
Responding to More Complex Hacks

Cybersecurity oversight and implementation best practices are shifting.
Contributing Writer
member of Bellco Credit Union



As the cybersecurity threat grows larger and more sophisticated, control of credit union strategies is passing out of the hands of local managers and moving to national and international regulatory and law enforcement agencies and giant accounting firms. Credit union staffs are under pressure to be tougher, better-informed fighters, but, increasingly, the orders are coming from higher-ups. 

As defenses are strengthened, reports Richard Crone, internal decision-makers are forced to recognize increased involvement by national regulatory agencies such as the National Credit Union Administration, Consumer Financial Protection Bureau and the Federal Financial Institutions Examination Council. Crone is head of Crone Consulting LLC, San Carlos, California.

These agencies set the audit standards for protecting all stakeholders, Crone explains. “Credit unions are being tasked to make sure they and all their dependent processors comply, even fintech startups,” he notes.

There has definitely been a growth of regulation around cybersecurity, agrees CUES member Paul Wisniewski, VP/enterprise infrastructure at $2 billion GTE Financial CU, Tampa, Florida. “I welcome it. It’s helpful that high standards are required. We are conforming to policies set by higher authorities” like NCUA, he says.

Military-grade intel is coming. Threat intel that started in government security agencies is starting to spread to the private sector, reports Christopher Williams, assistant chief information security officer at Co-op Solutions, Rancho Cucamonga, California, at the time of this interview. (Co-op is merging with CUESolutions provider PSCU, St. Petersburg, Florida). Currently, such intelligence is provided by specialized third parties, but it’s expensive and running into a financial squeeze at credit unions that could get worse in 2024, he suggests.

The cyber attackers aren’t constrained by tight budgets because many of them are huge criminal enterprises with connections to state sponsors, reports Williams, who has a background in government intelligence work, including the Secret Service. 

As security gets more complicated, credit unions voluntarily are outsourcing more of it to specialist third parties, reports John Meyer, senior director at CUESolutions provider Cornerstone Advisors, Scottsdale, Arizona. “There are plenty of third-party security providers out there,” he notes. “We hear from clients that they are using them.”

There are national compliance tests that credit unions must pass, Crone points out. The tools for industry cybersecurity compliance include financial, operating and regulatory audits. Regulators now require credit unions to obtain an annual attestation report under Statement on Standards for Attestation Engagements No. 18 (SSAE 18, the AICPA standard that governs SOC 1 and SOC 2 reports), both for themselves and for their third-party processors.

SSAE 18, Crone explains, is designed to independently assess the security and controls of every outside processor the credit union depends on, even fintech startups that may not be experienced in complying with regulatory oversight. The standard extends the annual audit to every party in the credit union’s value chain. 

Reports required by the standard are part of GTE Financial’s vendor management program, Wisniewski says, and they’re expected of all partners with which the credit union shares data.

Ultimately, there probably needs to be an outside body that specializes in risk monitoring that certifies the parties it monitors, says Chris Sachse, CEO/founder of Think|Stack, Baltimore. “It’s getting too complicated for a bank or credit union to do on its own.”


Guarding the Home Front

However much cybersecurity policy is dictated by higher-ups, it remains the responsibility of individual credit union boards and audit committees, Crone points out, to actively inventory and assess the security of all integrated applications, especially those from newer fintechs. And he thinks that job now requires a dedicated chief information security officer. 

“That’s normally a full-time job,” he observes, “as it has become an essential role with assigned responsibility at the C-level, reporting to the audit committee of the board of directors.”

Such cybersecurity experts are available but cost about $200,000 a year, Meyer estimates.

Most financial institutions do have experts on staff in charge of cybersecurity, notes Jay H. Bowden, CFO of TRC Interactive, a training firm located in Harrisburg, Pennsylvania. “There are plenty of training programs. Many professionals have letters after their names signifying credentials they have earned, including university degrees.”

With threats growing and security budgets generally not growing, credit unions need to look closely at how to get the best return on invested dollars and how to keep the right people and the right tools up to speed during a flat budget year, Williams says.

Vendor products may help. The marketplace for cybersecurity technology solutions is active, Wisniewski reports, with new vendors, new products and improved products popping up. Demand is driving supply, and CUs have access to a growing array of tools.

