Cyber Security Awareness Month: Third Party Cyber Risk Management

By: Jacob Olcott, VP of Business Development, BitSight Technologies

How not to become a “Target”
October is cyber security awareness month, and there are few things more haunting to financial or retail institutions than the security breach that affected Target stores a few years back. The attack resulted in more than $40 million in debit and credit card numbers being stolen, and more than likely affected at least some of your members.

The scariest part of the security breach may be where it originated: its HVAC supplier. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third party cyber risk.

Regulators are taking a closer look at third party risk management, so employing best practices is not just practical but a legal matter as well.

Five Key Steps to Develop a Third Party Risk Management Program

Developing a risk management program doesn’t have to be difficult. There are five key points to consider for a plan, and several vendors and services that can help you to do so.

  1. Organize Internally. This means bringing together all teams that have an impact on, or are impacted by your cybersecurity or dealings with third party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
  2. Identify and Prioritize Key Parties. It is important for credit unions to consider any third party that has either direct network connections to your organization or has access to sensitive data. This would include, but is not limited to, looking at your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, approach this from the position of your most sensitive data, likely your members’ financial data, and the level of access a third party has to that data.
  3. Evaluate your vendors’ security. This is traditionally done a number of ways such as using questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments is a good source that charges a fee for common questionnaires to send your partners regarding their cyber security efforts. If you are interested in developing your own questionnaire, the NIST cybersecurity framework is a good place to start. You can also do your own audits of your partners, but often companies will share their own documentation of audits they have done.
  4. Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing in forms such as contracts, but verbally as well. It is important to develop a strong dialogue regarding your security concerns that is not just once, when you launch a partnership, but ongoing. The cybersecurity landscape changes on a daily basis so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
  5. Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits can only give you snapshots of a company’s security profile at one point in time. Actual security is much more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like a credit rating service for cybersecurity. They provide a number that indicates how strong a company’s security practices are on a continuous basis. BitSight calculates Security Ratings using a continuous process that gathers, processes, and assigns security data to arrive at the top-level security ratings.

For more detailed information on developing a third party cyber risk management plan you can check out NAFCU’s webinar with BitSight Technologies here or download BitSight’s white paper on the topic.

A Momentous Occasion: First-time Homebuyers

Originally posted on

Guest post written by Dan Green, Executive Vice President, Marketing, Mortgage Cadence, LLC.

Mortgage Cadence is the NAFCU Services Preferred Partner for Mortgage Processing and Fulfillment Services.

Last week marked one of life’s momentous occasions. They occur for everyone, and in everyone’s life there are those we never forget. Mine? My daughter and her husband became first-time homebuyers.

“What’s the big deal”, you might be thinking. Thousands of former renters become new homeowners every day. Millions every year. Moreover, her father, me, is a mortgage guy. Of course my daughter bought a home. What else would she do?

Ten years ago, I would have wholeheartedly agreed with you. Even seven years ago. Less than that, not so much. The truth is, as the housing crisis unfolded and the economy plunged deeply into recession, the American Dream became simply that for many people. The pundits thought, and much has been written over the past five years to this effect, that we had seen the end of homeownership in the US. As the theory went, people would choose to rent instead, keeping their mobility and employment options open while incurring less financial risk.


The Looming Impact of Dodd-Frank

Originally posted on

Guest post written by John Levonick, Chief Legal & Compliance Officer, Mortgage Cadence, LLC.

Mortgage Cadence is the NAFCU Services Preferred Partner for Mortgage Processing and Fulfillment Services.

Dodd-Frank impacts lenders in many ways. In the span of less than two years there are now many new rules that will have material impact on the conduct of all mortgage originators and assignees. Consider the following impending rules:

  • Qualified Mortgage (QM) / Ability to Repay (ATR)
  • LO Comp Rule (Reg. Z)
  • Appraisal Rules:
    • Joint Rule (TILA / Reg.Z – HPML)
    • Copy Rule (ECOA)
  • Escrow Rule
  • Know Before You Owe / Integrated Disclosures (TILA / RESPA)

While all are important, the Ability to Repay (ATR) elements of the Qualified Mortgage (QM) rules are first on our list. That’s where we’ll turn our attention this month.

The Ability to Repay requirements with the Qualified Mortgage

A QM is a new loan classification that represents how the lender has made a thorough assessment of, and has fully documented, a borrower’s ability to repay their covered loan. Currently, Regulation Z, as amended by the Board of Governors of the Federal Reserve System in 2008, prohibits creditors from extending Higher-Priced Mortgage Loans (HPML) without regard for the consumer’s ability to repay. The ATR rule extends application of this requirement to all loans secured by dwellings, not just HPMLs. Also of note, this final rule establishes a Safe Harbor that contains a “presumption of compliance” with the ATR requirement for non-HPML QMs. While the ATR rule does not specify any particular underwriting model, lenders must consider and validate, at a minimum, 8 discrete underwriting factors:


Engaging the Hearts and Minds of Your Service-Selling Team

Originally posted on

Guest post written by Julie ann Wessinger, National Director of Client Performance Strategies, Allied Solutions.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance—Bond, Creditor Placed (CPI), Guaranteed Auto Protection (GAP), and Mechanical Breakdown (MBP); iSolutions; rateGenius.

Research on employee commitment to organizational goals indicates that only slightly more than 1 out of 4 employees (29%) are actively engaged. With less than one-third of all employees showing up “on purpose” and willing to invest their discretionary efforts to make a difference in helping their organizations succeed, this sobering statistic makes it evident that establishing competitive advantage is a very real challenge.

When it comes to culture change there is no “work-around.” Without fully engaged employees it is difficult, if not impossible, to develop a service-selling team and execute a growth strategy. In our experience, lack of active engagement is often caused by issues such as a lack of organizational alignment or employee confidence and belief that they have the ability to contribute in a meaningful way to organizational goals.


The Branch’s Love/Hate Relationship with Technology

Originally posted on NCR Corporation’s Blog.

Guest post written by Brian Bailey, Vice President and General Manager, NCR Corporation.

NCR Corporation is the NAFCU Services Preferred Partner for ATM Products and Services, Teller Cash Recyclers (TCRs).

Technology has killed the bank branch.

You’ve heard this refrain before. Online banking. Intelligent deposit ATMs. Mobile banking. The future of mobile wallets. These technologies that make our lives easier supposedly have made the bank branch irrelevant. A dinosaur from bygone days. The financial services equivalent of the movie rental store or disco. Tower Group estimates that global teller transactions have decreased by 31 percent in the past 10 years, and forecasts an additional 15 percent decline by 2015. Bloggers such as Bank 2.0’s Brett King have declared the branch dead because … hey … you’ve got a mobile phone.

What doesn’t kill you makes you stronger, right?

That’s true when it comes to the branch’s love/hate relationship with technology. In fact, technology has not killed the bank branch. Technology is the future of the bank branch.
