Data theft is on the minds of credit union regulators
About 100 million Americans belong to credit unions (CUs), putting their trust in these organizations to protect their sensitive personal data. With CU assets on the rise, the risk of network infiltration by malicious actors is a huge concern.
With the explosion of sophisticated cybercrime, the NCUA (National Credit Union Administration) will begin implementing the Automated Cybersecurity Examination Tool (ACET) to improve the integrity and efficiency of its cybersecurity auditing activities. To avoid NCUA repercussions, whether a fine, a cease-and-desist order or another administrative order, CUs need to be prepared to prove they’re able to protect sensitive customer data from compromise.
The threats are real. A case in point is the May 2017 data security breach at electronic signature company DocuSign. The security incident led to the theft of customer and user email addresses; malicious third-party actors then sent phishing emails to those addresses, exposing a million users to malware. Hacks like these have CUs and customers wondering who will be next.
NCUA audits reflect focus on cybersecurity
Given the dangerous cyber threat landscape, regulatory agencies such as the NCUA and the Federal Financial Institutions Examination Council (FFIEC) are laser-focused on cybersecurity. This is clear from the attention cybersecurity receives in the IT review section of the FFIEC exam, which informs examinations performed during NCUA audits.
Credit unions need to be ready for the NCUA to dive deep under the hood to make sure they’re meeting specific requirements around user authentication, especially with respect to passwords. These include:
- Policies addressing character length and type, expiration dates, frequency of changes and reuse of old passwords
- Requiring every employee to have different passwords for all workstations and service accounts
- Separate authentication credentials for every system and application
- Confirming terminals lock and computer systems lock out employees after a set number of failed login attempts
- Employing multifactor authentication methods
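The examiner checklist above is easier to reason about as concrete controls. The following is an added example (not Crossmatch's, DigitalPersona's or the NCUA's code) that implements the password-policy items from the list in plain Python: composition rules, expiry, a reuse history, and lockout after a set number of failed attempts. Every threshold in it (12 characters, 3 character classes, 90-day maximum age, 5 remembered passwords, 5 failed attempts) is an assumption chosen for illustration, not a value the page or the NCUA prescribes; the `Policy`, `Account` and function names are likewise made up for this example.

```python
"""Password-policy and lockout checks of the kind an examiner checklist asks for.
Added example; thresholds and names are illustrative assumptions, not NCUA values."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os
import string


@dataclass
class Policy:
    min_length: int = 12                      # assumed minimum length
    min_classes: int = 3                      # of: lower, upper, digit, symbol
    max_age: timedelta = timedelta(days=90)   # assumed expiry interval
    history_depth: int = 5                    # prior passwords that may not be reused
    max_failed: int = 5                       # failed logins before lockout


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: datetime
    history: list = field(default_factory=list)  # (salt, hash) pairs of prior passwords
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password: str, salt: bytes, pw_hash: bytes) -> bool:
    return hmac.compare_digest(_hash(password, salt), pw_hash)


def composition_errors(password: str, policy: Policy) -> list:
    """Return the composition rules (length, character types) the candidate violates."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < policy.min_classes:
        errors.append(f"fewer than {policy.min_classes} character classes")
    return errors


def is_reused(password: str, account: Account, policy: Policy) -> bool:
    """True if the candidate equals the current or any remembered prior password."""
    candidates = [(account.salt, account.pw_hash)] + account.history[-policy.history_depth:]
    return any(_matches(password, s, h) for s, h in candidates)


def is_expired(account: Account, policy: Policy, now: datetime) -> bool:
    return now - account.changed_at > policy.max_age


def change_password(account: Account, new_password: str, policy: Policy, now: datetime) -> list:
    """Enforce composition and reuse rules; rotate on success. Returns a list of errors."""
    errors = composition_errors(new_password, policy)
    if is_reused(new_password, account, policy):
        errors.append("matches one of the last remembered passwords")
    if errors:
        return errors
    account.history = (account.history + [(account.salt, account.pw_hash)])[-policy.history_depth:]
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new_password, account.salt)
    account.changed_at = now
    return []


def login(account: Account, password: str, policy: Policy, now: datetime) -> str:
    """Return 'ok', 'locked', 'expired' or 'bad_password'; count and enforce failures."""
    if account.locked:
        return "locked"
    if not _matches(password, account.salt, account.pw_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed:
            account.locked = True          # lockout after max_failed consecutive failures
        return "bad_password"
    account.failed_attempts = 0            # a good login resets the counter
    return "expired" if is_expired(account, policy, now) else "ok"


def new_account(password: str, policy: Policy, now: datetime) -> Account:
    errors = composition_errors(password, policy)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt), changed_at=now)


def demo() -> list:
    """Walk one constructed account through the checks; return the sequence of outcomes."""
    policy, day0 = Policy(), datetime(2017, 6, 1)
    acct = new_account("Correct-Horse-Battery-9", policy, day0)
    out = [login(acct, "Correct-Horse-Battery-9", policy, day0)]                      # ok
    out.append(change_password(acct, "Correct-Horse-Battery-9", policy, day0))        # reuse error
    out.append(change_password(acct, "Another-Strong-Passw0rd", policy, day0))        # []
    out.append(login(acct, "Another-Strong-Passw0rd", policy, day0 + timedelta(days=91)))  # expired
    for _ in range(policy.max_failed):
        login(acct, "wrong guess", policy, day0)
    out.append(login(acct, "Another-Strong-Passw0rd", policy, day0))                  # locked
    return out


if __name__ == "__main__":
    print(demo())
```

The reuse check compares the candidate against salted hashes of prior passwords rather than storing them in the clear, and the lockout counter is reset only by a successful login. The remaining items on the list (distinct credentials per system and multifactor authentication) are identity-system design decisions rather than a per-account check, so this example does not cover them.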
Passing a CU review requires a first-class password solution
These guidelines are not all that easy to follow, and it’s easy to see why. Some employees may need to log into 5, 10 or more applications and systems every day. That’s a lot of complex credentials to remember, which can be burdensome and inconvenient for users.
In frustration, users may circumvent these measures by creating weak passwords, reusing passwords or simply ignoring standards. Many may forget their credentials, requiring a call to an already busy helpdesk. In addition to putting a drain on productivity, these behaviors open the CU network to the threat of cyberattack.
So how can CUs make authentication less of a burden without compromising security? The key is finding a solution that’s not only effective from a security perspective but also convenient to use and manage. Of course, it must also pass muster with examiners and deliver detailed views of historic and active login activity.
When it comes to next-generation authentication tools, the DigitalPersona® Composite Authentication solution from Crossmatch checks off the right boxes. With the highest level of protection, it provides a broad selection of factors including biometrics and contextual/behavioral elements, enabling CUs to deploy the best mix of authentication options for every user, application, device and network.
Be ready for your next examination
Looking for a better way to prepare for NCUA audits? Contact Crossmatch to get on the right path.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.