Cybersecurity criminals continue to find innovative ways to target financial institutions. Their methods range from social to technical engineering. It isn't just large financial institutions that are targeted. Credit unions are also vulnerable. In June of 2022, several credit unions in Canada were hit by a targeted cybersecurity incident. Fortunately, no customer data was stolen, and the incident was said to be contained, as reported by Celero Solutions.
In response to cybersecurity threats, the NCUA has issued a requirement for credit unions affected by a cybersecurity incident.
Any incident leading to "substantial loss" must be reported within 72 hours. This proposed rule comes from the National Credit Union Administration Board. It recently held its seventh open meeting of 2022, where the rule was unanimously approved. This rule will be a requirement for all federally chartered credit unions.
The rule was put in place in response to the Biden administration's warning about increased Russian cybersecurity attacks against American businesses.
Ransomeware attacks are another area seeing increased activity that isn't showing any signs of slowing down. Sophos, an IT security company, surveyed 550 businesses (including financial institutions) in 2021. 34% of those surveyed had experienced a ransomware attack. 25% of those who had their software encrypted paid the ransom. The average cost to recover from a ransomware attack was $2 million.
How can credit unions protect themselves? With limited resources, it may seem that credit unions don't have many options to protect against cybersecurity threats, including ransomware attacks. However, there are several simple methods that they can take advantage of now:
- Create a culture of security and compliance
- Implement two-factor authentication
- Require that password be changed regularly
- Update cybersecurity software regularly
- Audit security systems regularly against the latest threads (both social and technical)
- Have emergency and incident response plans ready to go
- Consistently monitor systems
The above is more human management than it is technical implementation. These are areas that credit unions can make great progress in their efforts to better protect themselves and their customers against cybersecurity threats.