The aftermath of a high profile cyberattack at Dublin-based Patelco last summer is continuing into the new year, with the credit union now facing a cease-and-desist order over “unsafe and unsound” practices and a $100,000 fine amid an investigation by state regulators.
Patelco agreed to a consent order from the state’s Commissioner of Financial Protection and Innovation that includes findings and recommendations first introduced to the credit union in November related to its risk management and risk assessment processes, board reporting, business continuity management and internal audit programs, and its security control environment.
“Following the cybersecurity incident we experienced in June 2024, we worked closely with the California Department of Financial Protection and Innovation (DFPI) to understand and address their questions and achieve a resolution,” Patelco President Erin Mendez said in a statement this week.
“As part of this resolution, we are implementing enhanced measures to further strengthen our cybersecurity program — many of which are already underway,” she continued. “These proactive steps underscore our unwavering commitment to transparency, protecting our members’ information and privacy, and continuously improving our systems to prevent future incidents. By investing in these improvements, we reaffirm our dedication to resilience and the trust our members and community places in us.”
That trust was tested in the weeks-long cyberattack and associated outages that the credit union’s 500,000-plus customers experienced starting in June, with multiple lawsuits currently underway in the wake of the attack after customers were unable to access their funds and were notified that their personal data had been accessed by hackers.
While Patelco has cooperated with the investigation and current consent order, it is not required to admit or deny the findings in the order, which includes a requirement that the credit union “cease and desist from unsafe and unsound acts with respect to its inadequate cybersecurity system and processes.”
Patelco is now required to develop a cybersecurity program according to a timeline set out by the state consumer finance commissioner that is “commensurate” with its risk profile, including the appointment of a qualified leader for the program and oversight by its Board of Directors on the development, implementation and maintenance of the program.
Other requirements include a training program for all Patelco personnel on how to understand the company’s risk profile and compliance obligations and how to implement the cybersecurity program.
The first requirement is to hire a compliance consultant within 90 days of the order to support the creation of a corrective action plan, which in turn leads to the development of a full cybersecurity program.
More immediately, Patelco has 30 days from the order to pay the $100,000 penalty.