Closing the CUSO Security Loop Hole

The CUSO Security Loop Hole

The NCUA Inspector General (IG) suggested this week that the agency have regulatory oversight of Credit Union Service Organizations (CUSOs) to reduce the overall risk to the system. CUSOs have long been seen as a separate firm from the credit unions, though they may have an ownership stake in them. To date, many of these organizations have been outside the regulatory and oversight controls that are applied to the very credit unions they serve. In terms of information security, that often means they aren’t held to the same level of security and risk management controls as required by NCUA 748 and other guidance.

DigitalMoneyCUSO Security Oversight Challenges

The NCUA IG suggests that NCUA guidance and regulatory oversight be directly applied to CUSOs, instead of through vendor or partner risk management programs of the CUSO customers. This would provide for more direct regulation of the security controls and risk management processes in use at the CUSOs themselves. However, this introduces several challenges for some CUSOs, who may be more focused on agility, market speeds and innovation – areas where regulatory guidance can be especially impactful and can create significant budgetary challenges. This gets even more complicated when regulatory guidance is vague, or can be inflexible – the very opposite of the needs of organizations focused on innovation and market speed adaptation. An excellent example of this is CUSOs working on financial technologies, crypto currencies, blockchain and other exciting new areas. Regulatory guidance lags or lacks in most of those areas and hasn’t caught up to these new, and in some cases, experimental technologies.

One Approach – Best Practices CUSO Security and Third Party Attestation

One approach that might work, is for CUSOs to work with independent third-party assessors who could then measure the CUSO against industry standard best practices that apply to their specific lines of business, research or innovation. These vendors could then help the CUSO build a relevant and respectable CUSO security and risk management program – which they could attest to the NCUA. If this attestation were required on a yearly basis, along with some basic guidance, like ongoing risk management reviews, ongoing vulnerability management, etc – this could go a long way to mitigating the risks that concern the NCUA IG, while still maintaining independence and control by the CUSOs – thus, empowering their mission. Programs like these have been very successful in other industries and don’t have to add the overhead and bureaucracy of full regulatory compliance or programs like PCI-DSS. 

If you’d like to build such a program for your CUSO, please get in touch with us. We’d love to work on creating this process with a handful of CUSOs around the US, and are more than capable of applying our 30 years of experience in information security to each organization’s independent needs. Drop us a line or give us a call at (614) 351-1237 and let’s work together to close the CUSO Security loop hole in a way that reduces risk but doesn’t destroy the power and flexibility of the CUSO ecosystem.

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are “Why are data theft and compromise rates souring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and all the other myriad of new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents, it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security – it often leaves people striving for the minimum. But, the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis – compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance issues reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles and is destroyed by disruptive technologies. Since regulations, laws and guidance are often much slower to adjust to changes than Internet-time based attackers and techniques, the compliance driven organization NEVER really catches up with the current threats. They spend all of their time, money and resources focused on building security postures and implementing controls that are often already ineffective due to attacker evolutions.

Lastly, I would reinforce  that there are still many organizations out there that just simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction – if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is when everyday buyers become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…