How Solarity CU Improved its FFIEC Cybersecurity Preparedness

When the Federal Financial Institutions Examination Council issued revisions to a part of its main information technology exam handbook in November, one credit union IT executive was pleased.

"The good news is that the new assessment provides a holistic view of cybersecurity and combines the enterprise risk management piece that was missing from standard IT risk assessments," said Michelle Hatton, vice president of information technology at Solarity Credit Union.

With 50,000-plus members, 135 employees and six branches, the $650 million Yakima, Wash.-based institution is among scores of CUs trying to stay one step ahead of cyber-attacks while staying in compliance with FFIEC regulations.

"This new process allows us to see what areas we have higher/lower risk and what areas we have stronger/weaker controls and then adjust these to meet our risk appetite," said Hatton. "The down side for some credit unions is the potential financial hardship they might face to meet the new baseline requirements."

Hatton said though Solarity has not experienced a cybersecurity breach to date, she reached out to technology vendor Horsetail Technologies to ensure all the CU's bases were covered.

Mark Berman, a principal at the Baltimore-based financial services technology vendor, explained that FFIEC's updated assessment has significant implications for cybersecurity preparedness as well as "tremendous utility" for the strategic, tactical and budget planning for individual credit unions.

In Berman's opinion, however, certain underlying assumptions could muddy the waters.

"First, given the tremendous complexity of IT in a modern credit union, it is impossible to prescribe a single set of best practices for cybersecurity," he said. "Second, even if one could describe such an ideal path, there is no one size fits all in cybersecurity that could be equally applicable to credit unions large and small with the tremendous variation in resource and budget that exists."

Berman added that whether a CU is a multi-billion dollar institution or built in the basement of a church, "all credit unions are a target and some attacks will be successful."

To prevent an attack at Solarity, Berman and his team were onsite at the CU for two days and spent time asking Hatton and other staff 400-plus questions—from governance to policy to procedure to testing.

For Hatton, a major takeaway from the process was that it underscored the following point: cybersecurity involves many IT-related functions and oversight, but the human element is the weakest link when it comes to security.

"This includes our staff and our vendors," she noted. "These are two areas that cannot and should not be 100% controlled by IT. We also know that a data breach can happen any time even with all the controls in place. How we respond to a data breach is just as important as how we mitigate the risk."

Getting Past Baseline
Berman said Horsetail has completed two other FFIEC assessments at credit unions and has three more scheduled in February. He pointed out that a "baseline" assessment should be thought of as the "minimum" required of all CUs.

"How far one goes beyond minimum is a strategic decision based on budget and balanced with other priorities of the board," said Berman. "A dollar spent on mitigating risk does not go to payroll, marketing, member loyalty or get returned to the membership at the end of a profitable year."

A $50 million credit union without an online presence, for example, may be "fine" at the baseline assessment level (from the viewpoint of the examiner and the board), according to Berman.

But a similar institution with $50 million in assets that embraces mobile payment, online banking, mobile banking and has a remote workforce and multiple vendors with access to member data may find that baseline is an absolutely "inappropriate" level of risk maturity.

"It is no longer sufficient to invest only in defenses. The credit union must invest in resources that will focus limited resources where the most likely threats exist," said Berman. "Currently that means protecting from the inside against malicious or inadvertent insiders (55% of breaches in 2014) and from the outside by gathering actionable threat intelligence. These two actions provide focus for very limited cybersecurity resources."

Moving forward, Hatton said that Berman and his team will make two site visits a year. Solarity has created an "umbrella cybersecurity program," which includes information security, business continuity planning and incident response with oversight from its enterprise risk management committee.

"Horsetail provided a complete overview with observations of our strengths/weakness, recommendations for areas of higher risk that would warrant stronger controls, and what steps should be taken to meet the next level of maturity if we so choose," said Hatton. "We now have several items in our 2016 budget and a plan to help minimize our risk profile and strengthen our overall cybersecurity program."
