ALEXANDRIA, Va. - In a new Letter to Credit Unions (03-CU-14), NCUA recommended that credit unions reference guidance recently issued by the Federal Deposit Insurance Corporation to assist in developing effective software patch management programs. FDIC's guidance covers appropriate policies, procedures and practices for mitigating the risks that come with software weaknesses.

"During the past year, many companies and some credit unions have experienced security breaches that could have been prevented through the timely identification and patching of software vulnerabilities. This guidance provides information about the importance of maintaining an effective computer software patch management program and information technology (IT) infrastructure," NCUA Chairman Dennis Dollar said.

Though companies create updates, called "patches," the software user is still responsible for ensuring the patches are installed as soon as possible, the letter reminded.

FDIC's guidance recognized, "Most financial institutions use multiple commercial software packages. Therefore, it can be challenging to identify, test, and install all of the applicable patches that are necessary to maintain each software package. A patch management program should be part of an institution's overall computer security program."

FDIC also outlined several areas of risk from an inadequate patch maintenance program. It can cause system unavailability, create weaknesses in security, or corrupt critical system components or data. "Software vulnerabilities that result in security weaknesses can leave computer systems unprotected and open to access and criminal misuse of bank information by unauthorized parties, such as computer hackers," according to FDIC.

FDIC's guidance is enclosed with the letter.
