What Should Credit Unions Expect From a Renewed Federal Focus on Cybersecurity?
Cybersecurity has become an increasingly critical federal priority, due in large part to the recent SolarWinds attack.
An incoming president always faces new challenges, but arguably no administration has faced a more complex environment than that in which the Biden team currently finds itself. Chief among these, of course, is COVID-19, but the pandemic is far from the only pressing issue the administration must navigate. Cybersecurity has also become an increasingly critical federal priority, due in large part to the recent SolarWinds attack. Thus far, the breach has impacted up to 18,000 organizations – including government agencies and financial services firms – and it’s possible that more affected companies will be discovered in the coming months.
The Biden Administration has pledged to make the SolarWinds investigation a priority. In addition, it plans to invest in infrastructure, personnel and partnerships to improve cybersecurity and help provide guidance to organizations navigating the industry’s myriad challenges. As a recent article from Brookings put it, “… the Biden Administration is likely to make a point of a multifaceted, well-funded and strategic approach to cybersecurity threats that are only becoming more complex and far-reaching. Many top priorities for the Biden Administration – infrastructure, international trade, pandemic response, broadband deployment, election integrity – will depend on it.”
With this in mind, let’s take a look at some credit union-specific security challenges – and what a renewed federal focus on cybersecurity might mean for them.
Supply Chain Vulnerabilities
The SolarWinds attack illustrates the domino effect that a breach at one vendor company can have across many others. Given the wealth of sensitive data to which financial services organizations have access, these companies’ supply chains are frequently targeted by hackers with the ultimate goal of accessing the bank or credit union’s system. Of course, this isn’t new information. In fact, it’s one of the reasons why credit unions typically select software providers with a large financial services customer base. But just because a vendor has extensive industry expertise doesn’t necessarily mean that the organization is abiding by the most stringent cybersecurity standards.
As such, credit unions would be wise to carefully review the security posture of every vendor in their supply chain – even well-known brands with trusted industry reputations. Technology providers that prioritize cybersecurity should be conducting penetration testing to uncover and address any vulnerabilities. It’s important to ask for the results of these pen tests, as well as ongoing security audits. Certifications, such as SOC 2 Type II, can provide additional reassurance that a vendor is taking security seriously. Developing a standard cybersecurity due diligence questionnaire for potential vendors to respond to can also be very helpful in this area.
And if you’re ever in doubt about a vendor’s security practices, ask for clarification. As researchers uncover more about the SolarWinds breach, I expect that the federal government will establish more stringent policies targeting supply chain vulnerabilities. Companies that anticipate these regulations and begin reviewing supply chain security now will be ahead of the curve when these policies are enacted.
Acceleration of Digital Banking
According to a 2020 survey from FIS, 45% of consumers have changed how they interact with their banks since the start of the pandemic. As Mike Mayo, an analyst at Wells Fargo Securities, put it in an American Banker interview, “What we’re seeing is the greatest acceleration of digital banking in history … What’s taken place over the last few months may have taken place over two to 10 years [had the pandemic not hit].” This acceleration of digital banking offers credit unions numerous benefits – increased options for personalization, new service offerings and cost reduction, to name just a few. At the same time, however, the trend also introduces some security concerns.
Many of these center around passwords. Even in the best of times, individuals typically practice terrible security hygiene when it comes to their passwords – creating simple ones that are easy for hackers to guess and reusing them across multiple online accounts. With lockdown restrictions requiring people to create new passwords for grocery delivery, virtual doctor’s visits and other newly digital services, you can only imagine how pervasive these poor password practices currently are. It’s critical that credit unions are mindful of this problem as they roll out new digital offerings.
It’s unrealistic to expect people to dramatically improve their password behavior, particularly in such stressful times. What credit unions can do, however, is implement screening solutions that check passwords against a live database of exposed credentials both at creation and at every login. If it’s determined that the password has been exposed, members can be prompted to change it so that the account remains secure. Assuming that no compromise is detected, the member experience remains unaffected and members aren’t tasked with unnecessarily complex password requirements.
Multi-factor authentication (MFA) can be helpful in preventing unauthorized account access as well, although user acceptance of these technologies can sometimes be difficult. Device-based trust has become a popular way to limit how often users are prompted for MFA: the extra factor is required only when access from a new, untrusted device is detected.
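The two preceding paragraphs describe a login flow that screens the password against a corpus of exposed credentials (at creation and at every login) and steps up to MFA only from an untrusted device. The following is an added example, not code from the article or from Enzoic; it assumes a local, constructed stand-in for the breach corpus and a k-anonymity style lookup in which only the first five hex characters of the password's SHA-1 hash leave the process. The function names (`is_exposed`, `screen_new_password`, `evaluate_login`) and the sample passwords are hypothetical.

```python
import hashlib
from typing import Dict, Iterable, Set

# Constructed stand-in for an exposed-credentials corpus. A real deployment
# would query a breach-data service; these strings are only for illustration.
EXPOSED_PASSWORDS_SAMPLE = {"password", "123456", "qwerty", "letmein", "Summer2020!"}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key format used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index the corpus as {5-char hash prefix: set of 35-char suffixes}.

    This mirrors the shape a k-anonymity range API returns, so the client
    never has to send the full hash, let alone the password itself.
    """
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(EXPOSED_PASSWORDS_SAMPLE)


def range_lookup(prefix: str) -> Set[str]:
    """Stand-in for the network call: return every suffix sharing this prefix."""
    return RANGE_INDEX.get(prefix, set())


def is_exposed(password: str) -> bool:
    """True if the password's hash appears in the exposed-credentials corpus.

    Only the prefix is sent out; the suffix comparison happens locally.
    """
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def screen_new_password(password: str) -> str:
    """Creation-time check: reject an exposed password before it is ever stored."""
    return "reject" if is_exposed(password) else "accept"


def evaluate_login(password: str, device_id: str, trusted_devices: Set[str]) -> Dict[str, bool]:
    """Login-time decision, to be called only AFTER the password has verified
    against the stored hash. Running the screen before verification would turn
    the 'exposed' answer into an oracle for guessing other users' passwords.

    force_reset: the (correct) password is known to be exposed, so prompt a change.
    step_up_mfa: the device is not yet trusted, so require the second factor.
    A known device with a clean password passes through with no extra friction.
    """
    return {
        "force_reset": is_exposed(password),
        "step_up_mfa": device_id not in trusted_devices,
    }


if __name__ == "__main__":
    print(screen_new_password("123456"))                       # reject
    print(evaluate_login("qwerty", "phone-new", {"laptop-1"}))  # both flags set
    print(evaluate_login("Tq7#vXz2pL!m", "laptop-1", {"laptop-1"}))  # clean
```

The ordering comment in `evaluate_login` is the practical caveat: the exposure check must sit behind successful authentication, and its result should only ever be surfaced to the member who just proved they own the account.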
Security Education
This final trend is less of a challenge than it is an opportunity. Many credit unions increased their electronic communication as branches closed in response to the pandemic, and there is no reason these digital correspondences should cease when life returns to normal. A key credit union value proposition has always been the personal member relationship, and credit unions now have the opportunity to strengthen it by educating members on the security landscape.
Whether it’s emails advising of a significant breach like SolarWinds or a simple reminder of phishing red flags, credit unions can help members become more digitally savvy. It follows that a security-conscious consumer practices better security behavior in every online transaction. As such, in a very small way, credit unions can mirror the Biden Administration’s strategic focus on cybersecurity by using their digital channels to educate members on security best practices.
Mark Weatherford, the chief strategy officer at the National Cybersecurity Center, said in a Forbes op-ed that he believes “… the Biden Administration has both the opportunity and the obligation to establish national policies that help public and private organizations understand where the [cybersecurity] guardrails are located and what lifeline resources are available.” The coming months will bring more clarity as to how exactly this may happen, but one thing is certain: The renewed federal focus on cybersecurity will have a direct impact on credit unions. As such, leadership would be wise to take a similar stance and prioritize security throughout their supply chain, and among their employees, members and themselves.
Mike Wilson, Founder and CTO, Enzoic, Boulder, Colo.