Cybersecurity for Credit Unions: 4 Ways to Reduce the Risk of the Next Attack

Sean Cavanaugh | August 26, 2021 | tag: Financial Services

Credit unions must be on high alert for cyberattacks. That’s according to a recent warning issued by the National Credit Union Administration (NCUA), which cautioned the industry about potential avenues of attack, including ransomware and supply chain attacks.

Such attacks pose grave threats to the nation’s financial organizations. Sensitive financial information can be breached, operations brought to a halt, and a credit union’s reputation tarnished. It’s no surprise then that the NCUA has encouraged eligible low-income credit unions to apply for up to $7,000 in funding to strengthen their cyber defenses.

In the face of evolving threats and daunting regulatory oversight, let’s look at how security and risk leaders in the sector can reduce cyber risk, make proper use of their cybersecurity investments, and engage in smart security measures.

1. Benchmark cyberattack readiness against peer credit unions

Credit unions must constantly evaluate key financial and operational metrics through performance benchmarking. So why not cybersecurity?

Before investments in cybersecurity are made, credit unions must understand what they are doing right and where improvements to their security programs are needed.

By benchmarking security performance in the context of their peers, security and risk leaders can better understand what standards of care are appropriate within the industry, what security targets they should strive to achieve, and where their current security practices and controls fall short.

Benchmarking doesn’t require them to knock on the door of a competing credit union or bank to ask them about their security practices. Instead, they can use BitSight Security Ratings for Benchmarking to quickly and easily assess how their cybersecurity program is performing compared to other financial institutions. The insights gleaned from security ratings can be used to create improvement plans, prioritize risk-reduction strategies, and, if needed, they can be used as support for teams advocating for increased security resources.

2. Continuously monitor for cyber risk

As the past year has shown, cyber risk is constantly evolving. New attack methods and emerging vulnerabilities in IT infrastructures call for constant vigilance. Time to discover is also critical in this sector.

To get one step ahead of the bad guys, credit unions should constantly monitor their attack surface for risk. They can do this by using BitSight for Security Performance Management to continuously monitor the status of their network environments based on detailed attack surface analytics. With BitSight for SPM, teams are immediately alerted to vulnerabilities and potential anomalies – on-premises, in the cloud, and across remote offices.

Continuous monitoring is particularly important as the credit union’s digital ecosystem grows. When new applications, systems, and networks are added, keeping track of hidden risk becomes increasingly tricky. But with BitSight’s ecosystem-wide views of digital assets and continuous monitoring, credit unions can visualize areas of risk – including critical or excessive risk – better prioritize remediation, and bring continuous improvements to cyber health.

3. Mitigate supply chain cyber risk

In its statement, the NCUA stressed that supply chain risk is a “significant threat to financial services because of the layered dependencies that exist in a complex, multi-service provider environment found in the financial services sector.”

Indeed, cybersecurity for credit unions is no longer about building a strong perimeter; it must extend to the weakest link in the organization’s security posture. Often, this resides in the supply chain.

Software supply chain attacks have become increasingly prevalent. The SolarWinds data breach and other high-profile incidents have caused untold damage in recent years. But credit unions are also a lucrative target. For example, in July 2021, the Kaseya supply chain ransomware attack targeted a commonly used remote management service deployed by multiple managed service providers and their customers – many of which are credit unions.

There are several reasons for this growing trend. Despite periodic security audits, credit unions don’t have a good sense of their vendors’ security postures. These audits are also a point-in-time snapshot and don’t account for evolving risk. Furthermore, credit unions may partner with hundreds of vendors and lack the resources to scale their third-party risk assessment processes.

Credit unions can overcome these challenges by continuously monitoring all vendors for risk using BitSight for Third-Party Risk Management. Based on the BitSight Security Ratings platform, security and risk teams can scale their security programs to assess hundreds of vendors. No lengthy or costly audits are required; instead, BitSight provides an instantaneous snapshot of each vendor’s security posture – both before onboarding and for the life of the contract – and generates alerts when a supplier’s security rating falls below a pre-agreed threshold. Insights can even be shared with the vendor so there is absolute transparency in the process and both sides can work quickly toward resolution.

4. Report effectively to the board

Since cybersecurity for credit unions is a top priority, board members need to be involved and regularly briefed on how the institution is managing cyber risk. But some board members may not feel adequately prepared to interpret these risks. They need actionable and easily understandable security performance metrics – such as how the credit union’s security compares to peers in the industry, how secure the organization really is, the likelihood of experiencing a cyberattack, and the financial impacts of such an incident.

Ultimately, a greater understanding of cyber risk strengthens the board’s ability to deliver better and more secure business outcomes for customers, members, employees, and business partners.

Cybersecurity for credit unions – box checked!

Strengthening a credit union’s defenses isn’t that hard. It starts with eliminating the confusion about where investment is needed and focusing instead on a data-driven, risk-based approach. This requires an approach that makes it easier to understand where risk is concentrated – on a continuous basis – both on the credit union’s network and across its third-party ecosystem. Working from a prioritized set of risks, security teams can better allocate already stretched resources to the places where they’re needed most.
