Image Image





ii Releases  Tips  Statutes  Regulations  Letters to CUs  Samples  Resources

(Topic may not have all sections)


ii Releases

0149   Disposal of Records

This release describes state and federal law relating to proper disposal of records containing consumer report information or other personal data.

0155   NCUA Guidelines for Safeguarding Member Information & Responding to Unauthorized Access

This release describes the NCUA’s guidance on protecting member information and responding to unauthorized access. See:

  • Exhibit A - Information Security Worksheet.
  • Exhibit B - Sample Policy on Safeguarding Member Information
  • Exhibit C - Sample Response Program for Unauthorized Access to Member Information
  • 0171   Authentication in Internet Banking

    This release applies to all credit unions, state and federal, that allow members to remotely access Internet-based financial services. It describes federal guidance on the identity authentication procedures that credit unions should use.

    Wisconsin Statutes

    134 Miscellaneous Trade Regulations.

    134.98 Notice of unauthorized acquisition of personal information -

    • (1) Definitions.
    • (2) Notice Required.
    • (3) Timing and Manner of Notice; Other Requirements.
    • (3m) Regulated Entities Exempt.
    • (4) Effect on Civil Claims.
    • (5) Request by Law Enforcement Not To Notify.
    • (6m) Local Ordinances or Regulations Prohibited.
    • (7m) Effect of Federal Legislation.

    Letters to Credit Unions

    NCUA: Letter to Credit Unions No. 00-CU-11 - Risk Management of Outsourced Technology Services (December 2000)

    The purpose of this letter is to make you aware of guidance recently released by the Federal Financial Institutions Examination Council (“FFIEC”) to financial institutions regarding risk management of outsourced technology services. If your credit union currently uses, or is considering using, outsourcing relationships for technology services, you should review the enclosed FFIEC guidance paper carefully.

    NCUA: Letter to Credit Unions No. 05-CU-18 - Guidance on Authentication in Internet Banking Environment (November 2005)

    Authentication is the process of verifying a member’s identity using a variety of methodologies and technologies before the member gains access to the system. It is a way to ensure members are who they say they are. A single-factor authentication such as user name and password used as a security control mechanism may not be adequate for high-risk transactions involving access to member information or fund transfers.

    To assist credit unions’ efforts in implementing an appropriate authentication system, the NCUA and other Federal Financial Institutions Examination Council (FFIEC) member agencies have developed authentication guidance.

    To view the enclosure, FFIEC Authentication in an Internet Banking Environment, click here or on the name of the enclosure in the NCUA letter.

    NCUA: Letter to Credit Unions No. 05-CU-20 - Phishing Guidance for Credit Unions and Their Members, (December 2005)

    In our Letter to Credit Unions #04-CU-12 Phishing Guidance for Credit Union Members, we highlighted the need to educate your membership about phishing activities. As the number and sophistication of phishing scams continues to increase, we would like to emphasize the importance of educating your employees and members on how to avoid phishing scams as well as action you and/or your members may take should they become a victim.

    Appendix A of this document contains information you may share with your members to help them from becoming a victim of phishing scams. Appendix B contains information you may share with your members who may have become a victim of phishing scams.

    NCUA: Letter to Credit Unions No. 06-CU-10 - IT Security Compliance Guide (June 2006)

    NCUA recently updated its IS&T Examination Program. The program update results from significant technology changes and revisions to the National Credit Union Administration Rules and Regulations. The new questionnaires replace the e-Commerce I (EC1), e-Commerce II (EC2), and EDP Review (EDPR) used to review a credit union’s overall IS&T systems with more focus on Security, Audit, Information Technology, and Member Services. Examiners will use the IS&T Questionnaire workbook (enclosed) to complete their review. Examiners will tailor their review based on the credit unions risk and use appropriate questionnaires.

    League Resources

    Examiners will assess cybersecurity risks in new pilot program

    Compliance Courier 7/07/14

    The Federal Financial Institutions Examination Council (FFIEC) recently announced that federal regulators, including the NCUA, will begin a cybersecurity pilot program this summer, in which examiners will assess the cybersecurity vulnerabilities and risk mitigation efforts at 500 community financial institutions. About half of the selected institutions will be credit unions, and it is likely that some credit unions in Wisconsin will be involved.

    The vulnerability and risk mitigation assessments will be done during normal examinations, incorporated into the information technology reviews that are already done. Regulators have said that the assessments will not result in any new examination ratings.


    CUNA Mutual Group: Loss Prevention Library

    User ID and password required.

    This library has resources on robbery and burglary, plastic card fraud, payment fraud, workers, safety, disaster planning, etc.

    CUNA Mutual Group: RISK Alerts

    User ID and password required.

    A risk and fraud awareness program that proactively positions the latest credit union risk trends, losses and exposures.

    CUNA: Fraud Trends: New and Repurposed Scams and Schemes. CUNA Councils White Papers, OpSS, September 2013

    CUNA Council members have complimentary access to over 200 white papers (research papers/e-books) from all Councils.

    CUNA: The Smart Card Timeline: Moving From Mag-Stripe to EMV Technology. CUNA Councils White Papers, OpSS, November 2012

    CUNA Council members have complimentary access to over 200 white papers (research papers/e-books) from all Councils.

