This release applies to all credit unions, state and federal, that allow members to remotely access Internet-based financial services. It describes federal guidance on the identity authentication procedures that credit unions should use.
The purpose of this letter is to make you aware of guidance recently released by the Federal Financial Institutions Examination Council (“FFIEC”) to financial institutions regarding risk management of outsourced technology services. If your credit union currently uses, or is considering using, outsourcing relationships for technology services, you should review the enclosed FFIEC guidance paper carefully.
Authentication is the process of verifying a member’s identity, using one or more methodologies and technologies, before the member is granted access to a system. It is the way an institution ensures that members are who they say they are. Single-factor authentication, such as a user name and password alone, may not be an adequate security control for high-risk transactions, including access to member information and funds transfers.
To assist credit unions’ efforts in implementing an appropriate authentication system, the NCUA and other Federal Financial Institutions Examination Council (FFIEC) member agencies have developed authentication guidance.
The enclosure to the NCUA letter is the FFIEC guidance paper Authentication in an Internet Banking Environment.
In our Letter to Credit Unions #04-CU-12 Phishing Guidance for Credit Union Members, we highlighted the need to educate your membership about phishing activities. As the number and sophistication of phishing scams continues to increase, we would like to emphasize the importance of educating your employees and members on how to avoid phishing scams as well as action you and/or your members may take should they become a victim.
Appendix A of this document contains information you may share with your members to help them avoid becoming victims of phishing scams. Appendix B contains information you may share with members who may already have become victims.
NCUA recently updated its IS&T Examination Program. The update results from significant technology changes and from revisions to the National Credit Union Administration Rules and Regulations. The new questionnaires replace the e-Commerce I (EC1), e-Commerce II (EC2), and EDP Review (EDPR) questionnaires previously used to review a credit union’s overall IS&T systems, with greater focus on Security, Audit, Information Technology, and Member Services. Examiners will use the IS&T Questionnaire workbook (enclosed) to complete their review, tailoring it to the credit union’s risk profile and selecting the appropriate questionnaires.
The Federal Financial Institutions Examination Council (FFIEC) recently announced that federal regulators, including the NCUA, will begin a cybersecurity pilot program this summer, in which examiners will assess the cybersecurity vulnerabilities and risk mitigation efforts at 500 community financial institutions. About half of the selected institutions will be credit unions, and it is likely that some credit unions in Wisconsin will be involved.
The vulnerability and risk mitigation assessments will be done during normal examinations, incorporated into the information technology reviews that are already done. Regulators have said that the assessments will not result in any new examination ratings.
The launch of this Web page coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators during regularly scheduled examinations. Information from the pilot will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are focusing in particular on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance, and examiner training.
The Federal Financial Institutions Examination Council (FFIEC) today highlighted efforts to enhance financial institutions’ cybersecurity during a webinar for approximately 5,000 chief executive officers and senior managers from community financial institutions. The FFIEC offered this webinar to raise awareness about the pervasiveness of cyber threats, discuss the role of executive leadership in managing these risks, and to share actions being taken by the FFIEC.
The Federal Financial Institutions Examination Council (FFIEC) is pleased to support Cybersecurity Awareness Month, which engages public and private sector partners to raise awareness and educate Americans about cybersecurity and increase the resiliency of the Nation and its cyber infrastructure.
“Cybersecurity Awareness Month is an opportunity for financial institutions to take stock of their level of understanding of cyber threats and their ability to respond to potential cyber attacks,” said FFIEC Chairman, Comptroller of the Currency Thomas J. Curry. “Keeping ourselves and our country safe from cyber attacks is a shared responsibility.”
The Federal Financial Institutions Examination Council (FFIEC) members expect financial institutions to apply patches to systems, services, applications, and appliances that use OpenSSL, and to upgrade those systems as soon as possible to address the vulnerability. Because the flaw may have exposed key material, institutions should consider replacing private keys and X.509 certificates for each affected service after the patch is applied, and consider requiring users and administrators to change passwords after patching. Institutions relying on third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.
The Federal Financial Institutions Examination Council (FFIEC) today issued a joint statement concerning Microsoft’s discontinuation of support for its Windows XP operating system as of April 8, 2014. The FFIEC agencies expect financial institutions and their technology service providers to identify, assess, and manage the potential operational risks associated with the discontinuation of XP support to ensure that safety and soundness and the ability to deliver products and services are not compromised.
The Federal Financial Institutions Examination Council (FFIEC) members are issuing statements to notify financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (ATM) and card authorization systems and the continued distributed denial of service (DDoS) attacks on public-facing websites. The statements describe steps the members expect institutions to take to address these attacks and highlight resources institutions can use to help mitigate the risks posed by such attacks.
The Cybersecurity Assessment builds upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook and other regulatory guidance and also:
1. Assesses the complexity of an institution’s operating environment, including the types of communication connections and payments initiated, as well as how the institution manages its information technology products and services.
2. Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:
• Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
The FFIEC Examiner Education Office created the FFIEC InfoBase, which is a vehicle that enables prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners from the FFIEC member agencies. The IT Handbooks are updated and maintained electronically using the InfoBase vehicle.
Risk Mitigation - This alert identifies appropriate policies and procedures to guard against DDoS attacks. Such attacks are sophisticated and require the vigilance of credit unions offering Internet-based financial services. Because the goal of a DDoS attack is to cause a service outage rather than to steal funds or data, typical network security controls such as firewalls and intrusion detection and prevention systems may offer inadequate protection; traffic that is individually legitimate can still exhaust capacity in aggregate.
Threat Monitoring - Appendix A to Part 748 of NCUA’s Rules and Regulations requires credit unions to monitor systems to detect actual and attempted attacks on or intrusions into member information systems. NCUA also encourages credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center (FS-ISAC), http://www.fsisac.com.
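The two paragraphs above make a pair of points: a DDoS flood can consist of requests a firewall or IDS sees nothing wrong with, and the regulation nonetheless expects the credit union to detect attacks on its member-facing systems. The following is an added example (not code from the NCUA alert) of monitoring at the application layer, where the outage actually manifests: it parses web-server access logs in Common Log Format, buckets requests into fixed windows, learns a baseline from the first few windows, and alerts when a window's request count is a multiple of that baseline, reporting the distinct source count and busiest path so an analyst can tell a distributed flood from one noisy client. The log lines are constructed for the demo; the window size, baseline length and multiplier are assumptions to be tuned against real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return a record dict, or None for lines that are not CLF (skip, don't crash)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def bucketize(lines, window: int = 10):
    """Group records into fixed windows keyed by the window's start epoch second."""
    buckets = defaultdict(lambda: {"requests": 0, "ips": set(), "paths": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = int(rec["ts"].timestamp()) // window * window
        b = buckets[key]
        b["requests"] += 1
        b["ips"].add(rec["ip"])
        b["paths"][rec["path"]] += 1
    return buckets


def detect_floods(lines, window: int = 10, baseline_windows: int = 3,
                  multiplier: float = 5.0, min_requests: int = 20):
    """Alert on windows whose volume exceeds multiplier x the mean of the first
    baseline_windows windows (and an absolute floor, so a quiet site's baseline of
    near-zero does not alert on a handful of requests)."""
    buckets = bucketize(lines, window)
    keys = sorted(buckets)
    if len(keys) <= baseline_windows:
        return []
    baseline = sum(buckets[k]["requests"] for k in keys[:baseline_windows]) / baseline_windows
    threshold = max(multiplier * baseline, float(min_requests))
    alerts = []
    for k in keys[baseline_windows:]:
        b = buckets[k]
        if b["requests"] > threshold:
            alerts.append({
                "window": datetime.fromtimestamp(k, timezone.utc).isoformat(),
                "requests": b["requests"],
                "threshold": threshold,
                "distinct_ips": len(b["ips"]),   # many sources => distributed
                "top_path": b["paths"].most_common(1)[0][0],
            })
    return alerts


# Constructed sample log: three quiet windows, then a flood of /login from 40 sources.
_BASE = datetime(2014, 4, 10, 13, 55, 0, tzinfo=timezone.utc)


def _fmt(ts: datetime) -> str:
    return ts.strftime("%d/%b/%Y:%H:%M:%S %z")


def build_sample_log():
    lines = ["this line is not an access log entry and must be skipped"]
    for w in range(3):                       # quiet windows: 4 requests each from 3 members
        for i in range(4):
            ts = _BASE + timedelta(seconds=w * 10 + i * 2)
            lines.append(f'203.0.113.{i % 3 + 1} - - [{_fmt(ts)}] "GET /balance HTTP/1.1" 200 1043')
    for i in range(60):                      # flood window: 60 POSTs from 40 distinct sources
        ts = _BASE + timedelta(seconds=30 + i % 10)
        lines.append(f'198.51.100.{i % 40 + 1} - - [{_fmt(ts)}] "POST /login HTTP/1.1" 503 0')
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

In production the baseline would come from a rolling history rather than the first three windows of the file, and the alert would feed the incident process the alert describes, including a call to the upstream provider or scrubbing service, since the web tier cannot shed a volumetric flood on its own. The distinct-source count is the field to look at first: a single IP exceeding the threshold is a candidate for a firewall block, while dozens of sources per window is the pattern that motivates the point that perimeter controls alone are inadequate.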