Credit union online news agency CUInsight.com recently published an article declaring cybersecurity a “must” for credit unions. In support of its position, author Stuart Levine cites more than 400 incidents – recorded by the Identity Theft Resource Center in 2015 – putting at least 80 million records at risk and tallying costs in excess of $100 million for the targeted organizations.
What’s the best way for credit unions to tackle cybersecurity risk management? The author suggests credit unions start with a robust Enterprise Risk Management effort.
Total data protection, however, is an impossible objective. Management, therefore, must identify those risks to avoid, accept, mitigate or lay off… By design, this approach heightens the urgency to address cyber-risk, creating a mindset of data protection that infuses the organizational culture.
Attaining assurance that your credit union has reached a satisfactory level of control over cyber risks requires that your IT security program integrate traditional governance functions, such as vendor and asset management, with its Enterprise Risk Management program. When risk becomes the common baseline measure for allocating cybersecurity resources, an otherwise overwhelming concern is broken down into manageable, actionable initiatives that address the weakest areas of the control environment.
Involving a large percentage of your employee base in the risk assessment process not only creates the “risk culture” portrayed by Levine, but also helps identify systemic concerns inherent to IT security programs. Many credit unions can’t identify a single point of failure at which to apply resources. Once they evaluate a variety of assessments across multiple functions, most uncover systemic concerns that must be addressed with more broadly focused mitigation strategies.
Programs that reach the managerial level of the business also provide assurance that, in the event of a breach, the business is protected against claims that its leadership was negligent in its effort to reduce material risk. With boards now held accountable for all risk (at whatever level it might materialize), they can be held responsible for creating an environment that results in a cybersecurity failure, even if they had little to do with the failure itself.