Compliance Center: NCUA Discusses Top 10 Cyber Security Areas That Examiners Will Look At

In the August Edition of The NCUA Report, the National Credit Union Administration (NCUA) discusses the ongoing issues with cyber security and the areas their examiners may focus on.

The NCUA listed cyber security as one of their exam focuses earlier in the year. The NCUA examiners may focus on the following areas:

  1. Information security policies – Does the credit union have a board-approved information security policy commensurate with the credit union’s size and complexity and that meets the requirements of NCUA Rules and Regulations Part 748?
  2. Risk assessments – Has management recently performed and documented an information security risk assessment to identify and assess potential threats, their probability, potential effects, and the existing controls and risk remediation plans that the credit union has in place?
  3. IT audit – Has management developed an audit plan that addresses all IT-related areas appropriate to the size and complexity of the credit union? This audit plan should also include continuing assessments of internal and external vulnerabilities.
  4. Virus and malware – Is the network and all critical components such as servers, desktops, laptops and other systems running updated virus and malware protection software?
  5. Passwords – Does the credit union enforce a strong password policy based on its risk assessments that meets or exceeds industry standards? At a minimum, passwords should be at least eight characters with alphanumeric and special characters required for added strength and complexity.
  6. Business continuity planning and disaster recovery test – Is the plan sufficient, up-to-date and recently tested?
  7. Patch management – Does credit union IT personnel manage the installation of all software security patches and updates and ensure that all systems nearing or at the end of their service life are replaced?
  8. Vendor management – Is there a vendor management policy and program that meets the requirements of NCUA Rules and Regulations Part 748?
  9. Information security training – Does the credit union have a continuing information security awareness program?
  10. Incident response and crisis management – Is there an updated incident response plan that complies with NCUA Rules and Regulations Part 748, Appendix B?

In addition, the NCUA suggests that credit union management may wish to consider the possibility of cyber security insurance during their information security review process.  Most blanket insurance policies for financial institutions include a variation of internet or web-presence coverage.

Compliance Question of the Week

What are the procedures if a safe deposit box renter does not pay the rent?

If the amount due on a safe deposit box has not been paid for 1 year, the credit union should start by sending the renter a notice.  The notice should be in writing and sent securely closed, postpaid and certified mail, return receipt requested to the address and person listed as the renter in the credit union records.  The notice should state that if the amount due for the safe deposit box is not paid within 30 days from the date of the notice, the credit union will open the safe or box and the contents will be inventoried, sealed and placed in one of its general safes or boxes.

If the 30 days has expired and the renter failed to pay the amount due, the credit union may, in the presence of two credit union officers, open the safe or box, remove its contents and inventory and seal the contents in a package.  The officers should mark the renter’s name and date of removal, and place the package in a general safe or box at a rental rate not to exceed the original rental rate of the opened safe or box.  The package should remain in the general safe or box for a period of not less than 1 year, unless sooner removed by the renter.  Once the package is put in the general safe or box, two credit union officers should file a certificate with the credit union that states the date of the opening, renter’s name, and a reasonable description of the contents. 

A copy of the certificate should be mailed to the renter’s last known address within 10 days in securely closed, postpaid and certified mail, return receipt requested.  Along with the certificate, the credit union should mail a notice stating that the contents will be kept at the expense of the owner, in a general safe or box in the credit union’s vaults for a period of not less than one year.  Any time after the mailing of the certificate and notice and before the expiration of 1 year, the owner may require the delivery of the contents if they pay all rentals due, the cost of opening the safe or box, and the payment of all further charges accrued during the period the contents remained in the general safe or box of the company.

Once the year has passed the credit union can sell the property stated in the certificate at a public auction.  Notice of the time and place of sale must be published once within 10 days prior to the sale in a newspaper published in the county where the contents of the safe or box are located and where the credit union chooses to conduct the sale.  If the credit union chooses not to sell the contents at public sale, the contents should be delivered to the department of revenue as unclaimed property.

 From the proceeds of the sale, the credit union should deduct the amounts due for rental, the cost of opening and safekeeping the contents since the safe was opened, plus any additional charges accruing during the time of the sale, including advertising and cost of sale.  The balance of the proceeds, together with any unsold property, should be deposited by the credit union within 30 days after the receipt of proceeds, with the department of revenue as unclaimed property.  The credit union should also include the certificate stating the name and last know place of residence of the owner of the property sold, the articles sold, the price obtained and showing that the required notices were duly mailed and that the sale was advertised as required. 

In Oregon, the contents of the safe deposit box are considered abandoned if unclaimed by the owner 2 years after the lease or rental period on the box has expired.

Related Links:

Legal Briefs

National Credit Union Administration (NCUA)

After being sworn in as a new board member, J. Mark McWatters delivered a statement outlining his vision for the NCUA. His statement detailed his focus of providing regulatory relief for credit unions and expanding the scope and financial viability of low-income credit unions.

The NCUA announced that it will be hosting a webinar on Merger Best Practices on Wednesday, September 17, 2014.

Consumer Financial Protection Bureau (CFPB)

The CFPB announced that it will have a field hearing on Thursday, September 18 in Indianapolis on auto finance.

The CFPB published a report to promote financial wellness in the workplace.

The CFPB announced new senior leaders with the Bureau and new advisory board and council members.

Federal Reserve Board (FRB)

The FRB announced that it will hold an open meeting on Wednesday, September 3. The meeting will be able to be viewed via the FRB’s public website.

The FRB’s Financial Services Information Sharing and Analysis Center (FS-ISAC) is hosting its annual cyber security attack simulation. There are two session in September that participants can choose to participate in.

United States Treasury (Treasury)

The Treasury released documents for the 2015 U.S. Financial Sector Assessment Program (FSAP) review. The FSAP is a review that looks at financial sector analysis and international standards in the financial sector.

Financial Crimes Enforcement Network (FinCEN)

FiNCEN issued an administrative ruling regarding MSBs where a company is acting as an independent sales organization and payment processor.

Federal Deposit Insurance Corporation (FDIC)

The FDIC has released its Summer 2014 issue of Consumer News.

Federal Housing Administration (FHA)

The FHA published two mortgage amendments (ARM and prepayments) aimed at bringing their regulations into alignment with the CFPB’s 2014 mortgage rules.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of August 29, 2014. The last update prior to this was August 27, 2014.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News, NCUA.