October is Cybersecurity Month, and as such, I can think of no better time to reassess where our industry is and where it’s going in regard to cybersecurity. Earlier this year, the NCUA said cybersecurity would be a priority focus in 2023, and we’ve seen more regulators with this specific focus added to engagements. Looking forward, there are many areas in which credit unions will need to implement new or stronger cybersecurity plans. Today, we’ll focus on a few of those areas and how you can keep your credit union up-to-date and secure.
Incident response plans
In Michigan, the state regulators are on a 3-year rotation of bringing in an IT specialist as part of the examination process and doing a deeper dive than the normal checklist items. In preparation, credit unions should have a formal incident response plan prepared as it has been a focal point the last couple of years (and you can look at the headlines ransomware and other attacks get as a motivator there). The incident response plan should specifically refer to cyber incidents such as the aforementioned, breach, exposure of member data, and things more cyber-related, as opposed to the robbery, internal fraud, and more traditional incidents of the past.
If you do have an incident response plan already, be prepared to be asked about how you’re training staff with a tabletop exercise at least once per year or another type of awareness/readiness training with staff. The role playing, especially for those new to the concept is a good way to practice the workflow and decision-making that would need to happen in the event of a real incident, so there is real value in some preparation. There has been a marked shift from looking at incident response as an IT responsibility to more of a key item for the entire institution, with the CEO and board of directors participating.
Following the theme of incident response, the NCUA issued a letter to credit unions in August, updating and clarifying its position on Cybersecurity Incident Reporting. As of September 1st, 2023, this is now required within 72 hours of an incident, which they broadly define including:
“A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”
Notifications are required to be via phone or email. Credit unions should review this letter and make sure they understand who will be responsible for that task in the event it is necessary.
Another area of focus has been cybersecurity literacy. With the view traditionally being this is an IT discipline, we’ve noted the shift to include executive management and boards, at minimum, to understand the key concepts and assist with the risk rating of the various business functions at the organization. The good news is there is an ever-growing list of resources an institution can lean on for this training and education, the best of them are geared toward those non-technical roles. If you’re rolling this into an annual or period board meeting make sure you capture the details in the meeting minutes.
The final note from the regulatory side is that the NCUA made mention of a new examination framework, not the ACET but a simpler framework based on institutional size/complexity. We have not encountered this during an examination yet, though we expect to in 2024. We continue to see a mix of credit union recommendations that include the ACET, though no formal requirement to do so.
Thanks to the MOVE IT incident back in June, in which a data compromise affected over 60 million individuals and large companies like FIS Global and even the US government, the attention around cybersecurity has moved beyond just your own organization, but to those key vendors and partners your institution transacts business with. Expect to see more compromises like this along the “supply chain” theme that saw attackers going after managed IT service providers and the remote monitoring and management tools they use in 2022. The opportunity for a bad actor to not just affect a single institution, but many who use a common technology solution like MOVE IT, will continue.
While no organization—even the largest—can secure everything under its own roof, due diligence and cyber-focus among your critical vendors will be key. This means that the traditional vendor management and due diligence processes need to incorporate some cybersecurity considerations as well. First off start with the contract. Does the service provider say they will notify you if they are impacted by a cyber incident? What details will they provide and on what timeline will they do this? Given many service providers are not regulated to the standards credit unions and other financial institutions are, what assurance can you get that your key provider is doing as much as your organization is?
A second area of focus is their ongoing work to stay on top of cybersecurity. While they are not likely to share the details with you, do they have a robust testing, audit, and validation process for their internal teams, operations, and the products they provide? Contracting through an independent firm that provides this testing and validation is the best route to stay on top of the latest vulnerabilities, given the frequency services that test on tight intervals and monitor for things like zero-day threats are good resources to have in place.
The third item and the most challenging is understanding your key vendor’s own vendor due diligence processes—think “fourth party” service providers. As it hit the headlines just last week, two large casino operators had been hit with ransomware, one of them who settled is rumored to have paid in the neighborhood of 15 million to get systems back online. The other was still suffering from service outages as it tried to recover a week later. The most concerning thing about these incidents—outside of the sheer cost of recovery—was the fact the breach happened through a third-party IT firm that was socially engineered into resetting credentials on behalf of the client.
If your vendors aren’t following the same strict cybersecurity practices your internal organization is, you are at no less of a risk.
Insurance continues to be a focal point for organizations as the bar for coverage continues to climb nearly as fast as the cost of the coverage. What we can see from the insurance carriers is the technical controls they deem most effective, meaning you’ll not have an incident and as such, a claim. The technical controls they require are things your organization should consider, as they will reduce cyber risk (Patrick Sickels covers those items in detail here). In 2022 there was a big focus on backups and patching—definitely keys to a solid cybersecurity program.
Multifactor authentication is at the top of the list. It should be implemented on all publicly available sites, especially those that have access to or are used to transmit business confidential or member information. Many corporate credit unions, the Fed, and other key vendors have employed them for a while, but what about your online LOS portal or your new fintech partner de jour? MFA has also been something that could be implemented on an institution’s internal network, as well as cloud services such as 365, which should be strongly considered if not already in place.
Real-time incident response services are another item that will likely be a firm requirement in the near future. These solutions collect information from all of the network-connected assets at your organization and use it to baseline normal behavior and to detect and respond to abnormal behavior in near real-time. In most cases, if an incident can be contained quickly, the damage can be limited. The worst incidents are ones that go undetected for long periods of time, allowing bad actors the ability to continually exfiltrate data and collect sensitive information.
In the past, these solutions required a lot of staff to run in-house and constant fine-tuning—and you had to have someone watching around the clock. Today, these solutions have all been repackaged as software as a service so the 24×7 staffing, the updates, and everything else are just part of the service subscription, which in most cases is less than hiring a single cybersecurity specialist on your team. Most telling about the results they provide are the large monetary reimbursements many of these companies offer if you do have an incident on their watch—that shows some real confidence in the service.
Last but not least, the requirement for more security around email is there as well. Controls like DKIM and DMARC are there to help prevent those spoofed emails, which can be made to look quite convincing, from getting to their intended targets on your team (you can learn more about these tools here). Although most of the bad guys have a diverse variety of tools, including some very complex ones, the easiest and least expensive way to gain a foothold is still tricking someone who has access into giving to someone who should not. Training and testing of staff around phishing remains important but putting technical speed bumps in is definitely worth consideration as well.
Looking beyond 2023
The NCUA will release its areas of focus for 2024 soon and we expect Cybersecurity to remain on the list and a hot topic of conversation in our industry. Stay tuned for more on the topic from our team.