Risks to CUs for Data Breaches Parallel the Member Risks for ID Theft & Fraud


With the recent release of the 2022 NCUA Supervisory Priorities, it is worth noting that cybersecurity preparedness is once again among the top concerns for credit unions to address.

While most of my past articles have focused on the dangers that identity theft and fraud pose to Members, it is critical to remember that Credit Unions themselves are as much, or more, at risk for breach events. This has been particularly noted by the Identity Theft Resource Center (ITRC), which identifies the financial industry as one of the most actively attacked groups, second only to healthcare, which is THE MOST actively attacked industry. A recent ITRC article pointed to the significant increases in year-over-year data breach events in the first quarter of 2022 compared to Q1 2021. The rise in data breach activity has been a trend for several years, with record-setting data breach events going higher and higher, year after year.

So, it remains a precariously dangerous data breach environment, where all that is needed is a very focused attacker who intends to gain access to your systems and look for a vulnerability that could exist in any number of places. It is precisely when you think you have every angle covered and your institution is "totally secured" that the infamous "insider threat" proves that "totally secured" is a fallacy. According to the 2020 and 2022 Cost of Insider Threats Global Reports by the Ponemon Institute, insider attacks result in devastating losses for organizations. For example, the average cost of insider-related incidents rose from $11.45 million in 2019 to $15.38 million in 2021, a 34% increase.

Therefore, it is essential to give appropriate attention and budgetary resources to a strong response and recovery strategy. This strategy should fully support and maximize your incident response plan for WHEN, not IF, the breach happens. In this way, you have all the angles covered and can solidify your ability to withstand any fallout and ramifications of a data breach.

You may think that the answer is to obtain a good "cyber insurance policy," and that will solve everything. But the problem with cyber insurance is that you face a cost/benefit dilemma in determining how much to pay for the insurance versus the number of "exclusions" in the policy you're willing to accept. And many cyber policies do not facilitate the actual recovery activities needed for a data breach event, so there's still work that needs to get done for the clean-up.

So all of this begs the question: Why not choose a solution that creates far-reaching cybersecurity preparedness that supports your Credit Union, employees, and Members? These solutions exist in a way that genuinely protects the Credit Union as a whole. Your CCUL representatives know of such resources and would appreciate the chance to introduce them.

Regardless of the action you might take to protect the Credit Union, don't fall for the "totally secure" mindset. Instead, the best and most secure approach is to assume a breach WILL HAPPEN, and when it does, be sure to have the best response and recovery plan that minimizes the fallout and maximizes the mitigation of the breach at hand.  

Article by Jim McCabe, Senior Vice President, Identity Theft Services at Vero, a California and Nevada Credit Union Leagues business partner.