The Equifax logo.

In light of last September’s Equifax data breach event – along with new proposed cybersecurity legislation – credit unions have an opportunity to enhance their cybersecurity best practices and generate residual noninterest income by offering identity theft and breach response services to their members.

Here are four lessons learned from the Equifax breach that can help protect your members and credit union:

Lesson 1: The Equifax Effect

No company can fully prevent a data breach from happening. Even Equifax, with more financial and IT resources than most companies in the U.S., wasn’t able to prevent a data breach from occurring.

In Equifax’s case, its data breach event affected 145 million U.S. consumers, and information breached included names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers and more.

Lesson 2: Response and Recovery

Equifax failed in multiple ways to respond in a timely and responsible manner. First, and with irony, the Equifax breach happened because the company failed to fix a software flaw that federal officials had warned about months before. But to make matters worse, Equifax waited nearly six weeks to notify the public after learning of the hacking event.

When this crisis happened, Equifax’s failed management response resulted in its chief information officer and chief security officer “stepping down” and its CEO “retiring.”

Lesson 3: The Future of Cybersecurity Laws

This could include the potential for criminal action for officers and board members of any size organization. released an article titled “The Year Ahead in Cybersecurity Law,” where CSO states that “major legal cases and proposed state and federal legislation will shape how companies respond to and attempt to mitigate cybersecurity and data privacy risks.”

Lesson 4: Industry Best Practices Should Include Response and Recovery

As Risk and Insurance Magazine highlights in this article titled “Cyber Threat Will Get More Difficult,” General Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, and current principal at security consultant the Chertoff Group, stated that “companies should focus on response, resiliency and recovery when it comes to cyber risks.”

According to Hayden, “Companies are focusing on the vulnerability aspect, and responding by building high walls and deep moats to keep attackers out. If you do that successfully, it will prevent 80% of the attackers.”

Hayden added, “But that still leaves 20% vulnerability, so companies need to focus on the consequences: It’s about response, resiliency and recovery.”

In an era of growing data breach risks, credit unions that offer data breach “response” services to their business accounts can differentiate themselves. These unique data breach recovery services can help to attract and retain business accounts, which will incrementally grow revenues.

All businesses need strong document management policies, and since financial institutions are particularly targeted by criminals, credit unions need strong data breach response solutions themselves to help protect the institution, their members, staff and board of directors.

For all these reasons noted above, complying with the NCUA Supervisory Priorities for greater cybersecurity preparedness needs to be the top priority for credit unions. This will help credit unions avoid the “Equifax nightmare” and create the basis for the ultimate response to any data breach when it happens. Credit unions must search and find solutions that will not only address cybersecurity preparedness, but also generate new income streams … because cybersecurity preparedness isn’t cheap.

Mark Pribish is the VP and ID Theft Practice Leader at Merchants Information Solutions, Inc. He can be reached at

Jim McCabe is the SVP, Identity Theft Solutions for Vero, LLC, a subsidiary company of CU Direct. He can be reached at