Cybercriminals are known for targeting the financial system in an effort to defraud financial institutions and their members. You play an important role in protecting your credit union from this threat. Compliance can serve as a valuable resource in helping management execute the credit union’s incident response plan.
Establishing compliance’s role in incident response is essential and should happen before a breach occurs. The role, expectations and resources should be reviewed on a regular basis. Below is a summary of expectations and regulatory guidance to help you review your program for compliance. Use the results of your review to improve policies and procedures accordingly.
The Gramm-Leach-Bliley Act (GLBA) and Part 748 of the NCUA’s regulations require federally insured credit unions to:
- Ensure the security and confidentiality of member information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.
Appendix B to NCUA’s Part 748 provides guidance on response programs for unauthorized access to member information. Appendix B requires every federally insured credit union to develop and implement a “risk-based” response program designed to address incidents of unauthorized access to member information the credit union or its service provider(s) maintain. So, Appendix B would apply if the credit union or its service provider’s information systems were hacked into but would not apply if a member directly disclosed his account information to a third party (e.g., fraudulent website).
When a credit union becomes aware of an incident of unauthorized access to “sensitive member information,” the credit union must conduct a reasonable investigation to promptly determine the likelihood the information has been or will be misused.
Sensitive member information includes:
- A member’s name, address, or telephone number used in conjunction with the member’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account.
- Any combination of components of member information that would allow someone to log onto or access the member’s account, such as user name and password or password and account number.
The credit union’s response program also must include procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member. The notice is a key component of the guidance that enables the member to take steps to prevent identity theft when sensitive information has been compromised.
At a minimum, a credit union’s response program should include procedures for:
- Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused;
- Notifying the appropriate NCUA regional director or applicable state supervisory authority as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of “sensitive” member information;
- Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR) in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is continuing;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence; and
- Notifying members when warranted.
It’s the credit union’s responsibility to notify its members and regulator when an incident of unauthorized access involves member information systems maintained by a service provider. The credit union may contract with its service provider to notify the credit union’s members or regulator on its behalf.
When a credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member(s) as soon as possible. A credit union can notify only certain members if it can determine whose data were accessed improperly. If the credit union is unable to identify whose information has been accessed, it should notify all members in the group of files in question.
The credit union may deliver the notice in “any manner designed to ensure that a member could reasonably be expected to receive it.” Therefore, the credit union may choose to contact affected members by mail, telephone, or by e-mail for those who have valid e-mail addresses and have agreed to receive communications electronically.
Member notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the credit union with a written request for the delay. But the credit union should notify its members as soon as member notification will no longer interfere with the investigation.
The content of the member notice should be given in a “clear and conspicuous” manner, explain the incident in general terms, and:
- Describe the type of member information that was the subject of unauthorized access or use;
- Describe generally what the credit union has done to protect the members’ information from further unauthorized access;
- Include a telephone number that members can call for further information and assistance; and
- Inform members of the need to remain vigilant during the next 12 to 24 months, and to promptly report to the credit union incidents of suspected identity theft.
The notice also should include the following, when appropriate:
- A recommendation that members review account statements and immediately report any suspicious activity to the credit union;
- A description of fraud alerts and an explanation of how members may place fraud alerts in their consumer reports to put creditors on notice that they may be fraud victims;
- A recommendation that members periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
- An explanation of how members may obtain a free credit report; and
- Information about the availability of the Federal Trade Commission’s (FTC) online guidance regarding steps consumers can take to protect against identity theft. The notice should encourage members to report any incidents of identity theft to the FTC and should provide the FTC’s website address and toll-free number to access the identity theft guidance and report suspected incidents of identity theft.
NCUA encourages credit unions to notify nationwide consumer reporting agencies prior to sending notices that include their contact information to a large number of members.
Part 748’s Appendix B applies only to member information systems within the control of the credit union or its service provider. But if a substantial number of members’ card numbers are stolen via a merchant breach, the steps outlined above are usually the same, including letting your members and regulator know what has occurred.
To read more on cyber event expectations, see the NCUA expectations and the FinCEN Advisory. Also see the recent National Terrorism Advisory Bulletin addressing current terrorism threats to the U.S. Homeland and how cyber attacks could be used as a weapon.
This information was originally published in InfoSight.