The most notorious hack of 2015 might have involved the would-be-philanderers at ashleymadison.com.
Less salacious, but far more concerning, is the database breach at health insurer Anthem, where almost 80 million individual records were stored. And the big insurer was not the only target.
If these organizations, with massive resources and top talent, can fall, what’s a credit union to do?
In 2015, Filene surveyed 148 credit union CEOs about their plans and concerns around payments. Apple Pay was new to the scene and the banking world was abuzz with possibilities.
We expected some concerns around interchange and a lot around technology. But the most cited concern was fraud and data breaches, more than doubling concerns about any other issue (“Turmoil in Payments,” Filene, 2015).
I recently traded emails with the CEO of a multibillion-dollar credit union. This CEO was concerned that, despite spending millions of dollars annually on information technology infrastructure and security, his credit union ratcheted up its security investment almost yearly as even well-understood attacks like distributed denial of service (DDoS), ransomware, and phishing kept making the news.
His final defense was a little dark humor: “It reminded me of the old joke about running away from a bear. You don’t have to outrun the bear, you just have to outrun whoever is with you.”
So what is a credit union to do? Here’s where to start for 2016:
• Good: Stay abreast. Start with the bare minimum. We might be drowning in a sea of information, but at least some of it is helpful.
NCUA is just as concerned about cyber as you are, with a cyber resource page and in-person guidance.
But don’t stop there: the agency bands together with others to inform the FFIEC, which maintains its own informational resources, including a cybersecurity assessment tool.
But the most active place for up-to-the-minute news and trends might be FS-ISAC (Financial Services Information Sharing and Advisory Center), a coordinating center for the two-way flow of information about cyber threats.
A wide variety of banks, insurers, and credit unions take part, ensuring that you’ll probably hear about threats from the 24/7 watch desk before you see them in your systems.
• Better: Insure yourself. You insure the cash in your vaults, but the data behind your firewalls can be even more valuable.
Reputable insurance companies are jumping into the cyber market with flexible plans. As the consequences of fraud, hacks, and identity theft continue to grow, explore your liabilities and coverage options.
• Best: Band together. In addition to participating in a consortium like FS-ISAC and insuring your risks, consider back-office partnerships to spread both costs and expertise.
Collaboration around cyber threats can be the key to the kind of large-scale collaboration Filene has endorsed for years (“Collaboration in Practice: 11 Credit Union Case Studies,” Filene, 2013).
Joint investments in hardware, software, and human expertise mean that even smaller credit unions don’t have to be the bear’s easiest target.
So here’s an easy prediction for 2016: Cyber attacks will increase in frequency and scope. The less easy prediction is whether credit unions are up for the challenge.