Credit unions need to be especially mindful of cyber risks

It’s every business owner’s nightmare: a cyber incident that compromises the security of the data of your company, your employees or your customers. And credit unions are just as vulnerable as any other business. In recent months, news reports indicate that credit unions in Florida, New Mexico and across Canada, among other places, have been the target of cybercriminal attacks.

In an interconnected world, we simply cannot take cybersecurity for granted. October is Cyber Security Awareness Month, which is a good time to review your plans and procedures to ensure your credit union and members are prepared for a cyber event.


In April, NCUA’s Critical Infrastructure Division provided the NCUA Board of Directors with an update on today’s threat landscape. We know that with the current geopolitical tensions, the risk of cyber warfare has increased. State actors like China, Iran and Russia have already launched disruptive and invasive cyberattacks against US networks, both government and private sector, and will likely continue to do so.

Likewise, cybercriminal networks have evolved and become increasingly sophisticated in their operations. For example, a few years ago most of us worried more about data breaches than ransomware attacks, in which a malicious actor takes over a system and demands payment of a ransom. But the IBM Security Intelligence Threat Index 2022 found that ransomware attacks have become the most common type of cybersecurity incursion. Such incidents carry high costs in the form of financial loss, loss of time and productivity, and reputational damage, so credit unions should consider whether they have appropriate cyber hygiene and appropriate controls in place.

And of course, what may be the most likely threat to financial institutions, and especially smaller institutions, is the insider attack, in which a trusted employee or vendor compromises an institution’s data. It can be intentional or unintentional; we’ve all heard stories of employees clicking on malicious links in phishing emails or sharing passwords or other security credentials with unauthorized personnel in tech support scams.

Adding to the concern, as fintech tools and systems become more widespread and integrate into the mainstream of financial sector operations, credit unions will need to be prepared for other potential cybersecurity risks. Overall, we expect fintech to be a huge benefit, but it’s a reality that new tools are likely to introduce new vulnerabilities.

The good news is that while threats continue to grow and evolve, our ability to counter those threats also increases. So what should credit unions do?

First, stay informed of emerging threats to ensure that your institution’s processes and procedures are adapted to respond to the changing threat environment. State and federal regulatory agencies are excellent sources of information on evolving cyber threats. Trade associations of credit unions and other trade and industry organizations also offer useful training programs and tools – if your institution belongs to these associations, take advantage of the support they offer.

Second, take full advantage of the NCUA cybersecurity tools that are already available, such as the cybersecurity assessment software that the NCUA released last December. Use these tools to plan and prepare for a cybersecurity incident just as you would for a fire drill or other emergency. Ensure that all employees understand and adhere to appropriate cyber protocols. Regularly review your processes and have a response plan in place — we should all assume that it’s not a question of if, but when, we will experience a cybersecurity incident.

Finally, open communication is essential. The NCUA board is considering a proposed rule requiring credit unions to report significant cyber incidents within 72 hours. (The NCUA is currently accepting public comments on this rule.) These requirements are not intended to punish credit unions or create a reporting burden, but to give us a better understanding of the frequency and severity of threats, so that we can work more effectively with credit unions to develop answers.

Unfortunately, cybersecurity isn’t one of those areas where you can just “set it and forget it” – it’s an ongoing commitment. Given the nature of the threat, we all need to make cybersecurity a top priority to protect credit unions, your employees and your members. The NCUA stands ready to work with credit unions to address these threats.

Leslie M. Gill