“Look for vendor products that integrate all platforms,” advises Jason Lord, VP/global fraud solutions at TransUnion, the Chicago-based credit reporting agency. “And if you don’t have a big budget, you may decide to pass up the strongest product for one that provides 80% of the protection for 50% of the price.”

But don’t skimp on wire protection. Wires produce the biggest losses per transaction, Meyer reports: an average of $45,000 per loss and total losses of over $2 billion a year. 

The second biggest drain comes from debit cards. Two years ago, the gross losses from debit fraud were $12.2 billion, Meyer says. 

After clawbacks, the net loss from all card fraud was 6 basis points a few years ago, he says. “Now, we see losses nearing 14 to 15 basis points on card-not-present transactions and recoveries in the 5 to 6 bps range, extending fraud losses greater than 8 to 10 basis points.” 

Credit Unions Can Get Expert Help 

“All the Tier 1 accounting firms have dedicated assurance practices to help financial institutions with this challenge,” Crone says. “If you have to make decisions like whether to buy ransomware insurance, don’t guess. Get advice from your audit firm. They can even provide interim professional services, acting as a fractional CISO in some cases.”

Educating members remains important. A growing threat comes from the remarkable new ability to clone a voice, Meyer reports. 

A person’s voice can now be cloned in six minutes. The “Grandma, I’m in trouble” scam works even better when it’s the grandson’s voice that is making the plea, he notes, and it’s not hard to get a sample of a person’s voice to clone.

Nevertheless, under relentless attack, credit unions will have losses. Sachse thinks credit unions are obsessed with prevention and don’t spend nearly enough time preparing to respond to a breach. 

“They haven’t trained for the response,” he observes, “so they make mistakes that make the problem worse and add to the cost. They can never prevent all fraud, so they have to be ready to deal with it when it happens.”


Training Employees

Attackers are cleverly cracking the weak point of cybersecurity—people. 

“Credit unions and their core processors have become very good at bolting down legacy systems,” Crone notes. “That leaves the human element.” So cyber thieves target CU employees and the employees of CU vendors.

The biggest financial losses from cybercrime, Sachse points out, come from social engineering that targets employees. 

The biggest fraud transactions tend to stem from compromised email, Meyer says. Typically, a fraudster gets into a bank or CU email system, does a convincing job of impersonating the CEO or CFO of that institution and orders a large wire transaction, the pattern known as business email compromise (BEC). The employee follows orders. 

“We worked with one CU last year [2023],” Sachse reports, “where a person in the AP department got an email from what appeared to be a major vendor, explaining that, due to a change in bank accounts, they had not received payment for several months and the CU now owed $280,000.” The accounts payable staffer wired the money, and it was gone.

Somehow the crook had learned that the CU had a relationship with that vendor. “There are lots of ways the fraudster could have learned of that relationship with a little research,” Sachse observes. “The bad guy knew enough to convince the employee. That still happens fairly often.”

The $280,000 was just the beginning of the financial loss, Sachse explains. 

“They had to hire us to investigate,” he says. “They had to buy new security software for two-factor authentication. They still had to pay the vendor, and they had to spend time working through the problem.”

Ransomware attacks are constant threats. Last fall, Williams reports, hackers researched an employee of the MGM Grand hotel and casino in Las Vegas and gathered enough information to pretend to be that employee and request information from the help desk. It worked, and that led to a ransomware attack.

Reportedly, MGM recovered without paying the ransom, but Caesars Palace did pay a $15 million ransom after a similar attack, he recalls.

Ransom attacks have been extremely profitable in 2023 and are likely to grow in 2024, Williams predicts. Ransomware insurance should be considered. “We’ve renewed ours a couple times, and it’s an enlightening experience. They’re there to pay claims, of course, but they also have deep resources for dealing with attacks.” 

Cybersecurity insurance is valuable beyond having someone to pay claims, Wisniewski agrees. Insurers use questionnaires and assess the financial institution’s risk controls to determine terms of the policy, he explains, and that can be informative. And insurers have teams that help you respond to an incident before claims would be filed, he adds.

Security training for employees has been a top priority, but the results have been disappointing. 

