Credit unions are guided by a series of internal, state and federal rules and regulations pertaining to data security. One example is the set of requirements established by the National Credit Union Association (NCUA). This entity has set forth the IT Security Compliance Guide, designed to summarize the obligations of credit unions to protect information in specific situations. One such situation is the proper capture and disposal of information. It is often this situation, and the role of credit union partners and administrators in it, that puts a credit union at risk of a data breach. Let’s take a look at the guidelines and the opportunity for risk.
The requirements for proper disposal of information in the Security Guidelines apply to any personal information a credit union obtains about an individual. Those requirements also extend to a credit union’s service providers. A credit union must require its service providers that have access to consumer information to develop appropriate measures for the proper disposal of that information, regardless of whether a loan is ultimately secured. In essence, if a dealership provides credit information to a potential lender, that information must be disposed of properly whether or not the loan is completed. How often do you assess the information disposal practices of your partners?
The guidelines also provide a list of recommended measures needed in establishing a set of security controls designed to prevent access to sensitive information via cyberattack. Some of these measures include:
- Encryption of electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
- Procedures designed to ensure that member information system modifications are consistent with the credit union’s information security program
- Monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, member information systems
- Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies
Requiring these same security measures from your business partners is a sound business practice. Applying this rigorous level of security is at the heart of EFG’s customer focus. Our clients rely on EFG’s technology for everything from rating products to processing claims. It is for this reason that EFG recently achieved the Service Organization Control 2 (SOC 2) Certification under the Statement of Standards for Attestation Engagements 18 (SSAE 18) guidelines from the American Institute of Certified Public Accountants (AICPA).
Several years ago, EFG took proactive steps to secure its own data and achieved SSAE 16 certification in 2016. Since then, EFG has continued its efforts to further strengthen the company’s security measures, investing close to a quarter of a million dollars annually in security enhancements and achieving SSAE 18 certification in December 2019.
SSAE 18 certification is the most widely recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations. SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy.
The SSAE 18 certification demonstrates to clients and contract holders that EFG has the necessary processes in place to ensure that personal and confidential information is more secure than almost any other product provider.
With the amount of confidential consumer information collected in the retail automotive industry, data security is mission critical to successfully conducting business going forward. While credit unions have recognized this and made their own enhancements, smart institutions are now evaluating their partners with the same laser focus on data security and compliance. Make sure you are putting your provider to the same rigorous test as your own institution.