BOSTON–A new report from a cybersecurity firm based on a sample of credit unions and vendors offers a “B” grade for their state of security, meaning “cyber breaches would require the skills of persistent, highly experienced hackers.”
The cybersecurity vulnerabilities among credit unions and vendors are detailed in the 2021 Third-Party Risk Pulse: Credit Unions and Vendor Ecosystems report released by Black Kite today.
According to the company, it reviewed 250 NCUSIF-insured credit unions and 150 commonly used vendors.
“Most credit unions and vendors experienced leaked employee credentials, employed poor software patch management practices, and used insecure email networks,” Black Kite said in releasing its report. “These vulnerabilities create the opportunity for significant financial impacts if credit unions are attacked directly or via a third-party that has access to credit union networks.”
According to Black Kite, direct attacks on credit unions have resulted in estimated annual financial risks ranging from $190,000 for small credit unions to more than $1.2 million for large credit unions. Potential third-party attacks through credit union vendors pose a higher financial risk, the company said.
Additional Costs & Exposure
In addition, Black Kite said its researchers calculated the financial impact of an attack on just one vendor could exceed $1 million for large credit unions and $300,000 for small credit unions. To understand the magnitude of the risk, that figure should be multiplied across all the vendors the average credit union uses, Black Kite said.
“Credit unions are entrusted with the livelihoods of their members. With great trust comes great responsibility to mitigate cybersecurity vulnerabilities, whether they are internal or via a third-party,” said Bob Maley, chief security officer of Black Kite, in a statement. “It is clear that the financial impact of cyber vulnerabilities for both credit unions and their vendors is significant, and resources need to be targeted to protect members and address the most-costly areas of risk.”
The Vulnerabilities
Among the vulnerabilities Black Kite said it discovered was at least one new leaked employee credential on the Dark Web for 86% of the credit unions examined and 76% of the vendors. Leaked credentials are used to deploy ransomware and other sophisticated cyber-attacks, the company noted.
In addition, 48% of those credit unions and 58% of the vendors may have critical vulnerabilities due to out-of-date systems and network software that has not been updated and patched.
The report can be found here.
