Consider the following riddle. What do the Department of Defense, J.P. Morgan Chase and the FDIC all have in common? The answer is, most regrettably, that each of these organizations has had a breach of their information technology (IT) systems that compromised individuals’ nonpublic personal information.
As is well appreciated, IT security must always be an operational area that stays top of mind for a credit union board member or member of management. NCUA makes this point perfectly clear in its rules and regulations.
It is critical that those charged with the institution’s operations fully understand the breadth of their obligations to safeguard member information. NCUA provides clear and well-defined guidance in its rules at Part 748, Appendices A and B.
Appendix A, ‘Guidelines for Safeguarding Member Information’, lays out a ‘road map’ of the areas that must be addressed in establishing an IT protective shield. Importantly, these obligations cover not only the credit union’s own operations (assessing, managing and controlling risk; updating the program; and involving and reporting to the board of directors) but also the third-party providers that carry out IT programs on the credit union’s behalf.
Appendix B, ‘Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice’, establishes a credit union’s responsibilities to limit the exposure of information when a breach of the security program appears to have occurred or has occurred, as well as its duties to notify NCUA and those who may have been adversely affected by the breach.
In carrying out the responsibilities associated with protecting institutional information, there are any number of written resources from which to glean information. Among them are those published by NCUA, such as the NCUA Examiner’s Guide, and the Federal Financial Institutions Examination Council (FFIEC) InfoBase.
Beyond the resources available is the need to have a single professional responsible for the credit union’s IT security program. IT security is a complex, highly sophisticated area demanding that one individual stay on top of an institution’s practices and actions. That person must stay informed, ensure the implementation of sound programs and be prepared to provide knowledge and leadership should a problem arise.
Keep in mind also that beyond the vast array of potential legal violations, data breaches are expensive in their own right. The IBM 2015 Study on the Cost of Data Breaches estimated that the average consolidated cost of a data breach is $3.8 million.
Whether a credit union is large or small, information technology supports the environment in which financial services are provided to its members. Indeed, members look to the convenience such an environment creates. There is no room for flaws within the IT program.