NCUA’s Cybersecurity Focus Raises the Recordkeeping Bar

The NCUA’s focus on cybersecurity continues, with its announcement that 2016 exam priorities for credit unions will incorporate cybersecurity assessments. The credit union regulatory agency expects more (and more sophisticated) cyberattacks as the financial system becomes more connected. Its cybersecurity assessment tool (developed by the FFIEC) is designed to help credit unions measure and manage their risk, including incident response procedures when member information is compromised.

Some of what the NCUA advises is pretty standard stuff — for example, credit unions should investigate the backgrounds of potential employees and not hire those convicted of certain types of offenses. They should also control who has access to member information systems. But a cyberattack response system should go further:

When an incident response is triggered, credit unions are to report to regulatory and law enforcement agencies, take steps to prevent further unauthorized access or use of member information, preserve records for evidence of unauthorized access, notify members clearly and conspicuously (and encourage them to monitor their information and notify the credit union of suspect activity), and investigate to determine if the information has been or will be misused.

Of course, this is a pared-down summary of a response program, but even a summary demonstrates that record keeping is vital to credit unions. Those cyberattack notices to law enforcement and consumers should be kept, as well as the institution’s record of its investigation and remedial steps taken. Failure to keep proper records was characterized as a “red flag” for more serious problems, including dishonesty and fraud, in an April 2015 NCUA Report.

Not only is record keeping a massive undertaking, but the rules are complex, especially where retention periods are concerned. Retention periods range from two years for Truth-in-Lending compliance records to “permanent” in the case of the institution’s charter, bylaws, minutes of the board, applications for membership, members’ statements and more.

Moreover, a credit union’s records preservation system itself must be documented. And it should include procedures for records destruction, including an index of records destroyed. In other words, destruction of records requires creation of new records.

Where newer methods of marketing are concerned, the rules for record retention are more fluid. The FFIEC has acknowledged that the record retention rules for online advertising, disclosures and applications are still evolving.

Lawyer Francois Henriquez of Shutts & Bowen, who represents credit unions, says that even smaller credit unions use technology to connect with members, resulting in “an exponential increase in electronic records.” Digital documents created for membership and account agreements, statements, and mobile check deposits result in records vulnerable to theft, misuse and inadvertent destruction.

Some credit unions will recognize the NCUA’s 2016 cybersecurity priority for what it is, or more practically, for its consequences — greater risk-management obligations and increased record keeping burdens. But according to attorney Henriquez, others have a blind spot about the increasing cybersecurity burden. The NCUA’s cybersecurity exams may shine a light into those blind spots.

The interconnectedness at the heart of some cybersecurity concerns is fueled by mobile devices and apps, online banking, social platform interactions, and as-yet-unknown technologies. If these digital tools are paired with good records and good analytics, victims of cyberattacks may find in their records the evidence to support criminal trials of cyberthieves or civil enforcement actions. That’s where a good archival program comes into play.
_______
 

Note: The author thanks Francois G. Henriquez, a member of the Financial Services Industry Practice Group in the Miami, FL office of Shutts & Bowen. Henriquez practices primarily in the firm’s Credit Union Law Group. He was formerly President and CEO of U.S. Central Federal Credit Union.
 
