By Roy Urrico
Credit unions not only need to form peripheral protection to defend against cybersecurity events, but form a response plan that includes communications scenarios for dealing with the almost-inevitable data incident.
That is the opinion of Kevin Dinino, president and founder of San Diego-based KCD PR, who talked with Finopotamus to provide insight about the importance of having a communications plan before a cybersecurity occurrence. KCD PR works with credit union clients, credit union service organizations (CUSOs), and fintechs that service the credit union space to set up incident response communications plans.
“It is getting credit unions, banks and financial institutions under the tent of understanding the scenario of a cyberbreach happening is not an ‘if’ scenario; it is very much a ‘when’ scenario,” said Dinino.
He added, “I am looking at it from a crisis communication standpoint. But I am also a board member on the San Diego Cyber Center of Excellence (CCOE) as well. I am also very much working closely on cybersecurity issues with the FBI, the Department of Defense and a lot of the authorities that end up working with a credit union after incidents occur.”
Recent NCUA announcements spotlighted credit unions’ cybersecurity:
In August 2023, the NCUA warned it was seeing an increase in cyberattacks against credit unions, CUSOs, and other third-party vendors providing financial services products and services.
Beginning on September 1, 2023, all federally insured credit unions were required to notify the NCUA no later than 72 hours after the credit union reasonably believed that it experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.
Responding to a Cybersecurity Incident
“If you take a step back, the biggest need right now within the credit union and financial services space is to have an incident response plan,” explained Dinino. He noted that might include the organization’s communications team, the CEO, and in many cases the security people within a credit union.
“The number of breaches that will likely be reported is probably going to increase pretty significantly,” said Dinino, especially given the NCUA’s new cyber incident reporting requirements.
In testimony before the House Financial Services Committee in November 2023, NCUA Chairman Todd M. Harper said, “In the first 30 days after the rule became effective, the NCUA received 146 incident reports, more than it had received in total in the previous year. More than 60% of these incident reports involve third-party service providers and CUSOs.”
Dinino pointed out, “Now all this stuff comes under the public eye, more both from a potential (and) lost funds, lost data standpoint; but now you are (also) dealing with things like retention of members, and public reputation and confidence. Things along those lines all become just bigger priorities across the board.”
Approaching CUs and Smaller FIs
Researchers from Palo Alto Networks documented 3,998 posts on ransomware leak sites in 2023, compared to 2,679 in 2022 — a 49% increase. Cybercriminals extorted a record $1.1 billion in ransom payments from victim organizations around the world last year, crypto-tracking firm Chainalysis said in a report.
Despite these increasing numbers, many credit unions and other financial institutions (FIs) view themselves as too small for ransomware targets and other cybercriminal activity. However, hacking organizations do not see credit unions as too insignificant to attack. “They're not too small because they're easy prey,” said Dinino.
Case in point, the NCUA received incident reports indicating that as a result of a ransomware attack on the tech firm Ongoing Operations on Nov. 26, 2023, approximately 60 credit unions experienced some level of outage.
In many cases, FIs may take on various fintech partners or other mechanisms using application programming interfaces (APIs) that directly connect to some of their networks as well. “All of that adds to the level of risk and vulnerability really across the board,” Dinino explained.
“It is a huge problem,” Dinino emphasized. “The best way to get in front of it is to have a plan of attack so that you can address what happened and then communicate it to credit union members, employees, leadership, really all of the audiences across the board. How you communicate it to them and how fast you remedy the situation plays a huge role in how risk is mitigated as well.”
Having a Plan
Dinino advised FIs to create an incident response plan. He noted producing a communications infrastructure is something his firm works specifically with credit unions and regional banks to create. He said this process involves understanding the core audiences when something does happen and testing scenarios. “But a lot of this needs to flow in many cases from the CEO level as well.”
When a cyber incident occurs, an organization’s role is trying to mitigate risk and communicate a clear, concise message, suggested Dinino. “Yes, there was a breach, here’s what happens to the breach. Here is what we are doing to ensure that this does not happen again.”
In terms of preparedness, he detailed what credit unions should be doing. “First and foremost, ask the question ‘Do you have an incident response plan in place?’” said Dinino. He continued, “If the answer is ‘yes,’ great. Does it need to be updated based on changing technologies, changing trends going on the space? If the answer is ‘no,’ you need to have an incident response plan so that your management team is on board and everyone understands if there is a breach, here is the process. Here is the playbook that we are going to follow.”
Communication During a Security Crisis
The incident response plan should document the line of communications that needs to happen. “Really kind of making an audience matrix,” proposed Dinino. He added, for a credit union that could mean areas broken out by member, employee, and board communications. “If there are vendors involved, vendor communications; and then what leader of the organization is responsible for each of those audience quadrants, and what is our message going to be?”
Communicating “your funds are safe” and putting that under the umbrella of trust can make a difference. “So that members don’t pull their funds out from the credit union and leave and go somewhere else as well,” said Dinino.
The plan should also include the structure and distribution method of the message to the outside world. “That is where a firm like ours can definitely help as a strategic partner to create that plan, that strategy and infrastructure,” said Dinino.
Dinino further explained in many cases KCD PR helps communicate the details of an information security crisis for an organization operating without a plan. “It tends to be, in many cases, crisis triage where you are trying to mitigate risk, mitigate reputation as much as possible. And from a dollars and cents standpoint, in many cases it might be too late as well.”
Consider Vulnerabilities
The plan, Dinino added, should also seek to plug any vulnerabilities created by integrating a fintech, a CUSO or a network. “Are they vetted by said credit unions? What is their security stack? If they are connecting to our systems, et cetera, is there a thorough review occurrence? All of this now becomes priority number one in terms of protecting your entity across the board,” he pointed out.
For credit unions, start by knowing where vulnerabilities exist, Dinino advised. “That is probably a big takeaway, lift up the hood to your organization, see if (specific) services are needed or critical heading into 2024 and beyond.”
His firm also forms incident response plans for CUSOs and fintechs, Dinino noted. “In that case the incident response plan would include who is responsible for contacting each and every one of the credit union clients of the CUSO or fintech.”
Dinino added the website of the San Diego CCOE offers planning resources and guides to any type of organization. Many of the resources available focus on helping financial service and healthcare organizations.