There are plenty of cybersecurity lessons for credit unions in a year in which 143 million Americans — nearly half the nation’s population and more than the total number of U.S. credit union members — had their data exposed as a result of the massive breach at Equifax.
“The Equifax breach made it clear that if you’re not on top of your patching, you’re vulnerable,” said Mike Atkins, chief information officer at Bellco CU and chair of the CUNA Technology Council.
That breach and others like it have made vulnerability management a key issue for CUs going into 2018.
“Data breaches are learning experiences for the organizations that experience the breaches as well as the industry as a whole,” Tim Mielak, chief information security officer at Michigan State University Federal Credit Union, said via email.
Chris Saneda, executive vice president of technology and digital innovation at Virginia Credit Union and vice chair of the CUNA Technology Council, recommended working with vendors that hold the same cybersecurity standards as your credit union.
That’s the strategy Bellco’s Atkins uses. He explained that when considering a vendor for his credit union, he assesses the company’s security standards by asking the same questions of them as he asks of his CUSO, Open Technologies, LLC. “If they are touching member data, we ask a lot of questions around how they are going to protect that data,” Atkins said.
But a security program for a credit union changes based on the institution’s size and scope.
“It’s really difficult to quantify how much a credit union should invest in cybersecurity, but I can tell you the hurdle is increasing at a rapid rate and isn’t likely to let up soon,” George Rudolph, SVP of operations and technology at Alliant Credit Union and second vice chair of CUNA Technology Council, told Credit Union Journal via email.
Rudolph estimated including systems, people, ongoing third-party support arrangements and consultants Alliant CU uses, the financial institution has spent well into the tens of millions of dollars on cybersecurity during the past five years.
Atkins estimated his CUSO spends between four and five percent of its total budget on cybersecurity.
“We’re all fighting the bad guys,” he said. “And they are well-funded and well-organized, and any organization online is a target.”
According to Rudolph, machine learning and artificial intelligence will play a large role in reducing attacks. This technology would also reduce false alarms, making the process more efficient for CUs and their members. On top of that, increased usage of tokenization can reduce the incentive for stealing member data – or at least limit exposure in the event of a breach.
“I will say there is a trend toward behavior-based analytics and artificial intelligence to detect and block suspicious or unusual activity,” Saneda said. “But this technology is new and expensive.”
As more breaches occur, Rudolph noted, it will become more difficult for CUs to combat fraud while providing frictionless service.
According to Mielak, $3.7 billion-asset Michigan State University FCU is moving toward next-generation security controls such as firewalls and intrusion-prevention systems that inspect all layers of communication from fundamental networks to high-level applications while integrating experimental and open-source technologies to enhance more predictable, textbook security controls.
Saneda explained that it’s up to individual credit unions to assess new risks “in terms of their processes, members and vendors, and how they might be exposed to a risk.” Saneda considers three factors when making cybersecurity investment decisions: How many externally facing devices the CU has, what kind of software it has enabled and how well it does cybersecurity training.
Saneda recommended CU executives follow listservs or different cybersecurity feeds online to keep up to date with best practices, along with updates from the Federal Financial Institutions Examination Council and the National Credit Union Information Sharing and Analytics Organization.
“There are a lot of cybersecurity solutions out there,” he said. “But generally if credit unions take a look at their own controls, that awareness will take you a long way in deciding which tools to use.”