Lindsey Richardson said she finds herself in the unusual position of a compliance consultant calling for more regulation of her clients.

Richardson is a compliance officer for PolicyWorks, an affiliate of the Iowa Credit Union League that works with about 100 credit unions and a dozen leagues across the country. She was referring to a pilot program now underway by the Federal Financial Institutions Examination Council.

The program calls for FFIEC members–the Office of the Comptroller of the Currency, the Federal Reserve Board, the FDIC, the CFPB and the NCUA–to include cybersecurity issues in regularly scheduled exams at more than 500 community institutions, including credit unions.

“Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training,” the FFIEC said in its announcement.

The FFIEC cybersecurity review comprises 40 separate requests for information presented in four areas: cyber risk management and oversight, cybersecurity controls, external dependency management, and threat intelligence and collaboration.

Examiners ask about such topics as crisis management plans and business impact analyses, job descriptions, IT audit reports and exception tracking, cybersecurity training, physical access controls (key cards, biometrics, video cameras), network security controls such as patch management and vulnerability assessments, and access by and management of third-party vendors.

“FFIEC members will continue to assess the risks of cyberattacks to financial institutions and use the information gathered through a number of sources to determine the appropriate next steps and identify potential gaps in financial supervision,” the council said.

That may be a good thing, Richardson said.

“This is one instance where I hope examiners will find something so we can all come together as an industry to create a more secure environment. A few years ago, you would see controls such as dual-factor authentication as a sufficient security program. Nowadays it's trending toward multifactor authentication, biometrics and more,” the PolicyWorks compliance officer said.

“With all the data breaches and the new products and services that are coming out every day, this is definitely an area where more controls are needed,” Richardson said, adding that she doesn't know of any clients of her firm that have yet been part of the pilot examination project.


That's not the case at Ongoing Operations, a provider of business continuity services to about 450 credit unions through data centers in Maryland, Phoenix and the New York City area, whose senior leader said he, too, saw potential benefits growing from the pilot program.

“A surprising number of our clients have mentioned it,” said its founder and CEO, Kirk Drake, whose company, as a CUSO, faces ongoing examinations of its own. “At first glance, the requests for information seem to simply mirror all of the stuff they request in a normal audit. I think if they are better able to assess credit unions' cybersecurity risk and push credit unions to improve their risk posture, it would be good.”

That positive view isn't universal. “Personally, I think the program is well intended but focused on the wrong industry,” said Gaye DeCesare, president of COMPASS 4 CUs, a subsidiary of the $321 million Belvoir Federal Credit Union in Woodbridge, Va.

“For the most part, financial institutions are not the problem. We understand our responsibilities and we have security in place. Some do it better than others, but until the merchants are held accountable for breaches, no amount of additional security at financial institutions will solve the problem,” added DeCesare, who said her firm provides regulatory compliance help to 23 credit unions in 11 states and testing, training and risk assessments to another 15 to 20 credit unions each year.

“Cybersecurity compliance takes an enormous amount of resources in time and money. Some credit unions feel they can't offer online banking or debit and credit cards because the compliance burden is too high,” she said. “So they are denied opportunities to grow.”

DeCesare said it's hard to tell right now how any resulting new rules would affect credit unions. “It's a learning year for regulators. They'll be asking more questions and using that information as the basis for future exams and presumably new guidelines or rules,” the COMPASS 4 CUs president said.

“Generally speaking, it will affect credit unions by imposing more requirements, resulting in more expense, with little to show for it,” she said. “You can add layers of security to existing secure systems, but does that really make you more secure?”

DeCesare said none of her clients had been contacted so far and that she was told the same at a recent meeting of the Capital Compliance Roundtable. “None of the D.C. metro-area credit unions represented there was part of the pilot. I've heard that approximately half of the financial institutions will be credit unions, but I haven't heard who.”

John Fairbanks, public affairs specialist at the NCUA, said he did not have the number of participating credit unions. “The pilot will be conducted over several weeks this summer and we will have a representative sample of credit unions in it,” he said, stressing that the added queries will be part of normal examinations.

Fairbanks said if an examiner identifies problems covered under existing guidance and rules, those would be addressed in the exam. “There will be no issue based on the results of the assessment, but if the assessment identifies a weakness based on existing policy, that will be addressed,” he said.

“It's important to understand this is an initial pilot test of an enhanced work plan. This is an assessment tool and the NCUA is not imposing any new requirements on credit unions. No new requirements or expectations result from this review,” Fairbanks added.

Drake at Ongoing Operations concluded, “In general, I think we are on the verge of a major philosophical shift in cybersecurity and a major increase in threats. The industry and threats are moving to a constant state of attacks, and the requirement is that credit unions will need to have a tool kit designed to mitigate the threats on an ongoing basis.

“If the examiners are able to understand this shift and help credit unions prepare and acquire the tool kit, I think it will be effective.”

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.