October is Cybersecurity Month, and as such, I can think of no better time to reassess where our industry is and where it’s going in regard to cybersecurity. Earlier this year, the NCUA said cybersecurity would be a priority focus in 2023, and we’ve seen more regulators with this specific focus added to engagements. Looking forward, there are many areas in which credit unions will need to implement new or stronger cybersecurity plans. Today, we’ll focus on a few of those areas and how you can keep your credit union up-to-date and secure.
Incident response plans
In Michigan, the state regulators are on a three-year rotation of bringing an IT specialist into the examination process for a deeper dive than the normal checklist items. In preparation, credit unions should have a formal incident response plan, as it has been a focal point for examiners the last couple of years (the headlines that ransomware and other attacks generate are motivation enough). The plan should specifically address cyber incidents: ransomware, data breaches, exposure of member data and similar events, as opposed to the robbery, internal fraud and other traditional incidents that plans of the past were written around.
If you already have an incident response plan, be prepared to be asked how you train staff on it, whether through a tabletop exercise at least once per year or another type of awareness/readiness training. Role-playing, especially for those new to the concept, is a good way to practice the workflow and decision-making that would need to happen in a real incident, so there is real value in the preparation. There has also been a marked shift from treating incident response as an IT responsibility to treating it as a key item for the entire institution, with the CEO and board of directors participating.