During the 521 computer breaches that occurred in 2014, a total of 17,829,689 consumer records and the data they contained were exposed to cyber criminals, according to The Identity Theft Resource Center Data Breach Report. Tom Garcia believes the pace of data theft will only escalate in the coming year.

"It's no longer the latchkey kids trying to play 'capture the flag' with their computers," Garcia, president/CEO of InfoSight, an information security, risk and compliance management company in Miami Lakes, Fla., told participants in his firm's recent webinar. "Organized crime is now the major driver in these attacks."

The Wednesday webinar, "FFIEC Cybersecurity Assessments: Gaps Found by Examiners in Round One," focused not only on cybersecurity threats facing financial institutions, but also on steps that can be taken to reach what Garcia referred to as cybersecurity maturity.

"We're all trying to become more cyber-resilient, which is the new buzzword," Garcia said.

Cyber threats are becoming increasingly pervasive, Garcia said, noting that 110 million Americans – or 50% of U.S. adults – had personal data exposed during 2014. Of that, 80% of hacking victims were unaware they had been hacked until informed by vendors, authorities or consumers, he added.

According to FFIEC, financial institutions saw their greatest risk in the areas of inherent risk from daily operations that interface with the cyberworld and electronic communication devices, and preparedness for the inevitable cyber assaults that will occur for most enterprises.

Garcia outlined five areas in which financial institutions, including credit unions, could improve their preparedness in an effort to reach cybersecurity maturity.

1. Risk management and oversight. Cybersecurity is a problem for the board and senior management and not just IT staff, Garcia said. Ongoing discussion must ensue about threats and vulnerabilities to the credit union. Accountability for managing cyber risks must be established and enforced. Staff at all levels should be trained to recognize and, whenever possible, help prevent cyberattacks by not sharing credit union information through their personal devices.

"It's not just an IT problem," Garcia said. "Conversations about cybersecurity have come out of the computer room and gone into the boardroom, and that's as it should be."

2. Threat intelligence and collaboration. Credit unions must understand the source of threats, as well as the pain points in the credit union's firewall and other means of access, Garcia said. The information should be gathered, monitored, analyzed and shared among appropriate staff and board so that strategies can be developed and approaches created to reduce future threats.

"What reports are provided to board and staff, and who is accountable for maintaining relationships with law enforcement, are questions that need to be asked and answered," he added.

3. Cybersecurity controls. The need for controls goes without saying, but those controls should be preventive, detective and corrective for maximum efficiency, Garcia said.

The credit union's process should clearly define all steps taken in each of the categories. In addition, there should be a clear understanding of who is responsible for updating processes whenever the credit union's data processing system changes. The process should also define appropriate risk controls and outline a process for corrective action for risks that are uncovered, he said.

4. External dependency management. Third-party service providers, business associates and even members are all part of the credit union's cybersecurity equation, Garcia said. If they interface in any way with the credit union's system, they run the risk of providing access to cyber invaders and posing a threat to the credit union.

"If someone has access to your network do they have cyber-liability insurance coverage?" Garcia asked. "They should."

Third-party vendors' roles during cyberattacks also should be clearly outlined in the credit union's security plan, he added.

5. Cyber incident management and resilience. Care should be taken to incorporate all the necessary facets into your cyberattack detection and prevention plan, Garcia said.

Those elements include incident detection and the appropriate response; mitigation of threats and risk; escalation of efforts in response to a rise in the threat environment; and reporting occurrences and results of those occurrences to the board and appropriate authorities, as well as members as necessary. All of that will add to a credit union's cyber-resilience, he added.

"Take the bullet and incorporate those facets into the program you already have," Garcia said.
