HARRISBURG, Penn.-As the height of the hurricane season approaches, credit unions in disparate regions of the nation are taking proactive measures to ensure disaster recovery measures are in place. That interest is by no means limited to the Southeastern U.S., especially after Super Storm Sandy devastated the Northeastern U.S. in 2012.
"When it comes to disaster recovery, there is a general lack of knowledge that has resulted in a lax view," said Matt Gerber, CEO of IT Lifeline, which offers cloud-based managed IT disaster recovery services. But Gerber noted that his company, which has 17 credit unions clients, signed three Northeastern CUs in recent months.
"It took us three months to find a vendor," said Barry Torrey, program analyst for the Harrisburg, Penn.-based Belco Community Credit Union. "We sent out multiple request for proposals (RFPs) and researched many companies to see what one would have the best bang for the buck. Our biggest problem was not having our disaster recovery backed up under one roof."
When Credit Union Journal interviewed Torrey and Belco Community CU Security Specialist Kevin Williams, the credit union was in the process of completing its first recovery test. "This was a two-day [business] process for us," said Williams. "We hadn't experienced any issues before using IT Lifeline, but we also didn't have [back-up] consistency."
Williams, who is in charge of the compliance department, said the first disaster recovery test was smooth, adding that he was "getting used to" how the service integrated with the existing platform. This otherwise positive result, in part, was due to the onsite help of IT Lifeline staff as well as the numerous webinars in which Torrey and Williams had participated.
"This was a real team effort," said Torrey, adding that five employees participated in the recovery test. While currently scheduled as an annual test, Williams said it could be performed more frequently.
Not Just Acts of God
Gerber said that the uptick in credit union clients is a combination of weather-related disasters as well as NCUA mandates that require credit unions to implement an information security program to control identified risks, including that all information must be secure and backed up while in transit, in storage or on network systems.
"It's all there in black and white, but we have to step in and help financial institutions link strategies to specific technologies," said Gerber. He stressed the importance of documenting "the heck" out of a credit union's business continuation plan.
Along with NCUA, credit unions must meet Federal Financial Institutions Examination Council (FFIEC) standards. "These examiners want to see documentation and what we are seeing are big gaps in execution," said Gerber. "The examiners also want to see progressive testing, which is so critical."
With 48,782 members, $315.4 million in assets and 140 employees, Belco Community CU is a typical sized IT Lifeline client. "Most of these credit unions have small IT departments-like two or three people," said Gerber. "Since these requirements are so specialized, many don't fully understand the framework."
For Torrey and Williams, the implementation process was not without issues. "We had researched other credit unions to find out what they were doing in this capacity and also talked to credit unions using IT Lifeline," said Torrey. "A lesson learned was during implementation. As we were adding more servers and space and more back up, we realized we had to expand our service contract. That was a problem on our end as we didn't initially give ourselves enough room to expand."
Moving forward, Belco Community CU is now in compliance and believes it is prepared for any disaster event. "Whether it is a storm or a hardware failure, we are real time backed up both in-house and remotely," said Williams.