Discover the key risks facing credit unions, effective strategies to combat threats and the importance of consumer protection.
The early 2020s were a whirlwind for cybersecurity. Increased economic insecurity gave many criminals a renewed incentive to carry out damaging cyberattacks, advancements in technology (namely AI and machine learning) created new opportunities for deception, and lockdowns isolated people, making them more vulnerable to scams.
In 2024, cybersecurity is more important than ever. Cyberattacks are on the rise with over 8 billion records breached in 2024. In the midst of this, new leadership at the NCUA promises to prioritize consumer protection, which could put an added strain on credit unions in the process.
As attacks on credit unions grow more frequent, cybersecurity for credit unions must be a top priority, more now than ever. In 2022 alone, the global cost of cybercrime was $8.4 trillion — a number experts project to rise to $23.8 trillion by 2027.
In this guide, we’ll provide an overview of cybersecurity compliance, highlight some top cybersecurity risks for credit unions, share some winning strategies for combating those risks, and discuss the need for consumer protection amid these increasingly uncertain times.
In October, chairman of the National Credit Union Administration (NCUA) Todd Harper explained why credit unions are particularly vulnerable to cyberattacks: “CUSOs [Credit Union Service Organizations] and credit union third-party service providers do not have the same level of oversight as bank vendors, as the NCUA lacks the statutory authority to directly examine or supervise these entities.” In other words, the reduced oversight of credit unions makes them especially appealing targets for cybercriminals.
Though the NCUA lacks the authority to directly supervise the cybersecurity of credit unions, they do provide the first line of defense against cyberattacks in the form of their Automated Cybersecurity Evaluation Toolbox (ACET). NCUA’s ACET offers credit unions a structured approach to evaluating their cybersecurity efforts.
In September, the NCUA issued a new rule requiring credit unions to notify the NCUA within 72 hours of a cyberattack (or suspected cyberattack). Within the first 30 days of this new rule, the NCUA had already received 146 reports, as many as they previously received in an entire year.
While the NCUA is the primary organization regulating cybersecurity for credit unions, organizations should also be aware of the Gramm-Leach-Bliley Act, which contains rules for how financial institutions must disclose their information-sharing practices with their customers, and the FFIEC IT handbook, which contains helpful best practices for securing information.
The four years have been a harbinger of change in the economy, consumer behavior, and infrastructure, but nowhere has this change been as significant as in the world of technology. Here are some of the major cybersecurity threats that credit unions face in 2024:
If an unauthorized party gains access to your company’s or your customers’ protected information, they may steal, misuse, delete, or disclose your most sensitive data. This cybersecurity risk is called a data breach. Recently, a data breach at Bayer Heritage Federal Credit Union led to as many as 61,000 people’s data being stolen. However, data breaches aren’t always the result of a malicious third party. In February 2024, CU Solutions Group exposed 3 million users’ data by misconfiguring their database and leaking their email addresses, IP addresses, and even their passwords in the process.
In a phishing attack, unauthorized parties impersonate another person to gain information through social engineering. A phisher may use the name of a real person within an organization, claim to represent a company they aren’t affiliated with (including major companies like Amazon or Microsoft), or even use spoof email addresses to make their messages appear legitimate, but their goal is to trick users into providing protected information. Special types of phishing attacks include “spear phishing” where bad actors target a specific individual within an organization, “whaling” where cybercriminals target a high-ranking employee like a CEO or president, and “smishing” which is a portmanteau of “phishing” and “SMS” referring to phishing attempts via text messaging.
In December 2023, a ransomware attack temporarily shut down 60 credit unions. As the name suggests, a ransomware cyberattack holds an organization’s computer systems “ransom” until the organization gives in to the attacker’s demands. Ransomware is one prevalent form of malware, a more general term for malicious software like viruses, trackers, and ransomware.
In a man-in-the-middle attack, a cybercriminal intercepts communications between two authorized parties, using that information for their gain. Man-in-the-middle attacks can happen when credit unions communicate over unsecured emails or use public Wi-Fi, making their communications visible to third parties, but they can also occur as a result of malware installed on official devices.
