ARLINGTON, Va.—The Credit Union Cyber Security Symposium got underway here with attendees hearing from security experts who shared plans and strategies for credit unions to protect themselves before and after a data breach occurs. The two-day event is being hosted by NASCUS in partnership with CUNA.
Ian harper, former Pentagon FCU CIO, told the 100-plus in attendance at the Hyatt that today FIs live “in the breach.”
Pointing to the sharp rise in data breaches that FIs, and now consumers, are well aware of, Harper explained that the cyber-threats are shifting toward web app attacks and cyber espionage.
He advised credit unions to:
- Establish a strong working relationship with the FBI field office,
- Work with the board of directors to educate them on issues surrounding cyber-crime and the importance of data security,
- Make breach preparedness a C-level priority,
- Demand third-party compliance and contractual performance,
- And support political/legislative development of a rational legal framework for notification and cost recovery.
Randy Gainer, from the law firm of BakerHostetler in Seattle, addressed legal risk facing CUs as a result of data breaches and how to protect the organization.
Gainer noted that NCUA requires each CU identify reasonably foreseeable internal and
external threats; assess the likelihood and potential damage of these threats; and assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.
“Credit unions should have risk assessment performed by outside experts who can look over their policies and procedures and do a technical assessment of their network to make sure they don’t have software vulnerabilities that can be exploited,” Gainer told CUToday.info.
Gainer said the CU must have a plan for how to contain a breach if it happens, and then how to quickly respond to members and the media. Gainer told CUToday.info that the speed at which data breaches make news today after they happen demands that organizations have a prepared statement ready to share with the press.
He also advised that CUs should work with PR and crisis management firms before a breach occurs.
In one of the day’s final sessions, Paul Reymann, from McGovern Smith Advisors in Washington, pointed out that risks associated with payments are growing due to the reach payments have within the organization today.
“Payments have always been a core competency of credit unions,” Reymann told CUToday.info. “But if you look at their other core competencies—lending, deposits, investments—all those today are related to payments.”
Related links
NASCUS CU Cyber Security Symposium