CU Times' virtual cybersecurity conference, "Defending Your Credit Union Against Data Breaches," will take place Sept. 7 and provide vital help in understanding and defending against evolving external and internal security threats.
The conference agenda covers topics such as the importance of collaborative information sharing, legislative and regulatory expectations, trends in cybersecurity and incident response, and how different threat types can exploit organizations and members.
"Credit Union Times recognizes the importance of keeping up-to-date with the latest in cybersecurity," Sarah Snell Cooke, ALM Media market segment strategy leader for credit unions and commercial real estate, said. "We felt that it was our responsibility to deliver that useful information in an effective and efficient way so credit union professionals can do their jobs even better and be on with the rest of their day."
Three participants provided a taste of what to expect at the virtual conference.
Bill Nelson, president/CEO of the Financial Services Information Sharing and Analysis Center, is scheduled to deliver the opening keynote.
CU Times: What is the goal of the Financial Services Information Sharing and Analysis Center (FS-ISAC)?
Nelson: FS-ISAC's primary goal is to share cyber and physical threat information with member financial institutions in order to help them prevent, detect and respond to various attacks and vulnerabilities.
CU Times: How many members does FS-ISAC have?
Nelson: FS-ISAC has more than 7,000 member institutions. FS-ISAC has grown rapidly in the last two years, adding more than 3,200 members since January 2014. This is largely due to the efforts of the FFIEC and the NCUA, which have recommended membership to the credit unions and banks that they regulate.
CU Times: What is the structure?
Nelson: FS-ISAC is a nonprofit 501(c)(6) organization, and its members are financial institutions including credit unions, banks, broker dealers, insurance companies, payment processors and technology companies that support the financial services industry.
CU Times: How can credit unions participate?
Nelson: Credit unions can join FS-ISAC directly by logging in to fsisac.com and setting up their memberships. Once a credit union joins, they can start receiving alerts and sign up to share information by joining various groups such as the Community Institution Council or Cyber Intelligence email distribution lists.
Gene Fredriksen, vice president and chief information officer for the St. Petersburg, Fla.-based PSCU, and CEO of the newly formed National Credit Union – Information Sharing and Analysis Organization, is scheduled to deliver the PSCU Gold Sponsor Keynote Presentation.
CU Times: What is the goal of the National Credit Union – Information Sharing and Analysis Organization?
Fredriksen: Post 9/11 there was a presidential order about the need for threat sharing organizations or consortiums. One of the organizations that stood up right away was the Financial Services Information Sharing and Analysis Center. There is one for chemical, for real estate, for healthcare. There have been a lot of those (more than 20).
I am not taking anything away from those organizations. They are very outstanding but like everything else, you have heard about the financial sector, it is hard to do anything that applies to everyone. One of the big differences is financial services. On one side, you have the megabanks, Bank of America, Wells Fargo and Citibank. On the other side, there might be a five-employee credit union with a couple of million dollars in assets as opposed to hundreds of billions and trillions of dollars in assets.
This last year, President Obama issued an executive order to authorize the creation of information sharing and analysis organizations. The focus of the ISAOs was to be laser-focused on a specific business or market sector that needs attention. That is pretty much the definition of what the credit union market is.
Many credit unions might not have a full-time security person, and they are not publicly traded companies. The credit union mindset is there to serve the community and to return the value generated from the credit union back into the community.
This organization is going to be about living up to that same mission, that same mindset. We are here to serve. We are here to find out what all sizes of credit unions need and deliver that for a price the largest and smallest credit unions can afford. PSCU is a founding sponsor.
CU Times: What is the NCU ISAO's mission?
Fredriksen: As part of my role as CISO at PSCU, I have found uncertainty and angst at credit unions about the thousands of threats that come out every week. They are struggling to determine how these threats affect them and what they need to be concerned about.
The other thing that unintentionally has caused them some pain is the NCUA. In a great effort to raise awareness around cybersecurity, [the NCUA] has said, we want you to run this FFIEC Cybersecurity Assessment Tool.
What we have are many credit unions running this tool and getting results, and they are not sure what to do with it now.
One of the big missions of the NCU ISAO is not just to put out threat information or threat intelligence; it has to put out operational intelligence. The mission is also to collect ideas from other credit unions and get them to share information that relates to them such as with the Cybersecurity Assessment Tool.
That is where communication between them is more than just threat assessment.
The ISACs in the past were just ways to share threats and share attacks; that is going to stay the same. I do not want to compete in that space. If there is something specific to credit unions, we will pass that awareness along.
We want to take it to the next step. Our overriding motto is to help accelerate the security and maturity of credit unions.
We want to get them to share things such as templates, procedures and ideas, which are part of that operational intelligence. That is going to let them make leaps in that cybersecurity maturity model much faster than they would be able to do on their own, even with a limited staff.
CU Times: What other values will the NCU ISAO bring?
Fredriksen: We are going to develop anonymous benchmarking models. In the case of the FFIEC Cybersecurity Assessment Tool, it will provide feedback and scores of credit unions of the same relative size. You can take that to the board; it lets you know where you are. It's information sharing at its best, but it is not just threat sharing.
Alex Ricardo, privacy breach response manager at Beazley, is scheduled to speak about trends in cybersecurity and incident response.
CU Times: What is Beazley?
Ricardo: We are a specialist insurer and the pioneer of breach response insurance. We manage more than 4,100 privacy/data breach incidents, not only providing risk transfer options for credit unions dealing with third-party liability, but also helping clients stay defensible from privacy/data breach incidents. Beazley aids within the assessment, investigation and response phases. A data breach is not always a disaster. Mishandling it is.
CU Times: What are the biggest data breach threats to credit unions?
Ricardo: Much like other organizations that own the personally identifiable information on employees as well as members, most of the threat or liability extends not from lawsuits or regulatory investigations, but rather the lack of experience in properly assessing, investigating and responding to the privacy/data breach incident at hand. Many liability pitfalls arise in the course of those phases leading up to the possibility of lawsuits or regulatory investigations. With respect to causes of such incidents, we are seeing a surge with spear phishing, malware intrusions via social engineering tactics, ransomware and broken business practices such as improper or lacking encryption practices on portable media devices.
CU Times: What are some of the less obvious threats?
Ricardo: Some of the less obvious causes of privacy/data breach incidents include physical record loss, which accounts for 16% of such incidents. Rogue employees account for 10% of such incidents. Another less obvious but significant cause is third-party vendors, which cause about 30% of such incidents.
CU Times: How can credit unions protect themselves?
Ricardo: Beyond some of the obvious measures both from a network security and physical security perspective, the best course of action to protect against the liability that surfaces within a privacy/data breach incident is to have a robust data breach incident response plan as well as having proper employee education on privacy awareness. Having such preparedness initiatives in place reduces the likelihood of third-party claims such as lawsuits and regulatory investigations.