The coronavirus has presented new challenges and ways of working for all of us. If you’re responsible for managing IT and/or security for a credit union, your immediate responsibilities have been making sure your team can continue to work safely, while ensuring customers have secure access to their accounts.
While credit unions across the nation immediately settled into a new way of operating and providing service to customers, the regulatory bodies governing credit unions – namely the National Credit Union Administration (NCUA) and the Federal Financial Institutions Examination Council (FFIEC) – have worked to issue guidance to members, help them adapt to the variables arising from the pandemic, and support their ability to provide critical services during the crisis.
Operations During the Crisis
Many have asked what the status of NCUA examinations (and especially FFIEC audits) is during the pandemic. The governing bodies have agreed to be flexible during this time of crisis and have shared letters laying out recommendations and operations during the pandemic. Here are some of the key elements you should be aware of:
- Flexibility is a key part of their decision-making during the crisis. The official letter to NCUA members states that: “during this time, the NCUA will limit the burden imposed on credit unions so that they can focus on providing uninterrupted service to their members” and that “Consistent with long standing practices, examiners will consider the extraordinary circumstances credit unions are facing when reviewing a credit union’s financial and operational condition over the coming months.”
- The NCUA also broke down its approach to examinations during the crisis, grouping its actions into three priorities:
  1. Credit unions with financial or operational problems will be prioritized: This includes those that have asked for assistance or that the NCUA feels need help based on their finances or operations.
  2. Make contact with all credit unions: If you haven’t already heard from your NCUA examiner or regional office, you likely will soon. The goal is for the group to get a handle on your operational and financial status – and any challenges you’re facing – so they can see if you need assistance.
  3. Offsite examinations will continue: The NCUA mandated a strict offsite policy for all employees and contracted support staff that will remain in effect until further notice. This means that all examinations will take place offsite. There are a few points to highlight here:
     - “Unless approved by the Office of Executive Director, examiners will not require a credit union to provide information to conduct offsite examination work.”
     - If credit unions are able to provide documents, information and staff, examinations will continue as usual, just in an offsite manner.
     - There is language for exceptions as well: “…if credit unions are occupied with addressing the impact of the COVID-19 pandemic on their operations, employees, and members, they should not be required to address an offsite examination request unless it is a serious or time-sensitive matter.”
Are There Any New Requirements?
Credit union requirements have remained the same throughout the pandemic – you still need to prove competence in key areas such as risk management and oversight; threat intelligence; CIS-level cybersecurity controls; external dependence management; and incident management resilience in order to comply with the FFIEC regulations and pass the test.
There is one additional consideration that the pandemic brings to the forefront that you should be prepared for, however:
The FFIEC issued guidelines about being prepared for a pandemic and what credit unions need to do beforehand. How does your crisis plan match up? Have you followed their guidelines now that we’re inside a pandemic? You can bet this will be a part of any current audit.
As described by the Credit Union National Association (CUNA), these requirements state that “…an institution’s business continuity plan(s) (BCP) should specifically address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations, a testing program, and an oversight program to ensure that the plan is reviewed and updated.”
The FFIEC’s guidance also leaves room for flexibility, stating that a credit union’s BCP needs to be adaptable to the various and multiple possibilities that could result from the current crisis. These plans will also vary from credit union to credit union, based on number of customers and diversity of product offerings.
The bottom line? If you have an exam scheduled or are being audited during the crisis, make sure you have a pandemic business continuity plan in place.
What to Expect
So, what does this mean for your credit union? In short, you should expect that every effort will be made to continue with examinations and audits during the crisis. That said, the regulators have gone out of their way to be flexible and to include language that would help credit unions that are harder hit by the pandemic to delay exams and audits until a time when the organization is on better footing.
For some additional reading on the topic, the NAFCU (National Association of Federally-Insured Credit Unions) had a solid article here. Once the crisis subsides and people start getting back to a sense of normalcy, credit unions can expect that onsite audits will become active again.
How Cygilant Can Help Credit Unions
Regardless of whether you’re looking at an online or offline examination or audit, you shouldn’t worry – the NCUA and its FFIEC IT Exam and audits are nothing to be afraid of at all.
Here at Cygilant, our cybersecurity-as-a-service experts have successfully helped credit unions of all sizes achieve high ratings and pass their FFIEC IT Exam and audits with flying colors. Our team can help companies overcome a lack of resources or budget – and ensure their security operations comply with all regulations and guidelines.