“Enforcement is still lax,” Sachse observes. “Investigations usually lead to someone high up, and they’re not being punished personally. Most incidents turn out to be a bit excusable, so CUs focus on more training and more layers of approval.” 

Cybersecurity training is happening, Sachse concludes, “but it’s not changing behavior.” 

Naïve or careless employees definitely need to face consequences when they allow fraud, Meyer says. “There must be clear policies and penalties for not following them, up to termination.”

You can try to train employees to detect and prevent suspicious behavior, but you also can reinforce that training by hiring ethical attackers who try every trick to break into your systems, Meyer says. For example, a crook could take a photograph of an employee’s badge while the employee is having lunch in a restaurant, duplicate it and get by a receptionist, he illustrates.


Securing Supply Chains

The other major weak link in cybersecurity is a credit union’s connections to vendors, Sachse points out. “There’s tremendous vendor risk, and credit unions are far too trusting of their vendors,” he charges. “The vigilance needs to be continuous and in-depth. That’s hard to do, and I don’t think anybody is doing it well enough.”

Often a cybersecurity attack is launched not on a credit union but on a credit union’s vendor, Williams notes. “They’re hitting the providers of services that a lot of companies use,” he explains, like a basic file transfer service. “Then they use that breach to gain as much access as possible to the whole network.” 

Credit unions need to recognize that they are part of a cyber supply chain and that security also needs to be addressed at the supply-chain level, Williams says. “We need to get better at understanding how supply chains work and where the weak links are.”

Protecting core operations, Meyer notes, is fundamental and required. The challenge is protecting the edges of operations. As credit unions stretch those edges to accommodate more vendors that can automate operations or satisfy members, the edges become more vulnerable. “It’s a real challenge for a CISO to manage all those third-party exposures,” he observes.

Every credit union relies on third parties, Crone points out, and that increases risk. “When CUs use fintechs experimentally, they create potential gaps. Credit unions and core processors must make sure these fintechs are covered by the same industrial-strength security requirements under the guidelines set by SSAE 18, NCUA and FFIEC,” he notes.

SSAE reviews, Crone concedes, are “only as good as the moment the review is concluded.” This is particularly true because inventive fintechs enter and leave the chain as they provide or fail to provide solutions that FIs hunger for. That includes digital wallets, P2P payment systems and buy now, pay later plans. It also includes pilots and beta tests of software that is not yet in production, he says.

At GTE Financial, security requirements apply equally to established processors and to fintech start-ups, Wisniewski says. That includes beta tests and proof-of-concept testing. If security is not feasible in early-stage experiments, fake data are used, he explains. 

Ending Disorganization

In spite of all the attention given to cybersecurity, credit unions still drop balls. Too often, Meyer notes, a credit union has a fraud team and a cybersecurity team, and they don’t talk, even when they share a common enemy. “There’s not great coordination in the responses they make.”

A major point of vulnerability, Lord says, is the administrative gaps within a credit union’s cybersecurity operation. 

“Be sure you have an intentional, enterprise-wide identity resolution strategy,” he urges. “You have to know for certain who you are dealing with. And you have to tie together all the authentication in one system. Too often it resides in disparate systems. Fraudsters capitalize on gaps.”

“I’ve worked for large firms,” Williams reveals, “and uniformly they lack communication among the cybersecurity stakeholders. They’re not prepared to execute a plan with efficient, coordinated teamwork.” The best are pretty good at recognizing risks, documenting them, mitigating them and having a recovery plan, he explains. But when an event occurs and they have to execute, “things start to go wrong.”

The cybersecurity challenge is a job for a dedicated pro, but pros are scarce and expensive, Sachse reiterates. 

“Only a few of the largest have real ‘chief information security officers,’ at the C-suite level,” he says. “Cybersecurity tends to be packaged with risk or risk and compliance under a chief risk officer; it’s no longer supervised by IT.”

Cybersecurity is going to be a long, asymmetrical war. The bad guys are elusive and effective. The good guys are mobilizing, getting organized, marshalling resources, upgrading weapons and moving toward a chain of command. It may not be a war credit unions can win on their own.

Richard H. Gamble writes from Grand Junction, Colorado.
