Sponsored Content

Cybersecurity Breaches Are Not Slowing Down

Many breaches, even those resulting in the theft of millions of dollars, are never disclosed because they are not subject to mandatory public reporting.

As credit unions become increasingly reliant upon technology to be able to provide services to their members, the uptick in cybersecurity risks and concerns is also growing at an alarming rate. The public is bombarded regularly with announcements of database breaches affecting millions of people, but this is just the tip of the iceberg.

Typically, only the most prominent breaches are made public, with many compromises never making the headlines. Many breaches, even those resulting in the theft of millions of dollars, are never disclosed because they are not subject to mandatory public reporting, since there was no indication of the loss of confidential member data.

The reason for these breaches is simple: big paydays for the criminals involved, many of whom are outside the reach of U.S. law enforcement. The payout may come from fictitious wires that go out electronically or member impersonation where the threat actor will assume a member’s identity and convince the credit union to issue them a new credit or debit card. Some go a step further and assume the member’s identity to obtain loans, buy cars, and even obtain deeds of title.

There are two broad types of vectors that threat actors typically utilize: weaknesses in technology, and weaknesses in people and operational workflows. A bad actor prowling for vulnerabilities in software can harvest extraordinary amounts of data once they stumble upon a weakness, while social engineering typically requires more effort and patience from the threat actor to accomplish the scheme. In many cases, a breach is a multi-faceted blending of both human and technical threat vectors.

Since credit unions are continuously competing for business and trying to get to market with frictionless services that provide a good member experience, at times they must take risks that could result in losses. These losses happen more often than credit unions might expect; as mentioned previously, though some of these thefts get reported and are publicized, the majority of losses are quietly absorbed.

Credit unions spend significant money to leverage software and tools that offer a competitive edge. These systems and applications enhance customer engagement and online reputation management and are typically developed with cybersecurity concerns in mind. That said, threat actors are constantly searching software and systems for vulnerabilities they can exploit to gain access. While credit unions do not have control of the release of third-party patches, they can mitigate risk by developing a plan to continuously assess and track vulnerabilities to ensure systems are up to date and configured appropriately.

Where credit unions do have a bit more direct control, however, is with losses from social engineering. Constant security awareness training helps keep security at the forefront of employees’ minds. Many financial institutions provide regular training and tests that mimic real-world phishing scams.

Organizations should evaluate employee performance on these tests and offer additional training and resources when expectations are not met. An employee who fails to meet and maintain the standard may face consequences up to and including termination. While this approach may seem draconian, the fallout from a successful social engineering attack can be very costly in terms of monetary loss, reputational harm, regulatory fines, and costs associated with containment, forensics, and resumption of business.

In February 2023, the NCUA Board approved a final rule (NCUA 12 CFR 748) requiring federally insured credit unions to notify the NCUA as soon as possible and no later than 72 hours after a credit union reasonably believes that a reportable cyber incident has occurred. Under this rule, federally insured credit unions must report a cyber incident that (1) results in a substantial loss of confidentiality, integrity, or availability of a network or member information system(s) because of unauthorized access to or exposure of sensitive data, (2) disrupts vital member services, or (3) causes a serious impact on the safety and resiliency of operational systems and processes.

This rule became effective Sept. 1, 2023. According to the NCUA’s annual cybersecurity report to Congress, credit unions have reported 892 incidents since Sept. 1, 2023. The report noted that approximately 73% of all reported incidents were related to the use or involvement of a third party. This is not a comprehensive accounting of all incidents, as incidents that did not meet the above criteria were not reported to or tracked by the NCUA.

Credit unions must bolster their security controls and processes to better defend against the increasing number of cyberattacks that affect organizations every day. It is critical that credit unions establish and maintain a vulnerability management process that includes controls such as threat information sharing, patch management, vulnerability scanning, and penetration testing to ensure systems and software are not susceptible to attack and exposure.

Credit unions must also prioritize and enhance security awareness training controls, as impersonation scams and phishing have evolved to become one of the most pervasive threats to financial institutions. Security awareness programs should, among other things, train employees to avoid clicking on hyperlinks and to verify the authenticity of suspicious emails with a call to a trusted phone number.

Enhancing cybersecurity controls, specifically vulnerability management and security awareness, can help prevent breaches and save organizations millions of dollars in damages and loss of reputation.

Kian Moshirzadeh is the managing partner at Turner, Warren, Hwang & Conrad (TWHC) and has more than 30 years of experience working for banks, regulators, and credit unions.

Established in 1987, TWHC has been focused on delivering comprehensive audit reports to credit unions. TWHC provides audit and advisory services to 150 credit unions that range in size from $10 million to more than $28 billion in assets.

This article is sponsored by a recognized solutions provider in the credit union industry. Callahan & Associates does not endorse vendors or the solutions they offer, and the views and opinions offered here might not reflect those of Callahan. If you are interested in contributing an article on CreditUnions.com, please contact the Callahan team at ads@creditunions.com or 1-800-446-7453.
October 7, 2024
CreditUnions.com