Article

Cybersecurity in Canadian Credit Unions

 Laptop with binary computer code and Canada flag on the screen
By David Israelson

8 minutes

Cyber fraud is increasing in Canada. How can CUs fight back?

Cyberthreats and cyberattacks are pervasive, persistent and growing, requiring credit unions to work harder than ever to stay ahead of the crooks.

The bad actors used to be bank robbers or fraudsters, but today they’re hackers who can attack from anywhere. Instead of showing up with a mask and a sack or some fake paperwork, they can strike in a nanosecond and disappear into the dark web—with a success rate that’s alarmingly high.

“The potential threats out there are not only from someone knocking at your door. Attackers today are spending a lot of time exploring your network to see what they can do,” says Mark Kroll, senior manager/information technology at $5.2 billion Libro Credit Union in London, Ontario.

“They’re looking for the items that are most important and valuable, which they can sell or use against you,” he says.

7 Common Cybersecurity Threats

The most common threats come from:

  • Ransomware—when a hacker gets into your files, encrypts them and demands a ransom to get them open again. Even when you pay, this doesn’t guarantee that the hacker will go away. The McCarthy-Tétrault Cyber/Data Group reported that Canadians lost $4.9 billion due to ransomware attacks last year.
  • Social engineering—the general heading that refers to hackers and criminals manipulating people psychologically to gain their confidence and getting them to give up information that should be private.
  • Phishing—when people click on a seemingly legitimate email that often looks like it comes from a real company, institution or friend, only to find that they’ve given up their personal information or credentials to a fraudulent website or infected their computer with malware.
  • Smishing—the same as phishing, only in the form of a text message (SMS).
  • Distributed denial of service—when hackers overwhelm a server by sending through more traffic than it can handle.
  • Malware—not just viruses, but any other type of worm, spyware or other malicious software that can bring a computer or a network to a crawl or steal information.
  • Man-in-the-middle attacks—when hackers intercept what a user thought was a private, secure communication and then either eavesdrop or intercept a transaction. Multi-factor authentication is one way to inhibit these attacks.

Despite widespread awareness of these threats, hackers often find what they’re looking for. According to a 2021 report by the CyberEdge Group, which surveyed 1,200 IT security professionals in 17 countries and across 19 industries, 86% of organizations suffered from a successful cyberattack last year, and 69% were compromised by ransomware.

More than half (57%) of the ransomware victims paid ransoms, yet only 28% of them actually recovered their data. Canada’s financial sector gets hit by a significant 7.9% of all cyberattacks in the country, according to research by the cybersecurity unit at major law firm Blakes.

The COVID-19 pandemic hasn’t been helping either, with more people hunched over their screens at home working or idling away the time. The Canadian Anti-Fraud Centre says that cyber-related fraud complaints in Canada grew in 2020 by more than one-third over the previous year.

Canada holds the world’s top spot as a target for phishing attacks, according to the Outseer Fraud and Payments Report for Q1 2021. Canada is also in the top 10 (ninth place) as a source of phishing attacks. Data from Interac shows that 64% of Canadians are worried that fraud is rising in the wake of COVID-19, with three in five saying they care more now about keeping their identity data safe online.

Cyber-related fraud complaints in Canada grew in 2020 by more than one-third over the previous year.

Some of these cyberattacks are sophisticated and spread the damage widely. One of the biggest, for example, was the massive 2020 attack on U.S. technology firm SolarWinds that reached deep into U.S. government data files in the Treasury, Commerce and Homeland Security Departments, as well as major corporations.

But a cyberattack can be relatively crude too—as simple as a phishing email that a credit union member or employee might be tricked into opening.

“There are some misconceptions that credit unions have low levels of cybersecurity. But the awareness of the risks and the types of risk is actually good among credit unions we work with,” says Kevvie Fowler, partner/global and Canada incident response leader at Deloitte Canada, who has studied cyberthreats.

“In fact, credit unions can be quite agile in how they respond to cyber-incidents. We’ve seen some credit unions restore services that were disrupted in a matter of days when it could take weeks for larger financial institutions to come back,” he says.

Canada holds the world’s top spot as target for phishing attacks.

Many Canadian credit unions engage third-party security experts to bolster their cyber-protection.

