Credit unions must be on high alert for cyberattacks. That’s according to a recent warning issued by the National Credit Union Administration (NCUA), which cautioned the industry about potential avenues of attack, including ransomware and supply chain attacks.
Such attacks pose grave threats to the nation’s financial organizations. Sensitive financial information can be breached, operations brought to a halt, and a credit union’s reputation tarnished. It’s no surprise then that the NCUA has encouraged eligible low-income credit unions to apply for up to $7,000 in funding to strengthen their cyber defenses.
In the face of evolving threats and daunting regulatory oversight, let’s look at how security and risk leaders in the sector can reduce cyber risk, make proper use of their cybersecurity investments, and engage in smart security measures.
1. Benchmark cyberattack readiness against peer credit unions
Credit unions must constantly evaluate key financial and operational metrics through performance benchmarking. So why not cybersecurity?
Before investments in cybersecurity are made, credit unions must understand what they are doing right and where improvements to their security programs are needed.
By benchmarking security performance in the context of their peers, security and risk leaders can better understand what standards of care are appropriate within the industry, what security targets they should strive to achieve, and where their current security practices and controls fall short.
Benchmarking doesn’t require them to knock on the door of a competing credit union or bank to ask them about their security practices. Instead, they can use BitSight Security Ratings for Benchmarking to quickly and easily assess how their cybersecurity program is performing compared to other financial institutions. The insights gleaned from security ratings can be used to create improvement plans, prioritize risk-reduction strategies, and, if needed, support teams advocating for increased security resources.
2. Continuously monitor for cyber risk
As the past year has shown, cyber risk is constantly evolving. New attack methods and emerging vulnerabilities in IT infrastructures call for constant vigilance. Time to discover is also critical in this sector.
To get one step ahead of the bad guys, credit unions should constantly monitor their attack surface for risk. They can do this by using BitSight for Security Performance Management to continuously monitor the status of their network environments based on detailed attack surface analytics. With BitSight for SPM, teams are immediately alerted to vulnerabilities and potential anomalies – on-premises, in the cloud, and across remote offices.
Continuous monitoring is particularly important as the credit union’s digital ecosystem grows. When new applications, systems, and networks are added, keeping track of hidden risk becomes increasingly tricky. But with BitSight’s ecosystem-wide views of digital assets and continuous monitoring, credit unions can visualize areas of risk – including critical or excessive risk – better prioritize remediation, and bring continuous improvements to cyber health.
3. Mitigate supply chain cyber risk
In its statement, the NCUA stressed that supply chain risk is a “significant threat to financial services because of the layered dependencies that exist in a complex, multi-service provider environment found in the financial services sector.”
Indeed, cybersecurity for credit unions is no longer about building a strong perimeter; it must extend to the weakest link in the organization’s security posture. Often, this resides in the digital supply chain.
Software supply chain attacks have become increasingly prevalent. The SolarWinds data breach and other high-profile incidents have caused untold damage in recent years. But credit unions are also a lucrative target. For example, in July 2021, the Kaseya supply chain ransomware attack targeted a commonly used remote management service deployed by multiple managed service providers and their customers – many of which are credit unions.
There are several reasons for this growing trend. Despite periodic cybersecurity audits, credit unions don’t have a good sense of their vendors’ security postures. These audits are also a point-in-time snapshot and don’t account for evolving risk. Furthermore, credit unions may partner with hundreds of vendors and lack the resources to scale their third-party risk assessment processes.
Credit unions can overcome these challenges by continuously monitoring all vendors for risk using BitSight for Third-Party Risk Management. Based on the BitSight Security Ratings platform, security and risk teams can scale their security programs to assess hundreds of vendors. No lengthy or costly audits are required; instead, BitSight provides an instantaneous snapshot of each vendor’s security posture – both before onboarding and for the life of the contract – and generates alerts when a supplier’s security rating falls below a pre-agreed threshold. Insights can even be shared with the vendor so there is absolute transparency in the process and both sides can work quickly toward a resolution.
4. Report effectively to the board
Since cybersecurity for credit unions is a top priority, board members need to be involved and regularly briefed on how the institution is managing cyber risk. But some board members may not feel adequately prepared to interpret these risks. They need actionable and easily understandable security performance metrics – such as how the credit union’s security compares to peers in the industry, how secure the organization really is, the likelihood of experiencing a cyberattack, and the financial impacts of such an incident.
Ultimately, a greater understanding of cyber risk strengthens the board’s ability to deliver better and more secure business outcomes for customers, members, employees, and business partners.
Cybersecurity for credit unions – box checked!
Strengthening a credit union’s defenses isn’t that hard. It starts with eliminating the confusion about where investment is needed and focusing instead on a data-driven, risk-based approach. This means making it easier to understand where risk is concentrated – on a continuous basis – both on the credit union’s network and across its third-party ecosystem. Working from a prioritized set of risks, security teams can better allocate already stretched resources to the places where they’re needed most.