There has been a stark uptick in cybercrime against credit unions and their third-party service providers, which often hold a treasure trove of confidential and personally identifiable member information. The paramount importance of mitigating cyber risk for credit unions is reflected in the NCUA’s recent regulatory activity, including its information security examination program, its risk assessment tools and its cyber incident notification requirements. Between September 2023 and May 2024, credit unions reported 892 cyber incidents to the NCUA, and 73% of those incidents were “related to the use or involvement of a third party.”
Proactive preparation can be the difference between a minor interruption and a catastrophic cyber event. Here are four steps your credit union can take in the New Year to effectively plan and prepare for a cyber event – whether suffered by your own organization or a trusted third-party vendor your organization uses.
1. Review and Update Your Incident Response Plan
While federal regulations require credit unions to maintain up-to-date security response programs, when was the last time your incident response plan was truly reviewed for accuracy against your current IT environment? Practically speaking, if a cyber incident takes down your IT systems, do you have an offline copy of your incident response plan? In the first minutes of an incident, use “out of band” communication: your executive and IT leadership must be able to discuss the incident over a channel the attacker cannot read. Company email, which may itself be compromised by the threat actor, is no longer a guaranteed secure means of communicating.
Do you know how to reach your executive leadership team and your outside cybersecurity vendors “out of band”? At a minimum, this means having after-hours cell phone numbers on hand to use until a secure, encrypted messaging platform can be stood up.
Another best practice is to contact outside cybersecurity legal counsel at the outset of an incident, so that counsel can cloak the response communications in privilege from the start.
2. Review Your Cyber Insurance
When buying cyber insurance, a credit union is often given a declarations page that summarizes the coverage. That summary does not capture every policy nuance, so it is important to request a specimen policy or a full copy of the policy as bound. If you carry a bond, the same considerations apply.
Cyber insurance will often cover the response to a cybersecurity incident, including the legal, forensic and crisis communications/media relations professionals who support your recovery. To tap into this coverage, however, the carrier typically requires that you use vendors from its pre-approved menu or “panel.” If your IT department has a trusted third-party vendor that it calls in to begin remediating your environment after a cyber event, contracting with that vendor without the carrier’s pre-approval can jeopardize your coverage. The best practice is either to obtain the carrier’s preauthorization for every vendor you wish to engage or to use only vendors already on the carrier’s panel.
3. Expedite Cybersecurity Updates
Is your credit union replacing a legacy system that is no longer supported? Is IT in the middle of rolling out protections such as multi-factor authentication or email filtering? Swift security rollouts are imperative to mitigating cyber risk. Kicking the can down the road on a critical system update because of budgetary concerns can expose your credit union to severe cyber risk. If your credit union is operating systems that your IT department describes as “legacy” or “no longer supported,” make sure that risk is mitigated quickly. When the root cause of a cyber incident is discovered, these out-of-date systems are often the culprit.
4. Manage Access and Data
One way to mitigate cyber risk is to strictly limit access to sensitive member data, especially the large repositories that hold it in bulk. Similarly, inventory your privileged user accounts and determine whether each of those “super users” is truly required in your environment; removing the ones that are not is an easy way to reduce your attack surface.
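The privileged-account review described above can be made repeatable rather than a once-a-year conversation. The script below is an added example, not code from the article or its authors; it runs over a constructed, flattened account export (field names, group names, the 90-day inactivity threshold and the fixed review date are all assumptions for illustration) and flags privileged accounts that are inactive, have no named owner or documented justification, or have accumulated more than one privileged role.

```python
"""Privileged-account review over a constructed account export.

Added example, not from the article. Assumes a flat export of account
records such as a directory or IAM tool might produce; the field names,
group names, 90-day threshold and review date are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data standing in for a directory/IAM export.
ACCOUNT_EXPORT = [
    {"user": "jdoe", "groups": ["Domain Admins", "Staff"],
     "last_logon": "2024-12-20", "owner": "J. Doe",
     "justification": "AD administration"},
    {"user": "svc_backup", "groups": ["Domain Admins"],
     "last_logon": "2024-12-28", "owner": "", "justification": ""},
    {"user": "msmith", "groups": ["Core Banking Admins", "Staff"],
     "last_logon": "2024-06-01", "owner": "M. Smith",
     "justification": "Legacy core migration (ended)"},
    {"user": "analyst1", "groups": ["Staff", "Member Data Readers"],
     "last_logon": "2024-12-30", "owner": "A. Lee",
     "justification": "Member servicing"},
    {"user": "old_it", "groups": ["Domain Admins", "Core Banking Admins"],
     "last_logon": "2023-09-15", "owner": "", "justification": ""},
]

# Assumed names of the groups that confer "super user" rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Core Banking Admins"}
INACTIVITY_DAYS = 90
# Fixed so the example is reproducible; use date.today() in practice.
REVIEW_DATE = date(2025, 1, 2)


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def privileged_users(export):
    """Sorted list of accounts holding at least one privileged group."""
    return sorted(a["user"] for a in export
                  if PRIVILEGED_GROUPS & set(a["groups"]))


def review_privileged_accounts(export, review_date=REVIEW_DATE):
    """Return one Finding per policy violation on a privileged account."""
    findings = []
    for acct in export:
        priv = PRIVILEGED_GROUPS & set(acct["groups"])
        if not priv:
            continue  # ordinary account: out of scope for this review
        idle = review_date - date.fromisoformat(acct["last_logon"])
        if idle > timedelta(days=INACTIVITY_DAYS):
            findings.append(Finding(
                acct["user"], f"privileged but inactive for {idle.days} days"))
        if not acct["owner"] or not acct["justification"]:
            findings.append(Finding(
                acct["user"], "privileged with no named owner or justification"))
        if len(priv) > 1:
            findings.append(Finding(
                acct["user"], "holds multiple privileged roles: "
                + ", ".join(sorted(priv))))
    return findings


if __name__ == "__main__":
    print("Privileged accounts:", privileged_users(ACCOUNT_EXPORT))
    for f in review_privileged_accounts(ACCOUNT_EXPORT):
        print(f"{f.user}: {f.reason}")
```

On the constructed data, `jdoe` passes every check, while `svc_backup` (no owner), `msmith` (215 days idle, justification for a completed project) and `old_it` (idle, unowned and holding two privileged roles) are flagged. Each flagged account is a candidate for removal from the privileged group rather than simply disabling, so the attack surface shrinks even if the account is later re-enabled.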
Credit unions that take time to anticipate the inevitable cyber incident can start the New Year with confidence that their organizations can weather the storm. An ounce of prevention is always worth a pound of cure.
Beth Burgin Waller is a Principal and Chair of the Cybersecurity & Data Privacy practice at the law firm Woods Rogers in Roanoke, Va.
Ross Broudy is an Associate in the Woods Rogers Cybersecurity & Data Privacy practice group.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.