Data breaches and cybersecurity incidents happen every day, and credit unions need to be considering what to do when – not if – they are attacked. Not only are breaches due to hackers, malware and phishing attacks on the rise, they are becoming increasingly complex and expensive to fix. In this risky climate, credit unions must do what they can to stop potential threats and prepare to respond to attacks.

Earlier this year, the NCUA released its Supervisory Priorities for 2016. Topping that list were Cybersecurity Assessments and Response Programs for Unauthorized Access to Member Information. With the NCUA carefully evaluating credit unions' risk management and information security programs, it is especially important that institutions and their service providers have the necessary policies and best practices in place.

Credit unions must focus on four main impacts of a data breach: Legal, reputational, financial and operational, according to a 2015 FFIEC Cybersecurity Assessment Tool Presentation. Legal impacts are the result of a credit union's duty to protect member information, as required by the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act and the Fair Credit Reporting Act. Credit unions may also find themselves in violation of Dodd-Frank by committing unfair, deceptive and/or abusive acts or practices if the credit union is determined to have advertised security protections that weren't actually in place. Violations of these rules and regulations can result in civil penalties and administrative sanctions.