How Involved Is Your Board in IT Governance?
Thursday, July 28, 2016 6:30 AM

Michael Salyer, IT Analyst, Credit Union Resources

If asked, could your board name what core data processing platform you are using? Do they know what kind of risks you're facing with your current e-commerce services?

Your board should be able to answer these questions, and more. In fact, it's vital that your board knows the credit union’s current state of information technology (IT), as well as the details of future plans for expansion. Remember that business needs must drive IT, not the other way around. It can be tempting to pursue a new and exciting technology, but there must be a business case for its use.

One example is remote deposit capture (RDC). This is a wonderful service to provide your membership, but with this new service come new issues your credit union will have to address to remain safe. Do you have the staff to ensure there are no fraudulent deposits? Are your funds availability policies updated to reflect RDC transactions? Before you expand your risk appetite, you should look at what resources you’ll need to properly and safely implement new services.

One tool credit unions can use to get a snapshot of their current risk appetite, or risk profile, and a sense of their risk maturity is the FFIEC Cybersecurity Assessment Tool (CAT). The CAT is broken into two main sections: the Inherent Risk Profile and the Cybersecurity Maturity. Each credit union’s current level of risk will dictate the level of maturity it must attain. Although the CAT in its current form is designed for all financial institutions, it can be a valuable tool for assessing your current risks and vulnerabilities.

Even though the National Credit Union Administration (NCUA) is not at this time requiring credit unions to complete the CAT, it is highly recommending it. Starting in mid-2017, NCUA will begin to look at your cybersecurity risk and maturity CAT results. At present, the NCUA will be looking for all credit unions to at least be at the baseline level, unless their risk maturity requires them to be at the evolving level. Early adoption of this tool will assist the credit union in managing its risk profile and maturity, as well as providing a helpful metric to your board of directors as to your current state of cybersecurity health.

Using the Cybersecurity Assessment Tool is but one facet of good IT Governance. Human resources, good communication with management, and policy approval are just as important. Concerning the world of cybersecurity for your credit union, the key phrase for all board members is simple: be involved.