Build Up Security Policies and Budgets

Include the costs of security in your CU’s business plan and overall budget.

May 7, 2012

Knowing that your credit union is only as strong as its weakest link illustrates how important it is to have a strong security system in place.

A security breach can cost your credit union revenue, productivity, and member loyalty. Security problems can tarnish your reputation and result in a critical loss of funding.

Three CEOs describe here how their credit unions are being proactive—prioritizing security planning and protection to avoid security lapses.

Budget for top priorities

“Without adequate security policies and the willingness to invest in security, there isn’t a need for a business plan—we won’t be in business,” says Sterling Nielsen, president/CEO of $2.9 billion asset Mountain America Credit Union, West Jordan, Utah.

Mountain America stays up-to-date on best security practices and makes it a priority to implement them into its planning process. “Through that process,” says Nielsen, “the priorities are identified and the funds are budgeted to accomplish our security goals. We might not be able to complete our entire wish list, but we can budget funds for the highest priorities.

“One security oversight can destroy any trust our members have in us,” he adds. “Therefore, we go to great measures to secure our buildings, our networks, and our online services. The cost of protecting our networks is very high, but worth every penny.”

Mountain America has hired employees specifically trained in various aspects of security. It also has implemented employee training across the credit union and has enhanced its policies and procedures pertaining to security.

“Effective security is multifaceted—including security of the buildings, networks, online access, mobile access, member education, and other areas like social engineering,” says Nielsen. “But it’s easy to overlook social engineering—psychological manipulation of people you generally don’t see face-to-face in order to deceive them.

“This can be a significant security threat to credit unions, particularly as they grow and possibly become more vulnerable to scams like phishing, pharming, and other types of fraud.”

To pinpoint needed security improvements, he adds, you have to take a hard look at what you’re doing now. “For example, could a person pretending to be a phone company representative or a member of your information technology department talk his or her way into a sensitive area of your building?”

Updating security around social engineering includes several elements, Nielsen explains. Make sure staff don’t write down their passwords or place them where they can be found by others.

“We strive to maintain the trust of our members, but that doesn’t mean we should make online access easier than it should be,” he says. “If your online services are so convenient that your security is weak, you won’t be doing any of your members a favor.”

Next: Take prompt action as needed

Take prompt action

“Security risk is the single most important thing that keeps me up at night,” says Mary Beth Wilcher, CEO of $350 million asset Erie (Pa.) Federal Credit Union. Unlike regulatory compliance, with security breaches usually there’s no warning and the consequences can be devastating.

When previously working at CUNA Mutual Group, Wilcher gained insight into where losses occur. “I learned how they happen and what we can do to stop them before they stop us.” That knowledge showed her how important it is for every CEO to take the lead with security planning.

Recently, Wilcher led Erie Federal in tightening security on file transfer protocol destinations, email procedures, and storage and mailing of address change notices.

Erie Federal typically factors its security expenses into its overall operating budget. Security expenses aren’t currently segregated into individual line items in the budget, but that will probably change in the future. The credit union’s operations team oversees policies, procedures, compliance, and security.

“Keeping up with compliance and security certainly takes a toll on our budget,” notes Wilcher, “but it can’t be scaled back and will only escalate expenses going forward. As new security threats appear, we’ll continue to take prompt action as needed. Budgets don’t always anticipate those expenses in advance. Being able to explain them to your board and examiners is critical.”

Erie Federal had one robbery attempt in 2009. In response, says Wilcher, “branch security became a top priority, and we began retrofitting our branches with state-of-the-art security.

“One easy fix is to add additional lighting and cameras both inside and outside your facilities to deter crime,” she suggests. “We also added internal technology that enables us to reduce risk by monitoring accounts that could potentially cause
us a loss.”

Security planning and budgeting should be a line item on the budgets for all branches and corporate facilities, she says.

“If security isn’t first and foremost in the minds of your management staff and your board of directors, you’re potentially opening the door for a hit to your reputation, monetary loss, or—God forbid—loss of life,” she says.

Address risks and exposures

For the past 15 years, $135 million asset Public Service Credit Union in Romulus, Mich., has been addressing specific security issues within its budget and business plan.

“Years ago, security planning was much more rudimentary than it is now due to increased exposure that we face to physical and data threats,” says Dean J. Trudeau, president/CEO.

The credit union’s annual budget process takes into consideration both physical and electronic data security.

“We have a person in charge of loss prevention who makes recommendations for software upgrades that allow for detection of fraudulent accounts and suspicious activity,” he says. “He’s primarily responsible to budget for upgrades or make additions to our security equipment such as cameras, electronic access devices, or alarm upgrades.”

Additionally, Public Service encourages all department and branch managers to consider security enhancements when they submit their annual budgets. “We include security-related issues within our overall business plan by starting with an annual physical risk review of our offices and practices.”

The credit union also performs an internal Bank Secrecy Act risk assessment of products offered and methods for opening accounts. “We use these reviews as an opportunity to modify procedures and create budgets to address new risks and exposures,” says Trudeau.

Security needs have become a huge concern for credit unions today because they’ve become a core consideration of how business operates. Consequently, credit unions face numerous challenges when planning for possible security problems.

“All facets of security are important,” says Trudeau. “First of all, we’re required by regulation to protect member data. And secondly, insurance no longer covers the losses that were covered years ago unless they become catastrophic.

“Our bottom line mandates that we fend off potential losses at every opportunity. The cost and effort to provide security for records, documents, and member data is greater due to the ever-changing, sophisticated methods to defraud the system.”

So what’s the top recommendation when it comes to security planning? Move beyond using only one department to review security, says Trudeau.

“Budget for security throughout your organization. The perspectives and objectives for each department are different and necessary for a strong security plan.”