After The Bad News, Many CEOs Unsure What To Do Next
MADISON, Wis. — Credit unions aren't as prepared as they believe they are to fight off cyber attacks, according to CUNA Mutual Group.
"We did a lot of studies as to the quantity and extent of the threat in the credit union market," said Brad Mundine, regional manager of credit union protection risk management. "To paraphrase results: A lot of credit unions seem to underestimate cyber threats. If something happened tomorrow and a CEO was told the credit union had been hacked and they're missing account and PIN numbers for 10,000 members, a large number of CEOs would not be able to answer questions about what steps they take next."
In 2009, 62 financial institutions were targeted by cyber attacks followed by another 58 in 2010, according to the 2009/10 Data Breach Report by the Identity Theft Resource Center, reported Mundine. Aside from direct physical damage and losses to the CU that can result from a cyber attack, the liability resulting from stolen sensitive member information can be far worse, Mundine said, noting damage to members' credit can cost the credit union significantly more. Noting it is hard to put a number on potential costs if members attempt to recover damages from the CU for impaired credit due to the data breach, Mundine said, "You are looking at about $200 per hour to repair a member's credit."
Preparation and planning are a credit union's best defense to either avoid an attack or recover quickly, minimizing the damage and protecting members, Mundine emphasized. "First thing to do is have a clear-cut policy on what information the credit union is protecting and how to go about doing that. We recommend the plan is something developed and approved all the way up to the board level. This sets the tone from the top."
Key Elements Of A Plan
Key plan elements include how the credit union will be notified and first respond, determine the extent of the breach, and notify members. "How the credit union will be notified in the event of a potential breach must be outlined," said Mundine. "This is a highly technical plan component that involves identifying the appropriate credit union personnel and possibly working with a subcontractor. You need controls in place so people are notified immediately that there has potentially been a breach and then what to do-do you immediately shut down the network and minimize damage? How do you proceed from there?"
Quickly determining the extent of the breach not only allows the CU to act appropriately, but can help preserve its reputation and lower costs associated with the hack, emphasized Mundine. "In many cases when there is a data breach it is not a full breach. It may only be a small number of members. The only way to really know that is to actually undergo some type forensic audit from an outside firm, such as Kroll. So if you can identify quickly the number of accounts exposed, you will save quite a bit of costs from unnecessarily notifying members they may have been involved in a breach."
The third step is to establish the quickest and most effective means to let the right members know about the breach. "The sooner you inform members the better," said Mundine. "Reading about it in the headlines is the last way you want your members to find out about the problem."
Outside good planning, the credit union should check the performance of its defense systems. "We recommend regularly having some type of third-party vendor perform vulnerability/intrusion detections to make sure their system is tested for some of the newer threats," Mundine said. "It can be highly effective to have a company find out if they can break into your system, and if they can, provide you with methods to prevent what they were just able to do."