Aug. 28, 2015
The two-day NASCUS/CUNA Cybersecurity Symposium, held Monday and Tuesday (Aug. 24-25) in Denver, gave more than 120 regulators, policy makers and IT professionals the opportunity to take a deep dive into the key cybersecurity issues.

A highlight of the program: a hacking demonstration by Brandon Henry of TrustCC, combined with a discussion of tips for detecting and resolving attempted hacks, focusing especially on two common attack schemes: “password guessing” and theft of passwords through network domain name servers (DNS).

Another highlight: the outline by NCUA’s Tim Segerson (deputy director for examination and insurance at NCUA) of how the agency plans to incorporate the new FFIEC “cyber assessment tool” (CAT) into its exam procedures. He noted that the agency expects a 9- to 12-month industry implementation of the tool, and would continue national outreach efforts through the end of March 2016. He said no formal exam or evaluation of credit unions through use of the tool would begin until June 2016.

Another session commended by participants was an overview of the cybersecurity landscape by Tom Schauer of TrustCC. Based on everything that has happened in the past year (the OPM data breach, activity by foreign governments, Ashley Madison and ‘hacktivism’), Schauer recommended five key points for credit unions to consider for the remainder of 2015 and into 2016: (1) make sure privilege escalation can be detected; (2) make sure incident response is ready; (3) address the high and medium-high deficiencies; (4) regularly revisit the questions of (a) “If I wanted to steal money from the CU, how would I do it, and what can prevent this attack?” and (b) “If I wanted to negatively impact the reputation of the CU, how would I do it, and what can prevent this attack?”; and (5) recruit IT talent to the Board so the Board is well equipped to provide guidance and oversight to management.
Encryption protocols by NCUA effective ‘immediately’
Speaking of cybersecurity, NCUA outlined its encryption protocols for data provided to examiners – “effective immediately” – in a letter sent late last week (Aug. 21) to all federally insured credit unions. “In order to ensure sensitive electronic credit union and member data is well protected, the data held by NCUA needs to be encrypted. The process of exchanging this data also needs to be secure and well controlled,” stated the letter, signed by NCUA Examination and Insurance Director Larry Fazio. Agency examiners will accept data files from credit unions only if the files are first encrypted by the credit union and then submitted via electronic transmission or via transfer on removable media (e.g., a thumb drive), the letter states. Or, if the credit union is unable or does not wish to transfer the data electronically in those ways, “NCUA examiners may then only accept such data electronically if a credit union representative in person provides the data file(s) to the examiner and remains physically present while the examiner transfers the data to NCUA’s encrypted equipment.” In both cases, the parties involved will sign a “chain of custody” document (and, in a footnote, the letter advises credit unions against electronically transmitting unencrypted data to examiners). The letter also notes that NCUA is in the process of acquiring a secure file transfer solution (such as an online portal) so that examiner staff and credit unions can exchange information securely and efficiently, with implementation expected by early 2016. An example of the agency’s Examination Notification and Items Requested Letter, which examiners use to schedule an examination, is attached to the letter.
In a column published this week by the Credit Union Journal, NCUA’s Larry Fazio offers a well-written and carefully considered “brief history of the Overhead Transfer Rate” (OTR). In the piece, he notes how each year “agency staff prepares a Board Action Memorandum explaining in detail how the OTR was calculated, keeping in mind that the formula remains constant from one year to the next. These methodologies are available on the agency’s budget resource center webpage, along with many other documents explaining how the agency arrives at the rate.” His column is another positive step toward continuing transparency – but we still believe that, prior to preparing the board memo, NCUA should make the OTR calculations subject to notice and comment – and thus give stakeholders the opportunity to weigh in on just how the rate was, in fact, calculated for the upcoming year. The fact is, while the formula may remain the same, the information that goes into that formula changes from year to year.
Tina G. Miller has officially taken the reins as top credit union supervisor in Tennessee, succeeding Harry “Pat” Murphy as leader of the state financial institutions department’s Credit Union Division, with the title of assistant commissioner. “In this capacity, Ms. Miller will provide leadership and management oversight to the department’s Credit Union Division,” stated Greg Gonzales, commissioner of the Tennessee Department of Financial Institutions (TDFI). “She will also continue to manage the Administrative Division as well as work collectively with me and department leadership to supervise all department operations,” he added. We look forward to working with Tina and share her commitment to a safe, sound system of financial institutions.
Sara M. “Sally” Cline is leaving her post as commissioner of the West Virginia Division of Financial Institutions, effective Aug. 31, to succeed the President and CEO of the WV Bankers Association next year, when that individual retires. No successor to Sally as commissioner has yet been named … Reminder: The hotel cutoff date for the 2015 NASCUS State System Summit is Sept. 19; see the link for more information about the meeting … NASCUS Report is taking a summer break next week; we’ll be back on Sept. 11.
Have a terrific Labor Day Holiday!
Patrick Keefe, Director of Communications, firstname.lastname@example.org or (703) 528-5974
For more information about NASCUS publications, or to obtain permission to reprint a NASCUS publication, please contact NASCUS' Communications Department.