Wrapup of 2015 Cybersecurity Symposium, Aug. 24-25 | NASCUS

PRESS RELEASE

Aug. 26, 2015

CONTACT: Patrick Keefe, NASCUS Communications/703-528-5974, pkeefe@nascus.org

CYBERSECURITY SYMPOSIUM PUTS KEY ISSUES ON TABLE
Hacking, payments, assessment tool all part of crowded agenda

DENVER, Colo. -- The two-day NASCUS/CUNA Cybersecurity Symposium opened Monday (Aug. 24) in Denver to a packed house and a packed agenda of the latest developments in the realm of cyber security, as more than 120 regulators, policy makers and IT professionals proceeded over the next two days to take a deep dive into the key cybersecurity issues.

A highlight of the program: A hacking demonstration (by Brandon Henry of TrustCC) combined with a discussion of tips for detecting and resolving attempted hacks, especially focusing on two common hack schemes: “password guessing” and theft of passwords through network domain name servers (DNS).

The two-day program was jointly sponsored by NASCUS and CUNA; it concluded Tuesday, Aug. 25.

Among the other highlights of the program:

  • Tom Schauer, CEO of TrustCC, kicked off the program with an overview of the cyber security landscape. Based on everything that has gone on in the past year (the OPM data breach, activity by foreign governments, Ashley Madison and ‘hacktivism’), he recommended five key points for credit unions to consider for the remainder of 2015 and into 2016: make sure privilege escalation can be detected; make sure incident response is ready; address the high and medium-high deficiencies; and regularly revisit the questions of (1) If I wanted to steal money from the CU, how would I do it and what can prevent this attack? and (2) If I wanted to negatively impact the reputation of the CU, how would I do it and what can prevent this attack? Finally, recruit IT talent to the Board so the Board is well equipped to provide guidance and oversight to management.
  • Tim Segerson, deputy director for examination and insurance at NCUA, provided a two-hour overview of how NCUA plans to incorporate the new FFIEC “cyber assessment tool” into its exam procedures. He noted that the agency expects a 12-month Industry Implementation of the tool, and would continue national outreach efforts through the end of March, 2016. He said no formal exam or evaluation of credit unions through use of the tool would begin until June, 2016.
  • John Eyre, AVP of IT, TAPCO Credit Union (in Fircrest, WA), suggested using tools as easy to obtain as open source programming Visual Basic to develop effective security, recommending that network security be multi-layered and noting that VB scripting can be extremely powerful and that many examples of effective use of the programming tool are available on the Internet.
  • In “Life After a Data Breach,” Wes Withrow, cybersecurity expert for TraceSecurity, noted some key points about data breaches: money isn’t your enemy, variation is; bouncing back is easier than you may expect; you should expect to experience a breach; and you must control the narrative.
  • Mark Berman of Horsetail Tech outlined “what credit union board members need to know” about cybersecurity, urging credit union boards to simplify their response to any security lapses, talk strategy (not solutions) in addressing future lapses, and ensure that the IT staff and board are speaking the same language in addressing the strategy (i.e., tech talk versus business talk).
  • Jay Isaacson of CUNA Mutual Group gave an overview of the vulnerabilities of “chip and PIN,” Apple Pay and other aspects of the evolving payments system. He noted that member convenience, fraud, and technology investments should be considered in a credit union’s strategic plan when considering adopting new payments systems methods (as well as the inherent risks of the new methods) – but, no matter what new methods are selected, fraudsters will continue to focus on the weakest links.
  • Neil Archibald of Members Trust Company urged the group to ensure that vendor due diligence is a central feature of a credit union’s compliance management and cybersecurity program, noting that an ongoing assessment by a credit union of the purpose, structure, and execution of vendor relationships is vital to safeguarding member information in a shared environment.

 

For more information, contact Pat Keefe.

# # #

The National Association of State Credit Union Supervisors (NASCUS) is the primary resource and voice of the state governmental agencies that charter, regulate and examine the nation’s state-chartered credit unions. NASCUS membership is made up of state-chartered credit unions, state regulators and other supporters of the state credit union system. NASCUS is the only organization dedicated to the defense and promotion of the state credit union charter and the autonomy of state credit union regulatory agencies.


Information Contact:
Patrick Keefe, Director of Communications, pkeefe@nascus.org or (703) 528-5974