NCUA Risk Alert on DDoS Attacks
The National Credit Union Administration (NCUA) has released a new credit union risk alert (13-Risk-01), which identifies appropriate policies and procedures to guard against distributed denial-of-service (DDoS) attacks. To mitigate effects from DDoS attacks, NCUA recommends that credit unions:
- perform risk assessments to identify risks associated with DDoS attacks;
- ensure incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack; and
- perform ongoing third-party due diligence, in particular on Internet and web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.
Financial institutions should also follow regulations on internet and data security, as well as FFIEC guidance on internet authentication. For additional information on DDoS, please visit the Credit Union National Association (CUNA) members-only webpage to access background and resources from BITS.
CUNA has participated in a number of cyber-security meetings and conference calls in recent weeks with the Financial Services Sector Coordinating Council (FSSCC), BITS, regulators, and other entities. A recent cyber-security report from the Government Accountability Office (GAO) summarizes how the federal government is organized to protect its systems and resources against cyber-attacks. CUNA believes it is positive that the GAO noted that depository institutions in the banking and finance sector are already required to meet mandatory cyber-security standards established by federal regulations, and that banking and finance was one of only seven sectors that listed cyber-security guidance in its sector-specific critical infrastructure plan. CUNA continues to emphasize that credit unions and financial institutions are already subject to very robust data security standards under the Gramm-Leach-Bliley Act and other applicable data security laws and regulations, including those from NCUA and the FFIEC.