National Credit Union Administration's Gigi Hyland on Information Security at Credit Unions
RICHARD SWART: Hi. This is Richard Swart, Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today, we’ll be speaking with Gigi Hyland, who was appointed by President George W. Bush to a seat on the National Credit Union Board effective November 18, 2005. Her term expires on August 2, 2011. When nominated to the NCUA Board, she served as the Senior Vice President and General Counsel for Empire Corporate Federal Union in Albany, New York. She previously served concurrently as Vice President, Corporate Credit Union Relations at the Credit Union National Association and Executive Director for the Association of Corporate Credit Unions. Good morning, Gigi.
GIGI HYLAND: Good morning, Richard. How are you?
RICHARD SWART: Doing well. Among our audience, we have some of the very largest credit unions as well as ones with only a handful of employees. Could you provide us with some pointers on what is important to the NCUA from an information security point of view?
GIGI HYLAND: Sure, absolutely. This is an incredibly important topic for credit unions because things are changing, as you know, every day in technology, and I think that credit unions can do a number of things to maintain information security and the risk management processes. And I think it really starts with ensuring that the credit union has a written security policy which they review and revise periodically. Using that as a base, it’s really important for credit unions to complete and annually review the credit union’s risk assessment, to make sure that they’ve correctly and holistically assessed not only the internal but also the external threats which could compromise member information. In addition to that, credit unions should ensure that there are access restrictions on sensitive data and facilities. Encryption is another key component that credit unions need to consider. Making sure, in other words, that sensitive member information either in transit or in storage is encrypted. Dual control procedures are important to implement that include segregating duties, making sure that employee background checks not only are updated but that they’re reviewed. Monitoring systems to detect unauthorized access to sensitive information are all key components. And then training staff is critical; making sure that front line staff all the way through to IT staff understand the risk, understand their role in monitoring and assessing and preventing the risks to the system. And you know, that’s – in addition to that obviously, the Board of Directors has a key role here. The Board of Directors has to review and receive an annual report on security which describes the overall status of the security program, and that’s contained in NCUA’s Rules and Regulations under Part 748.
As part of that, the Board should really be made aware of any material matters that are related to their security, such as either changes in the risk assessment analysis, or changes in service provider arrangements. In other words, if a data processing vendor is being switched out, what does that mean to the overall risk of the institution from a data security perspective? And then what are the results of the testing; have there been any security breaches or violations, and what have been management’s responses and recommendations for changes in the information security program? So, credit unions need to take a very holistic view of data security and really turn the organization inside out and look at all of the possible contact points and internal threats, and evaluate and have policies and procedures in place to try to address those.
RICHARD SWART: I’d like for you to focus on external threats for a second. Many credit unions, and banks for that matter, depend on third parties for a range of services. What does the NCUA do to protect this industry from breaches at these third parties?
GIGI HYLAND: One thing that’s interesting to note is, unlike our sister agencies in the FFIEC, NCUA does not have third party vendor examination authority. We did have that authority during Y2K to make sure that the data processing vendors and other vendors that credit unions utilized were Y2K compliant and in fact were ready for the century date change. But that authority, which was a legislative authority, actually expired. So, NCUA no longer has that. What NCUA does do from a perspective of protecting credit unions is, obviously, NCUA is a member of the FFIEC, and through the FFIEC participates in several examinations of major third party vendors, like American Express, Visa, MasterCard. And NCUA is part of that review. So, as NCUA looks at credit unions and credit unions’ investments in credit union service organizations, really NCUA’s only authority is to look at the books and records and financial statements not only of the credit union but also of those credit union service organizations that those credit unions may be invested in. In addition to that, the FFIEC has a written protocol with those major groups, again like Amex, MasterCard, and Visa, regarding breaches so that if there is a major breach all the agencies become aware at the same time of potential threats to the particular institutions that they regulate. In addition to that, the FFIEC has an event communications protocol, meaning that if one particular agency is seeing issues with a particular vendor, that’s communicated to all of the other regulatory agencies so that we have a heads-up on potential threats to the institutions that we regulate.
RICHARD SWART: Well, given that background information, what would you expect the actual credit unions to do in regard to managing their third party relationships in addition to what the NCUA is doing?
GIGI HYLAND: I would call credit unions’ attention to all of the letters – not only to credit unions but also to federal credit unions – that we’ve issued, and they’re organized pretty common sense, I guess, on our website in terms of looking at due diligence of third party service providers. There’s one letter in particular that I’ll refer you to – it’s 01-CU20 and it’s called exactly that – Due Diligence over Third Party Service Providers. And in terms of what’s expected from credit unions, the main umbrella is a due diligence review. And what that means is that a credit union has got to think about whether whatever proposed activity they’re about to engage in is consistent with the credit union’s overall business strategy and its risk tolerances. And then from there, it means, as part of the due diligence review, doing what I think are fairly common sense things like doing a background check on the vendor: what’s been other credit unions’ or other financial institutions’ experience with that vendor? Do a legal review; have the attorney or the credit union’s attorney take a look at the contract and make sure that it’s a win-win and that it’s an evenly balanced contract. Make sure that a financial review is conducted. You know, is this vendor safe and sound from a financial standpoint, or do their financials look like they’re going into the red? Take a look at the return on investment. Is it worth contracting with that particular third party in terms of what the credit union is actually going to get back through the relationship? Double check any insurance requirements; are there requirements at all? And then once all of that due diligence is conducted, the credit union needs to institute controls, either via policies and procedures and through staff education, to really monitor and report performance. In other words, are you getting what you paid for? Did you – were your expectations met in terms of your contract with this vendor, and how is it working out?
