Event Date: July 31 – August 07, 2023
Cybersecurity is everyone’s responsibility: from the Board to frontline staff to the examiner. Not only does cybersecurity remain one of the NCUA’s examination priorities, but the recent SolarWinds compromise and the Microsoft Exchange vulnerabilities stand as reminders of the growing pervasiveness of the cyber threat. A sound cybersecurity strategy requires understanding the risk and tailoring policies and procedures to the credit union’s specific vulnerabilities and operational posture.
Stay informed on the latest cybersecurity developments and learn how to keep your credit union protected at the CUNA Cybersecurity eSchool with NASCUS. Beginning July 31, join us to understand the risks and the procedures to put in place for your credit union’s specific vulnerabilities.
This eSchool is designed for all levels of experience and provides education and training focused on the three pillars of cybersecurity: people, processes, technology. From outsourced service provider relationships to frameworks, ChatGPT to new account and loan fraud, penetration testing to budgeting, don’t miss this dynamic event.
Who Should Attend
This eSchool is beneficial for I.T. and compliance professionals, C-Suite, risk managers and anyone needing cybersecurity training.
Compliance professionals within financial service firms are finding that they need to demonstrate their abilities with new technologies in order to meet regulatory requirements.
The expansion of governance, risk, and compliance responsibilities into new technology-related areas beyond traditional functions has created a new burden for financial service firms’ compliance departments, and placed new demands on the skills of compliance professionals.
The intersection of compliance with technology has created a need for expertise and essential coordination across firms in areas such as artificial intelligence, big data, data privacy, cybersecurity, and algorithmic trading, to name just a few.
Financial service firms must now fully integrate these technologies and demonstrate that the activities employing them meet regulatory requirements. For compliance professionals, it has become essential to understand how the technologies work as well as their limitations and vulnerabilities. It can even help to know the computer code that went into creating them.
Several recent enforcement cases and regulatory initiatives underscore the need for compliance departments to become more tech savvy by taking steps that include technical coordination across the company, embedding technologists within compliance teams, or increasing the tech skills of individual compliance professionals.
DOJ emphasis on data
Deputy Attorney General Lisa Monaco gave a speech last month outlining ambitious plans being embraced by the Department of Justice (DOJ) to fight corporate misconduct. Among the principles, there was significant emphasis placed on the need to demonstrate an overall compliance culture.
The DOJ made clear in its compliance program guidelines released in 2020 that prosecutors should evaluate whether companies have a “data-driven compliance program” to detect potential misconduct and to monitor the effectiveness of their compliance policies. Monaco expanded on that in her speech and in an accompanying memo to federal prosecutors.
In evaluating whether a compliance program is “adequately resourced and empowered,” the DOJ said in 2020, prosecutors should consider the following questions:
“Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
The emphasis on “access” to data can be viewed as a signal that the DOJ needs to see people with skills in place to analyze, monitor, and interpret such data on the part of compliance departments.
Regulators’ emphasis on monitoring communications
The new policies put forth in Monaco’s memo also focus on monitoring the use of personal devices and third-party messaging platforms — a demanding technology task. “The ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation,” the memo stated. “The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge.”
Other financial regulators have pursued similar priorities. In December last year, JPMorgan Chase & Co.’s securities unit was slapped with a $200 million penalty over data retention violations related to the use of personal communications and messaging devices. The Securities and Exchange Commission (SEC) imposed a $125 million share of the fine, and the Commodity Futures Trading Commission (CFTC) claimed the remaining $75 million.
The JPMorgan case represented the largest-ever fine for record-keeping violations related to communications reviews. It was followed up last week with an announcement by the SEC and CFTC of similar case settlements involving 16 other large financial institutions, which were fined $1.1 billion and $710 million by the agencies, respectively.
In the release announcing the settlements, the SEC said employees of the penalized firms had routinely communicated about business matters using text messaging applications on their personal devices. “The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws,” the SEC stated. “The failings occurred across all of the 16 firms and involved employees at multiple levels of authority, including supervisors and senior executives.”
Compliance takeaways
The rapidly changing and growing compliance, risk, and audit responsibilities stemming from technology innovation require compliance departments to examine their own expertise, capabilities, and skill requirements.
The 2022 Cost of Compliance Survey, published by Thomson Reuters Regulatory Intelligence, showed frustration that, despite compliance departments’ widening responsibilities, staff numbers are unlikely to grow as staff costs increase and financial service firm budgets remain tight. Therefore, outsourcing, technology, and regulatory technology may step in to plug some of the gaps. Still, there will be a growing need for compliance professionals within firms to become more sophisticated in order to better steer the type of changes required by the new technologies.
As the Compliance Survey noted: “Of the 66% of respondents who expect the cost of senior compliance staff to increase in the next 12 months, nearly half (47%) gave the demand for skilled staff and knowledge as the top reason.”
Although the use of outsourcing and third-party management has been a popular strategy for many firms due to the complexities of software development, cloud computing, and data privacy and storage, regulators still expect compliance departments to have a thorough understanding and knowledge to oversee and “own” these outsourced functions.
Courtesy of Todd Ehret, Senior Regulatory Intelligence Expert, Thomson Reuters
Globally, over half of all passwords are reused, putting personal and corporate data at risk.
After analyzing hundreds of millions of anonymous data points, privacy firm Dashlane released a report on password health.
The average password health score globally falls within the “needs improvement” range, meaning that passwords might be weak, compromised, or reused.
In fact, the report found that globally 51% of passwords are reused. An average person in the US has 70-80 online accounts, so one compromised password could lead to dozens of hacked accounts.
What is more, nearly 20% of passwords are compromised. Dashlane considers it an incredibly high number, given that an average Dashlane user has around 240 online accounts.
“Passwords are often the weak link in an organization’s or individual’s cybersecurity — in fact, for Basic Web Application Attacks (BWAA), over 80% of breaches can be attributed to stolen credentials,” the report reads.
The company warned that the number of online accounts per person is growing, so password security should be an essential part of an organization’s cybersecurity strategy.
How to protect yourself
If you can remember your password, consider it weak.
“Use unique generated passwords that you cannot pronounce yourself. Another crucial thing is to use multifactor authentication whenever possible. So even if your accounts get breached, you will still have this additional layer of security,” Gediminas Brencius, Head of Product for NordPass, once told Cybernews.
He also suggested using compartments for your information. If you have many different social accounts, you should use a specific email address for those.
Cybernews researchers have also documented the most commonly used passwords. If you noticed that your own personal passwords have similar patterns to the ones we analyzed, we recommend you visit our Data Leak Checker to see if your email address and other personal data has been exposed in a data breach.
And if you don’t want to end up on that list – the largest database of known breached accounts, with more than 15 billion compromised accounts – we also recommend using password managers.
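The three conditions the report counts against password health (weak, reused, compromised) can be checked mechanically over a credential set. The following is an added example, not code from the Cybernews article, Dashlane, or NordPass; the sample vault, the breach-hash set, and the length and entropy thresholds are all constructed assumptions, and the generator illustrates the “unique generated passwords you cannot pronounce” advice.

```python
"""Audit a credential set for weak, reused, and compromised passwords.

Added example. The vault, the breach corpus, and the thresholds below are
constructed for illustration; a real audit would query a breach-check service
and use a stronger strength estimator than character-class entropy.
"""
import hashlib
import math
import secrets
import string
from collections import Counter

# Constructed sample vault: (site, password). Not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "Summer2023!"),
    ("mail.example", "Summer2023!"),
    ("social.example", "Summer2023!"),
    ("shop.example", "password"),
    ("work.example", "xK9#vL2m$pQ7wR4tZn8b"),
]

# Constructed stand-in for a breach corpus: SHA-1 digests of leaked passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")
}


def estimate_entropy_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(size of character pool used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def is_weak(pw: str, min_len: int = 12, min_bits: float = 60.0) -> bool:
    """Assumed policy: weak if shorter than min_len or below min_bits entropy."""
    return len(pw) < min_len or estimate_entropy_bits(pw) < min_bits


def is_compromised(pw: str) -> bool:
    """Check the password's SHA-1 against the (constructed) breach set."""
    return hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1


def audit_vault(vault):
    """Flag each entry and compute the share of entries using a reused password."""
    usage = Counter(pw for _, pw in vault)
    entries = []
    for site, pw in vault:
        entries.append({
            "site": site,
            "weak": is_weak(pw),
            "reused": usage[pw] > 1,
            "compromised": is_compromised(pw),
        })
    reused = sum(1 for e in entries if e["reused"])
    return {
        "entries": entries,
        "reused_share": reused / len(entries) if entries else 0.0,
        "weak_count": sum(1 for e in entries if e["weak"]),
        "compromised_count": sum(1 for e in entries if e["compromised"]),
        "healthy_count": sum(
            1 for e in entries if not (e["weak"] or e["reused"] or e["compromised"])
        ),
    }


def generate_password(length: int = 20) -> str:
    """Random, unpronounceable password drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for e in report["entries"]:
        print(e)
    print(f"reused share: {report['reused_share']:.0%}")
    print("suggested replacement:", generate_password())
```

Only the `work.example` entry passes all three checks; the three accounts sharing one password make the reuse share 60%, which is the kind of figure the report aggregates across its user base.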
Courtesy of Jurgita Lapienytė, CyberNews.com
Oct. 20, 2022 – The National Credit Union Administration Board held its ninth open meeting—and second in person—of 2022, and approved the agency’s Enterprise Risk Appetite Statement, which helps the agency align risks and opportunities when making decisions and allocating resources to achieve the agency’s strategic goals and objectives.
The NCUA Board was also briefed on the state of the Central Liquidity Facility (CLF) and cybersecurity trends affecting federally insured credit unions and the broader financial system.
Board Approves New Enterprise Risk Appetite Statement
The NCUA Board unanimously approved the NCUA’s new enterprise risk appetite statement prepared by the agency’s Enterprise Risk Management Council. The statement is a management tool that provides guidance from agency leadership to managers and staff on the amount of risk the NCUA is willing to undertake in pursuit of its objectives.
“The enterprise risk appetite statement presented today is part of the NCUA’s overall management approach. And, I am especially pleased that we will have an averse risk appetite when addressing identified safety and soundness concerns at credit unions,” NCUA Chairman Todd M. Harper said. “This means we will be risk-focused and ready to act expeditiously if needed. I also appreciate that through this statement we will remain focused on ensuring compliance with and enforcement of federal consumer financial protection laws and regulations at credit unions.”
The NCUA’s Enterprise Risk Management Council developed a risk appetite statement through careful consideration and evaluation of the risks the agency faces and focused on achieving several programmatic goals, which included:
- Communicating guidelines about the levels of risk the NCUA is willing to accept in pursuit of its mission and goals;
- Promoting consistency in understanding, measuring, and managing risk across the enterprise;
- Informing agency responses to risks and decision-making to balance limited time and resources; and
- Driving a more risk-aware culture.
Briefing Highlights Central Liquidity Fund’s Status for 3rd Quarter
The Central Liquidity Facility President briefed the NCUA Board on the status of the Central Liquidity Fund as of September 30, 2022. The briefing covered liquidity and contingency funding plans, liquidity sources and needs, CLF advances, and membership requirements. The CLF president also discussed enhancements to the CLF’s processes and structures to ensure it can serve as an effective liquidity backstop for the credit union system should the need arise.
Said Chairman Harper, “The CLF is a vital source of emergency liquidity within the credit union system. However, the pending expiration of the temporary CLF enhancements authorized by Congress at the start of the COVID-19 pandemic remains a very real concern. While we are grateful to Congress for allowing the CLF enhancements of the last few years, there is a real need to keep in place the ability of corporate credit unions to serve as a CLF agent for a subset of their members. That authority will allow us to provide emergency liquidity quickly when needed.”
Financial highlights for the CLF in the third quarter include:
- $1.243 billion in total assets;
- $1.1 million in year-to-date net income;
- $40.5 million in retained earnings;
- A 2.24 percent dividend was paid to members of the CLF in the third quarter;
- 3,991 corporate credit unions and consumer credit unions have access to the CLF; and
- $29.1 billion in borrowing authority for the CLF.
The Central Liquidity Facility is an NCUA-operated, mixed-ownership government corporation that was created to improve the general financial stability of credit unions by serving as a liquidity lender to credit unions experiencing unusual or unexpected liquidity shortfalls. Member credit unions own the CLF, which exists within the NCUA. The CLF’s President manages the facility under the oversight of the NCUA Board.
Cybersecurity Threats Continue, NCUA Launches ISE Program at Year-end
Ransomware, cloud migration, and distributed denial-of-service attacks are contributing to a dynamic threat landscape that creates evolving risks for federally insured credit unions, according to a briefing provided to the NCUA Board by the agency’s Critical Infrastructure Division. Additionally, rising geopolitical tensions continue to increase the potential for cyberattacks on the financial system and other parts of the nation’s critical infrastructure.
“Each of us — the NCUA, state supervisory authorities, vendors, and credit unions — has a responsibility to protect our systems, improve our ability to recover from incidents, educate our teams, share information, and report and address potential vulnerabilities,” Chairman Harper said. “Our chain is only as strong as our weakest link, so we all must be hypervigilant to prevent a catastrophic failure.”
The briefing also outlined good cyber hygiene practices, summarized the NCUA’s proposed cyber incident reporting rule, and provided an update on the NCUA’s Information Security Examination (ISE) Program. This new examination program offers flexibility for credit unions of all asset sizes and complexity levels while providing examiners with standardized review steps to facilitate advanced data collection and analysis. These new examination procedures will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats. The ISE examination procedures will be deployed at the end of 2022.
The NCUA strongly encourages credit unions to strengthen their cybersecurity programs and preparedness and immediately report known details of cyber incidents to the NCUA, the FBI, and the Cybersecurity and Infrastructure Security Agency.
Credit unions are also encouraged to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET. The ACET is an excellent resource for small credit unions or those credit unions with limited resources to take the first steps in understanding their level of cyber preparedness. Additional cyber-related information and resources are available on the NCUA’s cybersecurity resources webpage.
Reimbursing cyber scams
As banks are under pressure to compensate their scammed consumers, rising cybercrime rates translate to rising costs for the industry. More than half (58%) of those who conduct their banking online encounter scams via email or SMS at least once per week, and 23% report having fallen victim to a cyberattack.
Banks currently reimburse authorized push payment (APP) fraud at an average rate of 46%. Although many banking institutions currently refuse reimbursement for online fraud, this is due to change soon; otherwise the situation will backfire. For example, measures supported by the UK government will require banks to reimburse everyone. This is only one illustration of the fact that if banks are to secure their consumers and their business line in 2022, they must prioritize cybersecurity more highly.
To exchange efficient strategies, banks will need to collaborate with governments and industry organizations. The public must continue to get education on preventative measures, but ultimately it is the banks’ responsibility to establish security models that will give them and their clients the greatest level of safety.
Maintain compliance with strict privacy regulations
The use of social engineering and account takeover fraud will increase over the next years. Financial institutions must not only conduct comprehensive data checks beyond document verification at account opening to fight this but also keep track of customer identities throughout the customer lifecycle.
Banks must decide how to manage sensitive personal data like biometrics as GDPR and other privacy regulations are being established throughout the world. As a result, many institutions believe that finding a partner that can protect this sensitive personal information is more practical than modernizing internal systems and processes.
Finally, the public is becoming more concerned about how technology corporations utilize personal data. More difficult questions will be raised as a result, and any responses must pass a strict ethical standard. The application of AI to compliance and fraud will need to be explained by banks. Ascertaining whether their partners and vendors have complete control over the technology they provide will also have an impact on vendor onboarding. Every bank will need to be able to justify decisions made to regulators and the broader public.
Leveraging AI to combat cyber fraud
Instead of being a subset of financial crime, banking fraud now coexists with ransomware, phishing, and other types of cybercrime. Fraudsters are functioning methodically, getting more skilled at spotting loopholes in the automated systems that financial institutions are putting in place, and getting better at learning through repetition.
For example, banks and mortgage lenders have started to link more of their fraud charges to the fact that their clients are doing more transactions using mobile banking apps. According to a LexisNexis survey, more than half of the respondents who worked for US banks and credit lenders say that mobile channel fraud has increased by 10% or more this year.
Today’s fraudsters collaborate with criminal gangs that provide crime as a service. As a result, frauds and forgeries become increasingly sophisticated, making them impossible for humans to detect without artificial intelligence (AI) to support their decision-making.
Decentralized currencies are at the center of attacks
Meanwhile, cryptocurrency has become a primary target of cyberattacks. Huge sums of money are frequently present on cryptocurrency exchanges and wallets, making them a powerful attraction for attackers trying to make money from their attacks.
These are sometimes straightforward social engineering attacks, and other times they are far more sophisticated technically. We expect to see more cyberattacks on decentralized currencies given the amount of money that can be stolen in a single successful attack (possibly reaching millions of dollars). For example, in December 2021 criminals stole nearly $200 million from the crypto trading platform Bitmart.
However, we should anticipate law enforcement and governments becoming more actively involved in both the investigation of cryptocurrency attacks and the use of cryptocurrency vulnerabilities. For example, government agencies like the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) may try to regulate cryptocurrencies more strictly, as they regulate traditional currencies.
Attacks bypassing MFA
Although multi-factor authentication is a prerequisite for strong customer authentication, the latest attacks against Cisco and Uber have clearly demonstrated that fraudsters can bypass MFA. Using sophisticated tactics and tools like auto-diallers, criminals have managed to intercept one-time passwords (OTPs) and compromise banking accounts. By automating the process and creating what is known as MFA fatigue, they force customers to give up OTPs to malicious bots.
OTP interception is now trivial compared to what it has been historically, and that innovation fundamentally shifts the economics in favor of the attackers. The LexisNexis report highlighted this concern, saying that balancing fraud detection with customer friction is a top challenge for banks. Banks need to embrace phishing-resistant MFA methods that eliminate the risk of being defrauded while offering a superb customer experience across all use cases and authentication journeys.
A bigger attack surface and higher attack sophistication levels are a result of the rising use of complicated technologies and interaction with third-party systems. Today, maintaining a strong cybersecurity posture entails more than merely defending sensitive systems and data from damaging external attacks. Additionally, it entails better data privacy, identity protection, and vulnerability management. Banks and financial institutions can outsource part of the burden of staying compliant with regulations and securing customer financial data by partnering with a trusted managed services provider. These companies aggregate experience and expertise to help banking institutions stay one step ahead of their adversaries.
CFPB Weighs in on Data Security; Will Firms with Poor Security Be in the Crosshairs?
Friday, October 14, 2022 | 1:00 – 2:00 p.m. ET
There is no cost for this webinar.
Program Description
In the late summer, the Consumer Financial Protection Bureau (CFPB) issued a circular that concluded in no uncertain terms that insufficient data protection or information security could be considered an unfair practice under the Consumer Financial Protection Act. Circulars are general statements of policy circulated to other agencies, state and federal, that have overlapping authority with the CFPB to enforce federal consumer financial law, such as the Federal Trade Commission (FTC), Department of Justice, and state attorneys general, to name a few.
The CFPB specifically called out the need to implement specific “cost-efficient measures to protect consumer data”: multi-factor authentication, password management, and timely software updates. Additionally, the new Safeguards Rule enforced by the FTC remains the primary federal source of affirmative requirements for nonbanks. Join lawyers from Venable’s Financial Services Group and cybersecurity experts from the firm’s Cybersecurity Risk Management Group for a webinar that will discuss the impact of this circular and provide a primer on data security measures companies that collect and use consumer data should adopt or enhance.
Speakers
- Andrew E. Bigart, Partner, Venable LLP
- Jeremy A. Grant, Managing Director of Technology Business Strategy, Venable LLP
- Alexandra Megaris, Partner, Venable LLP
- Ross B. Nodurft, Senior Director of Cybersecurity Services, Venable LLP
CLE Accreditation
This activity has been approved for Minimum Continuing Legal Education credit by the State Bar of California in the amount of one hour, of which one hour applies to the general credit requirement, by the State Bar of New York in the amount of one credit hour, of which one credit hour can be applied toward the areas of professional practice credit requirement, and by the MCLE Board of the Supreme Court of Illinois in the amount of one credit hour, of which one credit hour can be applied toward the general credit requirement. Venable certifies this activity conforms to the standards for approved education activities prescribed by the rules and regulations of the State Bar of California, State Bar of New York, and MCLE Board of the Supreme Court of Illinois, which govern minimum continuing legal education. Venable is a State Bar of California, State Bar of New York, and MCLE Board of the Supreme Court of Illinois accredited MCLE provider. This program is appropriate for both experienced and newly admitted attorneys.
Courtesy of Zack Needles, Credit Union Times
Like malware and computer viruses themselves, the consequences of cyberbreaches have a way of spreading in unpredictable ways.
A recent ransomware attack on third-party payroll and timekeeping software provider Kronos has led to several wage-and-hour class actions in recent weeks against everyone from PepsiCo to The Giant Company, alleging that the hack resulted in overtime pay violations for hourly workers.
As of April 6, there have been seven lawsuits (most in April, though a few were filed in late March) all stemming from the December 2021 cyberattack on Kronos.
While plenty has been written about potential cyber liability exposure for companies whose vendors are compromised, this latest crop of litigation shows how third-party cyberbreaches can also lead to other causes of action, such as labor & employment claims.
All of the complaints allege that hourly employees were shorted on overtime pay as a result of the Kronos breach.
Johnson Controls International, an Ireland-headquartered building equipment manufacturer, was sued April 3 in the Eastern District Court for the District of Wisconsin on behalf of a putative class of current and former non-exempt hourly employees. The case is Henderson v. Johnson Controls, Inc.
Frito-Lay North America Inc., a subsidiary of PepsiCo, was sued April 4 in the U.S. District Court for the Eastern District of Texas. The suit was filed on behalf of a putative class of current and former non-exempt hourly employees.
PepsiCo itself has been sued three times so far:
- First, it was sued March 23 in the U.S. District Court for the Southern District of New York on behalf of a class of current and former non-exempt hourly employees.
- Then, it was sued in the U.S. District Court for the Central District of California on March 30 on behalf of a class of current and former non-exempt hourly employees.
- It was also sued on April 4 in the U.S. District Court for the District of New Jersey; the case is Ellis et al v. PepsiCo, Inc.
That same day, a suit was filed against Baptist Health Systems in the U.S. District Court for the Middle District of Florida on behalf of current and former non-exempt hourly employees. The case is Mitchell v. Baptist Health System, Inc.
Also on April 4, The Giant Company LLC, parent company of the Giant supermarket chain, was sued in the U.S. District Court for the Middle District of Pennsylvania, again on behalf of current and former non-exempt hourly employees.
Many of the complaints are very similarly worded, alleging that, after the Kronos breach in December 2021, defendants “could have easily implemented a system for recording hours and paying wages to non-exempt employees until issues related to the hack were resolved,” but didn’t.
Some complaints allege the defendant employer “made the economic burden of the Kronos hack fall on frontline workers—average Americans—who rely on the full and timely payment of their wages to make ends meet.”
Similarly, another complaint read: “[b]ecause PepsiCo could not access Plaintiff’s and the members of the putative Class’ and Collective’s time records during the outage period, and because PepsiCo failed to adopt and have in place a functional back-up plan for recording hourly employee time and timely processing hourly employee payroll, PepsiCo could not—and did not—accurately pay its hourly employees during the outage period.”
The class actions, according to the complaints, seek “to recover the unpaid wages and other damages owed by [defendant] to all these workers, along with the penalties, interest, and other remedies provided by federal and [state] law.”
All but one of the suits allege that, by failing to pay overtime, the defendants violated the Fair Labor Standards Act in addition to various state laws.
The New Jersey suit against PepsiCo, however, only claims violations of the New Jersey State Wage and Hour Law.
The ongoing conflict in Ukraine has raised concerns about potential cyberattacks in the U.S., including those against the financial services sector. All credit unions and vendors, regardless of size, are potential targets for cyberattacks, such as social engineering and phishing attacks, and must remain vigilant. Credit unions should report any cyber incidents to the NCUA, their local FBI field office or the Internet Crime Complaint Center, and the Cybersecurity and Infrastructure Security Agency (CISA).
Phishing is a technique that uses email or malicious websites to solicit personal information or to get victims to download malicious software by posing as a trustworthy entity. Another variant of phishing, known as smishing, uses SMS or other text messaging applications to get victims to click on malicious links to achieve similar goals to email phishing. NCUA’s Risk Alert outlines common indicators to watch out for along with tips to avoid being a victim of phishing.
The NCUA encourages credit unions to review CISA’s Shields-Up website, which provides information about cybersecurity threats, including several resources and mitigation strategies. The NCUA recently created the Automated Cybersecurity Evaluation Toolbox or ACET, a free tool for federally insured credit unions to use when evaluating their levels of cybersecurity preparedness. The ACET is a downloadable, standalone app developed to be a holistic cybersecurity resource for credit unions.
Additional cybersecurity resources are also available at www.ncua.gov/cybersecurity.