FFIEC Cybersecurity Assessment Tool Should Remain Voluntary

The Missouri Credit Union Association (MCUA) sent a letter to the Office of the Comptroller of the Currency, which is collecting comments on behalf of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is currently soliciting input on the reporting burden associated with its recently released Cybersecurity Assessment Tool.

In today’s quickly evolving technological landscape, cyber and data threats are very real and breaches all too common. Understanding the significance of a breach, credit unions take very seriously their responsibility to safeguard their members’ information from such threats. Further, MCUA appreciates the FFIEC’s recent work to create a comprehensive tool dedicated to cybersecurity. MCUA would like to ensure the FFIEC is aware of several issues related to the Assessment. At a minimum, MCUA believes the FFIEC has overlooked the challenges many institutions will face in reviewing and understanding the Assessment, let alone the time and resource commitment necessary to actually conduct the Assessment. MCUA urges the National Credit Union Administration (NCUA) to maintain the Assessment as a voluntary tool that credit unions can use for guidance.

The Assessment spells out a number of specific expectations for financial institutions’ boards of directors, including review of management’s analysis of the Assessment results, review of management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks, and review and approval of plans to address any weaknesses. Under a voluntary approach, we fully support extensive involvement and accountability of an institution’s board of directors. Further, under a mandatory approach, extensive involvement of a board is likely appropriate for very large and complex financial institutions, such as some of our nation’s largest commercial banks. However, MCUA is concerned with the trend over the past several years of increasing the specific requirements of credit union boards as enumerated in the NCUA’s rules and regulations. Thus, if the Assessment becomes mandatory, MCUA asks the NCUA, in coordination with the FFIEC, to limit the specific board responsibilities as detailed in the Assessment.