One of the biggest challenges credit unions need to prepare for in 2017 is meeting cybersecurity compliance requirements. They are not alone: a recent report from cybersecurity research firm CyberEdge shows that nearly half (48%) of organizations surveyed, including those outside the credit union industry, had significant concerns about their ability to manage compliance. But credit unions, which typically have fewer IT security and IT operations resources, carry an extra burden: they must balance heightened member expectations for faster, more convenient banking and an ever-evolving technology environment against the need to protect the organization. It's no wonder that many in the industry are dreading what's ahead. Unfortunately, compliance can't be ignored. So what will change in terms of regulations in the coming year, and what is the best approach to managing it all?

Consumer expectations around service, access and convenience have compelled credit unions to innovate to remain competitive. The expansion of applications, platforms and supported devices has significantly improved the banking experience from the consumer's point of view. However, from a cybersecurity standpoint, each of these valued services expands and complicates the attack surface (all the ways in which an organization's IT systems can be breached) by introducing new targets.

In 2017, visibility into complex networks will be key to overcoming compliance challenges: how traffic flows through IT environments, where personal data is stored, and whether the measures meant to protect member data are actually in place and have been tested. Many of today's (and tomorrow's) compliance requirements leave no room for network zones kept in the dark, including those in virtual or cloud environments. If your credit union isn't using security tools that increase visibility into the network, it's time to start looking for some.


In 2017, shared software and services will further facilitate collaboration between credit unions and their partners to provide a better member experience and new high-value services.

While integration with third-party technology partners will provide rich opportunities, it will also introduce significant cybersecurity risks. Any one credit union is likely integrating with dozens of third parties, each one contributing to the attack surface.

To effectively manage cybersecurity risks associated with third parties, credit unions need to lay out their own compliance requirements to ensure their technology partners meet, at the very least, baseline cybersecurity standards on an ongoing basis.

Limited third-party compliance assessments are usually a symptom of limited resources, but the results can be disastrous. An intrusion can originate from any point of connectivity, and the damage is just as devastating no matter how obscure the source. In 2016 alone, U.S. Bancorp, Kroger, Stanford University, Wendy's and Acer, to name a few, were hit by attacks stemming from third parties.

Responsibility for cybersecurity compliance and its associated liabilities – reputational, legal and financial – is shifting toward the executive suite, with company dollars and C-level jobs at stake in 2017.

For example, in March 2017, New York's Department of Financial Services will begin phasing in strengthened cybersecurity regulations aimed at guarding consumer data and financial systems from cyberattacks. The regulations require financial institutions and insurance companies regulated by the state to designate a CISO (or equivalent role), adopt written cybersecurity policies and conduct annual penetration tests, among other seemingly basic requirements. Expect other states to soon follow.

Notably, under these regulations, a board member or senior officer must certify each year that the organization's security controls meet the requirements. A certification later found to be false could expose the individual who signed it to liability, potentially including criminal liability.

Larger credit unions whose members include people in the U.S. on work visas, or people who reside in both the U.S. and Europe, need to be informed about the European Union's General Data Protection Regulation (GDPR). It applies to everyone doing business in the E.U. or handling the personal data of individuals in the E.U.

GDPR won't be enforced until May 2018, but companies are already scrambling to understand and implement the changes needed to comply. One reason: GDPR dramatically increases penalties for non-compliance, with fines of up to €20 million or 4% of global annual turnover, whichever is higher, significantly more than the €750,000 penalty under the current Data Protection Directive.

To effectively manage this ongoing shift, it's critically important to elevate the role and influence of the CISO within the organization's top leadership team. While CISOs can identify risks and prioritize initiatives, it's incumbent on senior executives to infuse the importance of cybersecurity management throughout the organization. It also requires investing in automated tools to systemize not only ongoing cybersecurity management, including regular remediation of vulnerabilities, but also auditing and compliance reporting.

As new technologies roll out, credit union executives should expect increasingly stringent compliance requirements from federal agencies aimed at mitigating the damages and losses associated with cyberattacks. Addressing these requirements without automation is impractical, and the consequences of compliance failure are painful. This is why credit unions need to investigate and implement tools that systemize processes around vulnerability and threat detection, vendor integration, remediation, auditing and compliance reporting.

Ravid Circus is VP, Products for Skybox Security. He can be reached at 408-441-8060 or [email protected].


© 2025 ALM Global, LLC, All Rights Reserved.