Data breaches and cybersecurity incidents happen every day, and credit unions need to be considering what to do when – not if – they are attacked. Not only are breaches due to hackers, malware and phishing attacks on the rise, they are becoming increasingly complex and expensive to fix. In this risky climate, credit unions must do what they can to stop potential threats and prepare to respond to attacks.
Earlier this year, the NCUA released its Supervisory Priorities for 2016. Topping that list were Cybersecurity Assessments and Response Programs for Unauthorized Access to Member Information. With the NCUA carefully evaluating credit unions' risk management and information security programs, it is especially important that institutions and their service providers have the necessary policies and best practices in place.
Credit unions must focus on four main impacts of a data breach: legal, reputational, financial and operational, according to a 2015 FFIEC Cybersecurity Assessment Tool Presentation. Legal impacts are the result of a credit union's duty to protect member information, as required by the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act and the Fair Credit Reporting Act. Credit unions may also find themselves in violation of Dodd-Frank by committing unfair, deceptive and/or abusive acts or practices if the credit union is determined to have advertised security protections that weren't actually in place. Violations of these rules and regulations can result in civil penalties and administrative sanctions.
Research has shown that the financial impact of a data breach ends up being anywhere from $150 to $1,000 per record, a recent CU Times article stated. Multiply that by the total number of affected records and a credit union could face a steep loss. The costs of a breach or incident include member notification and reimbursements, as well as credit monitoring costs (if offered by the credit union). This total also includes fees for breach investigation and resolution, auditing expenses and possible consulting services to prevent future attacks. Finally, there is always the potential for member lawsuits and civil penalties when a data breach results in a statutory violation.
Credit unions should also not underestimate the operational impacts of a breach or other cybersecurity incident. These events are not just inconvenient for the credit union but also for its members. If the breach is the result of a virus or malware, employees may not be able to access systems or data. The credit union must investigate where the breach occurred, and this can result in system downtime. Members may find themselves with frozen debit cards and unable to conveniently access their accounts.
Another concern for credit unions is the potential hit to their reputation. This can include a permanent stain on member relations, as members may lose trust and ultimately leave for other institutions. Finally, a breach can impact employee morale, especially if it is the result of a phishing attack or employee error.
So how can a credit union mitigate these impacts? By focusing on early detection and rapid response; having policies and procedures in place, with employees well-trained to execute them; and by engaging the entire credit union structure, from board members to tellers, in developing a robust response strategy.
Credit unions are required by the NCUA and GLBA to have a Written Information Security Program and a Cybersecurity Incident Response Program. These policies should be reviewed and updated frequently to address constantly changing risks and threats. The board-approved security program should be designed to ensure the security and confidentiality of member records through the use of regular risk assessments. The security program should also require that agreements with service providers contain strong member information protections.
As the Incident Response timeline shows, there are many steps a credit union must take when responding to an incident. Having a thorough incident response program can reduce reaction time after unauthorized access to member information. The program should clearly explain the role of each employee or director. A good incident response program will establish an incident response team and help the credit union understand what happened, why it happened, and how to prevent future incidents, while also mitigating potential negative impacts to the credit union and its members. As noted in the checklist, there are multiple steps in an incident response timeline.
There are tools and best practices available for credit unions to help protect themselves and their members from data breaches and cybersecurity incidents. One item that the NCUA is incorporating into its exams is the FFIEC Cybersecurity Assessment Tool. This tool provides a structured methodology for credit unions to manage information security and protect member information more effectively by identifying gaps in risk management protocols. In addition, best practices for credit unions include reviewing business continuity plans and engaging in disaster recovery tests regularly, performing regular information security risk assessments and establishing a record retention policy featuring encryption of all retained data. Credit unions should also establish a training program that involves all employees and board members on how to identify, prevent and respond to attacks.
Members value the unique relationships they have with their credit unions. By having sound policies and procedures in place, an involved board and well-trained employees, members should have no reason to fear that the uniquely personal style of service credit unions provide comes with any compromise in security.
Jennifer Winston is an associate at Messick & Lauer PC. She can be reached at 610-891-9000 or [email protected].
© 2025 ALM Global, LLC, All Rights Reserved.