Responding to recent distributed denial-of-service attacks on at least two credit unions, the NCUA on Wednesday released a risk alert that it said identifies appropriate policies and procedures to guard against them.
It is the first risk alert released in 2013; no risk alerts were released in 2012.
The regulator advised credit unions to employ controls described in the 2011 FFIEC supplement to guidance on Authentication in an Internet Banking Environment.
NCUA rules and regulations already require credit unions to monitor systems to detect actual and attempted attacks on, or intrusions into, member information systems.
“As the goal of DDoS attacks is causing service outages rather than stealing funds or data, typical network security controls – such as firewalls and intrusion detection and prevention systems – may offer inadequate protection,” NCUA Chairman Debbie Matz said in the bulletin, which is posted on the regulator’s website.
However, the NCUA also noted in the risk alert that DDoS attacks may be paired with attempts to steal member funds or data.
Credit unions significantly affected by DDoS or other cyber attacks should notify their NCUA regional office or state supervisory authority and, when applicable, follow regulatory notification procedures, the agency said.
The alert suggested credit unions mitigate DDoS risk by performing risk assessments, ensuring incident response programs include a DDoS attack scenario, and performing ongoing third-party due diligence, in particular on Internet and Web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.
Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information, the NCUA said. The NCUA also encouraged credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center.
In addition, the NCUA said the United States Computer Emergency Readiness Team provides information on the methods used to launch attacks and risk mitigation tactics to reduce their impact.