Republished from CU Times online dated March 1, 2018. By Mark Pribish and Jim McCabe.
In light of last September’s Equifax data breach event – along with new proposed cybersecurity legislation – credit unions have an opportunity to enhance their cybersecurity best practices and generate residual non-interest income by offering identity theft and breach response services to their members.
Here are four lessons learned from the Equifax breach that can help protect your members and credit union:
Lesson #1, “the Equifax Effect”: no company can fully prevent a data breach from happening. Even Equifax, with more financial and IT resources than most companies in the U.S., wasn’t able to prevent a data breach from occurring.
In Equifax’s case, the data breach affected 145 million U.S. consumers, and the information breached included names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers and more.
Lesson #2, “response and recovery”: Equifax failed in multiple ways to respond in a timely and responsible manner. First, and ironically, the Equifax breach happened because the company failed to fix a software flaw that federal officials had warned about months before. To make matters worse, Equifax waited nearly six weeks to notify the public after learning of the hacking event.
When this crisis happened, Equifax’s failed management response resulted in its chief information officer and chief security officer “stepping down” and its CEO “retiring.”
Lesson #3 “the future of cybersecurity laws” could include the potential for criminal action for officers and board members of any size organization. CSOonline.com released an article titled “The year ahead in cybersecurity law,” in which CSO states that “major legal cases and proposed state and federal legislation will shape how companies respond to and attempt to mitigate cybersecurity and data privacy risks.”
Lesson #4 “industry best practices should include response and recovery,” as Risk and Insurance Magazine highlights in an article titled “Cyber Threat Will Get More Difficult,” where General Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, and current principal at the security consultancy the Chertoff Group, stated that “companies should focus on response, resiliency and recovery when it comes to cyber risks.”
According to Hayden, “companies are focusing on the vulnerability aspect, and responding by building high walls and deep moats to keep attackers out.” He said, “If you do that successfully, it will prevent 80 percent of the attackers.”
“But that still leaves 20 percent vulnerability, so companies need to focus on the consequences: It’s about response, resiliency and recovery,” said Hayden.
In an era of growing data breach risks, credit unions that offer data breach “response” services to their business accounts can differentiate themselves. These unique data breach recovery services can help to attract and retain business accounts, which will incrementally grow revenues.
All businesses need strong document management policies, and since financial institutions are particularly targeted by criminals, credit unions need strong data breach response solutions themselves to help protect the institution, its members, staff and board of directors.
For all the reasons noted above, complying with NCUA Supervisory Priorities for greater cybersecurity preparedness needs to be the top priority for credit unions. This will help credit unions avoid the “Equifax nightmare” and create the basis for the ultimate response to any data breach “when” it happens. Credit unions must search for and find solutions that will not only address cybersecurity preparedness, but also generate new income streams…because cybersecurity preparedness isn’t cheap.
Mark Pribish (email@example.com) is the VP and ID Theft Practice Leader at Merchants Information Solutions, Inc., a leading ID theft and data breach services firm based in Phoenix, AZ. He has authored hundreds of articles and white papers and is frequently interviewed by local and national media as an identity theft and data breach risk management expert.
Jim McCabe (firstname.lastname@example.org) is the SVP, Identity Theft Solutions, Vero, LLC, a subsidiary company of CU Direct. Jim has developed his subject matter expertise in ID theft & data breach solutions and has contributed to industry publications & blog sites, while consistently speaking for conferences & webinars to foster awareness & education of best practices.
Despite a heightened understanding and awareness of the importance of strong cyber security by everyone, the trend of data breach attacks continues to increase - impacting thousands of businesses and millions of individuals. Last year, there was a 40% increase over 2015 in the number of businesses that were impacted by data breaches. Businesses of all sizes were hacked by criminals who used techniques such as ransomware and non-malware attacks to steal data.
