Government agencies, major health insurers, and should-be impenetrable data security firms have all recently fallen victim to cyberattacks—evidence that every organization, including credit unions, should consider itself vulnerable and prioritize defending against breaches.
More than 2.8 million system compromises occurred each day in 2014—a 78% increase over 2013, according to Gemalto, a digital security firm. And the average data breach claim stands at a whopping $805,000, an industry survey of cyber liability insurance providers indicates.
Financial institutions are especially vulnerable to data hacks. In fact, 19% of breaches occurred within these organizations, NetDiligence’s Cyber Claims Study says.
That’s second only to the healthcare industry, at 22%. Organizational size offers no protection: The same survey found 68% of all submitted claims came from organizations with annual revenues of less than $2 billion.
NCUA’s Rules and Regulations Part 748 (Guidelines for Safeguarding Member Information) and its Appendices A and B clearly spell out credit unions’ responsibilities in this increasingly important area.
Appendix A implements the Gramm-Leach-Bliley Act’s safeguards rule, which requires credit unions to develop a written information security program designed to:
To meet this three-pronged responsibility, Appendix A states:
A credit union may outsource the maintenance or processing of sensitive member data to a third-party service provider, but it can’t outsource the responsibility for maintaining the security and confidentiality of that data. As noted in Appendix A, the credit union should employ effective due diligence before the partnership begins and continuously assess the relationship.
Implement a process to monitor the performance of the service providers so you can confirm compliance with the contractual requirements. Credit unions should request and review service providers’ audits, summaries of test results, or other equivalent evaluations.
It’s critical to monitor all vendor relationships—not just those with an obvious data link. For instance, the Target data breach occurred through a hack into its refrigeration, heating, and air conditioning subcontractor.
Thieves gained access to Target’s payment system because the company hadn’t properly segmented its computer systems to block third-party vendors from accessing this sensitive area.
Credit unions’ legal counsel should review all of their vendor contracts to make sure they include provisions to protect the credit union and member data, such as:
Information sharing and collaboration are critical strategies to improve data security. One resource to investigate is the Financial Services Information Sharing and Analysis Center (FS-ISAC), a worldwide nonprofit organization that informs member financial institutions of the latest cyberthreats and recommended actions.
This article initially appeared in Credit Union Directors Newsletter, which provides strategic insights for policy makers.