In recent years, governmental agencies and the courts have shown less and less leniency toward organizations with cybersecurity shortcomings, whether those shortcomings lie in their actual defenses or in the way they represent those defenses.
Some enforcement actions have included fines of $100,000 or more, and in many jurisdictions plaintiffs no longer need to demonstrate actual damages for the courts to consider their lawsuits.
Against that backdrop, Patrick Sickels of CUAnswers says credit union boards must ask two crucial questions: “Do you have a problem with your cybersecurity defenses, or are you misrepresenting your cybersecurity practices to the public? Either one of those can get you into some pretty significant hot water.”
The regularity of major incidents in recent years has stripped some of the shock value from breaches, and has changed the way organizations view and structure their defenses.
“I think credit unions are very aware the cybersecurity wolf is at the door,” says Sickels, who spoke about recent developments in cybersecurity litigation and enforcement at the NASCUS/CUNA Cybersecurity Symposium.
“If somebody is determined to get into your system, it’s hard to stop them,” he adds. “So people need to be in what I call the breach management business: This is likely to happen, so do you have a plan for it?”
The first step for directors seeking to craft an effective cybersecurity plan is to take an objective view, Sickels advises.
“Step away from the concept of fault,” he says, “and decide how to approach this issue from the standpoint of reducing the chance a state or federal agency will investigate, of reducing the chance of lawsuits, because it doesn’t look like we cared or had our eye on the ball when it came to cybersecurity.”
For that reason, documentation and awareness of public perception are key, according to Sickels. Include all discussions about cybersecurity strategies in your official board meeting minutes. This demonstrates to examiners that you adequately address the foundational elements of your program.
In terms of perception, review consumer-facing messaging to ensure your cybersecurity defenses align with the manner in which you present information to the public.
For instance, institute regular reviews of your print and online notices so that materials that are outdated or that overstate the capabilities of your defenses are retired before the public can rely on them.
Sickels recommends you ask your attorneys to regularly review your cybersecurity posture to gauge whether a “reasonable person” would interpret your communication correctly.
More fundamentally, recognize the shift in consumers’ attitude toward cybersecurity that the “watershed” Target breach brought about, Sickels says.
“For the most part, business returned to usual for Target,” he says, which illustrates that “consumers have reached a point where, as long as the company that suffered the breach takes care of them, they’ll be OK. The flip side is, if they don’t feel they’re being taken care of, they might look more aggressively toward legal remedies.”
Credit unions with the most effective oversight structure incorporate cybersecurity into governance, Sickels says. Maintain open communication between credit union staff, management, and the board about security incidents, business resiliency, and disaster recovery planning.
At that point, directors enter a gray area where they must weigh the costs and benefits of cybersecurity defenses. The subjective concept of “reasonable defenses” can benefit credit unions in this instance.
“Sometimes, the right answer is to say, ‘We accept the risk,’” Sickels says. “That’s one of the nice things about the way a lot of the laws are written—they do give some protection. If you can say, ‘For our size and scale, this is reasonable protection,’ I think you’ve gone a long way.”
Another effective strategy is collaborating with other industry leaders to develop best practices, which improves your ability to respond to cyberincidents. Standardization also gives all credit unions a more defensible approach.
“The more uniformity we get in the industry, it becomes more of a challenge for state and federal agencies to come in and say, ‘You’re clearly an outlier. You’re not doing what you’re supposed to be doing,’” Sickels says. “Plus, you also get a little bit of a legal defense. That creates a stronger argument than if you’re going it alone, or if your technology is falling behind the times.”
One last development Sickels indicates credit unions should monitor: New York recently implemented cybersecurity legislation establishing requirements for financial institutions that operate in the state, which might become a model for the rest of the country.