The unthinkable has happened. Your credit union is hit by a ransomware attack, forcing you to shut down banking services until you can recover. As soon as members learn what’s happening, they’ll be concerned – some may even freak out. They’ll certainly have a lot of questions. That’s why you’ve thought this through, even gamed it out. The reality is that a cybersecurity incident is actually not unthinkable at all. The right communications will calm your members. A recent incident reminds us of best practices credit unions can follow.
In the wake of the ransomware attack that forced Patelco Credit Union offline for more than a week, we’ve been studying their member communications to identify strategies that can be used by credit unions and other financial institutions. Many of the lessons learned can be implemented today as you build your playbook for rapid incident response.
Best practices for cyber incident communications
With post-incident member communications detailed in your cybersecurity plan, you’re able to react without delay so members, regulators, and the community know that you’re ahead of the issue. Despite how disruptive ransomware can be, good communication helps preserve trust while eliciting patience and empathy. The Patelco credit union response demonstrates key best practices:
Get information out right away – You won’t know the full extent of the incident the moment it’s discovered. You must resist the temptation to “wait until we know more” before sending a press release and notifying members. Patelco posted a five sentence statement on day one, and added more details in subsequent messages. While the NCUA allows 72 hours for notification, an immediate message – even if it’s incomplete – will do a lot to tamp down member concerns and take pressure off front line employees. Commit to providing additional information when it’s available, at least once per day as long as systems are impacted.
Use honest, plain language – Don’t be defensive or overly technical. If your communications show empathy for how members are being impacted, members will have empathy for what you’re going through. This statement by Patelco is a good example: “Unfortunately, we are unable to provide an ETA on when those systems will be running as expected. We know this news is concerning, and we are committed to keeping you informed as our investigation continues.”
Don’t assume members understand what you know – You live and breathe cybersecurity, and ransomware has been all over the news. Still, it helps to explain the situation in order to alleviate unnecessary speculation. After Patelco confirmed that the incident was a ransomware attack, they included an explanatory sentence in their messaging: “This is a type of cyber-attack where a hacker illegally enters a company’s network, blocks access to some parts, then demands a ransom to resolve the damage they’ve done.”
Drive inquiries to your website – Stand up a landing page immediately and begin populating it with the information members and the press will be asking about. The Patelco landing page provides a good template to emulate. It includes a letter from the president that’s updated daily; an overview of the situation; a chart listing services and their availability status; and FAQs. Website visitors are directed to the landing page with an urgent banner on the top every page of the site. There’s no reason to put off building your incident response landing page. Create it in advance so you can turn it on as soon as it’s needed.
Tell members what you know and admit what you don’t – Members understand that, like a natural disaster, a cybersecurity incident is a dynamic situation. Commit to giving them information as soon as it’s known, and don’t over promise. Patelco knew members would be concerned about their personal information and included this FAQ: “Is my information impacted as a result of this incident? A: The investigation into the nature and scope of the incident is ongoing. If the investigation determines that individuals’ information is involved as a result of this incident, we will of course notify those individuals and provide resources to help protect their information in accordance with applicable laws.”
Make sure members are aware of what’s safe and what’s not – Members will come to their own conclusions when they find out that their financial institution has been attacked. This can lead them to do things they might normally avoid, like answering a call from someone who claims to represent their credit union. Patelco made sure members knew it was safe to use ATMs and credit cards, but warned them not to give out personal information if someone contacts them.
Reassure members that problems will be fixed – Blocked from accessing their credit union accounts for a week or so, members will naturally begin to worry about bills, direct deposits, and automatic payments. Patelco made a commitment that they would waive or reimburse fees and even help members correct their credit reports if necessary. This reassurance probably helped keep call center queue times from completely exploding.
SIEM for mid-sized businesses
5 ways Blumira supports incident communications
By making the unthinkable thinkable, you put reality-based plans in place to prevent, detect, and respond to cyberthreats. The Blumira SIEM + XDR platform monitors your systems 24/7, and features automated threat blocking that will isolate intruders in order to prevent ransomware.
Here’s how Blumira supports post-incident member communications:
Faster detection – Blumira detects and identifies threats in minutes rather than days. This allows you to get information out to members faster, and comply with the 72-hour NCUA notification requirement.
Automated threat blocking – Blumira automatically isolates priority threats, minimizing the reach of the intruder as well as their opportunity to cause damage. This allows you to get word out that the threat is contained while your team works to mitigate the incident.
Activity log archives – Blumira offers unlimited data retention. Activity logs are essential to post-incident forensics. A better understanding of the incident gives you information your communications team will need to reassure members and let them know what to expect.
Playbooks – Every detection on the Blumira platform comes with a step-by-step playbook so users can take immediate action. These playbooks can also provide information that will help inform member communications.
Expert support – Blumira customers have access to 24/7 support from a Security Operations team that will help with threat investigation and resolution, and Incident Detection Engineers who are proactively identifying new threats and attack methods. Your communications can reassure members that you’re working side-by-side with cybersecurity experts.
Cybersecurity detection and response is vital to financial institutions, and Blumira has been serving credit unions from the start. Customers who use the Blumira platform are able to provide better communications, faster, to members in the case of a cyberattack.
Ready to see how Blumira can protect your organization? Try Blumira XDR free for 30 days or use our Free SIEM with three cloud integrations and 14 days of data retention forever. Sign up to start protecting your organization in minutes.
