Go to:

November 2018
< Oct Dec >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

Cybersecurity Menace Prompts CUs to Stress Urgency in Protecting IT Concerns
Tuesday, October 31, 2017 6:55 AM

Troy Kyle, First Abilene FCU | Executive Committee member, Cornerstone Technology Council

Equifax isn't the only victim of a cyberattack; it’s just the latest. Credit unions have fought off surge after surge of data leaks, malware, and cyberattacks. Because of the changing menace, credit unions continue to stress the urgency of protecting networks, computers, and member data.

Credit unions have always made safeguarding members' private information a priority. Gone are the days when embezzlements, robbers, and forged documents were the main concerns. Credit unions are operating in a quickly changing environment, and computing is an indispensable part of their services. As more and more members demand remote services including online banking, bill pay, AI banking, robo-advisor services, and other technology-based services, the risk for cyberattacks inevitably increases.

To best position themselves for cyberattacks, progressive boards are seeing cybersecurity as a profit center instead of a cost center.

IT as a Profit Center and Not a Cost Center
In 2015, PricewaterhouseCoopers released a Global State of Information Security survey of over 10,000 executives from 126 nations about IT security. The study found that while cybersecurity incidents rose 38 percent over 2014, corresponding budgets increased a mere 24 percent.

The disparity mirrors current corporate psychology, which views cybersecurity as a cost center and a drain on resources. Executives tend to look at cybersecurity as costly, complex, and a damper on productivity. Many believe cybersecurity does not work at mitigating risk. The result? Security measures are implemented piecemeal without any umbrella policy, which is itself costly.

To make a bad situation worse, when costs are the deciding factor in IT buying decisions, businesses succeed in establishing the bare minimum while sacrificing usability. When usability is sacrificed, business productivity and profitability are reduced.

Forward-thinking business leaders see cybersecurity must be embraced at the highest levels within a company, because it impacts the whole organization. Managers must move past thinking of cybersecurity as a layer of protection and view IT as a way to improve efficiency and productivity.

A perfect example is the 1964 Shinkansen bullet train in Japan. While anyone can make a fast train, it was the innovative approach to braking that permitted the speed. The brakes weren't added to act as a drag on the bullet train's performance. The brakes allowed the train to travel faster than conventional trains as they put the train drivers in control.

To go fast, really good brakes are required.

Mitigating Cyberattacks
Response to cyberattacks must show the credit union is in control and acting to:  limit damage, increase member confidence, and reduce recovery time. The lion's share of involvement will fall on the executive team. Developing a plan is crucial in light of the damage a breach may cause. When a breach does happen, the first question—asked by both members and regulators—will be, "What was done to prepare?"

There are clear-cut steps for mitigating the impact.

Spokesperson. A particular spokesperson should be designated. The individual should come from the marketing or public relations side of the house, and the president/CEO should speak only if there's good news.

Scripts. Communication scripts should be pre-drafted and ready to be used for many incidents, not just cyberattacks. The scripts need to be developed for all—internal and external—audiences.

Slow down. Don't rush to label the event as a hack or breach. Until there is a definitive reason, it's okay to share that you're aware of the event to minimize the impact.

Documentation available. Make sure response plans are available and reviewed regularly. Include procedure guidelines and checklists for containment, suppression, and recovery. Policies and directives for a response and documentation of risk and compliance should be part of the package.

Identify. Identify departments and individuals vital to incident response. If any single points of failure are determined, fill those gaps.

Help. Your company will need help to survive. Maintain relationships with law enforcement and remediation providers. Join Cornerstone’s Technology Council so you can converse with others and share your experiences. Get best practices from people who have worn your shoes. Don't wait until the point of need to start building relationships.

Risk list. Include a list of threats, risks, and potential failure points: ATM, Visa, Shared Branch, and so on. Keep updated as more information becomes available and scenarios develop.

Roles and responsibilities. Be sure to provide your staff with knowledge and training of their roles and responsibilities in the event of a cyber incident.

Potential for cyberattacks Will Only Increase
Internet-based services expose credit unions and their members to a host of risk from hackers and cyber thieves. While sounding like science fiction, the increasing dependence on electronic delivery of financial services requires credit union boards to prepare for a cyber intrusion.

A full understanding of a credit union's responsibilities starts with reviewing Part 748 of NCUA's regulations.

  • Part 748 mandates federally insured credit unions to have a published program designed to protect credit union offices and guarantee the security of member records.
  • Appendix A requires credit unions to implement administrative, technical, and physical safeguards to protect the integrity of computer-based information.
  • Appendix B mandates credit unions to react to an unlawful path to member data, and this includes notification of the member and regulator. Credit unions must maintain a fully integrated plan to respond to and manage any breach.

The board's obligation doesn't stop with creating a security program. Part 748, Appendix A states: "The board or appropriate committee must oversee the construction, roll-out, and maintenance of the credit union's information security program."

Credit unions bear the brunt of cybersecurity risk, and substantial financial costs occur following a security lapse. Still, you must embrace IT as a profit center, not a cost center. Investing in cybersecurity will lead to increased efficiency and productivity.

As more services become readily available and used online, it is inevitable that the potential for cyberattacks also increases. Therefore, you must stay vigilant in mitigation efforts. If attacks do happen, having clearly documented guidelines will help you act quickly, minimize loss, and better protect your credit union and your members from future risk.


Assess Your Systems and Manage Your Risk
As technology changes, every credit union faces new security issues. Let Credit Union Resources help you stay on top of it—your future could depend on it. Our team of technology professionals provides guidance on compliance, shares best practices, and performs audits. We have a vested interest in your success, and your cybersecurity matters to us. To find out how we can help you manage cybersecurity and operational risks, contact:

Idrees Rafiq
800-442-5762, ext. 6799

Deanna Brown
800-442-5762, ext. 6464

About Credit Union Resources Inc.
Credit Union Resources is a service corporation that provides industry-leading solutions and expertise to credit unions across the country. Credit Union Resources is a wholly owned subsidiary of the Cornerstone Credit Union League, a regional trade association representing the interests of credit unions in Arkansas, Oklahoma, and Texas.