FOCUS REPORT/2021 Regulatory Outlook
An incoming president always faces new challenges, but arguably no administration has faced a more complex environment than that in which the Biden team currently finds itself. Chief among these, of course, is COVID-19, but the pandemic is far from the only pressing issue the administration must navigate. Cybersecurity has also become an increasingly critical federal priority, due in large part to the recent SolarWinds attack. Thus far, the breach has impacted up to 18,000 organizations – including government agencies and financial services firms – and it’s possible that more affected companies will be discovered in the coming months.
The Biden Administration has pledged to make the SolarWinds investigation a priority. In addition, it plans to invest in infrastructure, personnel and partnerships to improve cybersecurity and help provide guidance to organizations navigating the industry’s myriad challenges. As a recent article from Brookings put it, “… the Biden Administration is likely to make a point of a multifaceted, well-funded and strategic approach to cybersecurity threats that are only becoming more complex and far-reaching. Many top priorities for the Biden Administration – infrastructure, international trade, pandemic response, broadband deployment, election integrity – will depend on it.”
With this in mind, let’s take a look at some credit union-specific security challenges – and what a renewed federal focus on cybersecurity might mean for them.
Supply Chain Vulnerabilities
The SolarWinds attack illustrates the domino effect that a breach at one vendor company can have across many others. Given the wealth of sensitive data to which financial services organizations have access, these companies’ supply chains are frequently targeted by hackers with the ultimate goal of accessing the bank or credit union’s system. Of course, this isn’t new information. In fact, it’s one of the reasons why credit unions typically select software providers with a large financial services customer base. But just because a vendor has extensive industry expertise doesn’t necessarily mean that the organization is abiding by the most stringent cybersecurity standards.
As such, credit unions would be wise to carefully review the security posture of every vendor in their supply chain – even well-known brands with trusted industry reputations. Technology providers that prioritize cybersecurity should be conducting penetration testing to uncover and address any vulnerabilities. It’s important to ask for the results of these pen tests, as well as ongoing security audits. Certifications, such as SOC 2 Type II, can provide additional reassurance that a vendor is taking security seriously. Developing a standard cybersecurity due diligence questionnaire for potential vendors to respond to can also be very helpful in this area.
And if you’re ever in doubt about a vendor’s security practices, ask for clarification. As researchers uncover more about the SolarWinds breach, I expect that the federal government will establish more stringent policies targeting supply chain vulnerabilities. Companies that anticipate these regulations and begin reviewing supply chain security now will be ahead of the curve when these policies are enacted.
Acceleration of Digital Banking
According to a 2020 survey from FIS, 45% of consumers have changed how they interact with their banks since the start of the pandemic. As Mike Mayo, an analyst at Wells Fargo Securities, put it in an American Banker interview, “What we’re seeing is the greatest acceleration of digital banking in history … What’s taken place over the last few months may have taken place over two to 10 years [had the pandemic not hit].” This acceleration of digital banking offers credit unions numerous benefits – increased options for personalization, new service offerings and cost reduction, to name just a few. At the same time, however, the trend also introduces some security concerns.
Many of these center around passwords. Even in the best of times, individuals typically practice terrible security hygiene when it comes to their passwords – creating simple ones that are easy for hackers to guess and reusing them across multiple online accounts. With the introduction of lockdown restrictions requiring people to create new passwords for grocery delivery, virtual doctor’s visits and other newly-digital services, you can only imagine how pervasive these poor password practices currently are. It’s critical that credit unions are mindful of this problem as they roll out new digital offerings.
It’s unrealistic to expect people to dramatically improve their password behavior, particularly in such stressful times. What credit unions can do, however, is implement screening solutions that check passwords against a live database of exposed credentials both at creation and at every log-in. If it’s determined that the password has been exposed, members can be prompted to change it so that the account remains secure. Assuming that no compromise is detected, the member experience remains unaffected and members aren’t tasked with unnecessarily complex password requirements.
Multi-factor authentication (MFA) can be helpful in preventing unauthorized account access as well, although user acceptance of these technologies can sometimes be difficult. Device-based trust has become a very popular means of limiting user exposure to MFA in a more limited context for when access from a new untrusted device is detected.
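
A minimal sketch of the log-in flow the two preceding passages describe: exposed-password screening at creation and at every log-in, plus MFA only when the device is not yet trusted. It is an added example, not code from the article or from any vendor; the function names, the in-memory feed and the choice to require MFA before prompting a password change are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()

# Constructed stand-in for a live exposed-credentials feed (hypothetical data).
exposed_feed = {sha1_hex("password1"), sha1_hex("qwerty123")}

def is_exposed(pw: str) -> bool:
    return sha1_hex(pw) in exposed_feed

def kdf(pw: str, salt: bytes) -> bytes:
    # Salted, slow hash for the stored verifier; the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Member:
    salt: bytes
    verifier: bytes
    trusted_devices: set = field(default_factory=set)

def create_member(pw: str, device_id: str) -> Member:
    """Screening at creation: refuse a password already in the feed."""
    if is_exposed(pw):
        raise ValueError("password appears in exposed-credential data")
    salt = os.urandom(16)
    return Member(salt, kdf(pw, salt), {device_id})

def login(member: Member, pw: str, device_id: str, mfa_passed: bool = False) -> str:
    """Return 'deny', 'mfa_required', 'change_password' or 'ok'."""
    if not hmac.compare_digest(kdf(pw, member.salt), member.verifier):
        return "deny"
    # Device-based trust: step up to MFA only on an unrecognised device.
    if device_id not in member.trusted_devices and not mfa_passed:
        return "mfa_required"
    # Screening at every log-in: the plaintext is only available here, and
    # the feed may have grown since the password was created.
    if is_exposed(pw):
        return "change_password"
    return "ok"

if __name__ == "__main__":
    m = create_member("correct horse battery", "laptop-1")
    print(login(m, "correct horse battery", "laptop-1"))   # trusted device
    print(login(m, "correct horse battery", "phone-9"))    # new device
    exposed_feed.add(sha1_hex("correct horse battery"))    # feed updated later
    print(login(m, "correct horse battery", "laptop-1"))
```

The log-in check matters because a password that was clean at creation can appear in exposure data later, and the server only sees the plaintext while the member is authenticating.
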
Security Education
This final trend is less of a challenge than it is an opportunity. Many credit unions increased their electronic communication as branches closed in response to the pandemic, and there is no reason these digital correspondences should cease when life returns to normal. A key credit union value proposition has always been the personal member relationships, and they now have the opportunity to strengthen them by educating members on the security landscape.
Whether it’s emails advising of a significant breach like SolarWinds or a simple reminder of phishing red flags, credit unions can help members become more digitally savvy. It follows that a security-conscious consumer practices better security behavior in every online transaction. As such, in a very small way, credit unions can mirror the Biden Administration’s strategic focus on cybersecurity by using their digital channels to educate members on security best practices.
Mark Weatherford, the chief strategy officer at the National Cybersecurity Center, said in a Forbes op-ed that he believes “… the Biden Administration has both the opportunity and the obligation to establish national policies that help public and private organizations understand where the [cybersecurity] guardrails are located and what lifeline resources are available.” The coming months will bring more clarity as to how exactly this may happen, but one thing is certain: The renewed federal focus on cybersecurity will have a direct impact on credit unions. As such, leadership would be wise to take a similar stance and prioritize security throughout their supply chain, and among their employees, members and themselves.
GUEST OPINION
CUs Look to Renewed Federal Focus on Cybersecurity
Mike Wilson, Founder and CTO, Enzoic, Boulder, Colo.