Alert urges credit unions to adopt, renew policies associated with cybersecurity risks to remote work

The federal credit union regulator issued a “risk alert” Tuesday noting “common cybersecurity risks” for remote workers, drawing attention to the cybersecurity risks associated with the increasing incidence of remote work, conference calls, and video meetings during the coronavirus crisis.

The National Credit Union Administration (NCUA) in a “Risk Alert” noted that common cybersecurity risks for credit union and other remote workers include malware attacks, phishing and “other social engineering” attacks, and advanced persistent threat attacks (in which groups gain unauthorized access to a computer network and remain undetected for an extended period).

“Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures,” the letter states. “Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur. Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution.”

Among other things, the alert urges credit unions to adopt or update policies to prepare employees to prevent security incidents and to respond to security incidents.

For preventing security incidents, the alert provides a long list of items that should be addressed in policies and procedures, including: ensuring family members (or others) do not use devices at home that are intended for work; keeping devices physically secure; and increasing wireless security “to the strongest encryption option.”

Under responding to security incidents, the alert urges policies be adopted that include disconnecting the device(s) from all internet connectivity; keeping the computer on to preserve forensic evidence; and reporting the incident to the user’s organization.

The alert also provides a listing of “cybersecurity resources” for reference on risks and remote work.

Cybersecurity Considerations for Remote Work