National Credit Union Association

What is Appendix A of Part 748?

The NCUA Board is modifying its security program requirements to include the security of credit union member information. Further, the NCUA Board is issuing “Guidelines for Safeguarding Member Information” to implement certain provisions of the Gramm-Leach-Bliley Act (GLBA).

Currently, NCUA regulations require that federally-insured credit unions have a written security program designed to protect each credit union from robberies, burglaries and embezzlement, and to assist in the identification of persons who attempt such crimes. Expanding the scope of protection to include threats or hazards to member information systems is a natural fit within a comprehensive security program. This expansion to cover cyber threats to member information systems and data is set out in Appendix A of Part 748, “Guidelines for Safeguarding Member Information”.


Who Has to Comply? 

The Guidelines apply to member information maintained by or on behalf of federally-insured credit unions. Such entities are referred to in this appendix as “the credit union.” (Excerpt taken directly from Appendix A of Part 748.) Member information is defined as “nonpublic personal information” of “members,” as those terms are defined in 12 CFR part 716, NCUA’s rule captioned Privacy of Consumer Financial Information (the Privacy Rule or Part 716).


What Are The Requirements? 

The requirements include but are not limited to:

  • Req. 2A - Documented information security program

  • Req. 3B-1 - Internal and external risk/vulnerability assessments 

  • Req. 3B-3 - Policies and procedure development and assessment 

  • Req. 3C-1-F - Monitoring systems and procedures to detect incidents 

  • Req. 3C-1-G - Incident response plan and program 

  • Req. 3C-2 - Security awareness training 

  • Req. 3C-4 - Regular testing of the controls, systems and procedures of the information security program

  • Req. 3F - Annual reporting to the board