Data Security Budgets Are Rising

Protecting member data is a top CU priority.

December 1, 2014


The massive data security breaches at major retailers and other industries throughout the past year weigh heavily on the minds of credit union executives.


So it’s no surprise that protecting member data is overwhelmingly the top information technology (IT) security concern for credit unions, according to exclusive results from the second part of CUNA’s 2014 Technology Spending Survey, sponsored by Credit Union Magazine and conducted by CUNA’s market research department (CU Mag, 6/14, p. 20). Credit unions across all asset sizes listed this as their No. 1 worry.

Credit unions are responding to growing cybersecurity threats by ramping up spending, testing, and investments in network defenses.

Credit unions allocated about 14%—or $115,000, on average—of their overall technology budgets to data security expenses (excluding staff salaries and benefits). That figure rises to nearly 20% in credit unions with assets of $500 million or more.

That reflects expenses incurred protecting credit union databases from destructive forces and the unwanted actions of unauthorized users.

“The greater the size and complexity of the credit union, the greater the number of members and larger amount of member data it must protect,” says Jon Haller, CUNA’s director of corporate and market research.

Overall, more than 10% of credit unions increased their data security budgets by more than 10% over 2013 budgets. Another 14% approved increases from 6% to 10%, and 24% reported increases of up to 5%. About 44% of credit unions overall said their data security budget remained the same as last year, and 2% said it declined.

While no more than about 20% of credit unions with assets of $10 million to $100 million report 2014 data security budget increases of 6% or more, more than 45% among credit unions with assets of $500 million or more planned increases of that scale.

Two-thirds of credit unions anticipate their overall technology budgets will rise during the next couple of years, while only about 5% believe their investments will decrease. That trend generally carries across all asset groups surveyed.

NEXT Data breach concerns

Many credit unions shored up their cybersecurity defenses to address concerns about security threats to their own institutions and data breaches at national retailers.


More than two-thirds of credit unions with $10 million or more in assets say they’re “very concerned” additional retailer breaches will impact their members’ debit and/or credit cards and personal information, and 29% report they’re “very concerned” about their credit union’s vulnerability to cyberattacks. These findings are consistent among all asset groups.

Not surprising, then, 76% of credit unions rank protecting member data as their top IT-related concern, followed by complying with regulations (52%) and meeting members’ demand for new and additional remote technology services (39%).

“The high-profile data breaches at Target, and more recently at Home Depot, reinforced what credit unions already knew: A host of bad apples will stop at nothing to commit cyberfraud,” says Haller. “Credit unions take a serious view on protecting their members’ data, so that threat can’t and won’t be underestimated.”

The Target breach proved costly to credit unions. In the first two months alone, credit unions incurred upwards of $30 million in related costs—not including fraud costs— and reissued around 4.6 million credit and debit cards, according to findings from a CUNA survey earlier this year. The average cost per affected card was $5.68. Future fraud losses likely will increase those costs.

In the past two years—and in direct response to Target and other breaches—more than half of credit unions responding to CUNA’s Technology Spending Survey have conducted a data security vulnerability test or made it a higher priority to implement EMV (Europay, MasterCard, and Visa) check card/credit card protections in advance of the Oct. 1, 2015 liability transfer deadline. That chip-based technology lessens the risk of fraud in point-of-sale transactions.

Nearly 40% of credit unions have implemented fraud detection/prevention systems or used vulnerability consultants to identify potential threats to their systems.

Credit unions are acting judiciously, says Robert Reh, chief information officer at $394 million asset Nassau Financial Federal Credit Union in Westbury, N.Y.

“It’s hard to keep up with all security threats that keep popping up, and the potential threats cybercriminals have in store, when you have limited time, staff resources, and money to spend on solutions,” says Reh, a former CUNA Technology Council executive committee member.

“Security is like insurance: How much is enough, and how much is too much?” Reh adds. “You want to have just the right amount of security to provide all protection needed while not overspending for what you don’t need or will never have use for.”

Despite all these precautions and improvements, high levels of trepidation exist among credit unions of all sizes because the threat shows no signs of dissipating.

“Credit unions must remain vigilant about protecting their members’ data, because cyberattacks likely will increase in frequency, grow in scope, and adapt to new barriers placed in their path,” Haller says.

NEXT Other security precautions


Top data security measures credit unions have used in the past two years include external penetration tests— the most common activity (conducted by 70% of respondents)— followed by vulnerability assessments (64%), internal network security assessments (62%), IT audits (52%), and website security assessments (47%). The use of external penetration tests and vulnerability assessments tends to rise as asset size increases.

Overall, nearly 85% of credit unions already use member verification techniques—the most common authentication technology in place—followed by member single signon (55%), mutual authentication (47%), and Internet Protocol (IP) address location/geolocation (41%). The presence of these technologies typically increases as asset size increases.

One-quarter of credit unions allow members to access credit union sites using their Facebook, Twitter, or other social media logins, and another 12% plan to add that option in one to three years. Only 4% of credit unions employ biometrics, and 87% say they have no plans to offer it. Larger credit unions typically have more of these authentication technologies in place.

For each of the 10 authentication strategies addressed in the survey, no more than 17%—and as few as 3%—of credit unions that have yet to implement a given technology plan to do so in the next three years.

About 35% of credit unions with assets of $500 million or more, however, aim to add mutual authentication (dual control) and out-of-band authentication technology during that time frame.

NEXT Addressing potential threats



1. Environmental Scan resources:

2. Security training:

3. Home Depot data breach survey updates:

4. Stop the Breaches, a national action alert for CUs:

NCUA’s cybersecurity resources:

Countering existing threats is important, but that’s just one piece of the puzzle. Credit unions must also create strategies that address potential incidents.

The most worrisome security threats among credit unions are member identity theft and a data breach involving a third-party provider, followed by a virus attack.

Almost half of survey respondents ranked those possibilities among their top three security concerns in coming years, while just over 30% feel that strongly about the threat of a cyberattack.


Notably, credit unions with assets of $10 million to $200 million express greater concern about virus attacks than do their larger counterparts. Concern over member identity theft peaks among credit unions with assets of $200 million to $500 million.