NAFCU Services Blog

Mar 27, 2023

The Power of Risk Assessment

By DefenseStorm 

Protect Your Credit Union from Cyber Attacks: Put Your Risk Assessments to Work

Every day we are bombarded with news about the threat of cyber-attacks looming over financial institutions. Let’s face it, at times, it can be overwhelming. The constant warnings of impending disaster can make it feel like the fight against cybercrime is a losing battle, with a lot of pain and not enough reward. Take heart; there is a path forward for all credit unions to get ahead of cyber-attacks, better protecting themselves and their members!

It starts by operating with a heightened level of cyber risk awareness and discipline. In essence, it’s applying the same risk management practices used for lending and credit to cyber threats. It involves thoughtful development and implementation over time of a comprehensive cyber risk program that is based on your valuable risk assessment data. Research shows that this more proactive approach is already enabling credit unions to get ahead of potential vulnerabilities and take necessary steps to mitigate risks before they escalate into full-blown attacks. The good news is that you likely have some elements in place already, so it becomes a matter of building out versus starting from scratch. Not convinced yet? Read on to learn what former Secretary of State Condoleezza Rice says about cyber and risk management.

Risk Assessments Inform Your Battle Plan

To protect their information and infrastructure, credit unions need to develop a robust cyber risk program that employs a combination of defensive and offensive strategies. It is a siege mindset, which in many ways is similar to how a military commander prepares to protect a valuable target against an enemy. Vulnerabilities are identified, and appropriate fortifications are made to repel potential attacks. That’s defense. At the same time, the commander is assessing the attackers to determine how to adjust plans and continually adapt, getting ahead of the attacker. That’s offense. When the two are combined, credit unions can better safeguard their networks against cyber threats, so they don’t become the next victim of an attack.

In the same way that a commander strategizes using intelligence that has been collected and analyzed, an effective cyber risk program must be based on real data and metrics, which is where risk assessments come in. The program must capture the risks specific to the credit union, score inherent risk based on likelihood and impact, and determine residual risk based on the strength of controls. This is a continuous cycle of measurement, not just an annual exercise. Intel must also include shared learnings on potential threats from the broader community of credit unions and banks: threat actors, having found success with one institution, will then target others.
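As an added example (not code from DefenseStorm or the original post), the scoring cycle described above as a small risk register: inherent risk is scored from likelihood and impact, controls are combined into a control-strength score, residual risk is derived from both, and whatever still exceeds the tolerance is ranked for action. The 1-5 scales, the formulas, the tolerance and the sample risks are all assumptions for illustration; the post names the inputs but prescribes no formula.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    effectiveness: float  # assumed scale: 0.0 (no effect) .. 1.0 (fully mitigates)

@dataclass
class Risk:
    name: str
    likelihood: int  # assumed 1..5 scale
    impact: int      # assumed 1..5 scale
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent risk before controls: likelihood x impact (assumed formula)."""
        return self.likelihood * self.impact

    def control_strength(self) -> float:
        """Combined strength of independent controls: 1 minus what all of them let through."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return 1.0 - remaining

    def residual(self) -> float:
        """Residual risk after controls: inherent scaled by what the controls do not cover."""
        return round(self.inherent() * (1.0 - self.control_strength()), 2)

def build_register() -> list:
    """Constructed sample register; values are illustrative, not from any real assessment."""
    return [
        Risk("Phishing", 5, 4, [Control("MFA", 0.6), Control("Awareness training", 0.3)]),
        Risk("Malware", 4, 5, [Control("EDR", 0.5)]),
        # A new technology initiative assessed before go-live, with no controls yet.
        Risk("New online banking platform", 3, 5),
    ]

def prioritize(register: list, tolerance: float) -> list:
    """Risks whose residual score still exceeds tolerance, worst first."""
    above = [r for r in register if r.residual() > tolerance]
    return sorted(above, key=lambda r: r.residual(), reverse=True)

def mitigate(risk: Risk, control: Control) -> float:
    """One turn of the cycle: add a control and re-score the residual risk."""
    risk.controls.append(control)
    return risk.residual()

if __name__ == "__main__":
    register = build_register()
    for r in prioritize(register, tolerance=6):
        print(f"{r.name}: inherent={r.inherent()} residual={r.residual()}")
```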

Understanding the origin of threats and how they evolve is critical. While credit unions are familiar with typical threats such as phishing and malware, new and more sophisticated threats are constantly emerging. Threat actors never sleep or slow down. Additionally, the new technologies your institution needs in order to remain competitive and efficient open the door to cyber risk because they create new vulnerabilities. This means that your risk assessments need to run in parallel with new technology initiatives, not after implementation, when it can be too late.

Establishing a Clear Chain of Command

What we know and now understand: (1) risk management is paramount and (2) risk assessments are crucial. But the question arises: are the right people bought into the plan? In particular, how do the Board and C-suite think about cyber risk, and are they prepared to take the necessary actions? This is an element of good governance. All too often, however, credit unions report a disconnect between cyber risk priorities and practices on one side and key decision-makers on the other.

During a recent keynote address, former Secretary of State Condoleezza Rice emphasized the importance of risk management for credit unions: “I’m going to put in a plug for risk management which needs to be of the utmost importance to the credit union. Cybersecurity IS a board issue and a C-suite issue. It’s not going to be your Chief Risk Officer who speaks to the press.” Her message is clear. Bridging the gap in knowledge of cyber risk management requires all levels to understand the risk associated with cyber-attacks and their accountability in protecting the credit union and its members.

Credit unions understand the devastating consequences of a successful cyber-attack, including monetary losses, business disruptions, and reputational damage. As cyber threats continue to evolve and articles with titles like “The Year of Risk” dominate headlines, it's crucial for credit unions to prioritize cyber risk management with a unified front. All credit unions, regardless of their current position or practices, can advance their cyber risk maturity to win the battle against cybercrime.

About the Author