On February 4, the California Department of Financial Protection and Innovation (DFPI) announced a consent order issued against a credit union (respondent) following a significant cybersecurity breach. The breach, a ransomware attack, allegedly forced the shutdown of various banking systems from June 29, 2024, to July 15, 2024, and resulted in unauthorized access to the personal identifying information of approximately 500,000 members. During that period, members could not access their account information online, although limited access remained available through ATMs and in-branch services.
The DFPI Commissioner investigated and identified deficiencies in the respondent's cybersecurity framework. The investigation highlighted areas needing improvement, including risk management practices, IT risk assessment processes, board reporting, security controls, business continuity management, and the internal audit program. As a result, the consent order requires the respondent to establish a comprehensive cybersecurity program tailored to its risk profile.
Under the terms of the consent order, respondent is required to appoint a qualified individual to oversee the cybersecurity program, conduct periodic risk assessments, and maintain written policies and procedures to manage identified risks effectively. Additionally, the order stipulates independent testing of the cybersecurity measures, regular reporting to the board of directors, and the implementation of a training program for all personnel. The respondent must also engage a third-party compliance consultant to assist in addressing the corrective actions identified by the Commissioner. The credit union has agreed to pay a monetary penalty of $100,000 and is prohibited from seeking indemnification.