Compliance Blog

Aug 29, 2014

August 2014 NCUA Report; Top 10 Cyber Security Areas that Examiners Look At; Interagency Guidance Regarding Unfair or Deceptive Credit Practices; Programming Note

Written by Bernadette Clair, Senior Regulatory Compliance Counsel

Last week, NCUA released its August 2014 Report. Featured articles include:

***

Top 10 Cyber Security Areas that Examiners Look At. One of the articles in this month’s NCUA Report that caught my eye lists the top cyber security areas NCUA examiners look at, which include:

“Information Security Policies — Does the credit union have a board-approved Information Security Policy commensurate with the credit union’s size and complexity and that meets the requirements of NCUA Rules and Regulations Part 748?

Risk Assessments — Has management recently performed and documented an information-security risk assessment to identify and assess potential threats, their probability, potential effects, and the existing controls and risk remediation plans the credit union has in place?

IT Audit — Has management developed an audit plan that addresses all IT-related areas appropriate to the size and complexity of the credit union? This audit plan should also include ongoing assessments of internal and external vulnerabilities.

Virus and Malware — Are the network and all critical components, like servers, desktops, laptops and other systems, running updated virus and malware protection software?

Passwords — Does the credit union enforce a strong password policy based on the credit union’s risk assessments that meets or exceeds industry standards? At a minimum, passwords should be at least eight characters with alphanumeric and special characters required for added strength and complexity.

Business Continuity Planning and Disaster Recovery Test — Is the plan sufficient, up-to-date and recently tested?

Patch Management — Do credit union IT personnel manage the installation of all software security patches and updates, and ensure all systems nearing or at the end of their service life are replaced?

Vendor Management — Is there a vendor management policy and program that meets the requirements of NCUA Rules and Regulations Part 748?

Information Security Training — Does the credit union have an ongoing information security awareness program?

Incident Response and Crisis Management — Is there an updated incident response plan that complies with NCUA Rules and Regulations Part 748, Appendix B? Incident response and crisis management plans are essential to an institution’s cyber security program. A credit union’s efficient response and containment of damages can potentially reduce the cost of a breach.”

***

Interagency Guidance Regarding Unfair or Deceptive Credit Practices. NCUA, along with other federal regulators, recently released interagency guidance on the credit practices rules for banks, savings associations and Federal credit unions. The Dodd-Frank Act repealed the rulemaking authority of the NCUA (and others) under the FTC Act, and as a result, the various agencies plan to repeal their versions of the credit practices rule. Note that the FTC’s credit practices rule remains in effect for creditors within the FTC’s jurisdiction.

Despite the repeal of these regulations, the guidance points out that the agencies have supervisory and enforcement authority regarding unfair or deceptive acts or practices, and these could include practices previously addressed in the credit practices rules. From the guidance:

“The Agencies are issuing this statement to clarify that the repeal of credit practices rules applicable to banks, savings associations, and Federal credit unions should not be construed as a determination by the Agencies that the credit practices described in these former regulations are permissible. The regulations were issued on the basis of extensive findings that identified the unfair or deceptive practices prohibited in the rules. The Agencies believe that, depending on the facts and circumstances, if banks, savings associations, and Federal credit unions engage in the unfair or deceptive practices described in these former credit practices rules, such conduct may violate the prohibition against unfair or deceptive practices in Section 5 of the FTC Act and Sections 1031 and 1036 of the Dodd-Frank Act. The Agencies may determine that statutory violations exist even in the absence of a specific regulation governing the conduct.” (Footnotes omitted).

***

Programming Note. NAFCU's office will close at noon today and will also be closed on Monday for the long holiday weekend. We will be back to blogging on Wednesday. Have a great long weekend!