The list reads like a who's who in U.S. businesses, yet its members cover a variety of industries.

From Target to Home Depot to P.F. Chang's to JPMorgan Chase, all are now part of a growing list of enterprises that have suffered data breaches, losing vital customer information to hackers.

With their wealth of member data, credit unions are not immune to this electronic plague. It would seem, then, that insurance specifically designed to protect against cyber theft is not only critical to the safety of credit union data, but should be mandated for an institution's continued safety and soundness in an increasingly threatening cyber world.

Like the threat itself, it appears to be a question not of whether a credit union needs cyber insurance to protect it from data breaches, but rather a matter of what kind and how much it needs in relation to its internal safeguards and existing policy coverage.

The culprits that can cause the greatest damage are only getting more focused in their approach and more sophisticated in their methods, according to Jeff Multz, director of North American Mid-Market Sales for Dell SecureWorks, an Atlanta-based security service provider.

"It used to be that you just had to be more secure than the next guy, so threat actors would leave you alone and go after easier prey," Multz said. "That does still happen, but as long as you have valuable data, the threat actors are going to go after it."

Despite the focus given to large firms such as JPMorgan Chase, smaller financial institutions, including credit unions, also have reason for concern, largely because of the perceptions that surround them, Multz said.

"A lot of attackers attack smaller financial institutions because they normally are not as well protected as the larger ones," he explained. "It is often much easier for attackers to break into smaller institutions than larger ones, so they go there to get access to cash. They also go there a lot to practice their tactics and procedures. Once they perfect their scams on the smaller financial institutions, they move on to the bigger ones."

According to a 2013 study from the Ponemon Institute, a Traverse City, Mich.-based research center specializing in data protection and information security, the average cost per record compromised in a cyberattack is $277. With an average of 28,765 records compromised in each database breach, the cost can go as high as $5.4 million.

Data breaches continue to be a growth industry that poses significant threats to credit unions, according to Ken Otsuka, a senior consultant in risk management at CUNA Mutual Group.

"I think we've seen some serious growth in this area," Otsuka said. "Some credit unions are complacent and believe this will only happen to the largest of the large financial institutions, but this can happen to any size of institution."

Unlike larger institutions, Otsuka said many credit unions lack the security budget to adequately protect themselves. Cyber insurance can fill the ever-expanding risk gap.

"I am sure there are credit unions out there without cyber liability protection insurance, and they need to add it to their suite of protections," he suggested.

CUNA Mutual offers Cyber Solution, a policy designed to protect a credit union from cyberattacks and customizable to an institution's level of need, according to the company. The insurance product, like the threats themselves, is still adjusting to a rapidly changing marketplace, Jim Hunt, a CUNA Mutual staff underwriting specialist, said.

"Cyber insurance is still so new to the marketplace that there is not a standard for what is covered or not covered," Hunt said, adding that it is generally not part of standard business coverage for a reason. "The unique nature of cyber risk is such that cyber needed its own coverage, conditions, exclusions and definitions. This uniqueness required a separate policy, just as bond, management professional liability and business auto did."

The cost of CUNA Mutual's Cyber Solution package, which Hunt declined to discuss in detail, is based on the credit union's size and on factors relating to the risk presented, including the number and type of services the credit union offers online, the institution's risk management capabilities, as well as encryption, security auditing and testing, difficulty of passwords and members' use of mobile devices.

The plan's first-party coverage includes expenses for security breaches, public relations and payment card industry defenses, fines or penalties, replacement or restoration of electronic data costs, extortion threats, loss of business income and extra expenses, Hunt said. Additional services covered include breach preparedness, response and recovery service, member ID consultation and restoration service, risk alerts and on-site risk assessments, and cyber risk-related webinars and white papers.

Industry experts estimate that about 20% of all credit unions have cyber insurance, something Hunt believes will one day be mandatory for all institutions. However, not all agree. What the coverage will look like and whether it's necessary at all depends on the institution and its insurance provider, according to attorney Randy Sabett, vice chair of the privacy and data protections practice at Cooley LLP, a Washington, D.C., law firm.

"Whether a firm needs cyber insurance depends on what you mean by the term itself," said Sabett, who has a background in data security and once worked as a "crypto engineer" writing security code for the NSA. "It's a question of form versus substance. If a firm has a reasonable general liability policy with cyber coverage, they don't need extra cyber insurance."

In the case of credit unions, Sabett said it was a matter of risk tolerance versus the type of security policies the institution had in place. Cyber insurance can come as a stand-alone policy or as a rider on an existing policy, or may not need to be purchased at all, he said.

"If a credit union has thought through the issue, done a true threat and risk analysis and put in place security they're comfortable with, they may decide to self-insure," Sabett said.

From a price-versus-services standpoint, cyber insurance policies are all over the map, Sabett said. Some policies are very costly, the attorney said, noting one he saw was priced "in the low five figures." Yet some businesses see handling cyber threats as one more cost of doing business and plan accordingly without investing in extra insurance.

"The take-away for me, having been involved with a number of these policies, is that a credit union should approach this issue cautiously and carefully read whatever coverage they're contemplating," Sabett said. "They should have a careful dialogue with their broker or insurance company representative to make sure they understand what they're buying and what it covers."

Sabett admits there's reason for alarm, and it's no surprise that the Department of Homeland Security has declared October National Cyber Security Awareness Month. But preparing for a cyber attack and purchasing cyber insurance require the same logical, well-thought-out approach that executives would take in making any other credit union business decision.

"This can be a dark and gloomy scenario if you don't do your homework and engage in the dialogues I just described," Sabett said. "I'm not saying it's all rosy out there, but a credit union needs to be pretty clear about what they do as part of its business model and understand what it needs from a security perspective to protect member data."
