
Financial Regulators Expect Firms to Address OpenSSL "Heartbleed" Vulnerability
Monday, April 14, 2014 6:55 AM

The Federal Financial Institutions Examination Council (FFIEC) members say they expect financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability. Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.

OpenSSL is a cryptographic software library used to authenticate services and encrypt sensitive information. A significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption.

Credit unions can find additional information about the Heartbleed bug, including an informative Q&A online, at


Helpful Resources: Technology Consulting & Compliance Services through Credit Union Resources. Available services include:

  • Security Risk Assessment: Evaluate the risk of compromising member information in fulfillment of the NCUA Regulation 748 Appendix A and B to include physical, administrative, and technical security.
  • TR-39 ATM PIN Security Audit (previously known as a TG-3 PIN Audit): A certified CTGA auditor performs an audit focusing on security practices throughout all six phases of the encryption key life cycle: Generation, Distribution, Storage, Usage, Destruction, and Compromise. The evaluation is in fulfillment of the even-numbered year audit requirements of the three ATM network processors PULSE, STAR, and NYCE.
  • Information Systems & Technology (IS&T) Assessment: In-depth review of a credit union’s overall IS&T systems concentrating on security, audit, information technology, and member services in fulfillment of NCUA’s letter to credit unions 06-CU-10.
  • Security Policy & Program Development: Take a risk-based approach in developing a Security Policy & Program in fulfillment of the NCUA Regulation 748 Appendix A and B to include physical, administrative, and technical security.
  • Security Risk Assessment and Policy & Program Annual Review: Detailed review of the 26 elements associated with the Risk Assessment and Policy & Program in fulfillment with the NCUA Regulation 748 annual review requirements.
  • Network Vulnerability Assessment Testing: Assess current Internet connections to identify points of weakness that leave the credit union exposed to external threats that may result from hackers, network viruses, and more. Testing is in fulfillment of NCUA’s Letter to Credit Unions, eCommerce Guide to Credit Unions 02-CU-17.
  • Systems Maintenance: This service will help ensure the healthy and efficient performance of your computers and network. We will securely connect to your network and apply all needed software updates and antivirus/anti-spyware updates, perform disk cleanup and disk defragmentation tasks, and review event logs to proactively identify potential issues.