Compliance Center: What We Learned at the FBI/Secret Service Cybersecurity Symposium

It is fitting that October is cybersecurity awareness month, because the threats of data breaches looming over our heads can be quite the scary thought. To help spread awareness about the important focus on cybersecurity, the FBI and U.S. Secret Service have teamed up to hold cybersecurity symposiums across the nation focused on bridging a partnership between the financial services sector and law enforcement.  The Portland symposium was held on Thursday, October 22nd and provided a forum for valuable knowledge sharing and open discussions.

The goal of the symposium was not only to discuss cybersecurity and various ways to help secure data, but also to help determine the best ways to share information between the financial services sector and law enforcement. One of the best ways to begin the information sharing process is for credit unions to report cyber incidents via the FBI’s ic3.gov portal, which allows a way for organizations and individuals to easily report any type of incident.  Data entered into this system is reviewed by law enforcement and can be used to help identify incidents that require further investigation and/or detect a larger cyber incident pattern.

While the overall meeting was productive and moved the discussion forward in the right direction, the agencies couldn’t help but field questions from organizations that were skeptical regarding the request to willingly share information with law enforcement. Several organizations expressed the feeling of a one-way street with law enforcement, where the organization provides the information but never seems to receive any information back from law enforcement. The agencies did address these concerns and stated that sometimes it is not possible to share due to confidentiality requirements or their duty to protect the victims of the crime/incident.

However, law enforcement did stress that they were happy to continue the dialogue and work with the industry to determine the best way to make both sides happy and encourage information sharing. One idea mentioned was to obtain permission from a victim institution to share their information with another victim institution so that the two institutions could work together to help identify issues and improve their overall security. The agencies also stated that they are open to discussing the institution’s needs during the initial contact, which can help lay some of the groundwork for the best way to share information during an incident response by a law enforcement agency.

The symposium was a great opportunity to share and discuss how law enforcement agencies and financial services organizations can work together to share information in a proactive manner. There were simply too many takeaways from the meeting to list. But there was one takeaway that seemed to be reiterated throughout the meeting: no information is too minor to share.

If a credit union experiences a cyber incident, no matter how minor it appears to be, the FBI and Secret Service both encouraged organizations to file a report through the ic3.gov portal. Law enforcement can use this data to look at the big picture and determine if your incident fits into any larger patterns. There are also many other cybersecurity focused resources available. To get started, the FBI’s website has great information, tips and hints, and helpful links to other cybersecurity resources that credit unions may find useful.  Additionally, the FBI has a local resource available for investigations and intelligence sharing: The Oregon Cyber Task Force, octf.pd@ic.fbi.gov, 503.460.8000.

Compliance Question of the Week

Are we required to post the FBI sticker on the front door of the credit union? 

No, there is no regulatory requirement to post the FBI sign.  The NCUA used to require the sign for federal credit unions in an older version of their Accounting Manual. However, in 2003 the manual was updated and the section discussing the use of the FBI sign was left out, thus removing the requirement for federal credit unions to post the sign.  Additionally, there is no requirement for credit unions chartered in Oregon or Washington.

However, keep in mind that the sign may be used as a way to deter robberies. Additionally, your credit union may have an approved policy that requires the use of the sign.

Legal Briefs

National Credit Union Administration (NCUA)

NCUA Chairman Matz will hold an in-person open forum for credit union stakeholders on Friday, October 30, 2015. Attendees can register here.

Consumer Financial Protection Bureau (CFPB)

CFPB Director Cordray delivered prepared remarks at the Meeting of the Consumer Advisory Board. Cordray’s remarks focused on the CFPB’s recent arbitration proposal.

The CFPB released a financial education curriculum review tool. The tool is aimed at helping teachers and other curriculum developers determine which curriculum will best suit their students.

Director Cordray delivered prepared remarks at the Mortgage Bankers Association Annual Convention. Corday’s remarks focused on the success of the first wave of mortgage rules, how the new TILA/RESPA integrated disclosures will help consumers, and the recently finalized HMDA rule.

The CFPB posted an article on its blog aimed at helping financial caregivers better understand how to manage someone else’s money. The CFP released new tools, in addition to the guides released a few years ago specific to Florida and Virginia, to help caregivers better understand their responsibilities. The CFPB also announced that four more states will soon receive specialized guides for their states.

Federal Housing Finance Agency (FHFA)

The FHFA has issued the final rule regarding the use of its expanded-data House Price Index (HPI) when setting the maximum conforming loan limits for Fannie Mae and Freddie Mac.

U.S. Department of the Treasury (Treasury)

The Treasury announced that its Bureau of the Fiscal Service is conducting a Financial Agent Selection Process for its U.S. Debit Card Program. The program designee(s) will act on behalf of the government and will provide prepaid debit card services for the U.S. Debit Card Program. Institutions that are interested in applying mad do so through Monday, November 23, 2015 at 5 pm EST.

Office of the Comptroller of the Currency (OCC)

OCC Comptroller Curry delivered a speech to the Exchequer Club on the increasing credit risk that the industry is facing.

Federal Deposit Insurance Company (FDIC)

The FDIC Board has approved a final rule that will establish margin requirements for swaps that are not cleared through a clearinghouse.

The FDIC Board also adopted a proposal to increase the Deposit Insurance Fund to 1.35 percent, which is the statutorily required minimum level.

The FDIC has released the video from its October 22, 2015 board meeting.

The FDIC posted its Sunshine Meeting Notice for its open meeting on Friday, October 30, 2015. The meeting will cover the final rule on margin swaps and a proposed rule on total loss-absorbing capacity for global systemically important banking organizations.

The FDIC announced that it will hold a cybersecurity teleconference on October 28, 2015.

Financial Action Task Force (FATF)

The FATF released Emerging Terrorist Financing Risks, its October 2015 report focusing on spreading understanding of how terrorist organizations manage their assets.

The FATF held a Plenary Meeting last week and released a list of the main issues dealt with during the meeting. The issues include an update on AML improvements in Ecuador and Sudan, money laundering through physical cash transportation, and the expansion of the FATF.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of October 20, 2015. The last update prior to this was October 15, 2015.

Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.

Posted in Compliance.