NAFCU Services Blog

Sep 24, 2019

Part 1: An Executive’s 3-Point Checklist for Cybersecurity

By Steve Soukup, Chief Revenue Officer, DefenseStorm

Cybersecurity is a vast and technical topic. There’s so much buzz in the market that it can be an intimidating subject to discuss. Understandably, executives tend to delegate discussions on this topic to their very capable technical teams. However, since regulators are holding C-suites and Boards of Directors accountable for cyber safety and soundness, our goal is to help educate everyone on the cyber threat landscape. This includes what credit unions will want to look for in their security programs, and the questions to ask their teams.

To begin, let’s define what a data breach is. According to the National Institute of Standards and Technology, a breach is “the release of sensitive, protected, or confidential information to an untrusted environment.” These are the things that your team attempts to prevent, resolve, and control.

In the unfortunate circumstance that a breach does occur, there are laws governing who must be notified, in what manner, and when. Federal and state laws are too complex to review in this single blog, but they should still be reviewed with a well-informed cybersecurity counsel. To head off a crisis, the National Conference of State Legislatures and the National Credit Union Administration (NUCA) are two good resources to consult to confirm breach notification laws in your state.

Now that we’ve talked about what a data breach is, let’s identify the first of a few cybersecurity trends that represent the realities credit unions face and the challenges they experience from day to day.

Part 1: An Executive’s 3-Point Checklist for Cybersecurity

Did you know that cyber breaches—not just attacks, but actual breaches—are up 50 percent? And on top of that, there’s a growing global shortage—in the millions—of qualified cybersecurity talent.

This means the time to act is now. Bad actors are getting more and more successful at breaking through defenses and operating in stealth mode to gain higher and higher levels of credentials while they are in your system. John Chambers, former CEO of Cisco Systems once said, “There are only 2 types of companies: those that have been hacked and those who don’t know they’ve been hacked yet.” So let’s get ahead of this together.

Now that we’ve established how serious a data breach is, let’s talk about the first way you can protect your credit union.

You cannot be secure unless you are compliant. And you must manage and measure your performance with regard to the efficacy of your policies and controls. So, here is the first point that should be on your cybersecurity checklist. Ask these three questions as you lead your credit union:

  1. Are we doing the right things?
  2. Are we doing the right things right?
  3. How can we prove that we are doing the right things right?

What are these “right” things to do? The Federal Financial Institutions Examinations Council (FFIEC) lays it out for us. The FFIEC provides cybersecurity standards and auditing for financial institutions and other regulatory agencies. Understanding and complying with FFIEC recommendations helps companies identify what is most important when it comes to cybersecurity.

The role of the Board of Directors is to make informed decisions about risk.  Here’s a guide on how to get started:

  1. Help establish vision, risk appetite, and strategic direction--like they do for other risk management activities (e.g., lending, new member account opening, etc.).
  2. Review management and third-party analysis of maturity level.
  3. Review findings regarding how cybersecurity preparedness aligns with risks.
  4. Review and approve plans to address risk management and control weaknesses.
  5. Review the results of management’s ongoing monitoring of exposure to and preparedness for cyber threats.

Stay tuned for Part 2: An Executive’s 3-Point Checklist for Cybersecurity. Click here for more information, and to subscribe for blog updates.