Valerie Moss - CUNA - Credit Union National Association

When we look at the issue broadly, many credit unions have experienced a similar pandemic journey. First came the urgent work of managing the disruption of the early stages of the COVID-19 crisis, including abrupt shutdowns and significant business process changes. Then came the wait-and-see phase: would the pandemic be a temporary disruption, or would the longer term need to be considered?

With both understanding and acceptance that the COVID-19 pandemic will require long-term, and in some areas permanent, adjustments, credit unions across the country went to work establishing constructs for the long haul.

To better understand some of the changes credit unions are undertaking, I was fortunate to have the opportunity to speak with Valerie Moss, Senior Director of Compliance Analysis, Credit Union National Association (CUNA). Valerie is on the frontlines informing and consulting credit unions as they adjust their business processes to ensure cybersecurity and compliance within their new operating constructs.

What are some of the policy adjustments credit unions should consider as they work to strengthen cybersecurity and compliance within new work-from-home constructs? 

Valerie: Many credit union employees who never worked from home became remote workers overnight as coronavirus-related social distancing orders swept across the United States in the early spring of 2020. For many institutions, that meant fine-tuning information security policies and procedures to ensure that employees could continue to safely and effectively serve their members from remote locations.

Credit unions needed to ensure that remote work policies and procedures adequately addressed: keeping devices (and member information) secure and inaccessible by others in the household; increasing wireless security on at-home networks (as needed); maintaining strong passwords and timeout sessions; keeping software up-to-date; ensuring the collection and maintenance of system and account logs; and providing specific steps that employees should take to both prevent and respond to any suspected security incidents. See the National Credit Union Administration’s Risk Alert: Cybersecurity Considerations for Remote Work (20-RISK-01) for more best practices. 

What are some of the things that credit unions should be thinking about as they test and consider revisions to their disaster recovery/business continuity plans?

Valerie: The National Credit Union Administration (NCUA) requires federally insured credit unions to have disaster recovery and business resumption contingency plans addressing all types of operational disruptions – everything from an hour-long power outage to the current pandemic that the world is experiencing right now.

To ensure that the contingency plans work, a credit union should train staff and volunteers, and test (i.e., validate) the plan at least annually or when a significant change occurs. In the case of COVID-19, many institutions had to amend their plans “on-the-fly” to address ongoing state and local pandemic-related strategies.

Any test should determine whether the credit union will be able to recover to an acceptable level of business within the timeframe stated in the disaster recovery/business continuity plan. Examples of testing methods include, but are not limited to, drills/simulations, role-play, walk-throughs, and alternate site reviews. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all the institution’s critical systems and functions (e.g., IT infrastructure, telecommunications, etc.).  

We are hearing that some credit unions have work-from-home agreements with their remote employees. What are some of the contents of these agreements, and how can these agreements contribute to adhering to compliance requirements?

Valerie: I haven’t seen any formal agreements between credit unions and their remote employees. Generally, telework agreements cover the employer’s expectations regarding the remote employee’s duties and work schedule, company-owned equipment usage, any designated workspace requirements, adherence to the organization’s information security policy, coverage of out-of-pocket employee expenses, liability waivers, etc. Credit unions should work with legal counsel in carefully crafting any such agreement. 

Some credit unions are adopting BYOD policies. Are there compliance concerns and what should credit unions be thinking about as they develop BYOD policies?

Valerie: A bring-your-own-device (BYOD) policy can save the credit union money purchasing smartphones, tablets, and laptops for their remote employees. However, the credit union will need to balance these savings against the potential employee privacy and organizational security concerns that go hand-in-hand with an employee using a personal device for employment purposes.

A BYOD policy should address several issues, including which mobile devices are covered by the policy; which employees are covered by the policy; any strong password specifications; supported/restricted mobile applications; payment responsibilities; data security requirements; download restrictions; any available technical support; employment termination procedures; liability protection for the credit union (e.g., loss of personal data, user violations of the law like texting while driving), etc. Again, credit unions should work with legal counsel in developing the policy and any associated agreements.

To learn more about ongoing CUNA initiatives, visit their website. Additionally, please don’t hesitate to reach out to us at SilverSky if you need help as you address required changes and move along your cybersecurity maturation journey.
