By Roy Urrico
The pandemic response forced many credit unions to quickly move to a mostly remote workforce and banking without deep consideration of possible member and organizational cybersecurity, compliance and data privacy implications.
Mobile banking was on the rise before the onset of COVID-19, but with many areas requiring social distancing, Americans became super familiar with the digital channel instead of visiting branches. In a public service announcement, the FBI recently reported a 50% surge in U.S. mobile banking in 2020 so far. Additionally, the PSA noted 36% of Americans plan to keep using their mobile devices for banking activities. The statement also cautioned, “The FBI expects cyberactors to attempt to exploit new mobile banking customers using a variety of techniques.”
It is a perfect formula for creating cybersecurity issues, pointed out Greg Sawyers, senior vice president of compliance at Swiss-based fintech company Temenos, which has 650 credit union clients in the U.S. “The hackers are always changing for everything financial institutions and security personal are doing.”
Infected banking apps, which can launch malware containing viruses, worms, ransomware, spyware and Trojans, are a specific area of concern. The Temenos SVP pointed out that scammers use phishing, spoofing and social engineering to trick members into downloading malware and give up their login credentials, then attack financial accounts with the stolen identities.
A remote workforce and external file exchange also generate additional compromises credit unions must address. “If you are looking at it from a holistic perspective of what can an institution do to protect themselves, training is huge for members and also for staff,” Sawyers said. “Coronavirus has put forth a lot of issues with regard to having to assess what we're doing, and what our customers are doing in making sure (cybersecurity) training is there.”
Credit unions can help thwart these vulnerabilities by educating members to not click on suspicious looking email attachments and social media, maintained Sawyers. “Those are some big things that we have to look at from a financial institution perspective.” The same precautions apply to staff working remotely. He also suggested that credit unions should advise staff as to what are acceptable practices, what is not acceptable, and establishing remote access security standards to reduce the potential risks and consequences from an organizational perspective.
Sawyers recommended the minimum standard for staffers working from home on the organization’s virtual private network should involve employing multifactor authentication and securing the connected device with continuous malware and virus protections. “Those are just some of the ways employees have to ensure compliance and protections,” he said.
Temenos, which has a U.S. headquarters in Austin, Texas, “takes cybersecurity as the highest responsibility for us,” Sawyers noted. “Our compliance department specifically focuses on issues across the U.S. market.” Temenos stays on top of compliance matters such as possible issues with the cloud and any federal truth in lending changes. “We're looking at everything, the whole gamut, and internalizing all that information and passing that around to all the relevant parties to keep our employees and our customers on top of it.” Sawyers added that Temenos also advises on how to mitigate those risks.
Credit unions should also consider what privacy regulations could apply to them. Though no specific national privacy regulation currently exists, any nationwide rules would likely follow the European Union’s General Data Protection Regulation and the California Consumer Privacy Act (CCPA), which took effect on Jan. 1, 2020, but with a six-month grace period. Complicating privacy matters further, laws governing online privacy in the U.S. differ widely from state to state.
Failure to comply with CCPA, for instance, could expose credit unions to potential fines, reputational risks and damages resulting from data incidents. The California attorney general can impose financial penalties up to $2,500 for non-willful violations and $7,500 for intentional violations of the CCPA. These numbers can multiple rapidly depending on the number of users impacted.
Sawyers recommends to any institution analyzing its cybersecurity platform and privacy regulations, such as CCPA, to look at the Center for Internet Security’s (CIS) critical security controls, which identify a minimum information security level all organizations collecting or maintaining personal information should meet. CIS’s 20 controls include inventory and control of hardware and use of administrative privileges; the secure configuration for hardware and software on mobile devices, laptops, workstations and servers; and the maintenance, monitoring and analysis of audit logs, email and web browser protections.
“I guarantee the hackers are trying to stay one step ahead of us,” Sawyers said. “So, you have got to use that as a baseline of what you have got to do, and look at the vision forward on what steps you need to put in place.”