In today’s ever-present cyber threat environment, financial institutions are frequent targets.
Credit unions continue to fall victim to a variety of cyberattacks, including malware infections, phishing scams, denial-of-service attacks, cryptojacking, and ransomware.
These attacks not only cause monetary losses, they can also contribute to a loss of trust between the credit union and its members.
Cybersecurity is one of the most dynamic risks for organizations to manage. And unfortunately, only 42% believe their company is effective at managing cybersecurity, according to Deloitte.
Given the rate of speed at which cyber-based attacks are spreading, both state and federal regulators have increased efforts to ensure credit unions prioritize cybersecurity in their risk management strategies.
For example, the New York State Department of Financial Services now requires comprehensive security programs directed at preventing and defending against cyber-related crime.
Presumably, other state regulators will follow suit and develop similar regulations as the problem persists.
Additionally, in a recent letter to credit unions, NCUA announced an increased focus on cybersecurity assessments for 2018.
This year, examiners visiting credit unions with assets greater than $1 billion have used the Automated Cybersecurity Examination Tool to assess a credit union’s level of cybersecurity preparedness. They will continue to test and refine the tool for smaller institutions.
An increased regulatory focus and the need for credit unions to continue improving their technological infrastructure call for heightened vigilance in the areas of risk identification, mitigation, and control.
Credit unions should treat cyber vulnerabilities as a multi-layered issue, primarily focusing on:
• Threat intelligence. Cyber resilience strongly depends on access to real-time threat identification and analysis. Understanding the specific nature of a threat allows credit unions to identify and address vulnerabilities in business operations.
To ensure your systems and staff are up to date on the tactics and methods cyber criminals use, you need access to reliable, relevant intelligence.
The top threats to watch include risks to confidentiality, integrity, and availability of stored data.
• Third-party vendors. Focus on managing third party service providers and the potential risks those relationships pose. From a regulatory perspective, understand the cyber maturity of your vendor partners, what data they have access to, and where they might be vulnerable to cybersecurity threats.
Weak vendor security controls translate to a weak cybersecurity environment.
• Independent reviews. Regulatory bodies encourage annual independent reviews or audits of credit union security controls and information security programs.
These are often performed in conjunction with other assessments, such as social engineering tests and penetration/vulnerability testing.
A comprehensive third-party review often provides a well-rounded picture of a credit union’s cyber maturity related to current threats.
• Governance. The increased spotlight on cybersecurity has required credit union CEOs, boards of directors, and the entire C-suite to establish proper corporate governance to manage cyber security risks. This includes developing comprehensive policies, procedures, and reporting structures.
Regulators expect credit unions to develop and implement proper oversight and risk ownership protocols. To regulators, cybersecurity is no longer a function of a credit union’s information security department but a principle responsibility of executive management and the board of directors.
Cyber threats are expensive and damaging to companies’ reputations, and can have far-reaching consequences. Engage your C-suite to gain a clearer perspective of your data security plans and how you can improve them.
Cybersecurity is not just an information technology problem. Commit to understanding the basics of cyber threats, educating the entire organization on next-generation vulnerabilities, and embracing key considerations for strengthening your credit union’s risk posture.
CARLOS MOLINA is a risk management consultant at CUNA Mutual Group and emcee of the 2019 CUNA Cybersecurity Conference with NASCUS.