NAFCU CEO Conference Coverage: Have You Been Breached? Don’t Be So Sure

KEY WEST, Fla.–Credit union leaders here were given a “practical checklist” to follow when it comes to addressing cybersecurity. As one expert made clear here, even those CUs confident they have vulnerabilities locked down really can’t be sure.

Steve Soukup

Speaking to NAFCU’s CEOs and Senior Executives Conference here, Steve Soukup, chief revenue officer with DefenseStorm, asked for a show of hands from the credit unions on hand that had been breached. No hands were raised, but as he made clear a bit later, how could anyone really know? He then defined the term as “any release of sensitive, protected or confidential information to an untrusted environment,” caused by both internal and external players.

The big hurt is on when it comes to breaches for community financial institutions, according to Soukup. He said breaches were up 50% during 2018, there is a three-million-person shortfall between the supply of credentialed cybertalent and the demand for cybertalent, and cybersecurity is a number-one regulatory focus. “I think the regulators are going to get more and more prescriptive in their guidance,” said Soukup.

Cyberthreat Challenge to Credit Unions

For the companies on the DefenseStorm platform, there are an average of 20 million cyber-events per day per financial institution. Some 200,000 cyber-alerts are issued per FI per day (which leads to “alert fatigue,” he said).

“Each credit union is unique, but all are a high-value target,” said Soukup. “You hold two pieces of member gold: your member data and your members’ money.”

The result: the odds of being breached are one-in-four, according to Soukup, citing IBM data. He noted JPMorgan Chase spends $600 million annually on cybersecurity, and it was hit with the eighth-largest breach among FIs. “We hear a lot, ‘I don’t think it will happen to me.’ The trendlines are headed that way,” he said.

Referring to the earlier show of hands asking who had been breached, he noted the average time between the breach and discovery of the breach is 191 days, with 66 more days to resolve. “Are we really safe? How do we know?” he asked.

Soukup pointed out that while many credit unions have multiple IT people in place, less than 7% of IT staff say they are actually focused on cybersecurity.

Where are breaches primarily coming from? Seventy-three percent come from outside an organization, and most of that is hacking (not malware), with the primary motivation being financial, according to Soukup.

Controls

Soukup put forth this simple executive framework for questions to ask:

  • Are we doing the right things?
  • Are we doing the right things right?
  • How can we prove that we are doing the right things right?

“Start thinking about some KPIs you can give your board. They often don’t know the things to ask.”

The good news, said Soukup, is the FFIEC and other regulatory organizations offer a number of good guidelines for addressing cyber risk and establishing a baseline. “What’s really critical is how do you assess your cybersecurity preparedness. How do you do table top exercises? How do you do cyber stress-tests? How do you make sure all the right people do all the right things?”

NCUA offers ACET for ongoing assessment and improvement, but Soukup stressed the key is not to think of this as a moment in time but as something to be used on an ongoing basis.

ACET looks at inherent risk and maturity risk, identifies gaps in alignment, determines desired state of maturity, implements plans to attain and sustain maturity, and then calls for reevaluation.

Board Role

What is the role of a board in all this cybersecurity? Most in the audience agreed their boards are really uncertain what to do, and are asking questions only because they are supposed to but are unsure what questions to ask. According to Soukup, the board should be asking questions that:

  • Help establish vision, risk appetite, and strategic direction
  • Review management and third party analysis of maturity level
  • Review findings regarding how cybersecurity preparedness aligns with risks
  • Review and approve plans to address risk management and control weaknesses
  • Review the results of management’s ongoing monitoring of exposure to and preparedness for cyber threats

Soukup said the three basic policies and controls to have in place include:

  • Information security policy
  • Business continuity plan
  • Incident response plan

About half of the audience said they have all three in place.

A Big Question

A big question is how to know whether the credit union’s policies are being adhered to. The best policies and controls in the world mean a gap if they are not adhered to, said Soukup. One way to find out is to conduct tests, such as phishing exercises, to get a measure. He advised including everyone in the testing and practicing to “make it real.”

On several occasions during his remarks, Soukup stressed defining the Incident Response Team inside the credit union. Those teams must prepare, identify, gather evidence, contain, eradicate, recover, and follow up.

Other Points Made

Other points raised by Soukup included:

  • Vulnerability Assessments. “Your credit union and bad actor skills and methods are continuously changing. You need to do this frequently and you need to change the way you do it. Break the cycle and get a different perspective.”
  • In terms of what to look for, Soukup said metrics should be based on an industry-specific framework. Things to look out for include any assumption that a “fat report is better” and endless lists of vulnerabilities from a third-party analysis.
  • When it comes to penetration testing, he said one of the things to think about is striking a balance on how much depth of penetration the credit union is willing to tolerate.
  • Soukup told credit unions, “You can’t be cybersecure without being cybercompliant. Credit unions are held to a higher regulatory standard. Understand the baseline and strive for excellence.”

Action Plan

Finally, Soukup, who observed “people are the weakest link and the strongest defense,” offered an action plan for every credit union to follow, including:

  • Educate and test your team
  • Ensure policies around email usage and attachments, as well as web usage
  • Have email filters in place
  • Have web filtering, anti-virus and malware controls in place
  • Ensure training is ongoing and formal, pop quizzes are involved, and stress-test drills take place
Copyright Holder: CUToday.info
Copyright Year: 2026