Cybersecurity is the new frontier of fraud prevention. As more information ends up on the internet, retailers and financial institutions are learning this the hard way. The Target data breach demonstrates that even when financial institutions are not the victim, they can still suffer losses. In 2013, over a three-week period, hackers gained access to Target’s point-of-sale system and obtained the credit card data of 40 million customers. Credit unions incurred significant costs when customers learned of the breach and asked for their cards to be replaced. On September 15, 2015, a federal judge granted class-action status to financial institutions suing Target, but the lost consumer confidence will be hard to restore.
Credit unions must learn from the Target data breach because hackers have begun to target financial institutions themselves. Just weeks ago, a Hawaiian credit union discovered that it had been the victim of hacking and is still trying to determine what information was taken. The Hawaiian credit union appears to be the victim of a common tactic: sending emails with legitimate-appearing attachments that contain malicious software. All it takes is for a single employee to open the attachment, and hackers can then slowly infiltrate the credit union’s other computer systems by installing surveillance and keylogging software. Hackers are then able to watch as employees perform routine functions, such as funds transfers, and then repeat the functions themselves at their convenience.
In determining the proper way to protect sensitive information, credit unions need to map out business processes to determine which transactions support which products and services. Such a review should include examining the roles that employees and third parties play in carrying out those processes. From there, a credit union can develop a proper plan to protect member information.
There are several steps credit unions can take to combat hacking attempts. First, credit unions should determine which computers are most at risk. Where possible, employees who do not need access to email should be denied email. Siloing information and denying access to critical information can both prevent intrusions and mitigate the damage of successful intrusions.
It is also important to consider the credit union’s own liability in cybersecurity. Today, it is imperative that credit unions protect themselves by maintaining a cybersecurity insurance policy. By having a strong defense against hacking, credit unions can also bolster efforts to fight other forms of fraud.
This is an article from Poole Huffman’s The Credit Union Quarterly, a publication created for Georgia’s top credit union executives.
Disclaimer: The information contained in this article is for informational purposes only and is not legal advice or a substitute for legal counsel. It does not constitute advertising or solicitation. The information in this article may or may not reflect the most current legal developments; accordingly, this article is not guaranteed to be complete, and should not be considered an indication of future results.