Is Your CU Prepared for a Cyberattack?
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

I was trying to think of what to write about in my blog article when I happened to glance to my right and I saw snow floating down outside my window. For me, this would normally be a sight that evokes visions of hot chocolate, a roaring fire, and the upcoming holidays. Unfortunately, what I’m seeing is what the weather professionals have been calling a “winter blizzard”. They might have a point, as just beyond the snowflakes at my window I see the New Jersey Turnpike (not a pretty sight on any given day) and the truck lane is backing up quickly as I now realize the flakes are coming down swiftly and the wind is blowing them sideways. After those images quickly impressed themselves on my brain, I thought…I wonder how prepared credit unions are for the upcoming winter season?

Is your Business Continuity and Disaster Plan up-to-date? Have your managers and employees been trained on what to do in the event of a physical impact to the business, such as severe weather, power loss, roads closed, etc.? Has your plan been proactively explained in detail to your board of directors, including the costs to make a recovery?

Now you might be saying to yourself, but if that’s what she was thinking, what’s with the title, “Is Your CU Prepared for a Cyberattack?” That’s because, although you may not have thought of this, you can use business continuity planning to prepare your credit union in the event of a cyberattack on your systems. How, you say? Well, I’ll tell you how.

According to CUInsight’s October 16 article by Tyler Leet, Computer Services, Inc., if we think about what happens to a credit union following a cyberattack, a loss of member data, direct theft from accounts, regulatory scrutiny and the requirement of refunding members’ money or replacing cards are some of the most common aftereffects. But the writer goes on to say, “an even more worrisome cyberattack effect is the disruption to business continuity and inaccessibility of online banking, mobile banking and ATM networks. In fact, a disruption to service could potentially affect credit unions even more dramatically than would a data breach.”

What I took from that is that just as a credit union plans for business continuity related to natural disasters, it also should prepare specific plans for responding to a cyberattack. Leet wrote, “A business continuity plan provides an organization with appropriate instructions and procedures as a response to a disaster. Such continuity plans cover the areas of assets, human resources, notifications to business partners and the management of business processes.”

Like any good plan, a successful cyberattack disaster recovery plan is regularly updated and tested by all relevant employees. In order to minimize downtime, two questions should be addressed when building a business continuity plan specific to cybercrime:

  1. How good are your data back-ups?
  2. Does your overall business continuity plan incorporate cybersecurity?

Two other points were made that credit unions would be wise to heed:

  • Although many business continuity plans are centered on events like natural disasters, cyberattacks are becoming an even greater risk.
  • Even if an attack does not compromise member data, as would be the case with hackers shutting down the online banking server with a DDoS attack, any attack can cause damage.

So, credit unions should continue to diligently prepare for natural disasters or impacts to business systems that might disrupt normal operation or access to your membership. However, don’t forget to make room in your business continuity / disaster recovery plan for mitigating and recovering from cyberattacks as well. Last, but not least, Leet advises “that it is vital that credit unions compile an incident response protocol, which trains employees on what to look for as well as the steps to take when a potentially damaging attack has been identified”.

Questions? Need compliance help? Contact NJCUL’s Vice President of Compliance & Regulatory Affairs, Nicola Foggie, at nfoggie@njcul.org.