CUNA Offers Perspective on Pandemic-Related Business Continuity and Compliance

When we look at the issue broadly, many credit unions have experienced a similar pandemic journey. First came urgently managing the disruption of the early stages of the COVID-19 crisis, including abrupt shutdowns and significant business process changes. Then came the wait-and-see phase: would the pandemic be a temporary disruption, or would the longer term need to be considered?

With both understanding and acceptance that the COVID-19 pandemic will require long-term and, in some areas, permanent adjustments, credit unions across the country went to work establishing constructs for the long haul.

To better understand some of the changes credit unions are undertaking, I was fortunate to have the opportunity to speak with Valerie Moss, Senior Director of Compliance Analysis, Credit Union National Association (CUNA). Valerie is on the frontlines informing and consulting credit unions as they adjust their business processes to ensure cybersecurity and compliance within their new operating constructs.

What are some of the policy adjustments credit unions should consider as they work to strengthen cybersecurity and compliance within new work-from-home constructs? 

Valerie: Many credit union employees who never worked from home became remote workers overnight as coronavirus-related social distancing orders swept across the United States in the early spring of 2020. For many institutions, that meant fine-tuning information security policies and procedures to ensure that employees could continue to safely and effectively serve their members from remote locations.

Credit unions needed to ensure that remote work policies and procedures adequately addressed: keeping devices (and member information) secure and inaccessible by others in the household; increasing wireless security on at-home networks (as needed); maintaining strong passwords and timeout sessions; keeping software up-to-date; ensuring the collection and maintenance of system and account logs; and providing specific steps that employees should take to both prevent and respond to any suspected security incidents. See the National Credit Union Administration’s Risk Alert: Cybersecurity Considerations for Remote Work (20-RISK-01) for more best practices. 

What are some of the things that credit unions should be thinking about as they test and consider revisions to their disaster recovery/business continuity plans?

Valerie: The National Credit Union Administration (NCUA) requires federally-insured credit unions to have disaster recovery and business resumption contingency plans addressing all types of operational disruptions – everything from an hour-long power outage to the current pandemic that the world is experiencing right now.  

To ensure that the contingency plans work, a credit union should train staff and volunteers, and test (i.e., validate) the plan at least annually or when a significant change occurs. In the case of COVID-19, many institutions had to amend their plans “on-the-fly” to address ongoing state and local pandemic-related strategies.

Any test should determine whether the credit union will be able to recover to an acceptable level of business within the timeframe stated in the disaster recovery/business continuity plan. Examples of testing methods include, but are not limited to, drills/simulations, role-play, walk-throughs, and alternate site reviews. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all the institution’s critical systems and functions (e.g., IT infrastructure, telecommunications, etc.).  

We are hearing that some credit unions have work-from-home agreements with their remote employees. What are some of the contents of these agreements, and how can these agreements contribute to adhering to compliance requirements?

Valerie: I haven’t seen any formal agreements between credit unions and their remote employees. Generally, telework agreements cover the employer’s expectations regarding the remote employee’s duties and work schedule, company-owned equipment usage, any designated workspace requirements, adherence to the organization’s information security policy, coverage of out-of-pocket employee expenses, liability waivers, etc. Credit unions should work with legal counsel in carefully crafting any such agreement. 

 
Some credit unions are adopting BYOD policies. Are there compliance concerns and what should credit unions be thinking about as they develop BYOD policies?

Valerie: A bring-your-own-device (BYOD) policy can save the credit union money purchasing smartphones, tablets, and laptops for their remote employees. However, the credit union will need to balance these savings against the potential employee privacy and organizational security concerns that go hand-in-hand with an employee using a personal device for employment purposes.

A BYOD policy should address several issues, including which mobile devices are covered by the policy; which employees are covered by the policy; any strong password specifications; supported/restricted mobile applications; payment responsibilities; data security requirements; download restrictions; any available technical support; employment termination procedures; liability protection for the credit union (e.g., loss of personal data, user violations of the law like texting while driving), etc. Again, credit unions should work with legal counsel in developing the policy and any associated agreements.

To learn more about ongoing CUNA initiatives, visit their website. Additionally, please don’t hesitate to reach out to us at SilverSky if you need help as you address required changes and move along your cybersecurity maturation journey.

Head of Product Management, Email Protection and Cloud Email, SilverSky