Malicious hacks, cybercrimes, compliance—information security priorities are ongoing and ever-evolving. But there’s no need to get spooked by these looming threats.
October is Cybersecurity Awareness Month, and the Cybersecurity and Infrastructure Security Agency (CISA) has themed this twenty-first year of the campaign “Secure Our World.” The campaign emphasizes that every business and individual plays a role in defending cybersecurity, and improving our cyber hygiene is essential.
In honor of Cybersecurity Awareness Month, here are some emerging best practices for information security.
The Clock is Ticking: Credit Unions Need to Enhance Cyber Reporting
Cyber threats are escalating alongside advancements in AI, and attackers are keeping pace with innovative ways to execute their malicious missions. Financial institutions, especially federally insured credit unions (FICUs), are now subject to stricter requirements for reporting suspicious and harmful cyber incidents.
The NCUA Board’s final ruling provides guidance on how to report such incidents, setting a countdown on how soon eligible FIs must respond. All federally insured credit unions must notify the NCUA as soon as possible, but no later than 72 hours after reasonably believing a reportable cyber incident has occurred.
What qualifies as a reportable cyber incident?
A reportable incident is defined as a “substantial loss of confidentiality, integrity, or availability of a network or member information system that results from unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.”
It’s important to note that the reporting requirement applies regardless of the breach's scale, and this protocol is widely considered a best practice among non-FICU banking institutions as well.
Insurance You Can Bank On
Regulatory bodies offer guidance on responding to a breach, but what can be done to mitigate the impact and reduce losses?
The rise in data breach litigation, ransomware payouts, and other cybercrimes underscores the need for enhanced cyber insurance options. The surge in attacks has led to stricter cyber insurance underwriting requirements and stronger enforcement of data privacy laws.
Cyber liability protection policies help cover the costs associated with a potential data breach, aiding your financial institution’s recovery after an attack. To reduce the risk of your data or your accountholders’ data being stolen or misused, financial institutions should maintain appropriate insurance requirements and effective controls.
Best practices for these controls include:
- Encrypted, air-gapped/cloud-based backups
- Multi-factor authentication (MFA) on backups, remote network access, remote email access, and admin/privileged user accounts
- Endpoint detection and response (EDR) solutions
- Email filtering
- Encryption on data at rest
- Phishing and social engineering training for employees
- Keeping devices and software patched to the latest version to address vulnerabilities such as the Log4j flaw
These best practices are most effective when paired with expert training and education. Regular, ongoing training should be provided to all staff and board members. ID theft protection for employees and institutional data breach protection may also be beneficial additions to your existing cyber liability insurance.
Be sure to incorporate these key protocols into your business continuity management plans. Above all, remember that cybersecurity service partnerships and industry education resources are readily available to support you.
Cyber threats are becoming harder to predict, and it’s no treat to tackle them alone. But with the right resources and knowledge, you can take a proactive approach to protecting your financial institution—and safeguarding the security and privacy of those you serve every day.