Responding to recent distributed denial-of-service attacks on at least two credit unions, the NCUA on Wednesday released a risk alert that it said identifies appropriate policies and procedures to guard against them.

It is the first risk alert released in 2013; no risk alerts were released in 2012.

The regulator advised credit unions to employ controls described in the 2011 FFIEC supplement to guidance on Authentication in an Internet Banking Environment.

NCUA rules and regulations already require credit unions to monitor systems to detect actual and attempted attacks on, or intrusions into, member information systems.

“As the goal of DDoS attacks is causing service outages rather than stealing funds or data, typical network security controls – such as firewalls and intrusion detection and prevention systems – may offer inadequate protection,” NCUA Chairman Debbie Matz said in the bulletin, which is posted on the regulator's website.

However, the NCUA also said in the risk alert that DDoS attacks may be paired with attempts to steal member funds or data.

Credit unions significantly affected by DDoS or other cyber attacks should notify their NCUA regional office or state supervisory authority, and when applicable, follow regulatory notification procedures, the agency said.

The alert suggested credit unions mitigate DDoS risk by performing risk assessments, ensuring incident response programs include a DDoS attack scenario and performing ongoing third-party due diligence, in particular on Internet and Web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.

Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information, the NCUA said. The NCUA also encouraged credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center.

In addition, the NCUA said the United States Computer Emergency Readiness Team provides information on the methods used to launch attacks and risk mitigation tactics to reduce their impact.
