Examiners Dive Into Information Security Risk Assessments


When the NCUA released the supervisory priorities for 2019, they included the following: 

Information Systems and Assurance – Examiners will continue conducting information security maturity assessments with the Automated Cybersecurity Examination Toolbox (ACET). Examiners will use the ACET to assess credit unions with over $250 million in assets that have not previously received an assessment. The security, confidentiality, and integrity of credit union member information remains a key supervisory priority for the NCUA. 

In recent examinations of credit unions, examiners are taking deep dives into the Information Security Risk Assessments that credit unions are performing under 12 CFR 748.0(b)(2): 

(2) Ensure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member. 

From InfoSight, the following checklists can assist credit unions in reviewing their Information Security Programs and Risk Assessments: 

Risk assessment will consider: 
  1. Strategic goals, objectives, and business needs of the credit union; 
  2. Ability to evaluate and oversee outsourcing relationships;
  3. Importance and creditability of the service to the credit union;
  4. Define requirements for the outsourcing of activity;
  5. Necessary controls and reporting processes;
  6. Contractual obligations and requirements for the service provider;
  7. Contingency plans, including availability of alternative service providers, costs, and resources required to switch service providers;
  8. Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance; and,
  9. Regulatory requirements and guidance for the business lines affected and technologies used. 

NCUA AIRES IT Exam Questionnaire: Part 748 Appendix A – Information Security 

Questions for consideration from the exam questionnaire: 

  1. Does the credit union have documented policies and procedures to address the implementation and ongoing management of the information security program? 
  2. Is the board of directors, or an appropriate board committee, involved in developing and implementing the Member Information Security Program? 
  3. Does management report to the board of directors, at least annually, on the overall status of the information security program and compliance with Part 748, Appendix A and B guidelines?
  4. Does the credit union have a documented risk assessment process that is updated annually? 
  5. Are key controls, systems, and operating procedures for the information security program regularly tested? 
  6. Does the information security program address each of the following:  
    1. Electronic access controls on member information systems. 
    2. Physical access controls to facilities and equipment where data files and archives of member information are maintained. 
    3. Encryption of electronic member information either in transit or storage where unauthorized individuals may gain access. 
    4. Change control and update procedures designed to ensure system and/or software modifications are consistent with the credit union’s information security program. 
    5. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information. 
    6. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems. 
    7. Response programs that specify actions to be taken when the credit union suspects or detects unauthorized access to member information systems, including appropriate reports to regulatory and law enforcement agencies. 
    8. Measures to protect against destruction, loss, or damage of member information due to potential environmental hazards. 
  7. Does staff receive training to comply with the information security program?
  8. Does management have appropriate procedures to dispose of member information? 
  9. Does the credit union effectively oversee critical service provider arrangements? 
  10. Does the credit union monitor, evaluate, and adjust the information security program, as needed? 
  11. Does the credit union use multi-factor authentication, layered security, or other controls to mitigate the risk associated with the use of electronic banking products and services offered to members? 

Question of the Week 

Q. Our member gave her debit card to her daughter to use at the grocery store. The daughter made the intended purchase, but then used the debit card to go on a shopping spree. The mother is now at the credit union disputing the charges that the daughter made as unauthorized. What do we do?

A. Unless your member informed the credit union that the authorization for her daughter to use the card was revoked, the transactions are not unauthorized under Reg E.

The commentary to Reg E’s definition of an unauthorized electronic fund transfer states: 

  2. Authority. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized. 

In this situation, your member would need to work out the dispute with her daughter or law enforcement. 

Related Links

12 CFR 1005.2 

Reg E Official Interpretations 

Legal Briefs 

National Credit Union Administration (NCUA) 

NCUA announced registration open for the Aug. 14 liquidity and interest-rate risk webinar. 

Consumer Financial Protection Bureau (CFPB) 

CFPB extended the comment period for the May 2019 proposed HMDA changes. Comments are now due by Oct. 15, 2019. 

CFPB extended the comment period for the Debt Collection Proposal until Sept. 18, 2019. 

CFPB released the Annual Threshold Adjustments for Regulation Z (Credit Cards, HOEPA, and Qualified Mortgages). The changes will go into effect on Jan. 1, 2020. 

CFPB released FAQs on providing loan estimates to consumers. 

U.S. Department of Housing and Urban Development (HUD) 

HUD announced joint policy actions designed to reduce risk associated with cash-out refinancing. The Federal Housing Administration (FHA) will lower its maximum loan-to-value (LTV) requirements for cash-out refinancing transactions from 85 percent to 80 percent. 

Office of Foreign Assets Control (OFAC) 

OFAC has updated the SDN list as of Aug. 1, 2019. The last update prior to this was July 29, 2019. 

Questions? Contact the Compliance Hotline: 1.800.546.4465; compliance@nwcua.org.

Posted in Compliance News.