Cybersecurity for Credit Unions 101. Compliance, Best Practices, and Infrastructure.

The role of cybersecurity in the credit union industry is primarily one of protecting member data against unauthorized and/or malicious access. Data includes identity of an individual, a credit union, a business, or an accounting function, or any combination thereof, that could be used in an exploitative manner. Loss of any form of identity can enable unauthorized persons to access funds or intellectual property and could expose vulnerabilities causing a breach, an incident response, and ultimately a disruption of credit union services

Ultimately, the cybersecurity team is in place to protect its members' data and to maintain the sanctity of the financial transaction system, while simultaneously providing confidentiality, integrity, and accessibility of all systems involved in the transaction process.

Compliance is a crucial part of a robust cybersecurity program and focuses on following rules and requirements set by the industry’s governing bodies. The National Credit Union Administration (NCUA), the regulatory entity for credit unions, makes available and regularly updates compliance requirements for credit unions (12 CFR Part 748: Guidelines for Safeguarding Member Information). The NCUA expects credit unions to have appropriate board-sponsored policies and procedures in place to anticipate, identify, and mitigate cybersecurity risks, with a specific focus on Gramm-Leach-Bliley Act (GLBA) defined data types.

To establish a successful cybersecurity program from the ground up, start by selecting and analyzing one of several common security frameworks (CSF), such as the NIST (National Institute of Standards) Special Publication 800-53 security controls and assessment procedures framework. Use a spreadsheet or scorecard, often publicly available with these frameworks, to identify gaps in your program and develop a cybersecurity maturity roadmap. In addition, refer to the NCUA's website for current year guidance, memos, and articles on how to get started or what to expect in upcoming reviews of your institution’s controls.

Credit unions should consider tracking cybersecurity program maturity progress against the NCUA’s Automated Cybersecurity Examination Tool (ACET) or the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT). The ACET and CAT are gap analysis and risk profiling tools that help credit unions define the level of cybersecurity maturity they have reached or must reach to account for the amount of risk inherent in the institution’s technical complexity.

Initial design and capacity planning of a cybersecurity program should begin with a risk assessment. The risk assessment helps determine existing gaps and current risks. Cybersecurity architects can work directly with operational risk analysts, who can apply a monetary value to quantify risks so that leadership can make more informed decisions. Of course, a cybersecurity leader should then evaluate the cost of mitigating the risk versus the cost of a potential exploited risk.

It is best to prioritize risk mitigation based on various factors, including tools and protections already in place, likelihood and impact of occurrence, cost and stability of corrective technology, and human resources required to implement the solution. Credit unions often find prioritization challenging, because they usually run lean staffs who tend to wear multiple hats.

In such situations, best practice is to allow the risk assessment to drive project prioritization of cybersecurity tools, processes, procedures, and controls and to include such projects in the same pipeline that provides member-facing feature enhancements and revenue-generating services and products. Inclusion in board-supported project management reporting is critical to the success of security initiatives, as such projects regularly impact large portions of the credit union’s employee base and/or members.

If a credit union is currently designing its security infrastructure, consider “containerizing” the applications made available to employees. A containerized application infrastructure is a great way to implement “zero trust” within a network and enable incident responders to act swiftly against threats to IT assets without fear of interrupting availability to resilient systems. Micro-segmentation has also proven very effective at stopping attackers from traversing a network if they do manage to gain access to a single system. Maintaining a least-privilege access model, including stringent restrictions for elevated-privilege accounts, along with required multi-factor authentication (MFA) to critical systems and VPNs or remote connections, will greatly decrease odds of all but non-advanced, persistent threat type attacks.

Once a cybersecurity program is established, the credit union’s board of directors or leadership should drive and manage the momentum and provide the support to maintain the program. Effective cybersecurity program management requires a continuous partnership between IT, risk, and security. Together, they establish the company’s perceived level of risk and provide input for the controls necessary to mitigate those risks.

It’s equally important to look at your security awareness training programs, especially now that most employees are working remotely. Continue to keep security at the forefront of their minds. Cybersecurity teams can no longer hang banners and posters around the building to raise security awareness. They must deliver engaging online content that will keep employees interested and that they can apply to their jobs and to their personal lives.

Learn more about three phases of cybersecurity risk measurement and the monetary impact of a cyber-attack.