Don’t let cybersecurity concerns hack your credit union board’s success

As credit unions’ work becomes more digital and cyber criminals become more innovative, cybersecurity is more important than ever. Here’s what CU boards can do to mitigate risk.

Credit union board meetings are packed with information. From discussion of old and new business to committee reports to voting, boards cover a lot of topics in precious little time.

Unfortunately, cybersecurity is an often-overlooked topic during these meetings. That’s not just a big problem, it’s a costly one, in an industry that lives and dies with costs.

According to a 2022 IBM report, the average total cost of a data breach in the U.S. last year was $9.4 million. For that reason, along with the growing number of cyber threats, credit union boards must prioritize cybersecurity.

But what is the board’s proper role on this topic within their organization? Let’s cover what boards should and shouldn’t do.

Provide oversight

The proper role of the credit union board is to provide oversight on cybersecurity. It should be as involved in cybersecurity as it would be with any other crisis within the organization — maybe more so, given the potential financial loss involved. It should treat cybersecurity with as much suspicion and curiosity as it would with anything else in the organization.

The Securities and Exchange Commission (SEC) recently proposed rules for cybersecurity risk management, strategy, governance, and incident disclosure. This will further affect boards’ roles in mitigating potential risk, as well as establishing and maintaining effective risk management strategies. From troubleshooting to formulating external communications, boards should be thinking about all sorts of aspects of cybersecurity oversight.

Boards should strive to have at least one member who’s well-versed on the topic. Failing that, they should be even more inquisitive of the steps their organization is taking to keep its assets and critical information secure. “You might not know exactly what you should be doing. You have to rely on employees’ expertise,” said Nick Merker, an intellectual property and technology practice lawyer at Baker & McKenzie LLP.

Appoint cybersecurity experts to the board

As the world becomes more digital and cybersecurity grows more important, it only makes sense to have a board member with professional cybersecurity experience.

It’s becoming increasingly common to see chief technology officers (CTOs) on boards. When ransomware negotiations take place, board members want to be involved in every step, asking questions someone in the same position would never have thought to ask even five years ago.

That said, cybersecurity shouldn’t be important to just one appointed expert on the board, nor should any other board member de-prioritize the topic. Don’t add a cybersecurity expert or CTO to your board so they can handle everything cyber-related and allow other board members to sit out when cyber concerns arise. All board members should be involved enough to ask intelligent questions and be able to make informed decisions when the need arises.

Take the long view on cybersecurity

It’s easy for boards to think about the immediate costs of implementing sound cybersecurity practices while de-emphasizing the future benefits. Credit unions, and CU boards, can’t afford to think that way.

CU boards should strongly consider forming a cybersecurity oversight committee that focuses on these issues. It could include management- or executive-level employees within the organization who are cybersecurity experts. This committee would perform oversight and report to the board as a whole.

Boards should also get involved in their credit unions’ cybersecurity effectiveness and preparedness. One way to achieve this could be via “tabletop drills,” which allow boards to practice how they would respond when a cyberattack happens.

Finally, check out your organization’s insurance policies, or get a policy if one isn’t already in place, and seek out preferred vendors for forensic investigations. “Line up forensic investigators before you need them,” Merker says. “Things happen fast.”

Data breach costs aren’t just financial

The cost of a data breach goes beyond the seven-figure average mentioned above. Such breaches can damage a credit union’s reputation, along with that of its board.

Even if the breach doesn’t involve financial information or a ransom demand, rebuilding lost trust among CU members, vendors, and anyone else a breach affects isn’t easy.

That said, if a credit union responds well to a breach, it could reflect well on the organization long-term. “A company can put themselves in a positive light by how they respond,” Merker said. “Some companies look better on the other side.”

The bottom line on cybersecurity for credit union boards

Few other industries have as much to lose as credit unions when it comes to cyberattacks, due to the money involved and the sensitive information CU members trust them to keep private. Potential costs don’t end with ransom payments or immediate financial loss from the attack itself. They also manifest themselves in the form of business interruption costs, remediation costs, and increased insurance premiums, among others.

Credit union boards should get in front of these threats and become involved with their organizations’ cybersecurity plans, from appointing IT experts to the board to simply ensuring board members are intellectually curious and invested in the topic. Your organization and its members deserve that.


OnBoard is a CUES Premier Supplier Member.

Mick Cobb

Mick Cobb is OnBoard’s Chief Technology Officer. An accomplished leader in software development, IT service delivery, enterprise architecture, and data security, he holds an MBA from the Massachusetts Institute ...