A Direct Line Blog

Hope for the Best, Prepare for the Worst

January 17, 2024 7:30 am

By Donya Parrish, MCU VP - Risk Management

As a financial institution, your credit union has something hackers and cyber criminals want — members’ personal financial information. Your only option is to be aggressive and proactive in protecting it; putting your head in the sand in this area can harm the whole financial system’s reputation. So what do you do, especially when you have limited staff and budget to fight it?

This article provides a snapshot of our current situation and how phishing continues to be an effective way around strong and expensive systems. It points out that “phishing is so effective for cybercriminals — because it exploits human weaknesses, not technology.” Training for all employees should be a bare minimum of your cyber policy. The methods are sophisticated and evolve regularly, so a one-and-done training may not be sufficient.

The Federal Reserve System Ask the Fed session on February 14, Insights with the Cybersecurity Infrastructure Security Agency (CISA), is one upcoming opportunity to share with your IT team. The invitation notes that cybersecurity “is a top risk facing the banking sector and remains a challenging environment due to sophisticated bad actors, persistent vulnerabilities, third-party reliance, and an evolving threat landscape.”

The NCUA has some great materials on its website to assist you or your IT provider with assessing your vulnerabilities and addressing weaknesses. You can also use the agency’s quick reference guide for reporting any cyber incident or breach to the agency within 72 hours under its new (September 1, 2023) rule. As many Montana credit unions were recently reminded, third-party vendors also pose a risk, so you should review the agreements you have in place with any vendors with which you share sensitive member data, and have a plan should a compromise occur.

It would be much easier to wait until something happens to react, but the risk is just too great. As board members, you should get an annual review of the credit union’s Security Policy under NCUA Part 748. We can’t be paralyzed by the fear that a breach of some sort is coming, so taking the time to plan and feel confident you are as ready as you can be is a much stronger approach.
