the cybersecurity area. “However, as we refine the examination approach, examiners will review cybersecurity strategies and make recommendations for improvement.”
Sources who spoke to CUToday.info acknowledged they understand NCUA’s desire to increase cybersecurity across credit unions and that the agency is working diligently so a major breach does not occur. Yet there is concern that not all examiners—particularly safety and soundness field staff—have a strong ability to analyze a credit union’s security processes and make recommendations that are effective but reasonable.
Examiner ‘Checklist’
A concern of sources is that examiners may be following a “checklist” more than they are partnering with the CU to understand the security environment and internal processes to recommend needed changes that also fit within the CU’s bottom line.
Several analysts pointed to the fact that JPMorgan Chase plans over the next five years to double its $250-million annual spending on cybersecurity, and yet that bank has been breached.
“So how much do you spend?” said one CU executive, who asked not to be named. “What is reasonable? You can’t eliminate risk but you can spend a lot of the membership’s money trying.”
Jonathan Hughes, managing partner and senior executive IT auditor at Compass IT Compliance, an IT audit firm, said he would not challenge credit union claims that some examiners appear to be following a checklist regarding cybersecurity recommendations. “A lot of the examiners are younger and are sent out to the field with a pad and pen and go through a checklist.”
Hughes, as well, said he would not challenge claims some examiners are not focusing on the reality of the costs associated with cybersecurity recommendations. “I am not sure that examiners think that when they say, ‘Put this program in place,’ that it may cost a credit union tens of thousands of dollars. In a perfect world I don’t think anyone would disagree with the value of recommendations to prevent crime, but I think we need to deal with the economics of this situation, as well. It’s a balancing act.”
One CU executive, asking for anonymity, feels CUs will be better off when examiners, in addition to their cybersecurity training, receive education in strategic planning and risk management within the IT area.
“Instead of managing risk from risk assessment and risk management perspectives, we are now managing risk through audit and examiner findings,” the source stated. “And no risk manager wants to be in that position. That is where the problem is.”
NCUA’s ‘Risk-Based’ Approach
The concern over safety and soundness examiners lacking a strong understanding of the IT area to make all the right decisions was posed to Segerson.
At the recent NASCUS Credit Union Cyber Security Symposium, Segerson stated the agency is taking a “risk-based approach” to cybersecurity exams instead of adding a large number of specialized examiners.
“NCUA continues, as a steward of industry resources, to operate as efficiently as possible while properly addressing emerging industry risk,” Segerson told CUToday.info. “As the interrelationships, interconnectivity, and complexity of risks grow, NCUA will continue to refine approaches, guidance, policies and resources to meet those needs. We have consistently placed resources to address risk appropriately while maintaining cost effectiveness. NCUA will continue to monitor, evaluate and adapt to the changing landscape.”
Segerson explained that NCUA, in general, maintains three levels of examiners: safety and soundness examiners who possess a working knowledge of the issues, specialized examiners who possess an intermediate knowledge of the subject matter, and specialists who possess expert knowledge of the subject matter.
“All three levels of examiners work seamlessly to effectively supervise risk in a specific subject area,” Segerson said. “All of NCUA’s examiners are capable. As we move forward, we will continue to evaluate risks, and risk metrics and adjust supervisory policies accordingly.”
Paul Reymann, from McGovern Smith Advisors in Washington, believes NCUA is taking the proper approach with its field team on cybersecurity exams. Reymann contends the agency provides the entire field staff with the necessary IT training, but brings in specialized examiners for more difficult situations.
“You have the bulk of the team trained to go in and identify any red flags and then have subject matter experts available for more challenging situations,” said Reymann.
Reymann considered it unrealistic for NCUA to extensively “retrain an army of examiners” on one specific area, such as IT. “But make sure you have the subject matter expert a call, a flight, or a drive away. And I see that happening in the field.”
Reymann also said he has seen NCUA bring on more IT security experts. The agency’s 2015 budget accounts for a cybersecurity manager in the Office of Examination and Insurance.
Cybersecurity Costs Will Climb Further
Sources indicated cybersecurity costs will climb even higher as the findings from the FFIEC’s recent cybersecurity assessment of 500 financial institutions (http://www.cutoday.info/Fresh-Today/FFIEC-Releases-Cybersecurity-Assessment) filter down to regulators, leading examiners to recommend even more IT changes.
As part of its increased focus on cybersecurity, NCUA in January issued a Letter to Credit Unions (14-CU-02) that outlined where the agency will focus during exams. The letter stated field staff will evaluate credit unions’ ability to assess and mitigate cybersecurity risk and respond to cyber-attacks: “Credit unions of all sizes will be expected to implement appropriate risk mitigation controls – including vendor due diligence, strong password processes, proper patch management and network monitoring – to better prevent, detect, and recover from cyber-attacks.”
Asked if the recent FFIEC study will impact examinations, NCUA spokesperson John Fairbanks responded, “Our examination process, while NCUA-specific, is built with the same building blocks as the other agencies and is based on FFIEC’s IT Examination Handbooks. Examiners and specialized examiners refer to the handbooks and use them as resources when expanded reviews are in order. So NCUA is consistent with the handbooks.”
However, one CU staffer, aware of what NCUA examiners are looking at now and of the recommendations being made, warned that the FFIEC study is already impacting examiner decisions. “The effects of the FFIEC study are coming our way, and they aren’t cheap.”