Cyberattacks: Should CUs Worry?

Some credit union professionals seem to underestimate the potential damage breaches can cause to their institution and membership.


How well are credit unions responding to breach threats? Are they protecting their perimeters, paralyzed into inaction by the headlines, preparing for the worst or merely hoping they will get lucky?

It is clear the financial services industry is under attack. More than 1,300 breaches exposed more than 163 million reported records in 2019, with the Banking/Credit/Financial category representing only about 7% of the total incidents but more than 60% of the overall reported records, according to the San Diego-based Identity Theft Resource Center (which was still tallying the damage at press time).

Research from the Palo Alto, Calif.-based Menlo Security revealed finserv companies experienced a 147% increase in phishing clicks between January and September 2019 from scams imitating financial organizations to try to lure victims.

The 2019 “Financial Breach Report” from the Campbell, Calif.-based Bitglass also showed that, although financial services firms suffered only a small percentage of 2019 breaches, those incidents caused more damage to financial organizations than in other sectors, accounting for 61.4% of all leaked records. A big part of that damage came from the Capital One mega breach, which alone compromised more than 100 million records.

The worst data breaches affecting the ITRC’s Banking/Credit/Financial category, based on reported records confirmed by various media sources and notification lists from state governmental agencies, included:

  1. Capital One – 100 million records
  2. Centerstone Insurance and Financial Services d/b/a BenefitMall Texas – 111,589 records
  3. Auto Approve – 93,759 records
  4. Nassau Educators Federal Credit Union – 86,773 records
  5. JD Bank – 39,827 records
  6. Jackson National Life Insurance – 31,170 records
  7. Homeside Financial – 28,446 records
  8. Zions Bancorporation – 20,826 records
  9. Capital City Bank Group, Inc. – 11,011 records
  10. Applied Data Finance – 9,939 records

A handful of credit unions were breached as well; besides Nassau Educators, three had reported record counts: The $296 million Dominion Energy Credit Union in North Chesterfield, Va. (2,662 records), the $20 million Florida A&M University Federal Credit Union in Tallahassee (2,329 records) and the $401 million Town & Country Federal Credit Union of Scarborough, Maine (2,030 records).

Some credit union professionals have appeared to underestimate the potential damage breaches can cause to their institution and membership.

“In general, we must remember that the measure of credit union success comes from our members. Our members expect their information will be correct, delivered when they need it and where they need it. They expect all this to be done securely,” Gene Fredriksen, executive director and CEO at the National Credit Union Information Sharing & Analysis Organization, said.


Following the 2017 Equifax exposure of sensitive information – including Social Security numbers, birth dates and home addresses – belonging to an estimated 145 to 148 million Americans, Fredriksen said he was surprised by the number of credit union people who told him the Equifax event did not affect them. “If you look at the credit union universe, fighting the survival battle against the big banks and things like that, you have got to be concerned about all those kinds of things and how it affects your ability to serve your clients.”

Fredriksen noted if a breach happens somewhere and it leads to the decline of a member’s card at a restaurant, ATM or POS device, credit unions are failing to meet member expectations and risk losing members. Additionally, incurring ATM interchange fees for using non-credit union ATMs and having to update multiple merchants and bill pay sites to reflect reissued cards affects members. “Keeping the customer-first focus when ‘it’ hits the fan may be a challenge, but maintaining their trust and making them right as soon as possible is critical,” he said.

Breaches could impact credit unions directly through card reissuance costs (even if the breach is not their own), member communications, legal damages and fines, forensic response, fraud losses, supplemental monitoring fees and surging call center activities, Fredriksen pointed out. Indirect effects could include brand damage, member abandonment due to loss of trust, staff productivity dips and increased stress. “Distractions mean business plans and strategic programs go on hold,” Fredriksen said.

Fredriksen recommended that to protect against breaches, credit unions should patch and fix critical vulnerabilities as soon as possible, as well as provide cybersecurity education for general and specific threats such as phishing, encourage staff to say something if they see something and secure third-party connections.

The St. Petersburg, Fla.-based payments CUSO PSCU’s chief information officer, Dave Stafford, and chief information security officer, David Bryant, teamed up to provide guidance and recommendations. They noted there are two angles to consider when determining how breaches impact credit unions:

First, as owners of technical applications and infrastructure, credit unions and their processing partners can suffer from direct cyberattacks like any other entity. “Thankfully, reports of successful compromises in our industry have been relatively low to date,” Bryant said.


He pointed out an incident would hit the credit union model – tailored to a more personal, trusted service approach – harder than it would the larger banks and card issuers. Members may lose faith in the credit union’s ability to protect their data and decide to do business elsewhere. “This impacts the ability of the credit union to service the community and ultimately hurts everyone in the space,” he said.

In addition to the downstream impacts, breaches also lead to legislative and regulatory changes that credit unions have to meet. “This is an expensive and resource intensive job that some credit unions may have issues complying with, given lean staffing and tight operating margins,” Bryant said. Additionally, cyber-protection insurance rates increase across the board, so every institution ends up paying for it.

The second angle lies in the downstream impact of the common breaches at large merchants, health care providers and repositories of payment card data or personally identifiable information. “As these compromises become more and more common, the end result is often a fraudulent card transaction, successful account takeover or even theft of the member’s identity. The credit union may end up needing to service this claim or even cover the effects of the financial loss to the consumer,” Bryant stated.

Stafford and Bryant also emphasized credit union members deal with a loss of personal and account data at the same rate as other consumers in the community. “Credit unions take precautions just like most other providers, but the fraudsters are constantly trying to get in,” the team stated. In the event of a breach, credit unions should focus on notification, protection and account restoration for members.

For cyber events affecting credit unions directly, each institution should have an incident response plan ready. “It is the job of the CISO to make sure the plan is well communicated and tested regularly,” the PSCU duo emphasized, noting security crews ought to respond according to their plan and prepare to remediate and document the incident. It is also very important to ensure the preservation of evidence and involvement of authorities and/or regulators. “Each incident and situation will be unique to that credit union, so the ability to work within the plan and understand the business will be a key element of the response.” In addition, the CISO should be ready to communicate with senior leaders and make sure updates are clear, concise and free of tech speak that muddies the information.


The PSCU cybercrime experts also noted it is critical for credit unions to stay aware of threats and indicators of compromise. “The foundational concepts of defense-in-depth and integration with business processes will also help a great deal. In this regard, PSCU works with the credit union community to share threat data, offer help with security topics and questions and help connect groups together to support each other.” Additionally, working with the NCU-ISAO can provide credit unions with access to forums for idea exchange and thought leadership among other credit unions that have experienced similar events or incidents. “Creating a strong and secure credit union space is important and we all benefit from it.”

The PSCU pair indicated that as part of its standard processing model, PSCU assists in these efforts by providing its owner credit unions with a comprehensive set of advanced fraud management tools and resources that deliver deep, proactive insights into fraud activity trends to strengthen credit union defenses against new threats.

“Reports of increased cybercrime continue to surface daily and it will take a coordinated, focused effort from credit unions, their processing partners and their members to continue to properly address and combat the threat,” they said.