The priority objective of all credit unions is to win the hearts of current and future members. The priority objective of CUSOs like mine is to help credit unions achieve that goal. In the case of CU*Answers, this goes beyond just core data processing solutions.
On the front line of innovation in electronic membership service is software known as the application programming interface, or API. APIs allow connections of a set of data or services with another. For example, credit unions have had great success using APIs to connect to third-party indirect lending systems. APIs also provide ancillary services for members in online banking, where the member’s experience is nearly seamless, strengthening member brand loyalty with the credit union, not the third party.
That said, by their very nature APIs heighten cybersecurity risk. Credit unions usually understand the risk of sharing member information with third parties. By virtue of the fact that APIs facilitate the transfer of data—often sensitive—they create more points of contact for potential failures. These failures might include the misuse of data by the developers, the API itself may be vulnerable, or the third party may be vulnerable opening the door for compromised data to be pulled through the API. CU*Answers recently experienced one such event providing valuable insight into how APIs are changing the risks of innovation.
A Cybersecurity Event at CU*Answers
CU*Answers contracts with a trusted third party to provide a secure portal we use in our daily work. A network partner, who shares the platform with us, was using an API to do some testing on the portal. When using the API, our partner discovered they could see information not normally accessible through the standard interface.
Our partner responsibly notified us of the issue immediately. Our portal provider also acted conscientiously. The system was tested, and the vulnerability was proven out. The portal was taken offline. Our provider patched the system, and the system was back online within twenty-four hours. What’s more, our provider also confirmed that the cybersecurity flaw had been present in the software code for over two years.
This sort of unknown software vulnerability present in software code for years is common. One of the most serious vulnerabilities was the OpenSSL Heartbleed vulnerability, which had been present for three years and was literally due to a single line of bad code.
In 2019, researchers discovered an issue with Microsoft’s Text Services Framework, which is used to provide multilingual support in Microsoft’s Windows OS. That particular security flaw was present in every Microsoft Windows release for the last twenty years.
The takeaway here is technological innovation comes hand in hand with cybersecurity risk. There is no effective way to predict when or how latent vulnerabilities might suddenly appear in otherwise stable and secure systems, or how different software applications coming together might suddenly cause private data to be exposed to others. This heightened cybersecurity risk is inherent in the need to innovate to the requirements of the membership.
Addressing Cybersecurity Risk for the Cooperative
As part of our mission, my CUSO is always willing to partner or invest hard dollars alongside our credit unions for solution-building. However, being a partner in delivering technological solutions does not mean the same thing as underwriting risk. This is why we may require hold harmless agreements for certain high-risk collaborations.
As illustrated with both the issues with APIs and the prevalence of latent security vulnerabilities, controlling cybersecurity risk for the network is fundamentally impossible for our cooperative. If we use the resources of our cooperative to underwrite the risk for one of our credit unions, this could prove devastating to our ability to meet our mission of achieving innovation and collaboration for all.
Credit unions can still manage cybersecurity hazards despite developing at-risk service modernization. In-house or reputable software development firms who are properly insured can assist with risk management. As part of our Developer’s Help Desk process, we recommend every credit union stop and consider these elements before releasing private member information to a third-party software developer:
