After a year when credit unions have been victimized by a series of hacking attacks, the National Credit Union Administration is taking action. The NCUA has sent a letter to credit union boards of directors and CEOs highlighting the risk of cyberattacks at these institutions.
“Given the proliferation of sophisticated information security threats and the importance of safeguarding the assets and information of your members, the NCUA urges credit union boards of directors to prioritize cybersecurity as a top oversight and governance responsibility,” the letter reads. “Credit union board directors like you must ensure that a credit union’s senior leadership is highly focused on managing cyber risks and that your credit union has the necessary resources to maintain an effective cybersecurity program that aligns with the products, services, and risk profile of your institution.”
The letter highlights four key areas where credit unions could better address cybersecurity:
• Recurring training
• Approval of an information security program
• Operational management
• Effective incident response planning and resilience
According to the letter, from September 2023 through August 2024, federally insured credit unions reported more than a thousand cyber incidents. Last December, more than 60 credit unions nationwide were victims of a ransomware attack. That was precipitated by a hack against Ongoing Operations, a division of Trellance, a cloud computing provider that serves credit unions,
Then, in July, a ransomware attack disrupted online banking services for more than 500,000 members of Patelco Credit Union in Dublin, Calif. The attack exposed the personal information of more than a million customers and employees.
“Credit unions, like all financial institutions, are under constant threat of cyberattacks,” said Kevin Libby, Fraud & Security Analyst at Javelin Strategy & Research. “The risk of those attacks succeeding is twofold. “Security breaches can lead to sensitive consumer data, and personal information being exposed. Likewise, criminals can gain control over and steal financial assets. It is encouraging that organizations like the NCUA are working across their member institutions to provide guidance on how best to fortify their cybersecurity protocols. Attack vectors are constantly evolving, and financial institutions would do well to address each the four aspects of cybersecurity identified in the NCUA’s letter.”
Fighting Spam Calls
Credit union leadership has taken a strong stand against scams in recent years. Last year, America’s Credit Unions, alongside the American Bankers Association, sent a letter to the Federal Communications Commission asking for help in dealing with illegal and spoofed calls as well as in reducing the number of legitimate calls that are mistakenly blocked as spam. Their concerns included not just reducing the incidence and recognizability of spam calls but also ensuring that legitimate calls really do get through and reducing the chances that phone numbers are spoofed.
That highlights another way fraud has had a negative impact on financial institutions. A study from TransUnion found that although nearly 90% of consumers say they don’t pick up the phone, 74% of respondents did not answer a call because of safety or fraud concerns, only to learn later that it was a legitimate call. By trying to steer clear of fraud, consumers are missing critical calls.
