The digital age has transformed how credit unions conduct business. With 24/7 access from almost anywhere in the world, customers can complete all types of transactions through a variety of devices. It has never been easier to pay bills online, apply for a loan, set up a retirement plan, check an account balance, or receive financial advice; however, such progress and convenience often come at a price.

According to the 2014 Global Report on the Cost of Cyber Crime, the average annualized cost of cybercrime in the financial services sector ranks second-highest out of 17 industries at $12.97 billion, just shy of first place. While the Internet makes access to assets more convenient for customers and creates operational efficiencies for financial institutions of all types, it also provides an avenue through which cyber criminals can attack your networks and your customers. To help financial institutions guard against risk to themselves and their customers, the Federal Financial Institutions Examination Council (FFIEC) recently released guidance to assist with the identification and mitigation of cyberattacks that compromise user credentials or utilize malware.

Is your credit union prepared for the reality that you may be the next target of a malicious cyberattack? All it takes is one cyberattack to penetrate your IT security defenses and it won't be long before your members will run to a competing institution with a better cybersecurity plan – perceived or actual. Because you can't afford to let your reputation be compromised, now is the time to review your organization's security posture.

There's no doubt that cybersecurity tops the list of things that keep chief information security officers awake at night, but rest assured that it doesn't have to become a nightmare. If you want to get your cybersecurity plan right, it is important to take a holistic approach to your credit union's security posture by assessing, planning, building and executing an effective cybersecurity program. Instead of looking to just mitigate attacks, it is paramount that a full lifecycle approach be taken to address these four components: risk management, governance, security operations and security compliance.

Risk Management

Credit unions must start by identifying weaknesses and key risk indicators while aligning with business objectives to be successful. As the cyber threat environment continues to evolve, credit unions must implement a comprehensive plan that addresses cyber risks, security assessment and authorization, continuous monitoring, third-party risk management, business continuity and contingency planning. A solid risk management plan can help address and mitigate risk before it becomes an incident.


Credit unions must also have a clearly defined governance structure, layers of authority and well-defined and communicated policies and procedures to establish the proper authority and accountability needed for an effective governance foundation. A holistic understanding of key people, processes and technologies is needed to develop a governance function within your cybersecurity program that aligns to the organization's culture.

Security Operations

It is imperative that credit unions protect their corporate assets and their members' critical data. This requires understanding and mitigating the vulnerabilities that adversaries may exploit. Attacks against networks and systems are continuous, so it is important to constantly monitor your organization's systems for anomalous activity so you can prevent and/or defend against potential breaches. Credit unions must develop, implement and maintain methodologies, technologies and processes to defend against and respond to a constantly changing threat environment.

Security Compliance

Organizations must also define and implement processes, policies and technologies that comply with government regulations, assist with audit preparation, meet financial industry standards or comply with the Payment Card Industry (PCI). You can't do business if you can't achieve, track or maintain compliance.

It's a fact that there will be more instances of security breaches similar to the ones that impacted Sony Pictures Entertainment, Staples, Home Depot, Target and J.P Morgan Chase in the near future. It is also a reality that your credit union could be the next target. There's no time like the present to take a holistic approach to your security posture to determine if your organization is prepared. A comprehensive evaluation of your risk management, governance, security operations and security compliance efforts will enable you to build, fortify and execute an effective cybersecurity program that will stop hackers in their tracks, while saving your reputation and making you more competitive in the process.

Courtney Schiffman is director of financial services for the Knowledge Consulting Group, Reston, Va. She can be reached at 703-467-2000, ext. 169 or