When we look at the issue broadly, many credit unions have experienced a similar pandemic journey. First came the urgent work of managing the disruption of the early stages of the COVID-19 crisis, including abrupt shutdowns and significant business process changes. Then came the wait-and-see phase: would the pandemic be a temporary disruption, or would the longer term need to be considered?
With both understanding and acceptance that the COVID-19 pandemic will require long-term, and in some areas permanent, adjustments, credit unions across the country went to work establishing constructs for the long haul.
To better understand some of the changes credit unions are undertaking, I was fortunate to have the opportunity to speak with Valerie Moss, Senior Director of Compliance Analysis, Credit Union National Association (CUNA). Valerie is on the frontlines informing and consulting credit unions as they adjust their business processes to ensure cybersecurity and compliance within their new operating constructs.
What are some of the policy adjustments credit unions should consider as they work to strengthen cybersecurity and compliance within new work-from-home constructs?
Valerie: Many credit union employees who never worked from home became remote workers overnight as coronavirus-related social distancing orders swept across the United States in the early spring of 2020. For many institutions, that meant fine-tuning information security policies and procedures to ensure that employees could continue to safely and effectively serve their members from remote locations.
Credit unions needed to ensure that remote work policies and procedures adequately addressed: keeping devices (and member information) secure and inaccessible to others in the household; increasing wireless security on at-home networks (as needed); maintaining strong passwords and session timeouts; keeping software up to date; ensuring the collection and maintenance of system and account logs; and providing specific steps that employees should take to both prevent and respond to any suspected security incidents. See the National Credit Union Administration’s Risk Alert: Cybersecurity Considerations for Remote Work (20-RISK-01) for more best practices.
What are some of the things that credit unions should be thinking about as they test and consider revisions to their disaster recovery/business continuity plans?
Valerie: The National Credit Union Administration (NCUA) requires federally-insured credit unions to have disaster recovery and business resumption contingency plans addressing all types of operational disruptions – everything from an hour-long power outage to the current pandemic that the world is experiencing right now.
To ensure that the contingency plans work, a credit union should train staff and volunteers, and test (i.e., validate) the plan at least annually or when a significant change occurs. In the case of COVID-19, many institutions had to amend their plans “on the fly” to address ongoing state and local pandemic-related strategies.
Any test should determine whether the credit union will be able to recover to an acceptable level of business within the timeframe stated in the disaster recovery/business continuity plan. Examples of testing methods include, but are not limited to, drills/simulations, role-play, walk-throughs, and alternate site reviews. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all the institution’s critical systems and functions (e.g., IT infrastructure, telecommunications, etc.).
We are hearing that some credit unions have work-from-home agreements with their remote employees. What are some of the contents of these agreements, and how can these agreements contribute to adhering to compliance requirements?
Valerie: I haven’t seen any formal agreements between credit unions and their remote employees. Generally, telework agreements cover the employer’s expectations regarding the remote employee’s duties and work schedule, company-owned equipment usage, any designated workspace requirements, adherence to the organization’s information security policy, coverage of out-of-pocket employee expenses, liability waivers, etc. Credit unions should work with legal counsel in carefully crafting any such agreement.
Some credit unions are adopting BYOD policies. Are there compliance concerns and what should credit unions be thinking about as they develop BYOD policies?
Valerie: A bring-your-own-device (BYOD) policy can save the credit union money on purchasing smartphones, tablets, and laptops for its remote employees. However, the credit union will need to balance these savings against the potential employee privacy and organizational security concerns that go hand in hand with an employee using a personal device for employment purposes.
A BYOD policy should address several issues, including which mobile devices are covered by the policy; which employees are covered by the policy; any strong password specifications; supported/restricted mobile applications; payment responsibilities; data security requirements; download restrictions; any available technical support; employment termination procedures; liability protection for the credit union (e.g., loss of personal data, user violations of the law like texting while driving), etc. Again, credit unions should work with legal counsel in developing the policy and any associated agreements.
To learn more about ongoing CUNA initiatives, visit their website. Additionally, please don’t hesitate to reach out to us at SilverSky if you need help as you address required changes and move along your cybersecurity maturation journey.