Mitigating the risks associated with cyberattacks is one of the most pressing challenges credit unions face today. The increasing use of online and mobile banking technologies has made credit unions and their members more vulnerable than ever before. Given the huge cost of a data breach — in terms of both monetary loss and reputational damage — all credit unions should have a solid program for assessing and addressing cybersecurity risks.
Over the last decade, credit union regulators — through the Federal Financial Institutions Examination Council (FFIEC) — have issued guidance on several aspects of cybersecurity. In 2014, the FFIEC outlined the steps credit unions should take to address two severe threats: distributed denial-of-service (DDoS) attacks and cyberattacks on ATM and card authorization systems. Within the last few months, the FFIEC has also released cybersecurity-specific guidance and is in the process of updating its IT examination handbooks to account for emerging cybersecurity risks.
DDoS attacks slow website response times and otherwise disrupt network resources. They’re designed to prevent members from accessing credit union information and services and to interfere with back-office operations. In some cases, the FFIEC explained, criminals use DDoS attacks as a diversionary tactic in connection with attempts to initiate fraudulent wire or ACH transfers using stolen member or credit union employee credentials.
Credit unions should address DDoS readiness as part of their ongoing risk assessments, information security program, and incident response plans. In addition, credit unions should:
- Monitor website traffic to detect attacks,
- Ensure staffing resources can support recovery from a DDoS attack, including potentially contracting with a vendor to assist in managing Internet traffic, and
- Activate incident response plans as appropriate (including notification of Internet service providers and members).
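The FFIEC point above is that a DDoS flood can be cover for fraudulent wire or ACH transfers, so traffic monitoring is most useful when it is tied to the transfer queue. The following is an added illustration, not code from the article or from any regulator: it flags minutes whose request volume jumps far above a clean baseline and then lists transfer requests submitted during or shortly after the spike, so they can be held for out-of-band verification. The request counts, transfer records and thresholds are all constructed.

```python
import statistics
from datetime import datetime, timedelta

# Constructed sample data (not from the article): requests per minute seen at
# the member-facing web site, and wire/ACH transfer requests submitted from
# the back office over the same period.
REQUESTS_PER_MINUTE = {
    "2015-03-02T09:00": 1200, "2015-03-02T09:01": 1150,
    "2015-03-02T09:02": 1300, "2015-03-02T09:03": 48000,
    "2015-03-02T09:04": 52000, "2015-03-02T09:05": 1250,
}
TRANSFERS = [
    {"id": "W-101", "minute": "2015-03-02T09:01", "amount": 2500},
    {"id": "W-102", "minute": "2015-03-02T09:04", "amount": 185000},
    {"id": "W-103", "minute": "2015-03-02T09:25", "amount": 9000},
    {"id": "W-104", "minute": "2015-03-02T09:40", "amount": 700},
]

def _ts(minute):
    return datetime.strptime(minute, "%Y-%m-%dT%H:%M")

def ddos_minutes(counts, baseline_minutes=3, factor=10):
    """Flag minutes whose request volume exceeds `factor` times the median
    of the last `baseline_minutes` minutes that were NOT flagged, so a
    multi-minute flood does not raise its own baseline."""
    clean, flagged = [], set()
    for minute in sorted(counts):
        spike = (len(clean) >= baseline_minutes and
                 counts[minute] > factor * statistics.median(clean[-baseline_minutes:]))
        if spike:
            flagged.add(minute)
        else:
            clean.append(counts[minute])
    return flagged

def transfers_to_hold(transfers, flagged, window_minutes=30):
    """Return ids of transfers submitted during, or within `window_minutes`
    after, a flagged minute: hold these for out-of-band verification."""
    starts = [_ts(m) for m in flagged]
    window = timedelta(minutes=window_minutes)
    held = []
    for t in transfers:
        when = _ts(t["minute"])
        if any(timedelta(0) <= when - s <= window for s in starts):
            held.append(t["id"])
    return sorted(held)

if __name__ == "__main__":
    spikes = ddos_minutes(REQUESTS_PER_MINUTE)
    print("traffic spike minutes:", sorted(spikes))
    print("transfers to verify out of band:", transfers_to_hold(TRANSFERS, spikes))
```

The hold window is deliberately generous: the transfer the flood is meant to hide may be queued after the site has already recovered.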
A recurring theme across the FFIEC's releases over the last year is the recommendation to keep the board of directors continually informed and to become an active member of information-sharing groups, specifically the Financial Services Information Sharing and Analysis Center (FS-ISAC). Board communication has always been an important piece of a mature information security program, so additional recommendations in this area should build on a credit union's existing board communication procedures. FFIEC communications regarding FS-ISAC are relatively new, however, so each credit union should assess its current membership in cybersecurity information-sharing groups. Information on joining the financial industry's FS-ISAC can be found here: https://www.fsisac.com/join
Defending against ATM attacks
The FFIEC also has warned about a dangerous form of ATM cash-out fraud known as “unlimited operations.” It enables criminals to withdraw funds well beyond ATM control limits and even beyond the cash balance in member accounts. In one attack, criminals used unlimited operations to steal more than $40 million using only 12 debit card accounts.
To perpetrate this scheme, criminals typically send phishing emails to credit union employees in an attempt to install malware on the credit union’s network, giving themselves the ability to alter the settings on web-based ATM control panels. By increasing or eliminating limits on ATM cash disbursements and reducing fraud and security-related controls, criminals can quickly withdraw significant sums using fraudulent debit or other ATM cards.
To mitigate ATM fraud risks, credit unions should:
- Conduct ongoing information security awareness training sessions, including how to identify phishing attempts,
- Perform security monitoring, prevention, and risk mitigation, including monitoring third-party processors and ATM transaction activity for unusual behavior,
- Limit access rights and implement secure authentication requirements to reduce the potential for unauthorized access, and
- Review — and periodically test — the adequacy of controls over IT networks, card authorization systems, ATM usage parameters, and fraud detection processes.
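Two of the monitoring controls above, watching ATM transaction activity for unusual behavior and reviewing ATM usage parameters, can be made concrete against the "unlimited operations" scheme the article describes. The following is an added illustration, not code from the article or from any regulator: it keeps a reference withdrawal limit and ledger balances outside the ATM control panel (so a limit an intruder raises on the panel still trips the monitor) and separately reviews the panel's change log for edits that loosen controls. Card ids, amounts, and the parameter names `max_daily_withdrawal` and `velocity_check` are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article). The reference limit and the
# ledger balances are held by the monitoring system, independent of the ATM
# control panel, so a limit an intruder raises on the panel still trips them.
REFERENCE_DAILY_LIMIT = 1000                  # per card, per day
BALANCES = {"card-1": 3200, "card-2": 150, "card-3": 90000}
WITHDRAWALS = [                               # (card, day, amount)
    ("card-1", "2015-02-21", 400), ("card-1", "2015-02-21", 500),
    ("card-2", "2015-02-21", 100), ("card-2", "2015-02-21", 100),
    ("card-3", "2015-02-22", 5000), ("card-3", "2015-02-22", 5000),
    ("card-3", "2015-02-22", 5000),
]
# Audit trail of the web-based ATM control panel; parameter names are assumed.
PARAMETER_CHANGES = [
    {"when": "2015-02-20T23:41", "param": "max_daily_withdrawal", "old": 1000, "new": 0},
    {"when": "2015-02-20T23:42", "param": "velocity_check", "old": True, "new": False},
    {"when": "2015-02-10T10:05", "param": "max_daily_withdrawal", "old": 1200, "new": 1000},
]
LIMIT_PARAMS = {"max_daily_withdrawal"}
CONTROL_PARAMS = {"velocity_check"}

def flag_withdrawals(withdrawals, balances, limit=REFERENCE_DAILY_LIMIT):
    """Alert once per card and day when same-day withdrawals exceed the
    reference limit or the card's ledger balance (the 'unlimited
    operations' signature: limits bypassed, accounts overdrawn)."""
    totals, seen, alerts = defaultdict(int), set(), []
    for card, day, amount in withdrawals:
        totals[(card, day)] += amount
        run = totals[(card, day)]
        for reason, threshold in (("over_limit", limit),
                                  ("over_balance", balances.get(card, 0))):
            if run > threshold and (card, day, reason) not in seen:
                seen.add((card, day, reason))
                alerts.append((card, day, reason, run))
    return alerts

def flag_parameter_changes(changes):
    """Return changes that loosen ATM controls: a limit raised or set to 0
    (taken here to mean 'no limit') or a fraud control switched off."""
    suspicious = []
    for c in changes:
        if c["param"] in LIMIT_PARAMS:
            loosened = c["new"] == 0 or c["new"] > c["old"]
        elif c["param"] in CONTROL_PARAMS:
            loosened = bool(c["old"]) and not c["new"]
        else:
            loosened = False
        if loosened:
            suspicious.append(f'{c["when"]} {c["param"]} {c["old"]}->{c["new"]}')
    return suspicious
```

The tightening change on 2015-02-10 is not reported; only changes that widen what a card can do, like the two late-night edits, are surfaced for review.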
Similar to the guidance on DDoS attacks, regulators also expect credit unions to include these threats in ongoing risk assessments, incorporate new threats into incident response plans and testing scenarios, and participate in industry sharing forums, including the FS-ISAC. The guidance also references Payment Card Industry (PCI) security requirements related to creating and encrypting PINs.
Cybersecurity assessment general observations
After a summer of cybersecurity assessments completed by regulators at a sampling of financial institutions, the FFIEC issued two documents in a press release: one on the general observations gained from these assessments, and a second on financial institutions' participation in information sharing forums.
The information sharing document can be summed up as the FFIEC "recommending that financial institutions of all sizes participate in the FS-ISAC." The general observations reference existing FFIEC IT examination handbooks rather than releasing any new guidance. The initial comments explain how inherent risk varies with multiple variables at each financial institution, which reinforces the need to complete risk assessments and related risk-based audits, since the threats facing each credit union are unique. Beyond the risk assessment portion, the remaining comments closely mirror the information security audits we complete for credit unions, covering controls related to board awareness, all-employee training, event monitoring, technical controls, vendor management, and incident response. The general observations close with a summary of the FFIEC's plan to review and update current guidance to align with changing cybersecurity risks.
Strengthening the resilience of outsourced technology services
Two of the regulatory agencies' hot topics for years have been vendor management and business continuity. The first updated FFIEC IT guidance of 2015, a new appendix, blends those two topics into one list of four key elements. To ensure that critical vendors can recover from a disaster, and can assist the credit union in recovering, the FFIEC recommends focusing on:
- Third-party management
Including vendor business continuity and cybersecurity considerations in initial vendor due diligence and ongoing monitoring procedures.
- Third-party capacity
Considering the impact of a disaster affecting a vendor who works with financial institutions across the industry. As mitigating controls, ensure these vendors have assessed and planned for these low-probability but high-impact scenarios, consider contingency options for bringing operations in-house or to another vendor, and participate through user groups and industry initiatives to improve continuity efforts across the industry.
- Testing with third-party technology service providers
Ensuring test scenarios (including cybersecurity incidents), complexity, and frequency are appropriate for each unique vendor relationship.
- Cyber resilience
Confirming your organization and your critical vendors have assessed the risks and responded with mitigating controls and response plans for cybersecurity disasters, such as malware and insider threats.
The appendix also stresses repeatedly that, whether systems are managed by the financial institution or by the vendor, management and the board remain ultimately responsible for appropriate oversight and for ensuring that operations can resume in a timely manner.
Assess your risk
As financial institutions and organizations in other industries continue to make headlines for breaches of confidential information, expect regulatory pressure to keep focusing on these areas. It is critical for credit unions to evaluate their risks and information security programs on an ongoing basis, especially whenever changes are made to the environment. As they continue to review alerts from groups such as the FS-ISAC, new guidance from the FFIEC, and other cybersecurity news, credit unions should keep asking "Would that attack succeed at our organization?" and "How can we adapt to mitigate these new cybersecurity threats?"