Raising the Bar – Information Security at Credit Unions

October 16, 2019

The Birth of a Credit Union

Credit unions began as cooperatives: groups created by their members for a common goal, based on the principle of people helping people. As an alternative to banks and government-funded financial organizations, credit unions first began in Europe in the late 1800s and grew in popularity in the United States and Canada in the early 1900s, with the first credit unions beginning operations in Canada in 1901.[1]

Credit unions, like small community banks, proved they could meet demand for financial services that large money center banks could not: serving all classes of people. The credit unions that served more disadvantaged urban and rural communities became and remain an important source of microfinance.

Credit unions are organized as non-profits; they are not money-making organizations. Therefore every dollar spent on compliance and operational costs is theoretically a dollar that does not directly benefit members, in the form of, for example, low-cost loans or higher earnings on deposits. Because of this, they traditionally experienced less pressure from the federal examining authorities when it came to security compliance standards. This is understandable because of the clear fundamental differences in the business model between banking institutions and credit unions. That is no longer the case today. All financial institutions are facing regulatory scrutiny and strict cyber compliance standards due to the increasingly sophisticated cyber-attacks the industry continues to experience. The National Credit Union Association (NCUA), as the federal regulator and insurer of credit unions, is no exception.

Focus on Cybersecurity

In 2017, the NCUA officially announced that cybersecurity would be one of the agency’s primary focus areas going forward. It launched a new Automated Cybersecurity Examination Tool (ACET) to assist examiners in assessing the effectiveness of credit union cybersecurity programs. Soon, word spread that examiners across the nation were issuing memorandums to credit unions, requiring swift action to enhance cybersecurity controls. All Covered, with our breadth of financial institution-focused solutions and consulting services, was there to help!

In October 2018, then NCUA Chairman McWatters made a strong case in Congress to give the NCUA authority to examine technology service providers, like its FFIEC counterparts. “Technological and other advancements, including credit union relationships with fin-techs and other third-party vendors, are changing the way financial services are provided,” McWatters said. “While these developments can help credit unions meet the needs of all segments of their membership and communities, they also mean that credit unions and the NCUA must evolve [cybersecurity provisions] to remain effective in the changing financial services landscape.”[2]

As recently as June 2019, NCUA Chairman Hood appointed a Special Advisor to the Chairman for Cybersecurity, and in a press release stated, “Cybersecurity is one of [his] top priorities as Chairman of the NCUA.” Cybersecurity remains one of the most critical priorities for all financial institutions and their federal regulators to date.

What Does This All Mean for Credit Unions?

Security is paramount, now more than ever.

When it comes to information security, this is much more than a regulatory compliance issue. There is a real benefit to credit union members, especially with increasingly dangerous attacks being staged by cybercriminals. Credit unions do need to spend time and money to make sure that the non-public member information in their care is kept safe in an increasingly threatening environment. All Covered can help credit unions strengthen their information security posture, from employee cybersecurity training to risk assessments to automated security solutions, at a reasonable cost.

Credit union executives need to be sure.

If you are a credit union executive, perhaps you are not sure how well your credit union is protecting member information. This type of information can be difficult to gain visibility into and to assess before your examiners give you bad news. Every credit union executive should be asking their IT managers, or their third-party provider of IT services as the case may be, what is being done to protect member information from cybercrime. In particular, inquire about how application and firmware patching is managed, and how vulnerabilities are proactively identified and remedied. Ask how administrator passwords are secured and whether remote access to credit union systems, including Office 365 if applicable, requires two-factor authentication. Ask whether devices such as laptops, tablets, and mobile phones are required to be encrypted and whether they can be wiped remotely if lost or stolen. All Covered’s virtual Information Security Officer (vISO) service can help provide visibility to executive management and the board about all of these aspects of information security, and more.

[1] https://en.wikipedia.org/wiki/History_of_credit_unions

[2] https://www.ncua.gov/newsroom/speech/2018/ncua-board-chairman-j-mark-mcwatters-statement-ncua-budget-hearing-public-and-stakeholders

Tara E. Spencer
CCBTO, Director, Compliance Services, All Covered Financial Division

Tara Spencer leads the Compliance Services team at All Covered. She has 25 years of financial, operational, and compliance audit and risk management expertise in the community banking space. Ms. Spencer is a graduate of Muhlenberg College with a Bachelor of Arts in Accounting and Economics, a Certified Community Bank Technology Officer (ICBA), and is a member of the Financial Managers Society (FMS).

Prior to joining All Covered, Ms. Spencer was the SVP of Audit and Compliance at First Choice Bank and the Director of Internal Audit and Compliance at Two River Community Bank. In these roles she was responsible for leading teams charged with all aspects of risk management and compliance, including information technology compliance, consumer compliance, enterprise risk management, vendor management, GLBA risk assessments, business continuity planning and disaster recovery for financial institutions. She has authored and enhanced many policies and procedures to guide senior leadership and employees in implementing safe and sound compliance, operational, financial and risk management practices.

Additionally, as the Director of Risk Advisory Services at McGladrey LLP, Ms. Spencer led a client-focused team that provided risk assessments, internal audit, compliance, and Sarbanes Oxley (SOX) consulting services for financial institutions with asset sizes ranging from one hundred million to five billion dollars, including co-sourcing and outsourcing arrangements.