Credit Union Cybersecurity Risk and how YOU are the key

In the National Credit Union Administration (NCUA) 13-Risk-01 Risk Alert, NCUA provides great information relevant now more than ever on how your Credit Union can become better prepared at Cybersecurity risk mitigation.

What does that mean?

The increasing frequency of cyber-terror attacks on financial institutions heightens the need for credit unions to maintain strong information security protocols.

Frequent incidents have included distributed denial-of-service (DDoS) attacks, which cause Internet-based service outages by overloading network bandwidth or system resources.

DDoS attacks do not directly attempt to steal funds or sensitive personal information, with such attempts to distract attention and/or disable alerting systems.  

Key Credit Union Risk Mitigation Strategies

  • Performing risk assessments to identify risks associated with DDoS attacks.
  • Ensuring incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack.
  • Performing ongoing third-party due diligence, in particular on Data Processors, Internet and web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.

DDoS attacks my include attempts to steal member funds or data.
Credit Unions should employ controls described in the 2011 FFIEC supplement to guidance on Authentication in an Internet Banking Environment.

General risk mitigation practices for credit unions with networks that face the Internet include:

  • Maintaining strong information security awareness training programs for employees and members.
  • Utilize transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.

Implementing strong controls over computers used to process commercial payments, including but not limited to:

  • Multi-factor authentication.
  • Removal of hardware tokens upon session completion.
  • Prohibited or highly filter use of Internet browsing.
  • Dedicated, corporate-owned systems without administrator privileges.
  • Following network and application security best practices with regard to configuring systems, patch management, and security testing.

Threat Monitoring

In Appendix A to Part 748 of NCUA’s Rules and Regulations requires credit unions to monitor systems to detect actual and attempted attacks on or intrusions into member information systems.

NCUA also encourages credit unions to participate in information-sharing organizations, such as industry trade groups and the Financial Services Information Sharing and Analysis Center (FS-ISAC),

The FS-ISAC is the global resource for the financial industry for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by members, for members and operates as a member-owned nonprofit entity.

The FS-ISAC also provides an anonymous information sharing capability across the entire financial services industry.

Upon receiving a submission, industry experts verify and analyze the threat and identify any recommended solutions before alerting FS-ISAC members.

This assures that member firms receive the latest tried-and-true procedures and best practices for guarding against known and emerging security threats.

In addition, the United States Computer Emergency Readiness Team (US-CERT),, provides information on the methods used to launch attacks and risk mitigation tactics to reduce their impact.

The US-CERT leads efforts to improve the Nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans.

US-CERT strives to be a trusted global leader in cybersecurity—collaborative, agile, and responsive in a dynamic and complex environment. You can subscribe to US-CERT’s mailing lists and feeds.

In conclusion, it is very important for Credit Unions to put controls in place to monitoring transaction to detect system anomalies and ensure verification procedures with both internal systems and third party vendors.

If you combine that with strong information security awareness training programs for employees and members you are well on your way to managed and educated Credit Union environment.