The vulnerability of United States financial institutions to cybersecurity attacks remains top of mind for credit union executives, professionals and, most importantly, the NCUA. As such, it is no surprise that credit unions and the NCUA are focusing their efforts on managing the associated risks. It is critical to the success of these efforts that credit unions understand their legal requirements and, in particular, include cybersecurity as a key component of their due diligence in mergers and acquisitions. With a firm understanding of these requirements, credit union executives can enhance their due diligence process with questions that yield valuable data on the cybersecurity risks of their own organization and of those they may wish to acquire.
Foundational Legal Requirements and Considerations
To begin, credit unions need to start with the basics. The ways in which credit union member information is collected, processed, transferred, stored, retained and protected through the required security programs must be fully understood. Both in daily practice and as part of a merger or acquisition, these legal requirements and established controls serve as goal posts that help credit unions identify cybersecurity risks and compliance issues.
Under 12 CFR Part 748, credit unions are required to develop a written information security program to protect themselves from robberies, burglaries, larcenies and embezzlement. Within this security program, credit unions are further required to ensure the security and confidentiality of member records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member. The credit union must also be able to respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member, and be able to assist in the identification of persons who commit or attempt such actions or crimes. Finally, credit unions must prevent destruction of vital records and properly dispose of consumer information they maintain or possess under the law.
The Guidelines for Safeguarding Member Information contained in Appendix A to Part 748 set forth the standards required by sections 501 and 506(b) of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801 and 6805(b). These guidelines provide standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of member information. In addition, the guidelines address standards for the proper disposal of consumer information pursuant to sections 621(b) and 628 of the Fair Credit Reporting Act. Member information maintained by or on behalf of federally insured credit unions, along with the proper disposal of such information, is subject to the guidelines as well.
Thus, it is essential to understand what vulnerabilities and weaknesses may exist within the data environment prior to acquisition, from both a cyber-risk and a legal compliance perspective. Only by combining this knowledge with a thorough understanding of the specific vulnerabilities and complexities of the credit union’s data environment can a credit union ensure that appropriate representations, warranties and remedies are drafted into the agreement of merger or acquisition. Doing so is vital to protecting the acquiring or merging credit union, and a missed step in the process has often proven detrimental in other industries where cybersecurity risks are also prevalent. Understanding the nuances of the data environment is also crucial to the post-acquisition process, during which separate data environments are absorbed and integrated and the current compliance programs are expanded to accommodate the newly acquired or merged systems. This essential exercise requires knowledge sufficient to mitigate and remediate any previously identified risks.
Nine Essential Privacy and Security Diligence Requests
1. Request descriptions of the security controls in place for each of the target credit union’s member data collection platforms. Understanding the existing security framework for how member data is collected can quickly reveal the maturity of the credit union’s security program and the compliance framework surrounding it. To the extent controls are weak or underdeveloped, this could be a red flag in the early stages of the deal. Moreover, to the extent a third party is responsible for hosting, operating or maintaining the credit union’s data collection platform, the underlying agreements should be closely reviewed by counsel.
2. Request all third-party vendor agreements, along with copies of any vendor data security protocols or requirements related to those agreements. The credit union should be fully aware of the extent to which vendors obtain, process or store consumer data on its behalf. Attorneys will need to closely examine those agreements to ensure the target credit union accurately represents the extent to which third parties access and manage the “data supply chain.” Additionally, the underlying agreements should be scrutinized to ensure they adequately address liability and any legal obligations in the event of a breach or mishandling of the credit union’s data.
3. Request copies of all documented information governance guidelines and standards, including information governance categories and the retention and destruction requirements for each classification. A key element in the early stages of the deal is to understand where data resides and how it is governed within the credit union, and to investigate whether such data is governed in accordance with applicable law. A well-developed, legally compliant information governance program makes the location and life cycle of the key documents necessary for the transaction simple and easy to identify. Conversely, if there is no data governance program, the parties can expect added time, cost and effort in due diligence, which may delay closing.
4. Ask for summaries of the credit union’s internal or external risk assessments and risk management program documents, FFIEC cybersecurity assessment tool results and NCUA examiner evaluation reports, including copies of any reports issued in connection with them, for the last five years. These documents are due diligence gold and can pinpoint the location of any potential “land mines.” Additionally, if a credit union can provide evidence that it remediated the risks identified in these documents, that is good evidence of the credit union’s seriousness in addressing identified risks.
5. Ask for a description of the credit union’s IT business continuity plan, including a description of any testing performed in connection with it. This may be the single most consolidated source to use as a roadmap for understanding the key systems and requirements of the target credit union. Understanding this document, and recognizing its ability to communicate existing risks and details regarding critical systems, will save considerable time and energy post-acquisition and provide a jump start for IT and business teams seeking to integrate these systems quickly.
6. Request copies of any documented physical security guidelines (or, if unavailable, a summary of such controls) to ensure security of any buildings, data centers, computer rooms, critical computer infrastructure, etc. Physical security is an important factor and key indicator of how a credit union manages data risk. From a cost perspective, it is important to understand what the physical security requirements post-acquisition may be and how these continuing costs should be apportioned or considered for the purposes of valuation.
7. Request copies of the target credit union’s incident response plan. The existence of an incident response plan demonstrates that the target credit union has complied with its regulatory requirements and has taken the time to fully consider the components of a response program as required under Appendix B to Part 748: Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.
8. Request descriptions of any known event(s) that could give rise to an insurance claim as a result of a privacy or information security incident or data breach. This is the time for complete transparency. Discovering any known event in the due diligence phase will allow a buyer to appropriately assess and mitigate the risk prior to closing. Depending on the disclosures, engaging third parties to perform an investigation may need to be considered.
9. Request information on claims history involving privacy, information security or data breaches for the past five years. Understanding the target’s claims experience on privacy, information security or data breach matters can flush out any red flags on security matters. Claims experience will also show whether the current security protocols are effective or whether modifications in the post-acquisition period are appropriate.
Implementing Due Diligence Efforts
The information produced in response to these requests will give the credit union a diagnostic picture of the overall data health of the credit unions subject to an acquisition or merger. With this information readily available, the credit union will have a baseline understanding of the potential vulnerabilities and compliance challenges present in the data environment, will be able to communicate the risks to the various stakeholders on the management and governance teams, and will be able to develop a plan for remediation of the data environment post-acquisition, if necessary.
David Katz is a Partner at Adams and Reese. He can be reached at 470-427-3726 or email@example.com.