September 14, 2015. David A. Reed, Attorney at Law, Reed & Jolly, PLLC, (703) 675-9578.

Presentation transcript:

1 September 14, 2015

2 David A. Reed, Attorney at Law, Reed & Jolly, PLLC, david@reedandjolly.com, (703) 675-9578

3 The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such.

4
 Updates on NCUA and FFIEC guidance on cybersecurity
 Break down the FFIEC Assessment Tool
 The role of the Board and Executive Management in developing and maintaining a cybersecurity program
 Tips on developing an effective policy

5 Risk Appetite / De-Risking

6
 Increasing volume and sophistication of cyber threats
 Existing cyber security vulnerabilities are known
 New remote platforms create new opportunities for cyber attacks
 Bad guys evolve as they observe online behavior
 Evolving malware risks
 Government-sponsored cyber attacks

7
 January 15, 2015, NCUA Letter No. 15-CU-01 provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015
 The first item in the guidance letter: Cybersecurity
 “In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.”

8
 The guidance letter identified 6 “proactive measures credit unions can take to protect their data and their members:
◦ encrypting sensitive data;
◦ developing a comprehensive information security policy;
◦ performing due diligence over third parties that handle credit union data;
◦ monitoring cybersecurity risk exposure;
◦ monitoring transactions; and,
◦ testing security measures.”

9
 The FFIEC comprises key representatives of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee (for state banks and credit unions)
 When they speak, our world listens!

10
 Goal is to help institutions identify their risks and determine their cybersecurity preparedness (maturity)
 The Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time
 Draws on other sources, including:
◦ FFIEC Information Technology (IT) Examination Handbook
◦ National Institute of Standards and Technology (NIST) Cybersecurity Framework

11
 The Assessment Tool consists of two parts
1. Inherent Risk Profile
2. Cybersecurity Maturity
 Make sure you have ALL the tools before you initiate the assessment
◦ Assessment Tool
◦ User’s Guide
◦ Overview for CEOs and Boards
◦ CS Maturity Scale and Inherent Risk Profiles
◦ Appendices A and B

12
 To complete the Assessment, management first assesses the credit union’s Inherent Risk Profile based on five categories:
◦ Technologies and Connection Types
◦ Delivery Channels
◦ Online/Mobile Products and Technology Services
◦ Organizational Characteristics
◦ External Threats

13
 After determining the Inherent Risk Profile, the credit union transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains:
◦ Domain 1: Cyber Risk Management and Oversight
◦ Domain 2: Threat Intelligence and Collaboration
◦ Domain 3: Cybersecurity Controls
◦ Domain 4: External Dependency Management
◦ Domain 5: Cyber Incident Management and Resilience

14
 Part 748 Security Program
 Part 748.1 Filing of Reports
◦ Compliance Report
◦ Catastrophic Act
◦ Suspicious Activity Report
 Part 748.2 BSA Compliance
◦ Establish a compliance program
◦ CIP
 Appendix A Safeguarding Member Information
 Appendix B Response Program – Unauthorized Access

15
 Gramm-Leach-Bliley Act (1999)
◦ Required the NCUA Board to establish appropriate standards for federally-insured credit unions relating to administrative, technical, and physical safeguards for member accounts and information
 Insure the security and confidentiality of member records and information
 Protect against any anticipated threats or hazards to the security or integrity of such records
 Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any member

16
 NCUA Regulation Part 748
◦ Appendix A
 Requirement to establish and implement administrative, technical and physical safeguards to protect the security, confidentiality and integrity of member information

17
 NCUA Regulation Part 748
◦ Appendix B
 Requirement of a CU response in the face of unauthorized access to member information, including potential notification of the member and the regulator

18
 NCUA Regulation Part 748
◦ CU responsible to fully implement an information security program by July 1, 2001.
◦ CU must monitor the plan and update the plan
◦ The risk assessment must be updated as necessary, to account for system changes before they are implemented or new products or services before they are offered

19
 The Board is responsible for satisfying the specific requirements of the regulation designed to ensure that the information security program is developed, implemented, and maintained
◦ Approve the written information security program (signed off by the Board)
◦ Oversee implementation and maintenance of the program
 Assign specific responsibility for implementation
 Review management reports
Source: Part 748, Appendix A, Section III.A.

20
 NCUA Regulation 701.4(b)
◦ A director has a duty to
 Direct management’s operations of the Federal credit union in conformity with the requirements set forth in the Federal Credit Union Act, this chapter, other applicable law, and sound business practices.

21 “The chairperson of the Credit Union’s Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union’s election of officials.” Source: NCUA CU Profile Form 6/14

22 I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf.

______________________________________________
VOLUNTEER’S NAME HERE

23
 Not all breaches can be prevented
 If there is a breach, the CU’s security program will come under close scrutiny
 The Board will ultimately be held responsible for a deficient security program!

24 Questions?
