Who cares about you?

I recently read the following quote from an NCUA official, on the role of specialized cyber examiners, from a NASCUS/CUNA Cyber Security Symposium last week: “Obviously a small institution that could implode from an attack is less impactful to us from an insurer’s perspective than a very large one, but when we are looking at two credit unions in the $100 million range and one is very straightforward and simple and (the other) one has every service and connection under the sun, they’re going to have two distinct risk profiles. So that’s where we would sit there and say, ‘you know what, this is one we’re going to have to focus our energy on.’” So who cares about you? NCUA cares. Hackers care. Security solutions providers care. In light of new and potential regulations and the realities of a consolidating market, ask this: who really cares about the long-term survival of your credit union and your brand?

Of course we know that in this age of technology, with consumers’ desire to have access to their financial information through a multitude of devices, the services and connections referred to above represent a critical aspect of competitiveness. Over the past decade the rise of online and mobile platforms has created an amazing array of services for consumers and incredible tools for credit unions to interact with their members. More recently, add a multitude of new payment platforms into the mix and the reliance on technology increases, bringing with it complexity and, potentially, cyber risk.

This focus on cyber and potential risk is certainly warranted. Cyber risk is uniquely devious in several ways, including its rapidly changing nature. It certainly embodies the mantra “you don’t know what you don’t know.” Perhaps NCUA is correct that small yet complex institutions pose increased risk. On the flip side of the coin, small credit unions may be uniquely capable of streamlining their services and operations more effectively than larger operations that have more potential loose ends and take longer to change course. This is certainly true when one considers the sometimes-marginalized human factors that contribute to lapses in cybersecurity. Does a smaller credit union mean fewer loose ends?

The understanding and assignment of risk is where the movement can play a critical role in the development of new, cyber-focused regulation. All aspects of the financial services industry have some level of comfort with financial risk. Bank leaders, credit union leaders, federal regulators, insurance companies, investment houses, and legislators all have experience and can call upon a vast history of financial failure when calculating risk and projecting impact.

Cyber, however, is a different story. The pool of institutions where cyber can be pointed to as the prime driver in collapse is far smaller, and even with large information breaches such as with Target, the full scope and impact remains to be seen and the business is still thriving. Unfortunately for credit unions, there remains a lot to be learned and experienced when it comes to discovering the true impact of a significant and successful cyber attack. Furthermore, it remains to be seen how such an attack on a small or mid-sized credit union can or will affect the resources and networks it is connected to.

One area where credit unions can be proactive is transparency. Making an honest analysis of their cybersecurity position and coming forward with questions, areas of concern, and known issues can make all the difference. Basically, this means providing the clearest picture of current and potential issues so that regulatory solutions are appropriate and not created in a vacuum. The risks are too great to not be forthcoming.

A catchphrase that is often used on resumes is “self-starter.” Credit unions can be self-starters on cyber, and now is the time. Being proactive shows that you care about yourself and your members. Communications from NCUA and the trade groups point to them searching for solutions, or ways to effectively and fairly incorporate cyber into the regulation and exam process. There are suggestions and models in play, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, that can act as a starting point. There are technology solutions currently being developed that can help credit unions punch above their weight class when it comes to cybersecurity. It will come down to proactive, honest analysis of operations and security and being self-motivated to take steps to ensure cyber safety and security. I would hope that potential increased information security and member well-being would be incentive enough to consider these suggestions before it becomes another piece of the regulatory burden.

Daniel Mica

Dan Mica, former head of the Credit Union National Association (CUNA), established The DMA Group as a means to combine a myriad of experience into a one-stop consultancy. Elected in ... Web: www.dmagroupdc.com