skip to Main Content
Is Your Credit Union Board Of Directors ​Cyber-Ready

Is Your Credit Union Board of Directors ​Cyber-Ready?​

 

If your credit union board of directors is well-equipped to handle potential cyber incidents and protect valuable data, you can stop reading now. However, if you feel your board may not be fully cyber-ready, then you may want to read on to learn more about:

  • Board cyber risk oversight
  • Key cyber risk questions to ask
  • Top threats facing board members
  • Cyber-readiness for boards of credit unions.

In today’s technology-driven landscape, the role of credit union boards of directors extends beyond traditional decision-making; they also hold the responsibility of safeguarding sensitive information and upholding data security. With cyber incidents growing in number and sophistication each year, it is imperative for volunteer boards to be cyber-ready.

Cyberattacks Are Here and Rising

Globally speaking, organisations in the financial services sector suffered the second-largest number of known breaches in 2022, just behind government organisations and ahead of the retail sector, according to threat intelligence firm Flashpoint.

Ransomware attacks are rising and becoming increasingly costly. Data from Akamai showed web application and API attacks against financial services firms grew by 257 percent compared with the previous year.

The financial services sector also incurs some of the highest costs for cybercrime, with IBM noting that in 2022, the typical cost of a data breach for this sector stood at £4.69 million – more than a million above the overall average.

What’s the Board’s Cyber Risk Oversight Responsibility?​

The board has a fiduciary duty to act in the best interests of the organisation and its shareholders and stakeholders; this includes overseeing the organisation’s cyber risk strategy. With a focus on protecting an organisation’s assets and interests, boards must ensure that measures are in place to appropriately manage cyber risk and protect against cyberthreats. ​

“In the 21st century, there is not a single major business decision that does not include cybersecurity considerations. Cybersecurity needs to be woven into the entire process, from R&D through manufacturing through public relations. That’s the message about cybersecurity: We’re all in this together.”​ – Larry Clinton, President, Internet Security Alliance

Key Cyber Risk Oversight Principles

Understanding the organisation’s cyber risk profile: The board should have a good understanding of the potential cyber risks facing the organisation, including the likelihood and potential impact of cyber incidents.​

Helping determine the organisation’s level of cyber risk tolerance: No approach to cybersecurity can ever be 100% risk-free, and boards play a unique role in determining the right level of risk tolerance for the organisation, accepting that a certain level of cyber risk is part of the cost of doing business.​

Overseeing the organisation’s cyber risk management strategy: The board should be involved in the development and oversight of the organisation’s cyber risk management strategy and ensuring that it is aligned with the organisation’s broader risk management strategy. Additionally, the board plays an important role in helping ensure the organisation takes a broad-based approach to cyber risk management across departments, and that efforts are not “siloed” to the technology/security team.​

Ensuring compliance with laws and regulations: The board should ensure that the organisation is compliant with relevant laws and regulations, such as GDPR, PCI DSS, etc., and that appropriate measures are in place to comply with these regulations.​

Reviewing the organisation’s cybersecurity program: The board should regularly review the organisation’s cybersecurity program to ensure that it is effective in protecting the organisation from cyber threats — including insider threats.

Ensuring continuity of operations: The board should ensure that the organisation has a robust backup and disaster recovery plan in place, and that the plan is regularly tested.​

Communicating with stakeholders: The board should communicate the organisation’s cyber risk management strategy and its incident response plan (at a high level) to stakeholders such as shareholders, employees and customers.​

Transitioning to a digital governance solution brings with it not only a marked increase in efficiency, but also significant reductions to their level of risk exposure. In our white paper “Digital Transformation in Credit Unions” find out how a digital solution drives efficiency for credit unions, with best practices needed for a digital solution to be truly effective. Download the white paper here.

———————————————————————————————–

Five Key Cyber Risk Questions for Board Directors to Ask

Here are some cyber risk questions your board should be asking:

  1. How are the company’s cyber risks communicated to the board, by whom and with what frequency?​
  2. Has the board evaluated and approved the company’s cybersecurity strategy?​
  3. How does the board ensure that the company is organised appropriately to address cybersecurity risks, and does management have the skillsets it needs?​
  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?​
  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with government guidance?​

Understanding Cybersecurity vs. Cyber Resilience/Cyber Readiness

The terms “cybersecurity” and “cyber resilience” may appear interchangeable, as they both relate to cyber safety and have the same goal of safeguarding against cyberattacks, but they are not quite the same.​

Cybersecurity

When we talk about “cybersecurity” we are referring to the various technologies, human activity, processes, methods and governing policies put in place by security teams to protect an organisation’s digital assets, computer networks and systems against cyber attacks. Cybersecurity creates a barrier — for example, antivirus, firewalls, and locked computer screens, promoting awareness and employee training.  ​

Cyber Resilience

“Cyber resilience” or “cyber readiness” is an organisation’s capacity to prepare, respond and recover when a cyberattack is successful. Becoming cyber resilient means having precautionary measures in place which, if a breach does occur, help to mitigate the impact. These measures support business continuity, reduce loss of productivity, and help the organisation to get onto the path to recovery more quickly.

