Steps Credit Unions Need to Take to Protect Themselves from Cyber Vulnerabilities


Cybersecurity. It can sound overwhelming. But there are simple steps that credit unions can take to protect themselves from vulnerabilities.

Software patching is one of those steps. Patching is a necessary part of IT management and consists of applying a set of changes to a specific program that fixes security vulnerabilities, improves functionality, or generally updates the program.

Unfortunately, as bad actors in the cybercrime world work to find exploits in various systems, patch management becomes even more necessary. For example, a missed patch needed for one of its internet servers contributed to the Equifax data breach last year. Recently, that internet server provider, Apache, disclosed the need for another patch. Even worse, the bad actors have already figured out how to exploit users who don’t patch the issue and have posted the code needed to do so online.

What does this mean for credit unions? First and foremost, if the credit union uses Apache Struts, it should determine if a patch is needed. However, even if the credit union doesn’t use Apache Struts, it should still ensure that it has a patch management system in place.

“Patching your systems and following a rigorous patch management process is one of the most critical elements of good Cyber-Hygiene,” said Scott Alldridge, President and CEO of IP Services, an IT service management provider and Northwest Credit Union Association Strategic Link business partner. “In fact, research has proven that over 80 percent of breached computer systems and networks are not up-to-date with the latest patches supplied by vendors.”

The NCUA has been urging credit unions to develop a strong patch management system since at least 2003, when it issued its Letter to Federally Insured Credit Unions regarding Computer Software Patch Management. The NCUA’s AIRES IT Exam Checklist also includes several questions regarding the credit union’s patch management program, indicating that it is a priority during examinations.

To find out if your credit union has a patch management program in place, check with your IT/IS team or your third-party IT provider. Ask whether the program is effective in determining what patches are needed and their level of criticality to the overall cyber resilience of the credit union.

Question of the Week

We have a borrower that is receiving a cash gift for a home purchase. How is this recorded on the Loan Estimate?

Reg Z addresses how gifts are handled in its commentary to 1026.37, specifically 37(h)(1)(vii) Adjustments and other credits. Essentially, if the gift is delivered to the borrower prior to closing, it isn’t disclosed on the Loan Estimate or Closing Disclosure. If, however, the gift is brought to the closing table, then it would be disclosed as a negative amount on the Loan Estimate and Closing Disclosure, reducing the total cash to close disclosed to the borrower.

For example, if Jane Smith needs to bring $35,000 cash to close in order to complete the home purchase and she receives the gift from her parents prior to closing, then both documents will reflect that Jane Smith needs to bring $35,000 cash to close (because ultimately, the cash is coming from her account since she already received the gift from her parents). However, if Jane’s parents are bringing the check to closing, Jane’s cash to close will be reduced by the amount of the gift, reflected as a -$30,000 on the disclosures, resulting in Jane only bringing $5,000 cash to close.

This is explained in Reg Z’s commentary:

6. Reduction in amounts for adjustments. Adjustments that require additional funds from the consumer in a transaction disclosed using the formula under §1026.37(h)(1)(iii)(A)(1) or pursuant to the real estate purchase and sale contract, such as for additional personal property that will be disclosed on the Closing Disclosure under §1026.38(j)(1)(iii) or adjustments that will be disclosed on the Closing Disclosure under §1026.38(j)(1)(v), are only included in the amount disclosed under §1026.37(h)(1)(vii) if such amounts are not included in the calculation under §1026.37(h)(1)(iii)(A)(2) or (B) or §1026.37(h)(1)(v) as debt being satisfied in the transaction. Other examples of adjustments for additional funds from the consumer include payoffs of secured or unsecured debt in a purchase transaction disclosed using the formula under §1026.37(h)(1)(iii)(A)(1) or prorations for property taxes and homeowner’s association dues. The total amount disclosed under §1026.37(h)(1)(vii) is a sum of adjustments requiring additional funds from the consumer, calculated as positive amounts, and other credits, such as those provided for in comment 37(h)(1)(vii)-1, calculated as negative amounts.

And when you look at 37(h)(1)(vii)-1, it states:

1. Other credits known at the time the Loan Estimate is issued. Amounts expected to be paid at closing by third parties not otherwise associated with the transaction, such as gifts from family members and not otherwise identified under §1026.37(h)(1), are included in the amount disclosed under §1026.37(h)(1)(vii). Amounts expected to be provided in advance of closing by third parties, including family members, not otherwise associated with the transaction are not required to be disclosed under §1026.37(h)(1)(vii).

Related Links:

Commentary to 12 CFR 1026.37

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA released the third quarter issue of its newsletter. The newsletter features articles that discuss hurricane preparedness, examination modernization, FAQs regarding S 2155, and the proposed delay of the risk-based capital rule.

Bureau of Consumer Financial Protection (BCFP)

The BCFP released its Quarterly Consumer Credit Trends publication. This edition focuses on collection of telecommunication debt. The report indicates that 37 percent of consumers who reported being contacted about debt were contacted about a telecommunications debt.

The BCFP issued a final rule, effective Jan. 1, 2019, related to the annual dollar amounts for several Reg Z provisions including TILA, CARD Act, HOEPA, and provisions of the Dodd-Frank Act.

Federal Deposit Insurance Corporation (FDIC)

The FDIC released its Second Quarter 2018 Quarterly Banking Profile, which indicates that the industry has increased its net income, due to higher net operating revenue and a lower effective tax rate.

Federal Reserve Board (FRB)

The FRB, jointly with the OCC and FDIC, issued an interim final rule regarding the treatment of certain municipal securities as high-quality liquid assets.

The FRB released the minutes from the July 31, 2018 Federal Open Market Committee meeting.

The FRB, along with the OCC and FDIC, announced the issuance of an interim final rule expanding examination cycles for qualifying small banks and U.S. branches and agencies of foreign banks. The expansion of the 18-month, on-site examination cycle would apply to qualified insured depository institutions with less than $3 billion in total assets.

U.S. Department of the Treasury (Treasury)

The Treasury delivered testimony to the Senate Committee on Health, Education, Labor, and Pensions Subcommittee on Primary Health and Retirement Security regarding the importance of financial literacy and education programs.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of Aug. 24, 2018. The last update prior to this was Aug. 21, 2018.

Questions? Contact the Compliance Hotline: 1.800.546.4465