What’s working and what’s not working? How are you adjusting along the way if the business model that you created isn’t exactly fitting the reality of what’s happening in the marketplace? So we’re expecting credit unions to be nimble, to be flexible, and to really respond to whatever the changing environment is as they go forward with a contract with a third party. And I think the letters to credit unions that we’ve issued – not only the one that I referenced but subsequent ones – have created sort of a broad dimension for credit unions to consider but left them enough flexibility, recognizing that as technology evolves almost instantaneously, credit unions really have to have that flexibility to be nimble in that environment, but to have sort of core principles that they need to abide by.
RICHARD SWART: Let’s change our focus and look at external threats, and as we all know the banking industry has seen an overwhelming number of security incidents due to identity theft and phishing attacks and other types of fraud. What advice or words of wisdom would you have, based on the data available to the NCUA? What’s working?
GIGI HYLAND: Okay. What’s working is education to members. Giving notice to members on credit unions’ websites and mailings and meetings and any way that you can communicate to educate members on what phishing is, what are the new and most threatening types of endeavors that folks are undertaking to try to compromise member information. So the more information that members and consumers have in their hands to really understand what that email may mean that sure looks like it’s from the credit union but is asking you for your social security number or your bank account number, and what does that mean and how should a consumer respond. Education is probably the number one way to protect members’ interest and obviously to preserve the reputation of the credit union. I think from a credit union’s internal perspective, implementing, enhancing, enforcing proper internal controls and better fraud detection policies and procedures is also way up there in terms of a best practices list to really prevent financial loss, not only to the consumer but also the institution. And then, ignoring and deleting offending emails, both internally as well as encouraging consumers to do that. Making sure that consumers don’t respond to a phishing message and make sure again that they understand what that is. Again, we have a lot of letters not only to credit unions but to federal credit unions on this matter. I think actually almost every year since about 2002 we’ve issued an updated letter regarding phishing guidance for credit union members and data security issues for credit unions, and things to think about in terms of internet security, in terms of web linking security, in terms of dealing with third party service providers. I would refer credit unions to those letters to offer them guidance on what they need to be thinking about. I think that’s probably about it.
RICHARD SWART: Well, thank you. What about Section 501(b) of GLBA and the NCUA Part 748, which requires the Board members to take responsibility for the information security program? What has been the NCUA’s experience with Board members, and how good of a job are they doing in understanding their responsibility to protect their members’ invaluable information?
GIGI HYLAND: I think Board members understand it because they, too, are consumers. I think though, having said before that education is critical, management’s education of the Board on what the new and most popular threats are is critical as well. So, you know, Board members clearly need that information on a regular basis to understand how the new threats affect the credit union’s operations. And you know, as part of that, as you know, under Appendix B of Part 748, there’s guidance that’s provided on responding to unauthorized access to member information and member notice, and those requirements of Gramm-Leach-Bliley. And that appendix was put in place specifically to address the increasing number of security incidents involving unauthorized access. So, it’s critical, I think, that Boards make sure that they understand the requirements both of Appendix A and Appendix B of NCUA’s Part 748 of its Rules and Regulations. But education is really the critical component for Boards in making sure that they can be responsive in giving management guidance on what to do in terms of continuing to be proactive and really trying to counter data security threats.
RICHARD SWART: Are credit unions able to find well-trained information security experts, and what skills or gaps are there between what they need and what they’re finding?
GIGI HYLAND: You know, it’s something that, certainly as part of a risk-focused exam, we would look at, and as you may know our exam has been retailored over the last couple of years so that an examiner has the discretion to look at a credit union’s specific performance and look to see where the risk areas are. And so I guess if an examiner felt specifically that the credit union needed to do a better job in hiring well-qualified folks for IT security and data security, the examiner would note that as part of its exam. More broadly than that, though, I think credit unions, just like the other financial institutions, are facing the same challenge in making sure that they hire qualified people; people that really understand not only the operations of the particular institution, but understand what the threats are to that institution, where all the avenues are where a threat could come in the door, sort of to use jargon. But you know, credit unions are in the same boat as banks, as thrifts, as community banks in terms of how can we get the best folks working for us to really make sure that our institution is protected from a data security standpoint.
RICHARD SWART: Well, Gigi, thank you for your information, excellent help for our listeners. I just really appreciate your time today.
GIGI HYLAND: You’re very welcome. Thanks for giving NCUA the opportunity to participate in this podcast. I hope it’s useful to credit unions and again, I would refer credit unions to our website, which is www.ncua.gov, for a wealth of information on these and other topics that affect their operations.