Improved Technology Security Vital to Avoiding Losses, Expense and litigation
Technology has revolutionized worldwide communications and the manner and speed in which we transact business in our professional and personal lives. It has also provided new and fertile opportunities for criminals to commit acts of thievery on unsuspecting individuals and businesses.

Until a couple of years ago, technology breaches at credit unions were almost exclusively confined to the telephone. The usual scenario involves someone impersonating a member, calling to perform a transaction or request access to an account, such as to receive a new home banking password. Most claims resulting from these "account takeovers" are caused by family members. Although still the most frequent type of technology breach, telephone fraud losses are generally not severe because they usually affect only one account at a time.

Computer breaches are becoming more prevalent as high-tech crooks hack their way into financial institution systems with devastating results. Although still lower in frequency than telephone fraud, computer breaches are much more severe. A successful hacker can steal information on multiple credit union members, which can then be used for identity theft at other institutions.

The problem is escalating. Before 2002, CUNA Mutual did not have any claims for hacker thefts of confidential member information. Since then, we have seen some startling cases emerge at fairly large credit unions. All were due to credit unions not having adequate information security programs in place.

The consequences of computer breaches are damaging and costly. For individuals, the unauthorized access of confidential member information can lead to an identity theft nightmare. Credit unions suffer, too. Increased losses result in higher insurance costs and a tarnished reputation that can take years to repair.
Legal wrangles can also result from the potential for class-action breach-of-privacy litigation against the credit union, its board, and management for negligence in protecting confidential member information.

Credit Union-related Hacker Case Scenarios

Hackers have successfully breached the security of a number of credit unions' systems, leading to the compromise of member information. Information that usually gets compromised includes completed member loan applications submitted to a Web site, home banking passwords, account information within the home banking system, and payment information contained in bill payment systems. These types of member information in the wrong hands will certainly lead to serious identity theft and account takeover frauds against those members.

In most breaches, hackers take advantage of unpatched system vulnerabilities in the credit union's computer network, especially within the servers hosting the Web sites or home banking systems. In a couple of recent cases the credit unions were using servers provided by their home banking vendors (installed on the credit union's network), and the servers contained known vulnerabilities. Trusting the vendor to manage the security on these servers turned out to be a mistake.

Hacker breaches are always discovered after they occur and usually come as a big surprise to the credit union. Sometimes the credit union gets an extortion threat from a hacker who has already stolen member information. The hacker demands a ransom payment and threatens to distribute the member information over the Internet if the demand is unmet. Other breaches have been discovered during vulnerability assessments performed by third-party security firms. Unfortunately, these types of discoveries often occur months after the breaches actually happened.

Having confidential information compromised isn't just a problem at smaller credit unions.
Quite surprisingly, most breaches we are aware of occurred in credit unions with assets greater than $200 million. Many credit unions are unaware how exposed they are to hackers. CUNA Mutual has relationships with security vendors that perform vulnerability assessments. They report finding serious security issues in almost every credit union they evaluate. Particularly concerning are credit unions that have not yet obtained a basic vulnerability assessment; they may already have a problem and not even know it.

Tip For Avoiding Problems

Don't rely on the security of a data processor or other vendor for your entire system. If a credit union is using a vendor to host a home banking service, that vendor is likely obtaining third-party security assessments of its system. This, however, does nothing to secure the other systems under the credit union's control. If a credit union's computer systems are connected to the Internet for purposes of Web browsing or email, member information contained on the credit union's internal systems is at risk. Credit unions need to assess the security of their own Internet-connected systems, regardless of whether they have Web sites or offer home banking services.

Credit unions should not be lulled into thinking all is well just by obtaining a periodic security audit. Information security is an ongoing program that needs constant attention. A vulnerability assessment is just the starting point. It shows a credit union where serious vulnerabilities exist at that point in time. In addition, credit unions also need to consider:

- Addressing and correcting any vulnerabilities found in the initial assessment.
- Having an ongoing patch-management process in place to make sure firewalls and servers have up-to-date security. Don't assume somebody else is taking care of this for the credit union; it is the credit union's responsibility to complete.
- An intrusion detection monitoring system.
  It's important for credit unions to monitor and know what kind of activity is happening through their Internet connections and to detect penetrations by unauthorized users.
- Installing virus detection on all computers AND incoming email.
- Regular vulnerability assessments that include internal scans, external scans, and penetration testing. At a minimum, this should be done annually. For credit unions that host their own Web or home banking servers, this should be done monthly or after any major system configuration changes.

Finally, credit union management and boards of directors need to understand this issue and their specific roles. A good reminder comes directly from the NCUA Rules and Regulations (Appendix A to Part 748, Sections III. A. and III. F.), promulgated in July 2001 under the Gramm-Leach-Bliley Act:

The board of directors or an appropriate committee of the board of each credit union should: 1) Approve the credit union's written information security policy and program; and 2) Oversee the development, implementation, and maintenance of the credit union's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines. The report should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

Employees should also understand their roles in the event of an information security breach. Credit unions that suspect their systems have been compromised should contact their security provider. If certain that a breach occurred, contact local law enforcement authorities.
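The patch-management and assessment-cadence items in the list above are easy to state and easy to let slip. The following script, added here as an illustration and not code from CUNA Mutual or any vendor named in the article, turns those items into a checklist a credit union can run against its own system inventory: it flags any system whose vulnerability assessment is older than the cadence the article prescribes (annual at minimum; monthly, or after any major configuration change, for self-hosted Web or home banking servers), any required patch that is not installed, and any system without virus detection. The inventory, the patch baseline, the patch identifiers and the "today" date are all constructed sample data; a real deployment would read them from the credit union's asset and patch records.

```python
"""Self-check for the ongoing controls the article lists: assessment cadence,
patch currency and virus detection. All data below is constructed for the
example; nothing here comes from a real credit union or vendor."""
from datetime import date, timedelta

# Cadence from the article: annually at minimum, monthly for self-hosted
# Web/home banking servers (or sooner after a major configuration change).
ANNUAL = timedelta(days=365)
MONTHLY = timedelta(days=31)

# Constructed patch baseline: patches each system type is expected to carry.
# The patch identifiers are invented placeholders, not real advisories.
BASELINE = {
    "web-server": {"WEB-2024-001", "WEB-2024-002"},
    "file-server": {"FS-2024-001"},
    "mail-gateway": {"MAIL-2024-001"},
}

# Constructed inventory of three systems.
INVENTORY = [
    {
        "name": "web-01",
        "type": "web-server",
        "hosts_web_or_home_banking": True,   # self-hosted home banking server
        "last_assessment": date(2024, 5, 1),
        "last_major_change": date(2024, 6, 1),  # config change after the last scan
        "installed_patches": {"WEB-2024-001"},
        "antivirus": True,
    },
    {
        "name": "fileserver",
        "type": "file-server",
        "hosts_web_or_home_banking": False,
        "last_assessment": date(2023, 3, 10),   # more than a year ago
        "last_major_change": None,
        "installed_patches": {"FS-2024-001"},
        "antivirus": False,
    },
    {
        "name": "mail-gw",
        "type": "mail-gateway",
        "hosts_web_or_home_banking": False,
        "last_assessment": date(2024, 1, 20),
        "last_major_change": None,
        "installed_patches": {"MAIL-2024-001"},
        "antivirus": True,
    },
]

TODAY = date(2024, 6, 15)  # constructed review date


def assessment_due(system, today):
    """True if the system's vulnerability assessment is overdue under the
    article's cadence. Self-hosted Web/home banking servers are due monthly
    and immediately after any major configuration change; others annually."""
    last = system["last_assessment"]
    if system["hosts_web_or_home_banking"]:
        if today - last > MONTHLY:
            return True
        change = system.get("last_major_change")
        return change is not None and change > last
    return today - last > ANNUAL


def missing_patches(system, baseline):
    """Patches the baseline requires for this system type that are not installed."""
    required = baseline.get(system["type"], set())
    return sorted(required - set(system["installed_patches"]))


def review(inventory, baseline, today):
    """Run all three checks over the inventory and return (system, finding) pairs."""
    findings = []
    for s in inventory:
        if assessment_due(s, today):
            findings.append((s["name"], "vulnerability assessment overdue"))
        for patch in missing_patches(s, baseline):
            findings.append((s["name"], f"missing patch {patch}"))
        if not s["antivirus"]:
            findings.append((s["name"], "no virus detection installed"))
    return findings


if __name__ == "__main__":
    for name, finding in review(INVENTORY, BASELINE, TODAY):
        print(f"{name}: {finding}")
```

With the constructed data, web-01 is reported twice (assessment older than a month and a missing patch), fileserver twice (assessment older than a year and no virus detection), and mail-gw not at all. The point of the design is that the cadence is encoded once, in `assessment_due`, so a configuration change on a self-hosted server re-triggers the monthly requirement without anyone having to remember the rule.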