Within the last week we’ve heard that NCUA has reached out to some credit unions regarding a threat targeting certain US-based financial institutions. Financial institutions are being sucker-punched in every direction. Credit unions need to remain vigilant to prevent and respond to all forms of cyber incidents and to be ready to use every tool in their arsenal to thwart these attacks. Awareness and quick action are key to thwarting and limiting damage from these types of attacks. So, what can credit unions do as a proactive measure to protect themselves and their members’ funds from the reputation risk that the credit union would incur as a result of a cyber breach/attack?
- Fortify the Walls. Ensure good security hygiene and make sure your systems and platforms are secure. Reinforce and strengthen your systems so they are impenetrable to breach. Evaluate those systems for vulnerabilities. This is not a one and done process. It should be constant and ever evolving. Remain vigilant.
- Practice What You Preach. Credit unions are constantly reminding members to guard, strengthen, and secure passwords. Credit unions should ensure that they are practicing what they preach. Administrative passwords and vendor system passwords need to be changed/strengthened frequently. Multi-factor authentication should always be used if the option/capability to do so is available. Review access credentials and permission requirements to critical systems frequently. Evaluate for vulnerabilities.
- Vulnerable Vendors. As you know NCUA wants third party vendor authority for this reason. Evaluate third party vendor access and relationships to credit union systems. It shouldn’t be news that many cyber-attacks exploit vulnerability gaps in third party systems used by institutions. Vendors must be held accountable. Credit unions must ensure that the vendors they contract with are safeguarding those systems. The credit union’s reputation and your members’ funds and personal information are at stake.
- Test. Test. Test. And Test Again. Stress testing of the credit union’s back-up and recovery systems should be conducted often to ensure it works as it should. It’s too late if those systems don’t function when needed. Regular and frequent back-ups of the system should be common practice. If a breach occurs there will be considerable downtime to get systems running optimally and online again. Risk to a credit union’s reputation for systems that are offline for an extended period of time is HUGE.
- Member Education. Continue educating members on identity theft and password security. Unfortunately, sometimes it is ignored. Cyber threats are constant. In educating members on good security practices offer learning lesson scenarios. Bringing attention to the negative ramifications of poor security practices may drive it home for some.
- Notify NCUA. A credit union must notify NCUA after the credit union reasonably believes it has experienced a reportable cyber incident OR received a notification from a third party regarding a reportable cyber incident.