NAFCU Services Blog

May 31, 2023

Governance and Risk Assessment: The Winning Formula for Cybersecurity Success

By Jessica Caballero - DefenseStorm

Cyber threats - ever-present, always evolving - are the worry that keeps credit union executives up at night. As technology continues to innovate, threat actors are poised and waiting for the perfect opportunity to strike. Credit unions are always a prime target for cybercriminals looking to exploit vulnerabilities and gain access to sensitive information, so it's more important than ever to stay vigilant and take proactive measures to protect against these threats. But it's not just external threats that institutions need to be wary of when it comes to cybersecurity. According to DefenseStorm's 2023 Benchmark Report, more than 68% of institutions have ongoing strategic objectives or growth initiatives that could impact their cyber risk level. As financial institutions continue to evolve and grow, they must prioritize their cybersecurity measures to protect themselves and their clients from potential threats.

So, what’s the secret to achieving cybersecurity success? To safeguard the credit union and members’ sensitive data, cyber risk must be managed using the same framework employed in other areas of the credit union. A risk management framework must be designed and implemented by defining risk appetite, culture, and a risk management system. It is essential for proper governance over the program to ascertain that it continues to be implemented as designed and that the risks are being mitigated in line with the credit union’s risk appetite.

Risk Management and the Risk Assessment

The credit union’s risk management system is a vital and comprehensive process, which includes the ongoing cycle of identifying, measuring, mitigating, and monitoring risk. Another key part of the risk management system is all the credit union’s policies, processes, systems, and people that work together to form a system of controls that mitigate the risks to which the credit union is inherently exposed.

A pivotal starting point within the risk management system is the risk assessment. Credit unions must first identify and measure risks before they can design the proper system of controls. It’s an exercise of asking yourself – what are the risks? What is the level of risk? Are we comfortable with that level of risk? What controls can we put into place to mitigate this risk to a level that aligns with our risk appetite or our comfort level toward the individual risk in question?

However, the risk management process doesn’t stop there. The credit union must then continuously ensure that the controls work and adequately mitigate the risk down to that defined risk appetite or comfort level. Understanding that this is not a one-and-done task but rather a continuous exercise where risk assessment and governance converge is critical.

Here is where governance plays a crucial role, through ongoing monitoring and oversight of the program to ensure success. Credit unions should assess the risks, design their controls, and implement processes to monitor and test control effectiveness. Many credit unions may pause and ask – isn't that what an audit does? And yes, to an extent, an audit is an essential element here. However, a credit union that relies solely on an audit to identify control deficiencies and exposures is left in the dark between annual audit cycles. Ongoing monitoring exercises done by internal independent parties – like risk management or departmental leadership separate from the daily processes and control implementation – can identify individual control failures before they become a breakdown in your program. We can all agree that finding something during a monthly monitoring exercise is more effective than waiting a year to find out a control isn't working. No credit union can afford that kind of cyber risk exposure.

A common way to employ proper governance is through the three lines of defense. An audit is obviously the third line – the last line. But what comes before that? Independent risk management (IRM). Its job is to oversee and assess risk independently. IRM should monitor and report on the front line's adherence to policy directives, designed controls, and execution of the risk appetite statement. For credit unions without a formal second line of defense, monitoring is often the role of the information security officer.

Another key element in achieving proper governance over your cyber risk management program is board or committee oversight. This is the ultimate layer of governance; however, it only works well if those governing understand the program well enough to provide effective challenges. How can a board member ask the right questions if they don’t understand the program? The short answer is - they can’t. Ensuring your board or governing committee is well informed through training and reporting leads to better governance over the cyber risk management program, ultimately leading to better protection from cyber threats.

The Winning Formula

Risk management is nothing new; however, ensuring that a risk management program of the same caliber is employed within security is an area where most credit unions need improvement. The credit union should be solid in its processes for identifying risk, designing controls, and monitoring the effectiveness of those controls. Strength in those areas will go a long way toward ensuring success. Couple that with appropriate oversight and governance, and credit union leadership has secured the confidence of knowing that not only is the program well designed, but it will also find the deficiencies before the bad guys do. Ultimately, that's the name of the cyber risk management game, right? Proactively identify vulnerabilities and address program deficiencies to stay one step ahead of potential threats, so credit union leaders can sleep peacefully knowing their members' data and assets are adequately protected and the credit union is prepared to tackle emerging threats.

About the Author