Inherent risk is always dynamic

Inherent risk is always dynamic

Cybercriminals’ strategies, tactics are constantly changing.

February 3, 2021

As the business landscape continues to evolve, accelerated by the coronavirus (COVID-19) pandemic, many credit union executives have revenue generation and cost containment at the forefront of their minds. There tends to be less appetite for ongoing investments that elevate cybersecurity.

For many credit unions, a sense of weariness sets in when, year after year, they repeat the same tasks to meet the same information technology (IT) risk requirements. IT or cybersecurity teams move through the Federal Financial Institutions Examination Council (FFIEC), Federal Deposit Insurance Corp. (FDIC), Automated Cybersecurity Evaluation Toolbox (ACET), or other tools and check the boxes they believe will keep regulators happy. Unfortunately, that approach misses the point

NCUA has made some tweaks to its oversight approach. But if ACET, which is now categorized as a self-assessment tool, is embraced as intended, credit unions will navigate toward increasingly robust cybersecurity postures. Risk reduction is a primary goal for most executives, and a more mature cybersecurity posture can accomplish that goal.

Recognizing true inherent risk

A credit union’s inherent IT risk profile is based on technologies and connection types within its digital ecosystem, delivery channels, use of online and mobile technologies, organizational structure, and experienced external threats.

Many executives maintain that if none of those factors have changed markedly, then an organization’s inherent risk profile is the same and there is no need to invest additional time and resources to graduate to higher levels of cybersecurity maturity. According to that line of thinking, maintaining the status quo, including investment levels, should be fine.

However, that thought process is fundamentally flawed. Even if the key risk factors of a financial services firm’s operations remain static—which is rarely the case—cybercriminals and their strategies and tactics are anything but static.

Because attackers constantly evolve, a firm’s inherent risk profile must be viewed as dynamic. A credit union’s risk profile does not naturally move in the direction of greater security, so without intentional efforts and investment to increase security, actual inherent risk will always increase.

‘Without intentional efforts and investment to increase security, actual inherent risk will always increase.’
Miguel Hablutzel

Attack strategies evolve

Attack strategies, and therefore risk, are continually changing. For example, USB devices used to be the leading endpoint threat. Most credit unions banned the use of USB devices, and that vulnerability all but vanished. Criminals had to perfect a new attack vector, and email currently leads that charge. However, it is a near guarantee that criminals will move to other vectors as email security continually strengthens.

What about novel attack strategies?

Cybersecurity technologies are often great at detecting and defending against known attack signatures. SilverSky can help protect organizations against a never-before-seen attack, such as the supply chain attack that utilized the SolarWinds update server.


Although none of SilverSky’s customers were infected, that attack reminded us of the critical importance of coupling around-the-clock monitoring with an intimate familiarity with our digital ecosystems. Only dedicated and diligent monitoring can spot unusual domain name system (DNS) query activity or unexpected queries to a command-and-control server.

The supply chain attack also reminded us of the importance of endpoint detection and response (EDR) capabilities to prevent malware from being dropped on endpoints. If malware infects endpoints despite sophisticated protective measures, EDR allows the infected organization to roll back endpoints to their pre-attack states.

A static approach is going backward

Criminals are constantly investing in both strategies and technologies to perfect their craft. Firms that opt to not evolve their defense strategies to keep pace are, in fact, going backward.

CUNA’s piloting of the Information Technology Risk Examination for Credit Unions (InTREx-CU) acknowledges that exact fact. InTREx-CU allows both examiners and credit unions to identify and remediate potential high-risk areas, particularly within the cybersecurity controls domain. ACET, now a self-assessment resource, helps credit unions meet InTREx-CU requirements while strengthening their organization’s overall security.

Fortunately, the industry is converging to help credit union executives accurately assess their organizations’ risk exposure and creatively balance budget realities with the imperative to evolve their firms’ defenses.

MIGUEL HABLUTZEL is the vice president of strategy at SilverSky, a CUNA Strategic Services alliance provider.