“I see this as a double-edged sword,” says Fowler. “A third party can speed up the recovery when a breach occurs. On the other hand, outside security sources aggregate and bundle the risks that various different credit unions face, so you run the risk of someone else’s breach affecting others.”

In addition to the pandemic leading to people spending more time online, the expanding number of smart devices that people now use adds to the risk of a cyberattack on financial information, Fowler adds.

“All this data makes it easier for criminals to send emails that appear real—that includes highly personal information that only a close friend or colleague would know, for example—and trick recipients into clicking on a phishing link. This could then lead to a ransomware attack,” he says.

“There’s an increase in less sophisticated actors both committing attacks and falling victim,” says Tom Beaupré, lead/cyber risk management at MNP, a national accounting, tax and consulting firm.

“The credit unions we work with say some of the challenges come from issues such as more people working from home and sharing computers with others,” he says. A hybrid workforce with people working remotely part of the time can be good for peoples’ mental health, but it’s a “prevailing challenge,” he adds.

“Cybersecurity is a moving target,” says Danny Timmins, MNP’s national cybersecurity leader. “The steps you’ve taken in the past are a great start, but you must constantly be vigilant and proactive in assessing and mitigating vulnerabilities—or else find yourself caught flat-footed.”

Complacency is the enemy, Beaupré adds. “We really think awareness and training are underrated.”

Long-Lasting Implications

The implications of a breach to a company or institution can be huge and uncertain, Timmins notes.

“In many cases, victims of a data breach will launch a class action lawsuit, accusing the company of not doing all it could to protect their information and for not responding appropriately to the incident,” he says.

“Fines are being introduced in Canada for companies that don’t respect privacy and breach notification obligations. To mitigate their cyber risk, it’s important for organizations to follow not only their legal obligations, but also the leading practices of their industry.”

In August, the Office of the Superintendent of Financial Institutions released updated requirements governing how federally regulated financial institutions, including federal credit unions, should disclose and report technology and cybersecurity incidents.

Institutions must now report a technology or cybersecurity incident to OSFI’s Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. OSFI has also brought in a new “failure to report” requirement: If a financial institution doesn’t report a cyber-incident on time, it could be hit with increased government supervision, placed on a watch list or put under more direct supervision by the agency.[DD1] 

Awareness and education are key, says Kroll. He points to a series of videos produced by the Canadian Credit Union Association and the Large Credit Union Coalition to inform credit union staff, businesses and credit union members about how to spot and respond to threats.

Videos remind watchers to beware of social engineering attacks, for example—emails from unexpected sources or unfamiliar web links. The best way to respond to ransomware that locks your data or asks for money is “don’t do it,” the videos suggest. Don’t pay ransom unless you want the crooks to come back for more; instead, take your infected computer to your credit union’s designated IT person.

The need for increasing cyber-vigilance underscores the importance of the chief data officer at a credit union—and really, all other businesses and institutions these days, Beaupré says.

“The data officer can drive the necessary governance and funding for protection. Institutions also need to develop the right data protection architecture. I think credit unions are better than the average corporation in keeping up with risks such as fraud, but it’s important and it’s hard to keep up with cyberthreats,” he says.

Individual credit unions are all taking steps to keep up with the ever-morphing threats that hackers keep throwing at them and their members. For example, Central 1 Credit Union puts out a thorough online guide to cybersecurity.

The U.S. National Institute of Technology also has a cybersecurity framework to identify, protect, detect, respond and recover from an attack. The institute recommends that organizations inventory all their own cyber activities—who does what online in both the office and among customers, clients and members. Organizations should then profile their own risk appetite—what would happen if there’s breach—and look at the resources they have to meet the challenge.

Credit unions then can make fact-based decisions on how to meet the risks they face. Smaller organizations might outsource their information security—the “double-edged sword” that Fowler refers to, but still with one side of the blade that can fight back.

Protecting members should be credit unions’ primary goal during or after a cyberattack. Getting back to business as quickly as possible with minimal friction is important for staff too, and the integrity of the institution.

In the pandemic era, it’s noteworthy that both humans and institutions are learning in real time how to beat a virus. cues icon

David Israelson is a non-practising lawyer, writer and consultant based in Niagara-on-the-Lake, Ontario. 

CUES Learning Portal