Ransomware Incident in Credit Union Sector Underscores Vital Need for Preparedness

In early December, the National Credit Union Administration (NCUA) announced that roughly 60 credit unions were experiencing outages following a ransomware attack on an IT provider they used. While the company victimized by the ransomware attack quickly jumped into action and has engaged third-party forensic specialists to probe the details and scope of the incident, it is a reminder of how one attack has reverberated throughout an industry. It’s also a reminder that companies cannot stand idly by.

The attack is a great example of companies being victimized by an attack on another business. This is called a “Supply Chain Attack” and poses a significant risk for organizations — even those that take all the necessary safety precautions themselves. Cybercriminals often target the weakest link within the supply chain, breaching systems through that vendor relationship.

With supply chain attacks and other cyber threats on the rise, many organizations including the NCUA have put stronger cybersecurity measures in place. Just three months ago, the NCUA began enforcing its new requirement for all credit unions to notify the NCUA of cyber incidents within the first 72 hours. The NCUA is just one example of regulatory agencies creating stronger requirements in response to these evolving threats.

Consider the recent updates to the Federal Trade Commission (FTC) Safeguards Rule, established by the Gramm-Leach-Bliley Act (GLBA). The new rule went into effect in June 2023 and provides a framework of security protocols for organizations that engage in “significant” financial activities. Most recently, the FTC amended the Safeguards Rule in October to require organizations to inform the FTC as quickly as possible — and no later than 30 days — after discovering a security breach involving at least 500 customers.

As part of the notice, companies must include specific details about the event, including the number of customers affected — or potentially affected. Companies must notify the FTC if unencrypted customer information has been obtained without authorization.

Beyond notification requirements, organizations must oversee service providers to limit their exposure to supply chain attacks. The Safeguards Rule requires companies to oversee service providers by:

  1. “Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.”
  2. “Requiring your service providers by contract to implement and maintain such safeguards.”
  3. “Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.”

That’s where TPx can help. We help ensure companies have a defensible position, and we help ensure infrastructure and data are secure. Complying with the Safeguards Rule or any industry regulatory requirements may seem daunting, but non-compliance can be even costlier, considering the stiff penalties the FTC and other regulatory agencies often levy.

Customers can safeguard their position by taking certain actions to help companies comply with the complex and evolving FTC Safeguards Rule. To facilitate this, we have revised our security advisory services portfolio to make it easier and more cost-effective for companies to create and maintain a cybersecurity program that adheres to the updated Safeguards requirements.

The complexities of IT, cybersecurity and compliance are overwhelming. Companies don’t need to go it alone. They should work with a partner to review, architect, and protect their business from attackers, partners, employees, and ultimately, system outages and revenue loss.

Don’t know where to begin? Drop us a line today to start the process.