Compliance Center: Cybersecurity Resources

The Federal Financial Institutions Examination Council (FFIEC) released a cybersecurity assessment tool in late June of 2015. For those of us who are familiar with FFIEC’s risk assessment releases in the past (e.g., Multifactor Authentication), fear was not far behind the release of the tool. Will credit unions have to use this tool? Will examiners use this tool to measure a credit union’s cybersecurity program?

The answer doesn’t boil down to a simple yes or no. Currently, this assessment tool is just guidance (phew!), but that could change. The NCUA has stated that they will use the assessment tool in the future to help determine a credit union’s risk profile regarding cybersecurity. However, as long as you address and mitigate your risks and have a plan in place, you don’t have to use the FFIEC’s assessment tool. But why recreate the wheel, right?

The bigger focus of the assessment tool is to help institutions navigate the cybersecurity waters. We are not all IT experts, but cybersecurity isn’t just a concern of those with the technical savvy to understand all the technical jargon that surrounds this sensitive security issue. Cybersecurity is an everybody issue. Because it is an everybody issue, it is important that all employees within the credit union understand the risks associated with their specific jobs, how to identify and mitigate potential risks, how to report possible breaches, and their role in the credit union’s incident response plan. The FFIEC assessment, along with other resources available, helps credit unions achieve this level of preparedness, and provides ways to share information and report potential breaches, no matter how minor they seem.

To help get credit unions started, or to add on to what they have already started, we have created a Cybersecurity Resource Center aimed at providing information and resources in one easy-to-access location. Our resource page provides links to regulatory resources, such as the FFIEC Assessment Tool; information sharing resources (such as public-private information sharing opportunities); information for reporting breaches; best practices for prevention, detection, and responses to cybersecurity incidents; and information on cybersecurity insurance.

The cybersecurity landscape is constantly changing as new information is released, new threats are identified, and new tools are developed to help mitigate the risk. As such, our cybersecurity resource page will be updated frequently to include up-to-date information, including alerts and bulletins issued by law enforcement on potential threats. And in the spirit of information sharing, if your credit union has any cybersecurity best practices that we didn’t list, please feel free to email Katie Clark at to have the best practice added to the resource page.

Compliance Question of the Week

The FFIEC released a Cybersecurity Assessment Tool and encouraged financial institutions to use the tool. Is the credit union required to use this tool?

While the FFIEC’s Cybersecurity Assessment Tool is not required, credit unions are encouraged to use the tool, or at least a tool similar to the FFIEC’s tool, to help determine their level of risk and mitigate their risk of a cybersecurity attack. The NCUA has been making cybersecurity a supervisory priority and will most likely continue to do so, making it imperative that credit unions take meaningful steps to secure their data, monitor cybersecurity risk exposure, and mitigate the risk when and where possible.

Additionally, if a credit union isn’t already assessing its cybersecurity risk, this tool does provide a great starting point. The NCUA examiners plan to use this tool going forward as well, to help them determine a credit union’s level of risk.

Legal Briefs

Federal Reserve Board (FRB)

Federal Reserve Vice Chairman Stanley Fischer delivered a speech at the Annual Meeting of the American Economic Association. In the speech, Fischer discussed the question of long-term lower interest rates, raising the inflation target, and raising the equilibrium real rate.

Federal Trade Commission (FTC)

The FTC issued its biennial report to Congress on the use of the Do Not Call Registry.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC has released the new 2016 HMDA reporting software. 

Office of Foreign Assets Control (OFAC)

OFAC issued a final rule that implements an Executive Order issued in April 2015 regarding the blocking of property belonging to persons engaged in cyber attacks. The final rule, effective on its publication date of December 31, 2015, requires the blocking of property located in the United States of persons listed on the CYBER portion of the SDN List.

OFAC has updated the SDN list as of December 22, 2015. The last update prior to this was December 18, 2015.

Questions? Contact the Compliance Hotline: 1.800.546.4465,
