NCUA Examiner Insight for 2017

The 12th annual CUISPA (Credit Union Information Security Professionals Association) conference was held on February 21 & 22 in San Antonio. SCA routinely participates in this conference to network with credit union information technology and risk management professionals, and just as importantly, to engage NCUA examiners about items on their priority list. This year’s panel of 6 examiners included leadership from the ONES (Office of National Examinations and Supervision) and several RISOs (Regional Information Systems Officer). Following is what was shared during their panel discussion:

An information security program is based on, starts with, policy, standards & procedures and employee use guidelines.

Two Areas of Focus for Better Exam Results:

  1. Annual Risk Assessments are expected. The Risk assessment should identify the actual threats specific to the CU and not generic threats, vulnerabilities associated with the threats and a risk rating showing likelihood of occurrence, impact rating, controls to mitigate and the resulting risk rating. Threats and vulnerabilities should also be correlated with an asset inventory ranked by criticality.
  2. Control tests.

FFIEC Cybersecurity Assessment Tool (CAT):

The CAT is not a risk assessment. It is a tool to complement a credit union’s information security program. Use of the CAT is voluntary, however, some state programs require the CAT. If a credit union gets Domain 1 right, the rest will fall into place. Domain 1, Cyber Risk Management and Oversight, includes policies and risk assessments. The NCUA will roll out the CAT in their exam process in late Q3 or early Q4 of 2017. Until then, they are finalizing the tool which they will actually use, and honoring their commitment to a tight process and well trained examiners before roll out.

It was recommended that social engineering email phishing test frequency is quarterly or at a frequency deemed commensurate for credit union size, complexity and culture. Email phishing tests should include a retest when there is a high failure rate. This provides an opportunity to educate and re-evaluate those employees.

Two other areas examiners are paying attention to are Reg 749 and legacy software. NCUA Reg 749 addresses a credit union’s Records Preservation Program including Record Retention Guidelines and Catastrophic Act Preparedness Guidelines. A thorough Disaster Recovery and Business Continuity Plan including a Business Impact Analysis as well as a thorough Incident Response plan are vital to satisfying Reg 749. Credit unions should regularly test these plans to ensure they are effective and align with the credit union over time. Legacy software such as Windows XP or Server 2003 are no longer supported (i.e. patched) and present easy targets for hackers. Examiners strongly encourage updating to modern versions such as Windows 10 and Server 2012 R2.