BankThink

Credit unions need to be extra alert to cyber risks

It's every business leader's nightmare: a cyber incident that compromises the data security of your firm, your employees or your customers. And credit unions are just as vulnerable as any other business. In recent months, news reports indicate credit unions in Florida, New Mexico and across Canada, among others, have been targeted in cybercrime attacks.

In an interconnected world, we simply can't take cybersecurity for granted. October is Cybersecurity Awareness Month, which is a good time to review your plans and procedures to ensure your credit union and your members are prepared to face a cyber event. 


In April, the NCUA's Critical Infrastructure Division provided the NCUA board with an update on today's threat landscape. We know that with today's geopolitical tensions, the risk of cyber warfare has grown. State actors like China, Iran and Russia have previously launched disruptive and invasive cyberattacks against U.S. networks, both government and private sector, and are likely to continue doing so.

Likewise, cybercriminal networks have evolved and become increasingly sophisticated in their operations. For example, a few years ago most of us worried more about data breaches than ransomware attacks, in which a threat actor seizes control of a system and demands a ransom to be paid. But IBM Security's 2022 Intelligence Threat Index found that ransomware attacks have emerged as the most common type of cybersecurity incursion. Such incidents bring high costs in the form of financial losses, lost time and productivity, and reputational damage, so credit unions should be asking if they have appropriate cyber hygiene and the appropriate controls in place.

And of course, what may be the most likely threat for financial institutions, and particularly smaller institutions, is the insider attack, in which an employee or trusted vendor compromises an institution's data. That can be purposeful or inadvertent; we've all heard stories about employees clicking on malicious links in phishing emails or sharing passwords or other security credentials with unauthorized personnel in tech support scams.

Adding to the concern is that as financial technology tools and systems become more widespread and integrated into the mainstream of financial industry operations, credit unions will need to be prepared for additional potential cybersecurity risks. On balance, we expect fintech to be a tremendous benefit, but it's a reality that new tools are likely to present new vulnerabilities.

The good news is that while the threats continue to grow and evolve, so does our ability to counter those threats. So, what should credit unions do?

First, stay informed about emerging threats to be sure your institution's processes and procedures are adequate to respond to the changing threat environment. State and federal regulatory agencies are excellent sources of information on how cyber threats are evolving. Credit union trade associations and other business and industry organizations also provide helpful training programs and tools — if your institution belongs to these associations, take advantage of the support they offer.

Second, take full advantage of the NCUA's cybersecurity tools that are already available, like the cybersecurity assessment software that the NCUA released last December. Use these tools to plan and prepare for a cybersecurity incident just as you would a fire drill or other emergency. Make sure all employees understand and observe proper cyber protocols. Regularly review your processes and have a response plan in place — we should all assume that it's not a matter of if, but a matter of when, we're going to experience a cybersecurity incident.

Finally, open communication is critical. The NCUA board is considering a proposed rule requiring credit unions to report substantial cyber incidents within 72 hours. (The NCUA is currently accepting public comment on that rule.) Such requirements are not intended to punish credit unions or create a reporting burden, but to give us a better understanding of the frequency and severity of threats, so we can work with credit unions more effectively in developing responses.

Unfortunately, cybersecurity isn't one of those areas where you can just "set it and forget it" — it's an ongoing commitment. Given the nature of the threat, we all need to make cybersecurity a top priority to protect credit unions, your employees and members. The NCUA stands ready to work with credit unions to meet these threats.
