The average cost of a data breach in the United States increased from $7.91 million in 2018 to $8.19 million in 2019, according to this year’s Cost of a Data Breach Report. And the biggest contributor to data breach costs? Lost business.
Cyber breaches, which doubled from 2017 to 2018, can produce devastating financial and reputational losses, affecting a credit union for years – if not shuttering it altogether. So being able to control the storm of cyber events that come your way is key to keeping your credit union solvent.
Many financial institutions believe that relegating cybersecurity to their internal IT professionals is enough. But with 20 million logged cyber events occurring in financial institutions each day and a global cyber staff shortage of 3 million, is it?
Regulators hold the C-suite and Boards of Directors responsible for cyber safety and soundness, not tech teams. Therefore, credit union leadership must understand the cyber threat landscape while simultaneously tightening security programs by asking and answering some key questions of your teams. And by creating a culture of cybersecurity and cybercompliance, you can achieve real-time safety and soundness.
Question your security and compliance climate
Today’s regulated climate mandates that credit unions must maintain both security and compliance – along with managing and measuring performance. So, here are three questions that should drive your cybersecurity checklist:
- Are we doing the right things?
- Are we doing the right things right?
- How can we prove that we are doing the right things right?
So, what are the “right” things? First, you must understand and comply with the cybersecurity standards and audit requirements that the Federal Financial Institutions Examination Council (FFIEC) and other regulatory agencies set for financial institutions.
The second point for a successful cybersecurity checklist is to establish an information security policy, business continuity plan and incident response plan.
An information security policy should ensure those using technology within your credit union or your networks comply with your rules and guidelines to protect the security of information stored digitally in your network or within your four walls.
A business continuity plan outlines steps your credit union will take to respond to and recover from business disruptions, including those caused by cyber events. And an incident response plan systematically documents and manages situations resulting from IT security incidents and breaches.
Finally, to prove you’re doing the “right things right,” educate and test your team, test for vulnerabilities and enact measures to ensure they don’t become full-blown breaches. For most credit unions, this includes hiring a third-party cybersecurity provider to help.
Look to employ outside help
An outside partner can conduct ongoing vulnerability and penetration testing on your behalf, analyze and prioritize findings, and alert you of incidents needing immediate attention. Just be careful when choosing because most cybersecurity providers are generalists who are unfamiliar with financial institutions’ specific needs.
A reputable vendor should be able to prioritize findings for you to address, recommend a methodology for treating risk, and understand FFIEC’s Cybersecurity Assessment Tool (CAT) and the Center for Internet Security’s (CIS) Critical Security Controls. Make sure, however, to avoid organizations that deliver an endless list of vulnerabilities, a patch-all mindset with no priorities and no clear risk-treatment strategy.
Know, too, that some analysts predict major changes coming in the cybersecurity space, particularly with a cybersecurity staff shortage in the millions.
In a recent Gartner Blog Network post, computer security specialist Anton Chuvakin, research director at Gartner for Technical Professionals (GTP) and Risk Management Strategies (SRMS) team, wrote: “A revolution is coming…that will sweep away many security products and will replace them with ‘product-service fusions’ where you pay one amount for using the tools together with ongoing help with their operation.”
By partnering with outside help dedicated solely to your space, credit unions can successfully incorporate such a product-service fusion approach, allowing you to maintain both cybersecurity and cybercompliance.
Credit unions using this product-service methodology can help ensure that when and if they fall victim to a security breach, their defenses are up and ready. This approach enables an organization to pay a fixed price for cybersecurity technology and trained professionals to help – 24/7. And by being co-managed, credit union staff can take on some cybersecurity tasks themselves while having their partner manage the rest, all while satisfying regulatory compliance requirements.
The threat of a breach is real – and it’s coming
The National Cyber Security Alliance reports that 60 percent of small- and mid-sized businesses – which include many community banks and credit unions – that are hacked go out of business within six months. Reasons include a lack of security measures and the mindset that they are too small to be on attackers’ radar. Yet the odds of suffering a material breach, meaning a loss of 10,000 or more records, are one in four.
Further, John Chambers, former CEO of Cisco Systems, once said, “There are only 2 types of companies: those that have been hacked and those who don’t know they’ve been hacked yet.”
By ensuring your in-house IT staff has the support it needs to mitigate and prevent a cybersecurity breach, you can be round-the-clock threat-ready while ensuring cybercompliance and protecting both your members’ assets and your reputation.
A partner focused solely on small- to medium-sized financial institutions and credit unions can help ensure that your credit union is doing the right things, doing them right and proving it, too.