CA DFPI Announces Consent Order with San Francisco Credit Union Following Cybersecurity Incident
On February 4, the California DFPI announced a consent order with a San Francisco-based credit union. The order addresses certain cybersecurity practices that the DFPI, based on its investigation of a recent ransomware attack that targeted the credit union, found to require corrective action. According to the DFPI’s findings, the ransomware prevented members from using online banking services and enabled access to some members’ personally identifying information.
Under the order’s terms, the credit union neither admits nor denies the DFPI’s factual findings and legal conclusions. As the order explains, the credit union, as part of its cooperation with the DFPI’s investigation, agrees to pay a $100,000 penalty and develop and maintain a cybersecurity program that complies with relevant federal and state laws. Notably, the credit union must take the following actions:
- The board of directors must oversee the development, implementation, and maintenance of the cybersecurity program, including a training program for all employees.
- A qualified individual with adequate authority must be appointed to manage the cybersecurity program.
- A written risk assessment must be prepared — and updated regularly — to identify reasonably foreseeable threats that might result in unauthorized disclosure, misuse, alteration, or destruction of member information and evaluate the adequacy of policies and procedures to address these risks.
- The credit union’s management must report to the audit committee of the board concerning the progress of its corrective actions, including findings, recommendations, and risks identified through the risk assessment.
Within 90 days of the order’s effective date, the credit union also must engage an independent compliance consultant. The consultant will, among other functions, prepare written quarterly reviews of the cybersecurity program and perform quarterly testing of cybersecurity systems and processes.