When the latest ransomware, phishing, or malware attack makes the news, information technology (IT) professionals know that boards will want to know how it will impact the credit union.
“Cyberthreats are always in the news,” says Mark Reed, senior vice president, technology, at $9 billion asset American Airlines Federal Credit Union in Fort Worth, Texas. “Boards want to know and have the assurance that we’re protected.”
A panel of IT leaders discussed how they inform the board about cybersecurity threats and how their credit unions respond to and guard against those threats during the 2021 CUNA Operations & Member Experience Council and CUNA Technology Council Virtual Conference.
“A lot of board members aren’t as knowledgeable in the cyber realm,” says Darich Runyan, vice president, security, at $3.9 billion asset Langley Federal Credit Union in Newport News, Va. “We try to keep them in the know about what the new trends are.”
IT leaders say they often provide a monthly snapshot to the board that describes current and emerging threats, what risks the threats pose, and the credit union’s vulnerability. Some credit unions also include metrics on organization-wide training efforts and reports that break down recent incidents, including how IT became aware of the incident, the response taken, how long it took to respond, and the outcome.
Robert Eckhart, vice president of information security at $3.7 billion asset GECU in El Paso, Texas, says he also includes the results of IT audits if there were findings and summaries of internal and external risk assessments. The information is a high-level overview, with more detailed and technical reports provided to senior management.
While their approach varies by credit union, the panelists agreed it’s best to streamline this information so it’s more easily digestible.
“It’s an evolution,” says Benjamin Corman, director of information security (IS) and IS governance at $9.8 billion asset Digital Federal Credit Union in Marlborough, Mass. “There’s a firehose of information we could discuss, and figuring out what to discuss is crucial.”
In addition to providing information, Runyan says it’s important to complete training with board members, whether it’s a high-level discussion, going over an incident, or keeping them informed about what taking place in the cybersecurity landscape and how the credit union is responding.
“Cyber has to come from the top down,” Runyan says. “It doesn’t work from the bottom up.”