3 Keys to Leading Change in Cybersecurity

CUs must foster their spirit of cooperation across all parties involved in cybersecurity, including government, CUSOs and vendors.

As e-commerce and financial technology continue to advance at breakneck speed, credit unions need additional support from governing bodies to ensure Americans are not left vulnerable. The pace of cyberattacks is only growing. Recent data from the Identity Theft Resource Center showed that by October of last year, the number of reported data breaches had already outpaced those for all of 2020.

Canvas Credit Union recently had the opportunity to testify in front of Congress at the House Financial Services’ subcommittee hearing discussing cybersecurity. As Capitol Hill enacts laws intended to better our society, we consider it an honor, and our duty, to help ensure the underlying implications for credit unions and our members are well understood. We shared three primary opportunities for our government and credit unions to work together and improve cybersecurity for Americans.

Accountability

It is undeniable – the process governing data security and privacy in the financial sector has not kept pace with the malicious activity we combat every day. We feel there is one key weakness to the current legal framework: Accountability.

Much focus has been put on the role financial institutions play in protecting consumer data, and rightfully so. We have supreme responsibility to protect our members’ data. But we are doing so with one hand tied behind our back when much of the threat exists beyond our walls. Simply put, more vigilance is needed with retailers and bank technology providers.

Currently, the NCUA is seeking legislative authority for oversight on CUSOs and third-party vendors offering services to credit unions. While the NCUA sits on the Financial Security Oversight Council, it is the only federal agency without this statutory authority as it pertains to vendors serving banking organizations, leaving credit unions especially vulnerable. There are nearly 5,000 federally insured credit unions serving 128.6 million members nationwide, according to NCUA data. It is high time we are afforded the same foundational support as our counterparts in the financial industry. This can be achieved if the NCUA shares its information with state regulators and coordinates efforts whenever possible.

This critical shift holds vendors with access to sensitive member data to the same standards as credit unions. Smaller credit unions are even more impacted: they are often priced out of the latest, most robust security products and are most reliant on technology vendors for preventing and fighting against cyber threats. Size has no bearing on how deeply credit unions bleed for and care about their members; it should not be the determining factor in how well credit unions can safeguard their members.

Credit unions are working tirelessly to protect our members’ data, but we need all parties involved in the payments system to be working in concert with us. Our efforts only extend so far if consumers are then left vulnerable at the point-of-sale.

Collaboration

We have much to learn through sharing information on all threats affecting the security landscape. The Cybersecurity and Infrastructure Security Agency (CISA), Homeland Security and the Financial Services Information Sharing and Analysis Center are disseminating threat information effectively and efficiently. Webinars, conferences and summits where CISA and Homeland Security are often guest speakers provide reassurance that the government is standing with financial institutions in our battle to combat malicious actors.

We’ve been especially appreciative of CISA’s free automated network scanning tool. While larger credit unions utilize the tool as a complement to their existing security systems, for a smaller credit union this tool may be its only security option. Accessible services are desperately needed to help ensure all credit unions stiffen their security frameworks.

We owe it to our members and our industry to push for more of this collaboration with government leaders.

Training

The two greatest factors credit unions face in ensuring member data is protected from malicious actors are people and technology. Massive staffing shortages in the financial services industry exacerbate the need for skilled security professionals who can manage the sophisticated tools needed to stand a chance. While the security industry works to address this shortage through increased access to security training at all educational levels, the gap is wide.

Technology’s constantly evolving nature all but guarantees the improvements and changes to mitigation tactics will be met in equal measure by malicious actors. Security tools are improving, allowing for better detection to address vulnerabilities, but a focus by software developers on security in the early stages of the development lifecycle could ensure most vulnerabilities are caught before the product goes live. This is needed from both a software standpoint and an infrastructure standpoint (the vendors that host or have access to our data).

American data is in danger in a constantly evolving ecosystem. Just recently, the largest threats were malware, viruses and malicious executables inserted into a company’s network. Today, we’re combatting ransomware, social engineering and supply chain attacks. Tomorrow will see deep fake technology, quantum processing, and yet-unknown hardware and software vulnerabilities.

Our regulatory bodies and governing agencies are poised to shift the tide of cybersecurity threats and its future. Credit unions were built on the simple but powerful idea that pooling our resources and providing loans to those around us betters us all. We need to foster this same spirit of cooperation across all parties involved in cybersecurity – government, CUSOs, third-party vendors – as we all have an important role to play in ensuring consumer data is protected. Together, we can be a force to be reckoned with.

Chris Myklebust, Chief Transformation Officer, and Carlos Vazquez, Chief Information Security Officer, Canvas Credit Union, Lone Tree, Colo.