Confidence evaporating to sheer terror. That look on the face of Harrison Ford? Classic.
Indiana Jones is running toward the enemy, machete raised high, only to turn the corner to face a horde of armed and angry natives running his way. He’s outnumbered and vastly unprepared. And he had no idea.
I think we’ve all had that feeling. Many credit unions are feeling that right now. They believe they have a mature and robust information security/cybersecurity program—something that not only protects the confidentiality of member information but can also respond to a potential breach. The reality? Many credit unions are vastly unprepared with inadequate programs, and they don’t know what they don’t know.
They soon will, however, because annual compliance examinations are going to start taking a much closer look under the hood. And you better bring more than just a machete to the inevitable cybersecurity gunfight.
Ready for regulators?
Threats are everywhere. Tornadoes, flooding, robbery, security failure and a host of cyber attacks all pose a risk to your organization and the privacy of your members. Identifying every possible hazard – and demonstrating your plan to address them to governing bodies – quickly becomes a grueling task. The list is growing, too: GLBA risk assessments, information security programs, business impact assessments, business continuity plans, disaster recovery preparedness, and more.
The problem is that by and large credit unions have not been pressed by examiners in the past (or regulated as heavily as banks), so many have been lulled into a false sense of security—that whatever security plan they have in place is more than sufficient to pass the annual exam and protect their stakeholders. And even if you’ve recognized you need to beef up your plan, you may not even know where to begin.
So, let’s start here: When the NCUA released its 2019 supervisory priorities, it made sure to include the following:
“Examiners will continue conducting information security maturity assessments with the Automated Cybersecurity Examination Toolbox (ACET). Examiners will use the ACET to assess credit unions with over $250 million in assets that have not previously received an assessment. The security, confidentiality, and integrity of credit union member information remains a key supervisory priority for the NCUA.”
While the regulations haven’t changed (part of the reason this isn’t always on the radar) – and the NCUA hasn’t always put a high priority on IT risk management in the past – the organization is beefing up its examinations to evaluate how your organization is meeting the requirements of Part 748. And those examiners are looking for proof of a mature program that’s equipped to handle the security concerns facing today’s financial institutions.
Unfortunately, this isn’t simply an IT problem. While your credit union may delegate these kinds of operational issues to your CISO or IT director, the organization’s overall security is something that touches everyone, from top to bottom. An article in Credit Union Magazine punctuates the point:
“With the ever-increasing array of malicious cyberevents – phishing attacks, spyware, viruses, worms, ransomware, and distributed denial of service attacks to name a few – the board’s ongoing involvement in the credit union’s cybersecurity program is more important than ever … The board should ensure the credit union integrates cybersecurity throughout its operations as part of enterprise-wide governance, information security, business continuity, and vendor risk management processes.”
Planning for a better plan
The escalated scrutiny is going to surprise many credit unions, who aren’t even aware this is coming their way. For those who do? They’re not sure what an adequate program is even supposed to look like. They may have parts of a plan, and they may talk with others within their networks. They may get a few good tips here and there, but unfortunately those bits and pieces usually don’t add up to a complete program in the end.
Even those credit unions hoping to tackle the job internally are realizing the resources just aren’t there. Instead, many credit unions are finding success through a partnership with an outside vendor. If you choose to go that route, make sure the partner already has established contacts with NCUA examiners—as well as experience dealing with examiners one on one. Ideally, look for an outside vendor with people who used to be CIOs at a financial institution (versus someone who’s more of a security engineer or an auditor). That kind of experience will allow them valuable insight into the regulatory perspective and help you adequately prepare.
Together, you can work to drive the security program from the top down. Your outsourced partner needs to understand what’s at stake from a board level, and grasp that IT is not just a department but actually woven into every aspect of a successful credit union. Once you better understand what a complete security program should look like, you can start building the roadmap to get you there.
That way you’ll have an entire battalion at your back when you face the next security threat waiting for you around the corner.