This is definitely the most relevant topic impacting the Credit Union industry today: the Credit Union Cyber Security exam! I ran across this article today and was most intrigued by the content. I have spent my entire professional career in Information Technology and Credit Unions, and now Cyber Security audit priorities have exploded.
Matt hits this article out of the park. The Federal Financial Institutions Examination Council (FFIEC) has provided excellent resources that give otherwise short-staffed Credit Union IT Departments a pathway to cybersecurity awareness and compliance within the Credit Union Cyber Security audit.
Matt Wilhelm of Encompass posted this with CUInsight:
Have complete systems/network documentation
This seems obvious, but it is amazing how many credit unions still rely on one person on their IT team to be the repository for all IT information, and don’t have anything in writing. If, for example, that one person on your IT side is sick, on vacation or quits – and they just happen to be the only person with the administrative password for your firewall – then you could be in trouble.
Refresh your IT security policies and procedures
While on the topic of documentation, detailing what security policies are used, and providing written updates to your plans as new threats emerge, will demonstrate to the examiner your awareness of the complexity and necessity of strong cybersecurity practices. Not having a well-documented IT security plan in place, or not keeping it updated to include emerging threats, can leave your credit union in real trouble, and not just with your examiner.
Test backup and recovery frequently enough
Should a cyber attack occur despite your best efforts, how confident are you that you can recover all your records? Ever heard the phrase, “practice makes perfect”? The more you test your systems for the unknown, the better equipped you will be. Run tests of your data backup randomly throughout the year to make sure your systems will survive and your backups can be quickly recovered if systems are compromised. Test your backup procedures too… when was the last time you tested your backup data on your core processor or file data on your server? Provide this documentation on when the tests occurred to your examiner (any good backup and recovery plan will include reports).
Train all CU employees on IT security
“Credit Unions must provide staff with annual training on their information security program to ensure effective implementation and understanding by all staff.” This is an actual citation from a 2015 CU IT Examination received by a credit union we are now working with to provide the required training.
Require your employees to take a 30-minute training on end-user IT Security, and present the certificate of completion to your examiner to ensure this is not an issue.
Consult outside resources to ensure IT compliance
According to NCUA Chairman Debbie Matz, “We hope to get credit union officials attuned to the fact cyber security is an ongoing issue with demands that are changing all the time. Credit unions really need to stay on top of this issue, which means working with experts outside the credit union and not just relying on internal IT staff to protect their systems. If the credit union has a weakness in their internal systems it really is a weakness in the entire credit union system. Because, in terms of cyber security, nothing is isolated.” Whether it’s a third-party IT Assessment, or having a firm manage your compliance entirely, demonstrating a second expert opinion during an exam will benefit you.