With cyberattacks on the rise – leaving credit unions particularly vulnerable – credit unions should take a proactive approach to mitigating both their internal and consumer risks.
Risk assessments like NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET) help credit unions gauge their cybersecurity maturity. This tool interfaces with another previously mentioned tool: the FFIEC IT Handbook. The ACET provides plain-language interpretations of FFIEC standards to help credit unions evaluate their compliance with cybersecurity best practices.
Perhaps the most important step a credit union can take to manage its cybersecurity risk is to invest in ongoing training. The goal of ongoing security training is both to equip employees with the knowledge of common security risks and how to avoid them, but also to influence the culture of your organization to be security-minded. Cybersecurity is difficult to enact from the top down as many of the biggest cybersecurity threats work from the bottom up (phishing, man-in-the-middle attacks, etc.). Training bridges this gap, creating a culture of vigilance that starts with frontline employees and extends to executives. Good training can reduce cybersecurity risks from 60% to 10%, making training one of the easiest and most effective ways to boost security.
While a culture of cybersecurity vigilance goes a long way, cybersecurity is fundamentally a technological attack. Though bad actors often rely on low-tech social engineering to infiltrate credit unions, high-tech solutions can safeguard your data. For instance, using encrypted document sharing portals eliminates the opportunity for man-in-the-middle attacks that rely on unencrypted communication. Cybersecurity software can also monitor for unusual activity, often catching criminals before they’ve had the opportunity to launch a formal attack.
Nearly half of all credit union cyberattacks are simple password attacks on web applications. Cybercriminals return to this method because it’s easy, simple, and has little to no consequence for incorrect guesses. To combat cyberattacks, the NCUA recommends making it more expensive for attackers to succeed, thereby disincentivizing would-be attackers. One such way to increase the cost of attack is by using robust authentication protocols that encrypt and secure users’ identities. Authentication protocols make it harder for third parties to spam password attempts, thereby increasing the cost of attack and disincentivizing cybercriminals.
In addition to reporting cyberattacks to the NCUA within 72 hours, credit unions should establish their own thorough incident response plans. These plans should account for everything from blocked phishing attempts to successful data breaches. While the specifics of the plan will be unique to the organization, the general framework of an incident response plan should include preparing for potential attacks, detecting and identifying cyberattacks, containing and addressing attacks when they do occur, and a plan for continuous improvement in the aftermath of an attack.
Consumers put a lot of trust in their financial institutions to safeguard their data, even when they don’t fully understand the consumer risks they’re being protected from. Consumer protection must be a top priority for credit unions as the reputational, financial, and legal consequences of a cybersecurity event can be significant.
Since the National Credit Union Share Insurance Fund insures credit union deposits of up to $250,000 (similar to the FDIC, which insures bank deposits up to the same amount), consumers are relatively protected from direct financial loss. However, cybercriminals don’t always target money (at least, not directly). Information can be just as valuable.
Cyberattacks are damaging to both credit unions and their customers. Once information is leaked, it’s difficult (but not impossible) to regain control, which is part of the reason why the NCUA’s renewed commitment to consumer protection comes at such an important time.
Prioritizing consumer protection requires more than just reacting quickly to cybersecurity threats — it also means being proactive. Proactive credit unions use a combination of industry best practices, technology, and vigilance to keep their customers — and their customers’ data — safe.
With the rise in cyberattacks, both inside and outside credit unions, credit unions must minimize consumer risk.
Your credit union can effectively minimize risk by staying in compliance with regulatory requirements, following best practices, being familiar with the most prevalent cybersecurity risks, and employing winning strategies.
This proactive approach helps credit unions navigate the complex world of cybersecurity, keeping themselves and their members safe from harm.
Improve your security measures and safeguard your members' data. Request a FileInvite demo today.
HR contract management and employee onboarding doesn't need to be complicated, automated systems are here to make these processes much more efficient.
Document collection tools can do more than just collect documents and data - commercial lenders can use them to actually improve their loan...
Financial institutions must understand personally identifiable financial information in order to prevent disclosing it. Here are some of the common...