Cyber security for Credit Unions 101

American consumers have two clear yet vastly differing choices when it comes to banking. Many opt for a large-sized national or regional bank. Folks select this option for a variety of reasons, typically due to the vast services and ease of use these powerhouses provide. Roughly 60% of Americans count themselves as customers of these large-scale institutions.

Others choose to conduct their banking business differently – and more locally – via credit unions. According to the NCUA (National Credit Union Administration), there are over 4,500 credit unions with over 136 million members nationally. This accounts for nearly $2.25 trillion in total assets – no small number!

Benefits of a Credit Union

• User experience – consumers are considered “members” rather than “customers” and their ultimate goal is to consistently deliver a personalized banking feel.
• Localized focus – Credit Unions are altruistic in their desire to impact their community, support of local small businesses, and connection to charitable causes.
• Better rates and lower fees – since credit unions are non-profit, they are naturally able to deliver more favorable financial options to their members.

For decades, credit unions have used the benefits outlined above as a three-legged stool on which to build both their brands and their membership. Doing so certainly wasn’t easy and of course relied heavily upon the consistent work of great employees. But in recent years, as the threat landscape has evolved, a new benefit must become front and central… Cyber Security.

Here’s why

Credit Unions have historically been a prime target for cyber attacks. Malicious actors are always on the hunt for the type of lucrative data (both personal and financial) that institutions own. And in reality – due largely to resource constraints – it is easier to attack smaller organizations than large ones. Only recently the credit union world has been rocked by two separate cyber incidents:

• In December 2023, a nation-wide Ransomware campaign leveled a devastating blow to the industry. According to the NCUA, “approximately 60 credit unions experienced system outages affecting member account availability.” Many of the affected organizations remained non-operational for weeks.
• Just weeks ago, news broke that the US Credit Union Service exposed more than 3 million customer records. The leaked information contained over a million email conversations, including data belonging to thousands of U.S. credit unions, internal notes, and clients’ full names, home and email addresses, and plaintext passwords.

User experience, community impact, and great rates/fees are the hallmarks of why folks are so loyal to credit unions. But if their PII is stapled to the internet or they experience extended system outages, members will be forced to consider other banking options. This is why cyber security has become the most critical function in the financial industry, period.

Where and how to focus your cyber security efforts

1. Don’t merely follow… Embrace NCUA regulations

• Develop cybersecurity processes and procedures to ensure that you’ll nail your audits quickly and efficiently every time an Examiner visits.
  Credit Union examiners plan, conduct, and complete audits of federally chartered credit unions. They’re responsible for a lot… they’ll look at physical security measures, follow a standard cyber security framework, and look at the financials of the credit union (solvency, how loans are approved, if rates are fair, etc.)
• Create a CORE/CORE+ internal team that meets monthly for shared accountability and to ensure compliance stays top of mind.
  CORE and CORE+ are the names of the specific regulations required by the NCUA. Any credit union with $50m+ in assets must meet these requirements on a consistent basis. Requirements include annual pen tests, phishing/vishing, TTX (Tabletop Exercises), vuln management, etc.
• Attend conferences, follow NCUA for their constant evolutions, and build a fellowship within the credit union cybersecurity community.

2. Establish a continuous security mentality

• Security can’t simply be a point in time (e.g., when the Examiner is in-house!).
• Constantly educate and coach all employees on cyber best practises.
• Leverage trusted external partners for Risk Assessments, Team Training Workshops, TTX, bi-annual Penetration Tests, etc.

3. Over-report to executives and board members

• Consistently outline your established Incident Response/Forensics plan
• Keep key stakeholders consistently abreast of cyber-related, industry-wide changes… breaches, potential vulnerabilities, regulatory changes, etc.
• Deliver monthly reports that highlight both your successes and requirements.

Bottom line

Credit unions often serve as the financial bedrock of their communities. For generations, they have delivered financial support with a human touch in the local areas they serve. But in this new world – where cyber threats lurk everywhere – customer success must start with continuous cyber security.

The NCUA have a great cyber security resource here.