3 Ways to Keep a Credit Union’s Cyber Risks From Turning Into Legal Risks

The New York State Department of Financial Services, one of the preeminent state regulators of financial institutions, recently filed its inaugural cybersecurity enforcement action. This enforcement action provides key lessons for credit unions addressing cybersecurity risks, even for credit unions that are not under the NYDFS’s supervision.

The NYDFS alleged that one of the country’s largest title insurers, First American Financial, failed to properly address a security vulnerability on its website that exposed millions of documents containing consumers’ information. After the insurer uncovered the vulnerability in a penetration test, the insurer misclassified the vulnerability as “low,” failed to timely or reasonably investigate it, and failed to heed the recommendations of the insurer’s cybersecurity employees. Further details about the security vulnerability at First American are available in the CU Times article, “Title Insurance Company Leaks 885 Million Mortgage Records.”

As shown by the timing of the NYDFS’s first enforcement action, cybersecurity remains a key priority for regulators, even during the COVID-19 pandemic. And private attorneys who represent members in lawsuits against credit unions have also remained active during the pandemic. Credit unions can employ the following three strategies to help keep cyber risks from becoming legal risks:

First, a credit union’s outside counsel should coordinate the response to sensitive cybersecurity issues. The NYDFS pointed to First American’s employees’ internal disagreements about how to address the security vulnerability as evidence of misconduct. A credit union should turn to its outside counsel when sensitive cybersecurity issues arise. Involving outside counsel will lower the risk that a credit union’s employees will prematurely speculate, and reach conflicting conclusions, about a security vulnerability. And, outside counsel can establish an attorney-client privileged communication channel, which will reduce the likelihood that unfavorable documents about a cybersecurity issue will become evidence in a legal proceeding. The phone number for outside counsel should be listed in a credit union’s incident response plan and also stored in the personal cell phones of key credit union personnel in case a credit union’s systems become inaccessible during a cyberattack.

Second, involve outside cybersecurity experts. Regulators expect credit unions to tap the expertise of qualified vendors when complex cybersecurity issues arise. Outside experts can provide a detached, objective assessment of a credit union’s cybersecurity concerns. This is preferable to relying only on a credit union’s cybersecurity employees, who may have conflicts of interest. Also, involving outside cybersecurity experts will lessen the possibility that a credit union’s employees will have debates on how to respond to a cybersecurity issue. Employees view these debates as unproductive. Regulators view them as a red flag.

Third, keep abreast of evolving cyber risks and regulatory guidance. The NCUA has remained active in cybersecurity initiatives during the COVID-19 pandemic. In July, the NCUA issued an update to its 2020 supervisory priorities, urging credit unions to stay vigilant against cyberattacks stemming from advances in fintech, as well as increased remote work arrangements and mobile app use. Similarly, the NYDFS issued guidance urging financial institutions to remain vigilant against risks heightened by the pandemic. Credit unions should periodically review their cybersecurity programs to ensure they mitigate new risks and comply with evolving regulatory guidance.

Note: The opinions expressed are those of the authors and do not necessarily reflect the views of the firm or its clients. This article is for general information purposes and is not intended to be and should not be taken as legal advice.                      

Charles J. Nerko, Esq. is a principal attorney in the financial institutions regulatory and commercial litigation groups at Offit Kurman, P.A. in New York City.

Daniella Casseres, Esq. is a principal attorney and chair of the financial institutions regulatory group at Offit Kurman, P.A. in Vienna, Va.