As the frequency and cost of security data breaches increase, credit unions must be prepared for more regulatory scrutiny in addition to more cyber attacks.
That was the message from Jay Isaacson, VP, commercial products for CUNA Mutual Group. He said modern society has become "reliant" on technology and the ability to communicate, to the point people take it for granted.
"Credit unions have exposure to data risk, cyber risk and security risks," he noted. "The latest research found the average data breach has a global cost of $3.5 million, about 15% higher than the previous study. Cost of notification is up to $510,000. Each record lost or stolen costs $145 globally, $210 in the U.S."
In 2013 there were 63,437 cyber incidents observed, with the finance industry accounting for 856. Cyber breaches, meaning personally identifiable information was compromised, totaled 1,367. Of those, 456 involved finance.
Hacking and malware are the two largest sources of data breaches, followed by social engineering, according to Isaacson.
"Network security is everyone's responsibility, because it is only as strong as the weakest link," he said. "At a credit union that depends on the security system, but everyone involved has to remember to look at the third-party providers that have access to information."
CUs should caution all employees to be careful of what they put on Facebook and Twitter, and how they identify themselves as employees of a credit union. Isaacson said social engineering and phishing can target people via information found easily online.
Four Most Common Breaches
The four most common sources of security breach incidents in the financial sector are: Web app attacks, distributed denial-of-service (DDoS) attacks, payment card skimmers and insider misuse.
Isaacson said any type of security breach can have a significant impact on a credit union, starting with its reputation with members and/or potential members, the resulting IT and operational costs, the cost to notify members, lost revenue, potential lawsuits by members, regulators or others, and regulatory scrutiny or actions.
He said not to underestimate the impact of fatigue, as CU staffers have to work nights and weekends to contain, handle and respond to a breach.
"The Target breach ended up costing CEO his job and board members their director's positions for not doing enough to prevent the breach," Isaacson pointed out. "A data breach is like an onionpeel back a layer and see the complexity. Credit unions have to determine where the breach occurred and how extensive it is. Then, when it comes to notification of members, each state has different notification requirements."
Risk-Management Considerations
The most common data-related loss types are: fraudulent remote funds transfers, loans, online banking transactions and plastic card transactions. The top cyber claim themes CUNA Mutual sees from credit unions are: DDoS, third-party service providers, employee errors and lost or stolen devices.
Employees are CUs' "greatest asset," Isaacson said, but when it comes to data they also are the "biggest liability."
"Training the staff is important, as is having a strong security posture. Get people used to reporting suspicious activity."
Other tips from Isaacson include:
- Educate members as to security threats.
- Have an incident/breach response plan in place, and test it regularly.
- Have a data security incident response team in place and practice business continuity management.
- Hiring a chief information security officer can reduce exposure.
- Do ongoing due diligence of all third parties housing CU data.
- For online banking, have layered security and multifactor authentication.
- For remote funds transfers, limit transaction size.
- Investigate having a "cyber liability" insurance policy that covers expenses in managing and mitigating a data breach, and liability coverage for breach-related suits.










