Breaches, account takeovers, cardfraud, malware, phishing, ransomware, DNS attacks … whichcybersecurity development will have the greatest effect on creditunions in the coming year? Some credit union industry professionalshelped draw a picture of what to expect in 2019.

“The continued organization and consolidation of cybercriminalswill result in greater efficiency in their effort to attackexisting vulnerabilities, while accelerating their ability toexploit new vulnerabilities,” Nayan Patel, vice president,strategic alliances at Fiserv, said. This, along with theincreasing lack of cybersecurity talent available to most creditunions, will necessitate the adoption of security orchestrationplatforms as well as the enlistment of trusted partners to augmentexisting tools and staff in the form of managed security serviceproviders.

Patel said the concept known as SOAR (security orchestration,automation and response), will tremendously influence credit unionsand other institutions going forward. “SOAR platforms enableorganizations to collect security-related data from the manydifferent sources that comprise an institution's securityecosystem, and apply machine learning and automation to that datain order to quickly detect, identify and remediate maliciousattacks.”

Paul Love, chief information security officer for CO-OPFinancial Services, emphasized, “With new tools and technologies attheir disposal, criminals continue to expand their capabilities atan increasingly faster pace; they have developed automated ways todeploy extremely well-crafted and highly-targeted schemes. With aclearer picture of the fraud and cybersecurity risks across ourindustry, across channels and even across verticals, we can movemore quickly to thwart attacks.”

Love said he foresees credit unions in a much better position tospot and stop potentially damaging intrusions by expanding existingtechnologies, and layering artificial intelligence and machinelearning on top of collaborative efforts. “We'll see credit unionsasking their strategic partners and vendors for more meaningfulcollaboration, mainly through greater data sharing.”

PSCU President/CEO Chuck Fagan admitted cyber threats keepcredit union professionals up at night. “You never know from oneday to the next where the threat's going to come from. And if youthink for an instant that they're not getting in, that's a naiveapproach.”

He also warned, “It would be a black mark for the entireindustry, if a credit union or a credit union partner, gets into asituation where a cyberattack is successful.”

PSCU's objective is to protect member data without affectinginteraction. Fagan referred to PSCU's Eye on Payments study, inwhich 75% of respondents said they decided how to pay for somethingprimarily based on what was most secure, convenient anduser-friendly. “We have to balance cardholder and member experienceversus protecting the financial assets.”

Tim Maron, director of business development services forCorelation, said he sees artificial intelligence and the Internetof Things as possible hacker targets. “Many experts have said theAI evolution will be a hacker's paradise – and it might be if we'renot careful.” But he noted it isn't quite mainstream enough in thecredit union industry to be a major threat.

IoT is a different story, with the number of equipped devicesgrowing by millions on a daily basis. “This unchecked growth alsomeans IoT vulnerability increases on a daily basis,” Maron said. Henoted hackers could exploit unanticipated avenues like securitycamera systems and put member data at risk through connecteddevices such as refrigerators, cars and wearables. “Next year wemay see more of these devices being hacked than ever before and itcould be a massive threat to any financial institution – includingcredit unions.”

Jeffrey DiMuro, chief security and compliance architect,financial service industry team at Salesforce, said new technologysuch as chat bots and robo-advisors could be inviting attackvectors. “Credit unions have long been trusted institutionsembedded within the local fabric of a community. It's this trustthat hackers can more easily manipulate by inserting/embedding thesame chat bot/robo-trading technology to disguise their maliciousintention to pilfer the investments of unknowing victims.”

DiMuro proposed, “We see a growing need for attribute,contextual and behavior authentication technology to quicklyidentify anomalous activity, which would signal a potential breachof member data.”

Greg Sawyers, product compliance officer for Temenos, shared,“Cyberattacks will continue to capture headlines as sophisticatedcriminals perpetuate attacks in an attempt to stay a step ahead ofcredit unions' data security efforts.” Sawyers saw two areas ofprominence for 2019: AI and stricter cybersecurity regulations.

“AI's predictive analytics can provide deep insight intorecognizing potential hacks into a credit union's banking systemsand enable them to quickly introduce a course correction,” Sawyerssaid. “Credit unions must remain vigilant to protect their memberdata, community trust and corporate brand. A closer look at AI isimperative, for federal regulations are likely to dissuadecybercriminals but will not eliminate the burgeoning opportunity tobreach security.”

Jeffery Kendall, SVP/general manager for Kony DBX, explained,“This year, we'll see a convergence of cybersecurity technologiescreate enhanced capabilities for fraud prevention for mobile anddigital.” Kendall said he thinks regulatory technology andanalytics will become more important as institutions look to tietogether multiple threat prevention approaches, such asgeolocation, biometrics, pattern detection and multi-factorauthentication.

He added, “We're seeing early stages of this convergence now andanticipate it will continue to increase [in 2019].”

As larger banks fund enhanced security controls, attackers willturn their attention toward credit unions and other financialinstitutions with less mature security programs, Carolyn Crandall,chief deception officer at Attivo Networks, said. “Determinedattackers have proven they can bypass security controls, moving thebattlefield inside the network. Understanding the adversary androot cause analysis will be big themes for 2019. It will becomeeven more critical to understand where the attack originated, howthe adversary is attacking and what they are after.”

Mike Dionne, managing director of community markets forFinastra, noted, “Cybersecurity is an increasingly importantdifferentiator for financial institutions, and a growingfrustration for credit unions, which may struggle to stay ahead ofthe latest security technologies.”

Dionne indicated many credit unions are realizing the addedbenefits of cloud delivery, platform-as-a-service and openapplication program interfaces for the latest and greatest fraudprevention technologies. “It enables them to access customer datafor use with artificial intelligence to further mitigate fraud. Inessence, cloud, PaaS and open APIs are democratizing access totechnology and giving credit unions access to the same toolsavailable to the largest banks.”

CRMNEXT, Inc. CEO Joe Salesky voiced concern over many creditunions not properly securing account access/transfer capabilitiesby using texts or one-time PINs. “The most likely new story will bea large surge in Zelle-related fraud,” Salesky said. “Despite thegreater than $250K investment per credit union necessary to bringZelle capability live, the fraud exposure potential of the platformis still a significant risk.”

Salesky referenced an April 2018 New York Times articlein which PwC disclosed one bank encountered a 90% fraud rate on theplatform. The piece inferred some financial institutionsimplemented Zelle without any protections like two-factorauthentication and user behavior monitoring. “It is far from clearthat Zelle, despite its linkage to Early Warning, has provided anyplatform capabilities that mitigate fraud risk to members andcredit unions,” Salesky cautioned. “Bad people have been robbingbanks and credit unions from the inside and outside since thebeginning of time; it is clear that Zelle provides them a new toolin this pursuit.”

There are three key areas that will most significantly affectcredit unions in 2019, according to Rebecca Herold, president ofSIMBUS and CEO of The Privacy Professor:

• More ransomware. “They will not just throw alarge digital net to everyone in your organization, but they willgo after specific employees and vendors with the most dataaccess.”
• IoT device incidents. More employees,including those working for third-party vendors, cloud serviceproviders and other contracted entities, are using smart devices.“These poorly-secured devices create pathways into your businessnetworks, systems and databases. They can also siphon out data andbe used to plant malware, among an unlimited number of othermalicious acts.”
• More civil lawsuits. Herold said she believesin 2019, the public will start taking actions as they becomedissatisfied with the judgements made in class-action suits and thecomparatively low penalties applied by regulators in breachcases.