Cyber liability exposures continue to evolve, and credit unions can no longer rely solely on their information technology staff to ward off a cyber attack.
Network security requires solid governance and oversight with active participation by management and the board of directors, said Jay Isaacson, CUNA Mutual Group’s vice president of commercial products.
Data breaches, he noted, are increasing across all businesses, resulting in significant dollar losses and reputational damage. He cited the Verizon 2014 Data Breach Investigation Report, which indicated 1,367 data breaches occurred in 2013, with 465 involving the finance industry.
And the price tag is high. In May, the Ponemon Institute’s Cost of a Data Breach Study reported that the average total cost of a data breach is $3.5 million, with a global average cost of $145 for each lost or stolen record containing sensitive and confidential information.
“Think of your own credit union and do the math,” Isaacson said. “While a data breach might seem somewhat remote, it’s within the realm of possibility and could threaten the safety and soundness of your institution.”
Within the financial sector, the most common security breach incidents involved Web application attacks, denial of services (DDoS) attacks, payment card skimming, and insider misuse, according to the Verizon study. While financial gain motivates most data breach perpetrators, cyber espionage also is increasing. Isaacson said the most common sources of data breaches are hacking, followed by malware.
Specific to credit unions, the most common cyber claim themes reported to CUNA Mutual Group under its Cyber & Security Incident insurance coverage involved DDoS, third-party service providers, employee errors, and lost or stolen devices.
“Network security is only as strong as the weakest link. You may have an air-tight data system, but if a third-party provider you use is lax, or a laptop containing confidential data goes missing, your credit union is at risk.
Isaacson said risk management considerations include education and training for all employees (not just IT staff); development and frequent testing of an incident/breach response plan; and the creation of a data security incident response team. Member education is also important.
“There’s a need to balance security and convenience,” he said. “Members need to understand why certain security measures they might not consider convenient are necessary for their protection and the credit union.”
CUNA compliance staff recently responded to a query if credit unions are required to disclose the numerical value of the military annual percentage rate to borrowers covered under the Military Lending Act.
Following its groundbreaking comprehensive study on regulatory burden, CUNA released its new Regulatory Burden Calculator that allows individual credit unions to assess the impact of regulation on their operations.
After months of advocacy by CUNA, the CFPB Thursday wrote to CUNA announcing it will initiate a rulemaking this summer to address issues with the bureau’s Truth in Lending Act-Real Estate Settlement Procedures Act integrated disclosures rule.