Our weekly blog addresses issues and topics of interest for Montana credit union board members.
Like many credit union issues, the tone and culture for cybersecurity need to start at the top. Experts and practitioners strongly suggest that cybersecurity be treated as a boardroom issue, but measures should be taken to keep the conversation open within the organization to get feedback and make it possible for all staff to share what is going on and what they feel are best practices.
Small businesses and financial institutions are targeted because they are generally not using up-to-date operating systems, nor are they choosing (and regularly changing) strong passwords for administrative access to their servers. In addition, we often think hackers are responsible for all cyber attacks, but the truth is that employee negligence or theft is a major contributing factor and accounts for more than one-third of the reported losses. This news, along with a continued examiner focus on readiness and a recently released assessment tool, should be a wake-up call to all credit union boards.
Cybersecurity 101: A Resource Guide for Bank Executives from the Conference of State Bank Supervisors (CSBS) notes that “The rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank’s cybersecurity risk is not simply an IT issue, but a CEO and board of directors issue…. To adequately deal with the persistent threat of cyber-attacks, financial institutions and bank regulators must come together, collaborate, identify potential weaknesses, and share industry standards and best practices.”
I know the idea of where to start is pretty daunting. In fact, just the word “cybersecurity” makes my eyes roll back in my head. How does a non-IT person understand, and trust, the program your credit union has in place? As a board, a great first step is to make sure you talk about the topic at your meetings. You could also name a committee that regularly reports back to your board on cybersecurity at your credit union.
And, it’s critical to ask questions. If you don’t understand the overview being given, ask the speaker to tone down the tech-talk and clarify the points you find confusing. To take the appropriate role in oversight, you need to know what response is planned, what the results of the assessment were, and how any cybersecurity plan will evolve as your credit union (or technology) changes.
Miguel de Cervantes is credited with saying “To be prepared is half the victory.” Nothing could be truer in cybersecurity. Making it a priority to be informed will help keep the topic front and center at your credit union.
Here are some additional resources to assist in your responsibility