Feb. 12, 2018
By Richard G. Bentley, CISSP; Troy M. La Huis; and David R. McKnight, CISSP
Most credit unions routinely engage in business continuity planning (BCP), and many also assess their cybersecurity risks and develop appropriate risk-based controls. To achieve the best results, credit unions should integrate precautionary measures within traditional BCP, rather than conducting them as separate activities.
Credit unions long have been aware of the threats posed by the possibility of hurricanes, flooding, and similar business disruptions. They have responded by developing business continuity plans and disaster recovery plans (DRPs) that lay out how the organizations will protect and restore critical infrastructure to minimize interruptions to operations. However, these plans might overlook the increased risk of cyberattacks that a credit union could face in the wake of a more traditional risk like a hurricane. By including cyber incident planning as part of its BCP and DRP, a credit union can avoid the negative consequences of compounded disruptions that result from cyberattacks that occur in conjunction with more traditional business continuity threat vectors.
The Case for Cyber Incident Planning
Even if a credit union has data security safeguards, it cannot afford to ignore cyber incident planning. Cybercriminals constantly are refining their weapons and the ubiquity and stealth of their attacks. Potential targets must have processes and procedures in place to resume operations promptly if and when they are attacked.
Whether conducted in isolation or in tandem with another event that affects business continuity, the costs of cyberattacks can be staggering and eat into capital and earnings. The National Association of Federally-Insured Credit Unions found in a 2015 survey that credit unions, on average, spent $226,000 in costs associated with data breaches in 2014. That figure includes costs related to re-establishing member safety after a breach.
Imagine if a credit union were exposed to a cyberattack that resulted in a breach while in the midst of Hurricane Harvey. What would happen if cybercriminals tried to exploit a credit union’s compromised state to increase the probability of their operational success? How would the credit union comply with the data breach notification requirements? How would it reconnect with members and protect their assets? Would it temporarily shut down access to accounts and then revalidate customers? Security resources would be stressed, to say the least.
How can credit unions tackle these issues without making their members more vulnerable? Consider, for example, the Equifax data breach. Equifax set up a website to help people determine if they had been affected by the data breach. Unfortunately, Equifax’s official Twitter account repeatedly directed people to a fake site where they could have been victimized further by phishing schemes designed to collect their access credentials.1 Obviously, these are not issues that can be appropriately addressed on the fly – they must be identified and planned for. Budgeting for such events and coordinating with traditional BCP efforts can increase a credit union’s effectiveness in the face of a cyberattack.
In addition, the Federal Financial Institutions Examination Council has indicated that financial services companies should integrate cybersecurity with their BCP: “Effective business continuity planning (BCP) and testing demonstrate the financial institution's ability not only to recover IT systems, but also to return critical business functions to normal operations within established recovery time objectives (RTOs). A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP [technology service provider] for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).”2
The Nature of Cyberrisks
A small cyber-related vulnerability such as a break in a process can cascade and create a big cost. Common risks include:
- Inadequate backup tape storage. A credit union that lacks adequate storage could have difficulty restoring its critical data if subjected to a ransomware attack, which could result in the need to pay a significant ransom. Similarly, credit unions can run into trouble if they keep their tapes in a facility that could become inaccessible (for example, because of flooding).
- Inadequate staffing. An important aspect of BCP is maintaining qualified personnel to perform essential tasks. Will employees recognize that an attack is occurring and be able to repel it? Are the personnel available during an incident cross-trained to mount the backup tapes? Do staff know how to respond to a phishing attack if the cybersecurity specialist is not available?
- Phishing. Members are not the only ones who might fall prey to a phishing attack. Employees also might click on a phishing link in an email and end up providing his or her credentials to cybercriminals.
- Vendor reliance. If a credit union uses a single vendor for its primary and backup data lines, what happens if that supplier goes down? Alternatively, a credit union could discover at the worst possible moment that a vendor is not living up to its quality of service guarantee. For example, if the backup data vendor delivers less bandwidth than expected, a credit union would be both more vulnerable to disruption from a “distributed denial of service” attack and less able to provide the desired remediation.
- Brand and reputational risk. Equifax is only the most recent breach of notoriety that has made headlines in the past several years. Others – Yahoo, Target, and JPMorgan Chase – have experienced the long-lasting reputational damage cyberattacks can trigger. A credit union’s very livelihood is at risk if it is perceived as ineffective at protecting members and their assets.
Accounting for Cyberrisk in BCP
To allow for adequate consideration of cyberrisks in BCP, credit unions should begin by allocating part of their cybersecurity budget to BCP. Both existing vulnerabilities and vulnerabilities that may occur from a cyber incident should be incorporated. Tabletop exercises that contemplate disruptions to operations and communications should be conducted. Previously documented disruptions to operations are a good starting point for tabletop, which are discussion-based exercises where employees meet to talk over their responsibilities and roles during an emergency that triggers their BCP processes.
Among other issues, the cyber incident component of a credit union’s business continuity plan should consider:
- Procedures for shutting down accounts and revalidating members if the credit union loses the ability to interface between retail and operations
- Frequency of backups (based on the number of transactions per day and the cost of the loss of a day’s, week’s, or month’s data)
- Moving backup tapes to multiple or geographically diverse locations
- Testing of data lines and other vendor systems to confirm vendors are providing the paid-for services
The credit union also should expand its risk assessment to encompass cyberrisks. For example, what is its risk if a member goes to a bogus link and compromises his or her credentials? Once specific risks are identified, the credit union can formulate standards and procedures for addressing them.
A credit union located on the Gulf Coast would never take a wait-and-see approach to dealing with the effects of a hurricane on its operations, and a credit union in California would never do so with wildfires or earthquakes. Likewise, no credit union should take such an approach to cyberrisks. Effective BCP takes into account all potential disruptive events, including cyberattacks.
1 Merrit Kennedy, “After Massive Data Breach, Equifax Directed Customers to Fake Site,” NPR, Sept. 21, 2017, http://www.npr.org/sections/thetwo-way/2017/09/21/552681357/after-massive-data-breach-equifax-directed-customers-to-fake-site
2 “Appendix J: Strengthening the Resilience of Outsourced Technology Services,” FFIEC Business Continuity Planning Booklet, https://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspx