Cybersecurity Pilot Program Added to Exams
Lindsey Richardson said she finds herself in the unusual position of a compliance consultant calling for more regulation of her clients.
Richardson is a compliance officer for PolicyWorks, an affiliate of the Iowa Credit Union League that works with about 100 credit unions and a dozen leagues across the country. She was referring to a pilot program now underway by the Federal Financial Institutions Examinations Council.
The program calls for FFIEC members (the Office of the Comptroller of the Currency, the Federal Reserve Board, the FDIC, the CFPB and the NCUA) to include cybersecurity issues in regularly scheduled exams at more than 500 community institutions, including credit unions.
“Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training,” the FFIEC said in its announcement.
The FFIEC cybersecurity review comprises 40 separate requests for information presented in four areas: cyber risk management and oversight; cybersecurity controls; external dependency management; and threat intelligence and collaboration.
Examiners ask about such topics as crisis management plans and business impact analyses, job descriptions, IT audit reports and exception tracking, cybersecurity training, physical access controls (key cards, biometrics, video cameras), network access controls such as patch management and vulnerability assessments, and access by and management of third-party vendors.
“FFIEC members will continue to assess the risks of cyberattacks to financial institutions and use the information gathered through a number of sources to determine the appropriate next steps and identify potential gaps in financial supervision,” the council said.
That may be a good thing, Richardson said.
“This is one instance where I hope examiners will find something so we can all come together as an industry to create a more secure environment. A few years ago, you would see controls such as dual-factor authentication as a sufficient security program. Nowadays it's trending toward multifactor authentication, biometrics and more,” the PolicyWorks compliance officer said.
“With all the data breaches and the new products and services that are coming out every day, this is definitely an area where more controls are needed,” Richardson said, adding that she doesn't know of any clients of her firm that have yet been part of the pilot examination project.
That's not the case at Ongoing Operations, a provider of business continuity services to about 450 credit unions through data centers in Maryland, Phoenix and the New York City area. Its senior leader said he, too, saw potential benefits growing from the pilot program.
“A surprising number of our clients have mentioned it,” said its founder and CEO, Kirk Drake, whose company faces ongoing examinations of its own as a CUSO. “At first glance, the requests for information seem to simply mirror all of the stuff they request in a normal audit. I think if they are better able to assess credit unions’ cybersecurity risk and push credit unions to improve their risk posture, it would be good.”
That positive view isn't universal. “Personally, I think the program is well intended but focused on the wrong industry,” said Gaye DeCesare, president of COMPASS 4 CUs, a subsidiary of the $321 million Belvoir Federal Credit Union in Woodbridge, Va.
“For the most part, financial institutions are not the problem. We understand our responsibilities and we have security in place. Some do it better than others, but until the merchants are held accountable for breaches, no amount of additional security at financial institutions will solve the problem,” added DeCesare, who said her firm provides regulatory compliance help to 23 credit unions in 11 states and testing, training and risk assessments to another 15 to 20 credit unions each year.
“Cybersecurity compliance takes an enormous amount of resources in time and money. Some credit unions feel they can't offer online banking or debit and credit cards because the compliance burden is too high,” she said. “So they are denied opportunities to grow.”
DeCesare said it's hard to tell right now how any resulting new rules would affect credit unions. “It's a learning year for regulators. They’ll be asking more questions and using that information as the basis for future exams and presumably new guidelines or rules,” the COMPASS 4 CUs president said.
“Generally speaking, it will affect credit unions by imposing more requirements, resulting in more expense, with little to show for it,” she said. “You can add layers of security to existing secure systems, but does that really make you more secure?”
DeCesare said none of her clients had been contacted so far and that she was told the same at a recent meeting of the Capital Compliance Roundtable. “None of the D.C. metro-area credit unions represented there was part of the pilot. I’ve heard that approximately half of the financial institutions will be credit unions, but I haven't heard who.”
John Fairbanks, public affairs specialist at the NCUA, said he did not have the number of participating credit unions. “The pilot will be conducted over several weeks this summer and we will have a representative sample of credit unions in it,” he said, stressing that the added queries will be part of normal examinations.
Fairbanks said if an examiner identifies problems covered under existing guidance and rules, those would be addressed in the exam. “There will be no issue based on the results of the assessment but if the assessment identifies a weakness based on existing policy, that will be addressed,” he said.
“It's important to understand this is an initial pilot test of an enhanced work plan. This is an assessment tool and the NCUA is not imposing any new requirements on credit unions. No new requirements or expectations result from this review,” Fairbanks added.
Drake at Ongoing Operations concluded, “In general, I think we are on the verge of a major philosophical shift in cybersecurity and a major increase in threats. The industry and threats are moving to a constant state of attacks, and the requirement is that credit unions will need to have a tool kit designed to mitigate the threats on an ongoing basis.
“If the examiners are able to understand this shift and help credit unions prepare and acquire the tool kit, I think it will be effective.”