As most readers know, the network management software firm SolarWinds experienced a massive cyberattack in March that went undetected until mid-December. The breach pushed malicious code to an estimated 18,000 SolarWinds customers via an update of the company’s Orion software. These customers included government agencies, Fortune 500 companies, financial institutions, and vendors serving financial institutions.
Many credit unions are currently in the process of determining what, if any, impact this breach will have on their IT operations:
- Credit unions running SolarWinds Orion software should refer to the company’s security alert(s) to determine whether systems were compromised, and obtain the company’s breach mitigation recommendations.
- Non-SolarWinds customers aren’t necessarily in the clear. They’ll need to contact their IT vendors to determine whether they utilized the SolarWinds Orion software, and if so, what steps they’re taking to ensure that the credit union’s data is secure.
- Affected credit unions should contact their cyber-liability insurance provider to help manage this process and determine next steps, as appropriate.
What if credit union member data was compromised? The credit union will need to follow its incident response program per Part 748, Appendix B of NCUA’s regulations if there has been unauthorized access to sensitive member information retained in “member information systems” (i.e., “all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information,” including systems maintained by the credit union’s service providers).
The credit union’s data breach response program should contain procedures to:
- Assess the nature and scope of an incident; identify what member information systems and types of member information have been accessed or misused.
- Notify the appropriate NCUA Regional Director or applicable state supervisory authority as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of "sensitive" member information.
- Notify appropriate law enforcement authorities in situations involving criminal violations requiring immediate attention.
- File a timely Suspicious Activity Report (SAR) for reportable violations.
- Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence.
- Notify affected members when the incident involves unauthorized access to member information systems that could result in substantial harm or inconvenience to the member.
Lastly, don’t forget about state law! Please check with your state league regarding state data breach requirements.
For more information:
CISA Emergency Directive 21-01
CUNA News: CISA confirms ‘active exploitation’ of SolarWinds software
CUNA News: CUNA Seeks Insight from NCUA on SolarWinds Cyberattack