Top Threats Facing Board Members

Did you know that CEOs and board members are 12 times more likely to be the target of cyberattack? The top three threats facing CEOs, board members and other executives are:

  • Business Email Compromise (BEC): uses your authority against you​
  • Personal mobile devices: put your documents at risk​
  • Public Wi-Fi: a cybersecurity minefield​

IT and cybersecurity aren’t just about protecting documents and data these days. They’re about people, too. Gone are the days where cybercriminals would waste their time chasing small targets. Nowadays, they operate just like any other business. They demand a high return on their investment.​

Business Email Compromise (BEC) ​

Phishing emails have been around for decades, but this latest variation – commonly referred to as Business Email Compromise (BEC) – is designed to play on the inherent trust given to those at the top of the organisation by secretaries, assistants, and other members of staff.​

Those in the C-Suite don’t just have access to data; they have authority, which is often unquestioned. New phishing emails harness this inherent trust, impersonating high-ranking executives with emails to staff that ask for important information, access details or even monetary payments.​

Phishing attacks continue to be a major threat to credit unions. In fact, they accounted for over 50 percent of incidents.​

One of the biggest vulnerabilities for credit unions and banks is the fact that 80% are still using usernames and passwords, and nearly 60% are asking security questions for account access.  67% of the people that had been notified of fraud changed their banking institutions as a result, directly blaming the institution for the breach regardless of whether they had any culpability or not. Is your organisation using two-factor authentication (2FA), a security system that requires two separate, distinct forms of identification for access?​

Personal Mobile Devices

Laptops, phones and tablets are the ultimate convenience, but convenience comes at a cost. Mobile devices are inherently insecure and prone to being lost, misplaced or stolen. The same goes for many other portable devices the modern executive carries with them, such as USB drives and external HDDs.​

Many executives also use mobile devices to serve dual purposes – for both personal and business​ – leading potentially to more cyber risk when accessing websites and online information.

Public WiFi

Public WiFi is as much as a blessing as it is a curse. It’s really convenient, but also vulnerable and often one of the easiest entry points for cybercriminals looking to gain access to sensitive information. It’s incredibly easy to create fake networks, which are so hard to differentiate from the real thing. These are typically found in cafés, airports and hotels. ​

Using Governance Technology Helps Boards Establish a Sound Cybersecurity Framework

Using governance technology helps credit union boards protect sensitive data, as well as prevent, mitigate, and respond to cybersecurity threats.

Governance technology brings in a sound cybersecurity framework that provides:

  • Controls to limit 3rd party access
  • User-based permissions to protect sensitive information
  • Robust data encryption to secure board communication
  • A path for new board members to get up to speed quickly on cybersecurity policies

Given the value of information that is exchanged and accessed by the board, it’s imperative to keep it secure as much as possible.

Board technology should offer:​

  • Encryption of data in transit and at rest
  • Multi-factor authentication
  • Mobile applications that are sandboxed from the rest of the device with the ability to remote wipe if device lost or stolen​
  • Ability to restrict printing and emailing from the system
  • User-based permissioning

By regularly assessing and analysing your entire system, you’re better able to spot any new vulnerabilities and emerging threats. It’s also important to educate board members about cyber security best practices so they are equipped to handle various types of cyberattacks.

Alongside using governance technology, credit union boards should:

  1. Conduct regular security audits and training on cybersecurity
  2. Follow good practice in data management
  3. Have an emergency preparedness plan
  4. Have a clear vision of who-does-what after a breach

As part of our continued commitment to help boards navigate the ever-changing landscape of governance and be prepared for what’s round the corner, the Diligent Institute is now offering a course for board members to enhance their knowledge of Cyber Security Risk.

See how BoardEffect, a Diligent Brand can help strengthen your nonprofit’s cyber resilience. Request a demo today.

Jill Holtz

Jill is a Content Strategy Manager at Diligent. Her strategy background and content expertise working across a variety of sectors, including education, non-profit and with local government partners, allows her to provide unique insights for organizations looking to achieve modern governance.

Back To Top