Thinking Beyond Cybersecurity to Safeguard Member Data

While cybersecurity is critical, CUs shouldn’t neglect the threat of schemes that originate outside of the internet, experts say.


Much has changed in recent decades in terms of how credit unions protect member assets and determine the legitimacy of transactions. David Green, president/CEO of 1st Northern California Credit Union (1st Nor Cal), recollected that when he first joined 1st Nor Cal as SVP/CFO in May 1992, branch staff usually recognized members as they walked in and did not ask them to produce identification. About six months later, the credit union began requiring photo ID for in-branch transactions, much to members’ dismay. “I come in every week – how can you not know who I am?” Green recalled members saying in objection to the new rule.

Fast forward to 2023, and members are accustomed to the scrutiny required to ensure they are who they say they are. But despite the many security controls credit unions have in place, threats remain. So, how should credit union leaders be thinking about cybersecurity and fraud now, and what types of attacks are most likely to slip through the cracks?


Jim Van Dyke, SVP of innovation for identity security company Sontiq, a TransUnion company, has been warning credit unions that their likelihood of being the second victim in what he calls a two-part crime is high. Part one entails fraudsters getting their hands on consumers’ personal data – often by hacking an organization within the health care or K-12 education sector, both of which are considered “soft” targets – and in part two, fraudsters misuse that data by committing identity fraud at a regulated financial institution, by, for example, attempting to open a new credit or deposit account or transfer funds via a P2P payment network, Van Dyke explained.

“Credit unions should mostly be concerned about crime number two, which is what to do once the breach has happened, because as regulated financial institutions, they’re probably doing everything they can about crime number one, and the data that’s likely to be breached or hacked from a third-party attack is out of their control,” he said. “So the new trend that credit unions need to be concerned with is not so much for the CISO – the chief information security officer or the person securing the data – it’s the person stopping the fraud that needs to pay attention.”

The person in charge of stopping the fraud should, first, watch the news for breaches of local organizations that may have exposed personal information belonging to people within the credit union’s field of membership, as that could lead to an uptick in fraudulent transaction attempts at the credit union. Second, they should clearly communicate with members about any local breaches that take place and the next steps they should take, because contrary to what some fraud professionals believe, members are passionate about protecting their identities, Van Dyke said.

“People are intelligently able to act on recommendations that treat them as being motivated and capable, but they need the communications to be specific,” he noted.


Green acknowledged that 1st Nor Cal ($861 million, Martinez, Calif.) is susceptible to the type of fraud Van Dyke has been sounding the alarm about, with fraudsters typically stealing Social Security numbers and other personally identifiable information from commonly targeted organizations such as government agencies, then sitting on it for a period of time. “And when nobody’s looking, that’s when they start opening up fraudulent accounts,” Green said.

Green also shared a story about a recent incident that indicated fraudsters don’t always use the internet to carry out the entirety of their schemes. 1st Nor Cal rents a local post office box for its supervisory committee, which often receives returned mail containing private member information. Last year, criminals broke into the post office on a weekend and stole the supervisory committee’s pile of mail, which had been sitting in a bin instead of locked inside a box. Concerned that they may be using the member information to initiate fraudulent transactions, the credit union monitored its debit and credit activity reports, but thankfully did not find anything out of the ordinary. It also began requiring the post office to hold the credit union’s mail in a secure location going forward.

Green said 1st Nor Cal has not experienced any direct breaches or ransomware demands, and that it credits much of its strong cybersecurity posture to core processing and fintech services provider Jack Henry, with which the credit union formed a partnership approximately five years ago after an NCUA examiner pointed out weaknesses in its existing system. The Monett, Mo.-based Jack Henry now hosts all of the credit union’s servers and provides it with information security expertise through its Gladiator service.

Green said the Gladiator service has been especially helpful because it’s eliminated the credit union’s need to bring on an information security officer – something the credit union’s NCUA examiner instructed it to do. “Being in the San Francisco Bay Area, we’re competing not only with big banks and credit unions [for talent], but with Apple, Google, Amazon and Facebook,” Green said. “If I’m an ISO expert out of Stanford and looking for a job, am I going to apply to 1st Nor Cal Credit Union? I don’t think so, and we certainly couldn’t afford to hire someone like that. So Gladiator/Jack Henry is our virtual ISO, and they make sure that we are in compliance with the FFIEC guidelines. We go over all the steps we need to take to make sure we’re looking at the right things, and then we hold them accountable for the things they need to do, so it’s been a very good partnership.”


Credit union leaders may be laser-focused on cybersecurity, but because not all crimes begin with a data breach, they would be better served to view cybersecurity as just one component of a comprehensive security strategy, according to Alan W. Ropes, president/CEO of the information security CUSO VyFi. “At the end of the day, credit unions are expected to protect sensitive member information, or personally identifiable information,” he said. “That information can be verbalized, written on a piece of paper or digitized, so it comes in a lot of forms. They are expected to protect it regardless of what medium it’s in.”

Ropes continued, “A business continuity plan, for example, shouldn’t just address cyber incidents, it should address failure of the credit union to be able to deliver services to the member, for whatever reason. It could be cyber, it could be geographical, it could be geopolitical, it could be weather-related. So I worry when people think ‘cyber,’ that they categorize it as something that’s different from the rest, and to me it’s a continuum.”

The Merritt Island, Fla.-based VyFi was unveiled as a CUSO in November 2022 after the Clearwater, Fla.-based Security Compliance Associates (SCA) sold its financial services division to Redzone Protects, a company for which Launch Credit Union was an original investor, in late 2021, creating Redzone Protects/SCA, LLC. The $1.3 billion Launch, also based in Merritt Island, then purchased Redzone Protects/SCA, LLC outright and renamed it VyFi.

VyFi inherited approximately 170 of the existing company’s credit union clients and has since gained close to 20 new ones. The CUSO’s services, which are focused on helping credit unions meet information security compliance and assessment mandates from the NCUA and state regulatory agencies, include professional information security assessments, regulatory compliance advisory services, and assisting in the areas of governance and oversight. “When people ask for my really quick elevator pitch, I tell them we’re an auditor. We don’t fix what we find, we advise the credit union of whatever was found during the assessment, good or bad,” Ropes noted.

However, Ropes did share a few high-level security recommendations – “fixes,” if you will – with CU Times. First, credit unions must ask their employees to follow specific rules or guidelines, such as restrictions around cell phone use in the office, and inform them of the consequences if they were to break those rules. “You manage, and I say this nicely, you manage through fear and the consequences associated with not following the rules,” he said.

Second, strive to infuse good security hygiene into the fabric of your credit union’s culture through education. When it comes to employee security education, it’s important to offer variety, let employees know what to expect and provide it on an ongoing basis, he said. Finally, Ropes said a credit union’s security response should match the institution’s size and what it can afford. “Do what’s appropriate for you – you’re not protecting Fort Knox. In the security world, sometimes you do the best you can, and that’s not settling, that’s being realistic. You have limited resources including people and funds. Make sure you have compensating controls and that you remain vigilant. If you’re doing most of the things you should be doing, following advice and performing assessments, you’re probably going to be in pretty good shape.”