No organization is safe from a data breach. It’s no longer a question of “if”, but “when” a business will have its data compromised…per retired FBI special agent
Over the last five years, data breaches have repeatedly made headline news as large businesses such as Yahoo, Target, Home Depot, Dropbox, eBay, JP Morgan Chase, Anthem and LivingSocial were hit by hackers. Thousands of credit union cardholder members were impacted by these hacks. Yahoo’s 2013 and 2014 hacks took 2-3 years to discover, allowing the criminals and black market even more time to devastate the victims’ identities. Most recently, restaurant chain Arby’s was hacked by malware that affected 1,000 restaurants and even more credit union members – very much like Wendy’s ’16 breach.
Although there are steps that organizations can take to help make themselves less vulnerable to a data breach, it is impossible for any organization to guarantee it won’t happen.
Nearly two-thirds of Americans (64%) have personally been victims of data breaches. And 65% of U.S. consumers are terrified of experiencing ID theft.
According to Pew Research Center’s most recent survey:
To make matters worse, coinciding with the rise of data breach victims, there is now the new threat of civil and class-action lawsuits that these victims bring against businesses – driving new legal and settlement costs.
The aftermath of big company data breaches is almost always characterized by class-action lawsuits. While not every lawsuit makes its way to the public eye, it is becoming more and more common for organizations of all sizes to face a civil or class-action lawsuit after a data breach. The best way that credit unions and other organizations can protect themselves against litigation is to have a trusted Fully Managed Recovery System in place, such as Vero's IDProSelect.
The majority of Americans expect a cyberattack on the nation’s banking and financial systems.
Many Americans lack confidence that various public and private institutions will be able to protect their personal information from bad elements. While Americans often first turn to their financial institution after finding out that they’ve been a victim of a data breach, the majority of them also fear that a major cyberattack will occur on the nation’s banking and financial systems within the next five years. Organizations that have implemented a Fully Managed Recovery System often have clients and members that have greater peace-of-mind.
Having programs in place for cyber security and data breach response is no longer just an option for credit unions. For the second year in a row, the NCUA’s Supervisory Priorities have mandated that credit unions have a plan for 1) cyber security, 2) member response and 3) fraud prevention. Vero’s IDProSelect helps credit unions address these areas of NCUA's 2017 Supervisory Priorities.
For more information on how your organization can protect itself from the ramifications of a data breach or to receive more information on Vero’s IDProSelect, please contact Jim McCabe at email@example.com or call (480) 748-0403.
This is the time of year when criminals are most actively plotting and scheming, and credit union members are exposed and vulnerable. Tax scammers are preying on members’ Social Security numbers for tax-related identity theft and other crimes. In fact, nearly 50% of identity thefts are a result of unauthorized government documents, which include tax filings.
Tax season may just be starting, but these scammers have been hard at work. They’re waiting for an opportunity to steal members’ personal information for fraudulent tax refunds and other transactions. Members who become victims of tax-related identity theft become a high-value target for other identity crimes, since hackers use that same information to sell on the black market, get loans and impersonate the victims in a multitude of other matters.
Being a victim of a tax crime can be a harrowing experience for members. The resolution process with the IRS often takes between 12 and 24 months. During this time and after, members’ personal information may be used for other crimes. Once the tax-related case has been resolved, the IRS will employ measures to help ensure that members’ tax accounts are not compromised again. However, this does not fully protect your members from being victims of other forms of identity theft.
While the tax community must stay on top of security systems to protect taxpaying individuals and their businesses, financial institutions are also being counted on to protect their account holders’ identities and financial account information. Credit unions that offer identity theft recovery and restoration services are best equipped to do this. Victimized members who have been provided with identity theft recovery protection by their credit union can recover and protect their exposed identities more easily and more quickly than those who do not have any identity recovery protection. For example, members who are covered by Vero’s IDProSelect through their credit union are assigned a personal advocate immediately upon confirmation or suspicion of any form of identity theft. When members are notified that their Social Security number has been compromised for tax-related theft, they need only contact their ID theft advocate, who will handle all resolution steps for the member and will communicate with the member throughout the entire process.
Credit unions should advise their members to:
February 2016 Federal Trade Commission Consumer Sentinel Report