Preparing Your CU for a Cyberattack with Business Continuity Planning

By Tyler Leet07.09.2018

What are the consequences of a cyberattack on credit unions? Traditionally, loss of member data, direct theft from accounts, regulatory scrutiny and the requirement of refunding members’ money or replacing cards are some of the most commonly listed aftereffects.

But one often overlooked impact of a cyberattack is the disruption to business continuity and inaccessibility of online banking, mobile banking and ATM networks. In fact, a disruption to service could potentially affect credit unions even more dramatically than would a data breach.

So, just as a credit union plans for business continuity related to natural disasters, they also should prepare specific plans in the event of a cyberattack. A business continuity plan provides instructions and procedures to an organization as a response to a disaster. Such continuity plans cover the areas of assets, human resources, notifications to business partners and the management of business processes.

The best shot at a successful cyberattack disaster recovery plan is a strategy that is regularly updated and tested by all relevant employees. In order to best minimize the downtime as a result of a breach, two questions should be addressed when building a business continuity plan specific to cybercrime.

Is Data Adequately Backed Up?

In the case of a breach, credit unions must ensure that their data is protected and backed up regularly. A robust back-up protocol ensures access to vital data in the event of an attack that shuts down the member database or locks access to transactions or accounts.

As part of the planning process, credit union executives must confirm that their back-up process is run often enough to protect the institution, and comes to the rescue when the regular system is compromised. Finally, credit unions must verify with the back-up vendor that the process operates as expected.

In addition to verifying that all data is backed up, a credit union should regularly test the backup restoration process to ensure it works effectively. They also should work with their backup provider to ensure the backup data also is secure and that there is minimal risk that the backup data could be corrupted or accessed.

Is Cybersecurity Incorporated into the Overall Business Continuity Plan?

While many business continuity plans are centered on events like natural disasters, in recent years, cyberattacks have become an even greater risk. Even if an attack does not compromise member data, as would be the case with hackers shutting down the online banking server with a DDoS attack, any attack can leave a credit union in a bind.

To better prepare for such instances, it is vital that credit unions compile an incident response protocol, which trains employees about what to look for and the steps to take when a potentially damaging attack has been identified.

In addition, it’s a good idea to create cyberattack simulations so employees can practice reacting quickly and adequately should a real attack occur.

When facing any type of disaster, it is best to over-prepare and ensure all staff is knowledgeable enough to best address and react to any situation, which is especially true when it comes to cybersecurity attacks.

By building a robust business continuity plan covering all areas of your credit union’s operations—including cybersecurity—you will be able to quickly respond to any situation and get back to what is most important: providing stellar service to your members.

Tyler Leet is director of risk and compliance services at Computer Services, Inc. (CSI), a consulting firm that provides bank core processing, regulatory compliance software, and other IT-managed services.