    FFIEC: Executive Leadership of Cybersecurity - What Today's CEOs Need to Know About the Threats They Don't See, webinar (5/07/14)

    • Current Threats
    • Cyber Risk Management
    • Public/Private Partnerships

    • Matt Biliouris, NCUA
    • Phillip Hinkle, Texas Department of Banking
    • Chris Olson, FRB
    • Bill Nelson, FS-ISAC
    • Doreen Eberley, FDIC

    FFIEC: FFIEC Launches Cybersecurity Web Page and Commences Cybersecurity Assessment, Press Release (6/24/14)

    The launch of this Web page coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations. Information from the pilot effort will assist regulators in assessing how community financial insitutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance, and examiner training.

    FFIEC: FFIEC Promotes Cybersecurity Preparedness for Community Financial Institutions, Press Release (5/07/14)

    The Federal Financial Institutions Examination Council (FFIEC) today highlighted efforts to enhance financial institutions’ cybersecurity during a webinar for approximately 5,000 chief executive officers and senior managers from community financial institutions. The FFIEC offered this webinar to raise awareness about the pervasiveness of cyber threats, discuss the role of executive leadership in managing these risks, and to share actions being taken by the FFIEC.

    FFIEC: FFIEC Supports National Cybersecurity Awareness Month, Press Release (10/02/13)

    The Federal Financial Institutions Examination Council (FFIEC) is pleased to support Cybersecurity Awareness Month, which engages public and private sector partners to raise awareness and educate Americans about cybersecurity and increase the resiliency of the Nation and its cyber infrastructure.

    “Cybersecurity Awareness Month is an opportunity for financial institutions to take stock of their level of understanding of cyber threats and their ability to respond to potential cyber attacks,”said FFIEC Chairman, Comptroller of the Currency Thomas J. Curry. “Keeping ourselves and our country safe from cyber attacks is a shared responsibility.

    FFIEC: Financial Regulators Expect Firms to Address OpenSSL "Heartbleed" Vunerability, Press Release (4/10/14)

    The Federal Financial Institutions Examination Council (FFIEC) members expect financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability. Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.

    FFIEC: Financial Regulators Release Statement on End of Microsoft Support for Windows XP Operating System, Press Release (10/07/13)

    The Federal Financial Institutions Examination Council (FFIEC) today issued a joint statement concerning Microsoft’s discontinuation of support for its Windows XP operating system as of April 8, 2014. The FFIEC agencies expect financial institutions and their technology service providers to identify, assess, and manage the potential operational risks associated with the discontinuation of XP support to ensure that safety and soundness and the ability to deliver products and services are not compromised.

    FFIEC: Financial Regulators Release Statements on Cyber-Attacks on Automated Teller Machine Card, Press Release (4/02/14)

    The Federal Financial Institutions Examination Council (FFIEC) members are issuing statements to notify financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (ATM) and card authorization systems and the continued distributed denial of service (DDoS) attacks on public-facing websites. The statements describe steps the members expect institutions to take to address these attacks and highlight resources institutions can use to help mitigate the risks posed by such attacks.

    FFIEC: Information Security Booklet

    • Introduction
    • Security Process
    • Information Security Risk Assessment
    • Information Security Strategy
    • Security Controls Implementation
    • Security Monitoring
    • Security Process Monitoring and Updating
    • Appendix A: Examination Procedures
    • Appendix B: Glossary
    • Appendix C: Laws, Regulations, and Guidance

    FFIEC: Introduction to the FFIEC’s Cybersecurity Assessment

    The Cybersecurity Assessment builds upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook and other regulatory guidance and also:

    1. Assesses the complexity of an institution’s operating environment, including the types of communication connections and payments initiated, as well as how the institution manages its information technology products and services.

    2. Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:

    • Risk Management and Oversight
    • Threat Intelligence and Collaboration
    • Cybersecurity Controls
    • External Dependency Management
    • Cyber Incident Management and

    FFIEC: IT Examination Handbook InfoBase

    The FFIEC Examiner Education Office created the FFIEC InfoBase, which is a vehicle that enables prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners from the FFIEC member agencies. The IT Handbooks are updated and maintained electronically using the InfoBase vehicle.

    Internet Crime Complaint Center (IC3)

    The IC3 is an FBI - NW3C partnership.

    NCUA: Legal Opinion Letter No. 06-0332 – Components of Security Response Program (April 2006)

    NCUA: Risk Alert to FCUs No. 13-Risk-01 - Mitigating Distributed Denial-of-Service Attacks (February 2013)

    Risk Mitigation - This alert identifies appropriate policies and procedures to guard against DDoS attacks. Such attacks are sophisticated, requiring the vigilance of credit unions offering Internet-based financial services. As the goal of DDoS attacks is causing service outages rather than stealing funds or data, typical network security controls – such as Firewalls and Intrusion Detection and Prevention Systems – may offer inadequate protection.

    Threat Monitoring - Appendix A to Part 748 of NCUA’s Rules and Regulations requires credit unions to monitor systems to detect actual and attempted attacks on or intrusions into member information systems. NCUA also encourages credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center (FS-ISAC),

    ©2005 Wisconsin Credit Union League. All rights reserved.
    Site powered by iMIS.