Compliance Center: FFIEC Recommends Participation in Cybersecurity Information Sharing Forum

On Monday November 3, the Federal Financial Institutions Examination Council (FFIEC), released observations from the recent cybersecurity assessment and recommended regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC).

During the summer of 2014, FFIEC members piloted a cybersecurity assessment at more than 500 community institutions to evaluate the institutions’ preparedness to mitigate cybersecurity risks.  The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance. 

The FFIEC also recommended that financial institutions of all sizes participate in the FS-ISAC as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities. The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information. 

Rapidly evolving cybersecurity risks reinforce the need for all institutions and their critical technology service providers to have appropriate methods for obtaining, monitoring, sharing, and responding to threat and vulnerability information. Financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.

The document is “not to be construed as guidance” according to the FFIEC.  However, it does provide some useful questions that credit union boards and management may consider when assessing their own credit union’s cybersecurity preparedness. Questions such as:

  • What types of network connections does my credit union have (e.g., virtual private networks, wireless networks, local area networks & “bring your own device” or “BYOD”)?  
  • How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
  • How do we evaluate evolving cyber-threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
  • How do our connections, products and services offered, and technologies used collectively affect our financial institution’s overall inherent cybersecurity risk?

In addition, the FFIEC assessment reviewed institutions’ current practices and overall preparedness, focusing on risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber-incident management and resilience.  Some questions to consider in these areas included the following:

Risk management: What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our credit union? What is the process for ensuring ongoing employee awareness and effective response to cyber-risks (e.g., routine training and awareness programs)?

Threat intelligence & collaboration: What is the process to gather and analyze threat and vulnerability information from multiple sources? How do we leverage this information to improve risk management practices? What reports are provided to our board on cyber events and trends? Who is accountable for maintaining relationships with law enforcement?

Cybersecurity controls: What is the process for determining and implementing preventive, detective, and corrective controls on our financial institution’s network?

External dependency management: How is our credit union connecting to third parties and ensuring they are managing their cybersecurity controls? What are our third parties’ responsibilities during a cyber-attack? How are these outlined in incident response plans?

Cyber-incident management and resilience: In the event of a cyber-attack, how will our credit union respond internally and with members, third parties, regulators, and law enforcement? How are cyber-incident scenarios incorporated in our credit union’s business continuity and disaster recovery plans? And most importantly, have these plans been tested?

Related Links

Compliance Question of the Week

Does a member’s online transfer from a savings account to a checking account count towards the six transfer limit?

Yes, according to Regulation D, electronic transfers using the credit union’s home banking system from a savings account to another account should be counted as one of the six transfers allowed per month.  A member is allowed to have up to six preauthorized withdrawals, telephone transfers, or transfers initiated by personal computer to another account at the same credit union or to a third party during a calendar month or statement cycle.

There are some transfers that do not count against the six monthly transfers limit.  The exceptions include transfers the member makers in person, at and ATM, by mail, by messenger, or by a phone call that results in a share draft or checking being issued and mailed to the member.  Transfers made as payment for a loan owned by the same financial institution do not count towards the six either.  Additionally, there is no limit on the amount of ACH credits or any other types of funds transfers into the account. 

Related Links:

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA’s November Board Meeting Agenda is now available.

A video of NCUA’s October Board Meeting has been made available.

The NCUA issued a reminder to credit unions that the Office of Small Credit Union Initiatives (OSCUI) consulting assistance applications are due on November 30, 2014.  The next round of consulting will begin on January 1, 2015.

Consumer Financial Protection Bureau (CFPB)

The CFPB has issued a blog posting discussing how older Americans can handle debt collection problems.

The CFPB announced proposed rules for prepaid cards. The proposal includes protections for consumers and “Know Before You Owe” disclosures that clearly state the costs and risks associated with prepaid cards.

The CFPB updated two of its small entity compliance guides: Ability to Repay and Qualified Mortgage Rule and the RESPA and TILA Mortgage Servicing Rules.

Office of the Comptroller of the Currency (OCC)

The OCC issued an alert to inform federal agencies and financial institutions of fictitious correspondence regarding funds in the OCC’s possession. The OCC is asking anyone that receives one of these letters to contact the OCC and file a complaint.

Comptroller of the Currency Thomas Curry delivered remarks at the 25th Special Seminar on International Finance. Curry discussed industry supervision in a global environment and cybersecurity.

Federal Deposit Insurance Corporation (FDIC)

The FDIC released the agenda for its next board meeting which will be held on Tuesday, November 18.

Federal Reserve Board (FRB)

The November issue of FedFlash is now available.

The minutes from the FRB’s November Community Depository Institutions Advisory Council, discussing the current outlook for financial markets, are now available.

Financial Crimes Enforcement Network (FinCEN)

FinCEN issued an Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies. 

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of November 12, 2014. The last update prior to this was November 10, 2014.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News.