Protect Your CU, Members from Cyber Attacks

Preparation can help minimize damage to your bottom line—and your reputation.

October 24, 2014

Data breaches have made the news with frightening regularity in recent months.

According to the Identity Theft Resource Center, there were 621 data breaches during the week of Oct. 13, 2014, a 26.5% increase over the same time period last year (491 breaches).

And a report by Experian says companies are attacked an average of 16,856 times annually, with many causing a quantifiable data breach.

The threat is real

A 2013 report from NetDiligence [pdf] found that while the financial services sector was second only to healthcare when it came to the frequency of information breaches (15% vs. 29.3%), personally identifiable information was exposed slightly more than protected health information (28.7% of breaches vs. 27.2%).

What To Do if a Breach Occurs

• Contact your breach coach. This is legal counsel specializing in privacy laws who will help you assess the legal implications of the breach and the steps you need to take.

Keep in mind you need to follow the data breach requirements of each state where your members live, not where your credit union is located.

• Stop the bleeding. Once you know you have a breach, it’s vital to stop additional data loss.

• Analyze the breach. Use an IT forensic team to document who discovered the breach, when and how it was discovered, what data were compromised, and whether the data were encrypted.

• Notify regulators and your cyber insurance provider.

Although most data hacking (45.6%) occurred among organizations with more than $100 billion in assets, credit unions certainly can’t rest easy: Organizations with less than $50 million in assets experienced 22.1% of the hacks, while those with $300 million to $2 billion in assets experienced 22.9%.

Verizon’s 2013 “Data Breach Investigation Report” said that 83% of breaches on financial institutions took hours—or less—to occur, but 61% of the attacks took weeks to discover. Lost and stolen laptops/devices were the most frequent cause of loss (20.7%), followed by hacking (18.6%).

Credit unions should take these nine steps now to prepare:

1. Review your endpoint security. Work to ensure the security of any device (or endpoint) connected to the credit union network. Tools include firewalls, software to protect against viruses/spyware/malware/spam, and intrusion detection systems (IDS).

Too often, organizations learn about a breach from a third party. An IDS alerts you to unauthorized access attempts that may lead to a data breach.

2. Encrypt all personally identifiable member data. Encrypt all confidential member data that live on your network—on servers, workstation computers, laptops, or mobile devices.

Think encryption is too expensive? Consider the costs associated with a data loss.

3. Install operating system patches. When a vendor sends a patch, it’s often to address a security issue. Update your system pronto.

4. Conduct third-party security reviews. Even if your credit union has information technology (IT) people on staff, have an outside expert review and test your system.

5. Lock down USB ports. This helps prevent a fraudster from loading data to a thumb drive or mobile device.

6. Establish security protocols for telecommuters. Require employees to use only credit union-issued laptops to access the credit union network and to connect via a virtual private network.

Prohibit employees from using public Wi-Fi to connect to your network. Require a strong form of multifactor authentication (e.g., one-time password tokens) rather than just usernames and passwords.

7. Educate staff. Instruct staff never to open an attachment or click on a link contained in an email unless they know the sender and are expecting the file or link.

Require staff to update passwords regularly and develop protocols to ensure strong passwords. Stress the importance of securing paper records, too.

8. Create an incident response plan, and review it at least annually. You should know exactly what to do if a breach occurs and who will handle each task. (See NCUA Rules and Regulations Part 748 [pdf], Appendix B, for complete information on creating a plan.)

9. Get a cyber-insurance policy. These cover a variety of costs such as breach analysis, legal/public relations costs, notification/mailings expenses, victim credit monitoring, liability protection in the event of a suit—and the costs associated with lost member trust.

Although there’s no way to entirely avoid a data breach, advance preparation can help minimize the damage to your bottom line—and your reputation.

KEN OTSUKA is senior risk management consultant for CUNA Mutual Group.