Big banks score all the splashy headlines in the U.S. — both positive and negative. Yet credit unions continue to thrive, often under the radar. As more traditional banks fail or merge into behemoth institutions, many consumers prefer non-profit credit unions’ benefits: member ownership, community involvement, and re-investment in their customers (i.e., owners).
Despite the many headwinds this industry has faced (from the Great Recession to the COVID pandemic to ultra-low interest rates), credit unions — particularly those with around $250 million under management — have outperformed the financial industry at large in terms of assets, loans, and member growth.
In a recent survey of U.S. consumers, nearly 70 percent of credit union customers cited trust as the number one factor in banking decisions. A big part of ensuring credit unions maintain the hard-won trust of their members is investing in strong security and privacy practices.
This has also become a regulatory necessity: the National Credit Union Administration (NCUA) now requires every federally insured credit union to notify the NCUA as soon as possible, and no later than 72 hours after the credit union reasonably believes a reportable cyber incident has occurred. Note that the clock starts at reasonable belief, not at confirmation. For any lean financial services business, that would be a tight turnaround for a standard lending document, let alone a formal incident report.
So, how can credit unions maintain customer trust and stay compliant with new regulations and standards like these (which are rapidly proliferating)?
In short, credit unions must adopt robust cybersecurity strategies and appropriate technologies, starting with tools that detect breaches quickly enough to meet disclosure timelines.
Beyond detection, credit unions should also improve and streamline their protection and threat response processes. Tightening security across the board is what lets a credit union meet regulatory requirements and keep the trust of its members.
While the above may sound straightforward on paper, any credit union IT or security team knows first-hand how challenging it can be to meet stringent requirements without overstretching teams or investing in security tools that are too expensive and difficult to maintain.
Thankfully, the cybersecurity industry has come a long way in recent years. Credit unions and other lean institutions have more choices than ever regarding tools, services, pre-defined frameworks, and other security solutions. Having a massive IT and security team in-house is no longer necessary to “do the right thing.”
In fact, credit unions can now address common cybersecurity challenges not just reactively (as in the case of quickly reporting breaches) but proactively. They can now detect signs of a potential breach or threat earlier, address it faster and more easily, and often avoid the consequences of breaches altogether.
Ready to learn how to enact proactive security policies that prevent breaches from happening, avoid financial and reputational damage, and reduce resource strain?
Below, we’ll share five of the most common security and compliance challenges credit unions face today, paired with strategies to overcome them without unnecessary resource spending or IT complexity.
As with any major initiative, knowing where to start addressing new regulations can often be daunting. It doesn’t help that the Credit Union National Association (CUNA) reports a significant lack of qualified cybersecurity talent within the credit union industry — unfortunately, no surprise given the massive talent shortage in cybersecurity generally.
Because credit unions’ IT teams are often leaner and more resource-strapped than massive conglomerate banking institutions, it can be challenging to know where to start to build a strong compliance and security posture.
The NCUA points to the NIST Cybersecurity Framework and the CIS Critical Security Controls as solid foundations for an effective cybersecurity program in financial services.
The CIS Controls are a prioritized set of safeguards. Helpfully, CIS groups them into Implementation Groups (IG1 through IG3) according to an organization’s size, resources, and risk profile, so a small team is not handed the same list as a global bank.
Most credit unions should zero in on IG1, the baseline group intended for organizations with limited security staff and expertise. For IG1, CIS suggests:
The NIST Cybersecurity Framework is more general: it describes the outcomes a program should achieve across its core functions (identify, protect, detect, respond and recover, plus govern in version 2.0) rather than prescribing specific controls. It is still quite relevant here. Credit union IT teams can find information directly helpful to their goals in the following NIST publications:
Both NIST and CIS align with other reputable frameworks — in fact, they both mention each other. Birds of a feather…
Credit unions should ideally reference these resources in tandem when building their cybersecurity programs. This will help ensure a well-rounded program with minimal duplicative efforts.
Credit unions should also pay close attention to the Gramm-Leach-Bliley Act (GLBA). Its safeguards provisions speak directly to the obligation of financial institutions to protect customer financial data, and its privacy provisions govern how an institution must disclose its information-sharing practices to customers and honor their opt-out choices. For federally insured credit unions, the NCUA implements these requirements in 12 CFR Part 716 (privacy) and Appendix A to 12 CFR Part 748 (safeguarding member information).
Specifically, the GLBA requires that credit unions:
These frameworks are an excellent place to start.
As you’re likely well aware, meeting compliance requirements is not a “one-and-done” or “point in time” initiative. Credit unions must ensure their processes and tech stacks enable them to remain continuously compliant with regulations and security best practices.
A note: Migration to the cloud presents an additional challenge for some credit unions aiming to meet and maintain regulatory compliance requirements. Some credit unions have dozens of new cloud environments in play that they must monitor simultaneously, at times alongside legacy environments.
Maintaining compliance across complex, rapidly changing, often hybrid environments can seem dizzying… But don’t worry. This is one area where technology can offer a real leg up.
A lean security team can only handle so many hands-on tasks simultaneously (and it’s frankly not a good use of resources, anyway). That’s why it’s critical to implement technology that makes maintaining compliance more seamless and less manual.
Specifically, credit unions should leverage compliance-conscious security solutions that meet NCUA cybersecurity compliance standards, including:
Moreover, to maintain compliance with lean resources, credit union security teams need clear visibility across environments and as much automation as possible.
One way to achieve this is a security information and event management (SIEM) solution, which the NCUA recommends. IT and security teams know SIEMs as a category. The key for credit unions (and any business with resource constraints) is investing in tools, SIEM or otherwise, that are maintainable and sized to the team that has to run them.
A well-built SIEM centralizes log collection, real-time monitoring, and analysis, so security staff can spot potential compliance violations and security threats in one place. The caveat is tuning: a SIEM that ingests everything and alerts on everything produces alert fatigue rather than visibility. Correlation rules should be scoped to the credit union’s actual assets, the events its regulators expect it to retain, and the handful of attack patterns (credential misuse, data exfiltration, ransomware precursors) that matter most. Done that way, it supports both staying secure and upholding compliance.
In today’s interconnected yet decentralized digital world, protecting data and assets is not as simple as securing your own environments. Credit unions must also ensure that their partners, vendors, and any other third-party solutions meet the same compliance and security standards they are held to.
Yet NCUA Chairman Todd M. Harper has called the agency’s lack of examination authority over third-party vendors a "growing regulatory blind spot" for credit unions.
So how can credit unions that take security and compliance seriously mitigate potential risks third parties introduce?
You wouldn’t let just anyone into your home. You probably don’t even open the door without peering through the peephole first.
The same should go for business relationships, including those with vendors. Credit unions must establish robust vendor vetting and approval protocols to protect customers’ sensitive financial data as it moves across various systems and environments.
Some key elements to consider when establishing these protocols include:
Risk assessment. Credit unions should conduct a comprehensive risk assessment before engaging with any third-party vendor, or at least obtain proof that the vendor has recently undergone a reputable independent assessment (a current SOC 2 Type II report, for example). The rigor of the assessment should scale with the sensitivity of the data and systems in question and with the financial impact a breach at that vendor would have. If you’re hiring a vendor to hang a new sign on your building, a quick background check may be enough. If you’re implementing a new customer data platform, you will need to dig a lot deeper.
Still trying to figure out where to start? Credit unions can reference NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which covers identifying and mitigating third-party risk across the supply chain.
Contractual agreements. Credit unions should also establish contracts with vendors that state cybersecurity and data privacy expectations in clear, specific language. The contract should cover data protection requirements, incident response procedures, encryption standards, and the vendor’s responsibilities in case of a breach, including a notification deadline short enough that the credit union can still meet its own 72-hour NCUA reporting obligation. Enlist legal counsel to ensure all your i’s are dotted and t’s crossed.
Compliance verification. Again, as you well know, compliance is critical for credit unions and all financial services providers, and failing to meet regulations can bring hefty fines. As such, credit unions should ensure that every third party they work with also abides by the relevant rules. Verify that partners are regularly evaluated for compliance with industry-specific requirements, including NCUA’s 12 CFR Part 748 (a written security program, incident response, and safeguarding of member information), the consumer data protection mandates of the GLBA, and the privacy rules the NCUA implements under 12 CFR Part 716.
Exit strategies. Even with a robust vetting process, any organization can fall out of compliance. Sometimes, credit unions may need to terminate their relationship with a vendor for compliance reasons. In these cases, it’s crucial to have a clear exit strategy to minimize risk when closing out a relationship. This includes ensuring the safe return of all data and assets, shutting down access to all systems and services, and documenting any issues that could become relevant later. Just as companies must take care when offboarding employees to avoid potential blowback, credit unions must be just as judicious when ending vendor relationships as when beginning them.
Phishing is a common, widespread technique attackers use to gain access to sensitive information, inject malware or ransomware, steal money, and carry out other objectives. Credit unions and other financial services businesses are some of the most popular targets for phishing attacks. This is why IT and security teams at credit unions must institute measures to protect their organizations from phishing campaigns via email, SMS, and other vectors.
Phishing is a form of social engineering attack. Naturally, this means that educating employees and other users about signs of phishing and how to avoid falling victim must be an essential aspect of your strategy. However, phishing attacks morph constantly, so it’s impossible to prevent every errant click, even among your most tech-savvy employees.
That’s why credit union security teams should employ a three-pronged approach:
Filter emails. When it comes to phishing, the most effective control is keeping suspicious messages out of the inbox altogether. Credit unions should implement robust email filtering that identifies and blocks suspicious mail on arrival, detecting common phishing indicators such as spoofed or lookalike sender addresses, misspellings, unusual attachment types, and links whose visible text does not match their destination. Filtering works best on top of sender authentication: publish SPF and DKIM records for your own domains and enforce a DMARC reject policy, so that the most dangerous class of phish, mail that forges the credit union’s own domain, is rejected before any content heuristics run. Think of filters as a vaccine against phishing, a critical first line of defense.
Conduct regular phishing awareness training. Next, credit unions should conduct regular training sessions for all employees across all departments to educate them on the latest phishing tactics and trends. These training modules should include simulated phishing exercises mimicking real-world scenarios to help employees quickly recognize and respond to phishing attempts. It’s also important to periodically educate credit union members (i.e., customers) about phishing, as they can also become targets, and email filtering at the corporate level will not protect customers.
Establish a pathway to report suspected phishing. If a malicious email gets past filters (or comes in via another vector like SMS or collaboration tools) and an employee suspects something phishy, they need a clear and effective pathway to report it. Credit unions should have a simple, accessible plan so employees know how to report potential threats and IT/security teams know how to contain the incident quickly, notify other employees as needed, and prevent fallout.
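As an added illustration of the indicators in the first prong (this is example code written for this article, not the page’s or any vendor’s product), the following Python script scores a message on four of them: a lookalike or impersonating sender, a Reply-To that points elsewhere, risky attachment types, and link text that disagrees with the real destination. Misspelling detection is left out because it needs a wordlist. The trusted domain examplecu.org, the score thresholds, and both sample messages are constructed assumptions.

```python
# Added example (not from the page or any vendor): heuristic phishing triage
# for inbound mail. It scores the indicators named above that need no external
# data: lookalike or impersonating sender, mismatched Reply-To, risky
# attachment types, and link text that disagrees with the real href.
# TRUSTED_DOMAINS, the thresholds and both sample messages are assumptions.
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplecu.org"}  # assumed: the credit union's own domain
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm")
REVIEW_SCORE, BLOCK_SCORE = 2, 4
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_HOST_RE = re.compile(r'https?://([^/\s<>"]+)', re.I)

def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def sender_domain(header: str) -> str:
    """Lowercased domain of the address in a From:/Reply-To: header, '' if none."""
    addr = parseaddr(header)[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def is_lookalike(domain: str) -> bool:
    """Untrusted domain imitating a trusted one: digit-for-letter swaps
    (examp1ecu.org) or the trusted label inside another domain (examplecu-alerts.net)."""
    if not domain or is_trusted(domain):
        return False
    normalized = domain.translate(_HOMOGLYPHS)
    return any(normalized == t or t.split(".")[0] in domain for t in TRUSTED_DOMAINS)

def link_mismatches(html: str) -> list:
    """(shown_host, real_host) for anchors whose visible URL names a different host."""
    bad = []
    for href, text in _ANCHOR_RE.findall(html):
        shown, real = _HOST_RE.search(text), _HOST_RE.search(href)
        if shown and real and shown.group(1).lower() != real.group(1).lower():
            bad.append((shown.group(1).lower(), real.group(1).lower()))
    return bad

def score_message(raw: str):
    """Score one RFC 5322 message; returns (total, [(points, reason), ...])."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    reply_to = sender_domain(msg.get("Reply-To", ""))
    hits = []
    if is_lookalike(domain):
        hits.append((3, f"lookalike sender domain {domain}"))
    if not is_trusted(domain) and any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        hits.append((2, "display name impersonates the credit union"))
    if reply_to and reply_to != domain:
        hits.append((1, f"Reply-To domain {reply_to} differs from From"))
    for part in msg.walk():  # the multipart container itself yields no filename
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append((2, f"risky attachment {name}"))
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for shown, real in link_mismatches(body):
                hits.append((2, f"link text {shown} actually goes to {real}"))
    return sum(p for p, _ in hits), hits

def classify(raw: str) -> str:
    """'block', 'review' (hand to a human) or 'allow'."""
    total, _ = score_message(raw)
    return "block" if total >= BLOCK_SCORE else "review" if total >= REVIEW_SCORE else "allow"

# Constructed sample messages, not real mail.
PHISH = """From: ExampleCU Member Services <alerts@examp1ecu.org>
Reply-To: collect@mailbox-verify.example
To: teller@examplecu.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your accout is locked. <a href="http://login.mailbox-verify.example/x">https://online.examplecu.org/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
LEGIT = """From: IT Helpdesk <helpdesk@examplecu.org>
To: teller@examplecu.org
Subject: Reminder: password rotation
Content-Type: text/plain

Passwords expire Friday. Change them via the intranet portal.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, classify(raw), [r for _, r in score_message(raw)[1]])
```

In production this logic belongs in the mail gateway’s rule engine, and the thresholds should be calibrated against a sample of the credit union’s own mail. The review bucket matters more than the exact numbers: a borderline message routed to a human is far cheaper than a blocked wire instruction from a real member.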
Credit union cybersecurity programs must extend monitoring to cover “authorized” users, not just “outsiders.” Insiders (and users who are successfully posing as insiders) constitute one of the most overlooked sources of risk in financial services and beyond. The cliché of the external hacker in a faraway land often takes the spotlight off the real risk of insider-driven compromise.
Insider threats can come from anywhere — including disgruntled former employees or the C-Suite. These threats can also include outsiders who have successfully gained privileged access and appear to be “insiders” within digital systems. Finally, many insider threats are simply the result of employee negligence or ignorance of security policies — but that doesn’t mean their unintentional actions pose less of a risk to the organization.
When credit unions have complete visibility into their environments, they can effectively monitor for indicators of compromise, including signs of insider threats. All credit unions should invest in technology that enables them to automatically detect suspicious activity from “insiders” and respond to potential threats in near real time.
Credit unions can leverage an XDR platform to automate detection of, and response to, many types of potential and actual incidents, including those caused by insiders. Ensure your XDR provides real-time monitoring, meaning activity is processed and analyzed as it occurs, and that it captures logs detailing suspicious behavior for forensic investigation. Most importantly, threats, insider and otherwise, must be contained as quickly as possible to minimize damage, and that is what makes automation vital. One caveat: automated containment (disabling an account, isolating a host) should be reserved for high-confidence detections and paired with a quick path to reverse it, because a false positive that locks a branch out of the core system is an incident of its own.
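To make the insider-monitoring idea concrete, here is an added example (written for this article, not code from the page or from any SIEM/XDR vendor) of the correlation rules such a platform would run over authentication and data-export events: logins by deprovisioned accounts, a burst of failed logins followed by a success from a new source, off-hours logins from an unfamiliar address, and daily export volumes far above a user’s baseline. The log format, thresholds, business hours, terminated-account list, and sample events are all constructed assumptions.

```python
# Added example (not from the page or any vendor): rule-based insider and
# account-takeover detection over login and data-export events, the kind of
# correlation a SIEM/XDR rule would run. Log format, thresholds, business
# hours, the terminated-account list and the sample events are assumptions.
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59 local time
EXPORT_MULTIPLIER = 5           # flag a day that exports > 5x the user's baseline
DEFAULT_DAILY_EXPORT = 50       # baseline for users with no export history
FAILS_BEFORE_SUCCESS = 3        # failures that make a following success suspicious

def parse(line: str) -> dict:
    """One constructed log line: '<iso-ts> <user> <action> <src_ip> <status> <records>'."""
    ts, user, action, src_ip, status, records = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "src_ip": src_ip, "status": status, "records": int(records)}

def build_baseline(events: list) -> dict:
    """Per user: source IPs seen on successful activity and peak daily export volume."""
    ips, daily = defaultdict(set), defaultdict(Counter)
    for e in events:
        if e["status"] != "ok":
            continue
        ips[e["user"]].add(e["src_ip"])
        if e["action"] == "export":
            daily[e["user"]][e["ts"].date()] += e["records"]
    return {"ips": ips, "typical_export": {u: max(c.values()) for u, c in daily.items()}}

def detect(events: list, baseline: dict, terminated: set) -> list:
    """Return (user, rule, severity) alerts in event order, one per user/day/rule."""
    alerts, fails, daily, seen = [], Counter(), defaultdict(Counter), set()

    def alert(user, rule, severity, day):
        if (user, rule, day) not in seen:   # suppress repeats within a day
            seen.add((user, rule, day))
            alerts.append((user, rule, severity))

    for e in sorted(events, key=lambda x: x["ts"]):
        u, day = e["user"], e["ts"].date()
        if e["action"] == "login":
            if e["status"] != "ok":
                fails[u] += 1               # consecutive failures for this user
                continue
            new_ip = e["src_ip"] not in baseline["ips"].get(u, set())
            if u in terminated:             # former employee whose access was never revoked
                alert(u, "terminated-account-login", "critical", day)
            if fails[u] >= FAILS_BEFORE_SUCCESS and new_ip:
                alert(u, "password-guessing-then-success", "high", day)
            elif new_ip and e["ts"].hour not in BUSINESS_HOURS:
                alert(u, "off-hours-login-new-source", "medium", day)
            fails[u] = 0
        elif e["action"] == "export" and e["status"] == "ok":
            daily[u][day] += e["records"]
            limit = EXPORT_MULTIPLIER * baseline["typical_export"].get(u, DEFAULT_DAILY_EXPORT)
            if daily[u][day] > limit:
                alert(u, "bulk-export", "high", day)
    return alerts

# Constructed sample events: a baseline week, then one day of new activity.
BASELINE_LOG = """\
2024-03-04T09:00:00 jdoe login 10.1.1.20 ok 0
2024-03-04T09:30:00 jdoe export 10.1.1.20 ok 60
2024-03-05T09:05:00 jdoe login 10.1.1.20 ok 0
2024-03-05T10:00:00 jdoe export 10.1.1.20 ok 45
2024-03-04T08:50:00 rkim login 10.1.1.31 ok 0
2024-03-04T11:00:00 mlee login 10.1.1.40 ok 0
""".splitlines()
NEW_LOG = """\
2024-03-11T02:10:00 jdoe login 203.0.113.7 ok 0
2024-03-11T02:15:00 jdoe export 203.0.113.7 ok 1200
2024-03-11T09:00:00 mlee login 10.1.1.40 ok 0
2024-03-11T09:01:00 rkim login 10.9.9.9 fail 0
2024-03-11T09:01:20 rkim login 10.9.9.9 fail 0
2024-03-11T09:01:40 rkim login 10.9.9.9 fail 0
2024-03-11T09:02:00 rkim login 10.9.9.9 ok 0
2024-03-11T09:30:00 rkim export 10.9.9.9 ok 20
""".splitlines()
TERMINATED = {"mlee"}   # assumed feed from HR of deprovisioned accounts

def run_demo() -> list:
    baseline = build_baseline([parse(l) for l in BASELINE_LOG])
    return detect([parse(l) for l in NEW_LOG], baseline, TERMINATED)

if __name__ == "__main__":
    for user, rule, severity in run_demo():
        print(f"{severity:8} {user:6} {rule}")
```

Two design points carry over to a real deployment. The terminated-account rule is only as good as the HR feed that populates it, which is why offboarding must reach the identity system the same day. And the export baseline is per user on purpose: a 1,200-record pull is routine for a reporting analyst and alarming for a teller, so a single global threshold would either miss the teller or drown the analyst in noise.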
With the right security strategies, credit unions can tackle modern cybersecurity challenges just as effectively as giant banks with seemingly limitless resources. Credit unions should lean on technology to mitigate resource challenges and help them stay compliant and secure.
However, many security tools on the market are designed for large enterprises and may prove too expensive and unwieldy to accomplish the specific security goals of the average credit union.
Cybersecurity becomes manageable when credit unions enlist tools — like a well-built SIEM and XDR platform — that are purpose-built for their size and needs. That means you can protect both your reputation and assets and get back to the important business of providing excellent financial services to the members who chose your credit union for exactly that reason.
Ready to protect your credit union against common security threats?
Request a demo of our easy-to-use, highly effective SIEM + XDR platform today