In a recent blog post for CU Insight, former CUNA CEO Dan Mica argued that, in addition to credit unions’ tax-exempt status and consolidation, cybersecurity ranked as a major threat to credit unions. As Mica explained, “there is certainly a tipping point in safety and soundness where the regulators and public will not allow a credit union to continue to operate if security is a continual problem.”
Not that a highly paid, DC super lobbyist needs my vote of confidence, but amen brother! Credit unions need to confront cybersecurity on the legislative, legal and regulatory front if they are going to keep costs manageable for all but the largest of our institutions. On the regulatory front, the National Institute of Standards and Technology (NIST) recently issued a discussion draft laying out a suggested framework for all industries and businesses to follow in assessing threats to their computer systems. For example, the draft identifies key areas of a business that need to be protected and suggests that every business grade itself on how well it is protecting these core functions. It reminds me an awful lot of the type of matrix that credit unions have adopted in assessing their BSA vulnerabilities and I wouldn’t be surprised if we see regulators imposing an IT analysis framework on all financial institutions.
One of the reasons why the NIST framework might take on significance is because Congress remains unable to agree on cybersecurity legislation. For my money, one of the top legislative priorities of credit unions has to be the expansion of liability to major retailers whose mismanagement of credit and debit card information creates so much of the financial costs associated with data theft in the first place. I know I am preaching to the choir on this one, but we have to be able to place the costs of data theft on the parties most responsible for letting it happen and existing law on both the state and federal level doesn’t allow courts to do that, at least as between card issuers and retailers.
The combined legal, regulatory and reputational risks are particularly acute for smaller credit unions. Irrespective of the size of your credit union, if you are on a computer network, then your credit union is a potential portal for cyber thieves. As a result, no credit union — no matter how small — will be exempt from the costs and obligations of cybersecurity requirements. Now’s the time for Congress and legislators to make sure that the costs are apportioned reasonably across all business sectors and that regulators balance the need for increased scrutiny against the cost of compliance.