The DCU has outsourced parts of its credit union IT exams to Security Compliance Associates (SCA) from November 2015 through June 2017. The Bulletin states that more resources and hours will be devoted to IT examinations (i.e. one to two additional days will be added to the standard IT exams beginning in 2016). Examination hours will be scaled up or down depending on the types of technologies the credit union uses and on other IT risk factors. The IT examination templates and questionnaires will also be updated to make them more useful.
Beginning in January 2016, Division IT examiners, including SCA examiners, will ask credit unions whether they have performed the FFIEC cybersecurity assessment, and if so, examiners will review and go over the FFIEC cybersecurity assessment with the credit union’s IT personnel.
The examination will focus on cybersecurity, the incident response program, security awareness education and training, information security policies and procedures, and vendor oversight as it relates to keeping sensitive member information secure.
Information Technology and executive staff should review the full Bulletin.
The use of the FFIEC cybersecurity assessment tool is optional, but beginning in 2016, examiners will ask credit unions whether they have performed the assessment, and if so, examiners will review and go over the assessment with IT personnel.
- Credit unions should complete the FFIEC cybersecurity assessment tool and be prepared to discuss it with examiners.
The Bulletin also states that “It is incumbent upon senior management and the board of directors to be sufficiently knowledgeable about cybersecurity in order to manage the credit union’s IT risks.”
- Executive staff and board members, along with staff at all other levels, should be trained on the credit union’s security procedures, as appropriate to their positions.