NAFCU Services Blog

By Sean Feeney, CEO, DefenseStorm

Cyberbreaches in 2017 were up 50% over 2016. It’s the No. 1 focus of federal regulators, yet experts predict that by 2019 there will be 2 million fewer certified cybersecurity professionals than positions that require them. Seventy percent of cybersecurity professionals say their organizations currently are affected by a shortage of cyber talent. Just 6.8% of IT employees are dedicated to cybersecurity and 53% of companies say it takes up to six months to hire qualified cybersecurity staff.

That’s a problem for credit unions, whose Boards of Directors and executive teams are increasingly being held accountable for Cyber Safety & Soundness. It’s no longer acceptable to take the stance that cybersecurity is the domain only of IT professionals. Instead, C-suite leaders are expected to create a culture of cybersecurity compliance across their credit unions.

Yet, the time and expense burdens of regulatory compliance can hit credit unions hard. A recent article in Banking Exchange enumerates burdens related to a broad spectrum of regulatory compliance demands, and notes that smaller institutions are hit twice as hard financially as larger ones.

The Real Targets

While smaller credit unions might be tempted to believe they are not targets, the truth is all represent attractive stakes for cyber bad actors, not only for access to their assets, but also as potential entry points to broader interconnected financial networks. Compliance with cybersecurity regulations helps combat the sobering reality that each credit union is a unique, high-value target with an average of 20 million potential cyberattacks every day, and each must deal with unique threat data, regulatory pressure, staffing needs and budgetary constraints.

With the number of breaches across all industries doubling – in a 2017 survey 24% of organizations reported a breach in the last year, and by 2018 that nearly doubled to 46% – cybercompliance is more critical than ever. In the Financial and Insurance Sector specifically, Verizon’s 2018 Data Breach Investigations Report identified 598 breach incidents from cyberattacks in 2017, 146 of which had confirmed data disclosure. Nearly all (92%) breaches resulted from external attacks and nearly all (93%) were financially motivated. Of the data compromised, 36% was personal, 34% was payment information and 13% was bank information.

Cost-Reducing Prevention and Benefits

But there are actions credit unions can take to combat the rise in cyber attacks, the cost of compliance and the competition for cyber talent. 2018 marks the first year the impact of security automation has been included in the annual Cost of a Data Breach Study by Ponemon Institute. Organizations with cybersecurity automation platforms in place slashed the cost of identifying and containing cyber exploits by 35%. Other cost reducers include having an Incident Response Team in place, using two-factor authentication, training and testing employees on cyber defense and involving your Board of Directors in cyber preparedness.

While credit unions can perceive complying with cybersecurity regulations as a burden, there are benefits. Compliance measures help you identify factors contributing to current cyber risk, assess cybersecurity preparedness, and understand the gap between the two. Together with your risk tolerance level, that knowledge pinpoints risk management practices and controls you need. Involving your Board of Directors helps ensure everyone agrees on the tradeoffs among member and employee service goals, risk management and control measures, and investments in cybersecurity and cybercompliance. Having written policies and controls – especially an information security policy, business continuity plan and incident response plan – magnifies effectiveness.

The Ponemon Institute predicts your odds of having a material breach (more than 10,000 records exposed) over the next two years have risen to 1 in 4. While credit union leaders might be tempted to believe “it will never happen to me,” those odds are far greater than other events one might perceive as unlikely, such as winning the Powerball (1 in 292,000,000), being hit by lightning (1 in 1,000,000), finding a pearl in an oyster (1 in 12,000) or being audited as an individual by the IRS (1 in 160). Investing in the right cybersecurity and cybercompliance technology to protect your Cyber Safety & Soundness seems like a good bet to make.

Other cybersecurity predictions for 2018 include:

1. $75.2 billion will be spent globally on infrastructure protection and cybersecurity, with the fastest growth in security information and event management, security testing and IT outsourcing
2. Continued success of “Aftershock Breaches” involving usernames/password will drive more financial institutions to 2-factor authentication
3. Types of cyber attacks that will increase include State-sponsored attacks, attacks via compromised IoT devices, and attacks against cybercurrencies
4. Automation of threat detection will increase
5. Regulations will increase

While there’s no “finish line” in guarding against continually evolving cyber threats, there are measures credit unions can take to ensure they can quickly identify attack attempts and thwart damage. Automating and actively managing cybersecurity with compliance measures mapped to regulatory frameworks is at the top of that list.