What Happens When You Get the Call No Credit Union CIO Ever Wants?

By
5 Minutes Read

By Kenneth Kulawiak, Senior Manager, Wipfli

It’s 4 a.m. Your phone is buzzing despite your do-not-disturb setting. And even though you haven’t picked up, you already know you’re about to get the call no CIO ever wants to receive.

When you answer, your worst fears are confirmed: your credit union is facing a ransomware attack.

What happens next and how can you take action to protect your credit union against this kind of attack? Keep reading to find out.

What Actually Happens During a Ransomware Attack on a Credit Union?

If you’re a credit union CIO or CISO, a phone call or message from your team is probably your first indicator that a ransomware attack may be happening. But what happens after that?

In this moment, you’re the quarterback for your team. Here’s what your next steps may look like:

Establish the facts

Once you’re aware that an event may be underway, your first task is to find out the critical facts. You could be in the middle of a full-blown data breach, but you might also have caught onto an attempted attack before it has successfully broken through your defenses.

Establish what you know and what your team is seeing. Has someone gained unauthorized access to your systems via a compromised email address or other phishing scam? Are you seeing a degradation of services or reports that team members can’t access files? Have you received a ransom message from a hacker?

Activate your incident response plan

If it becomes clear you are facing a major threat, you’ll need to activate your incident response plan. This will likely include both reactive steps to respond to the attack, as well as proactive steps to manage the ripple effects.

  • Your IT or cybersecurity team will need to take immediate action to secure any uncompromised systems to prevent the attack from spreading further. At this point, you may already be locked out of certain systems and have received a ransom message demanding you make a five, six or even seven-figure payment to regain access.

  • You’ll also need to get your executive, legal and comms teams involved to advise on next steps. These could include weighing the costs and benefits of making a ransom payment and whether to involve insurance, plus beginning the process of communicating with your members, partners and other stakeholders about the attack.

  • After you make a ransom payment or otherwise regain access to your systems, you’ll have to reboot and establish that your systems are once again secure.

Do a postmortem analysis

In the days and weeks after an attack has been resolved, it’s essential to figure out what happened and how you can better protect your credit union in the future. Typically, you’ll want to do a postmortem analysis that reviews the attack details as well as all of your current controls and security measures so you can establish how the breach occurred and what new measures to put in place.

During the postmortem period, your credit union will need to continue communicating with members and will likely face a forensic investigation from your insurance company. Depending on the circumstances of the attack, you might also be subject to regulatory review.

What Kind of Damage Can a Successful Attack Cause?

Credit unions are understandably reluctant to advertise the costs of a successful ransomware attack. But those costs can be considerable and may include financial, reputational, and regulatory damages. Institutions that have been breached once are also at higher risk for a repeat attack.

Financial costs

The average financial cost of a successful ransomware attack on a financial institution is roughly $6 million dollars. A massive national institution can shrug that figure off, but for a credit union with three branches in a mid-sized city, a hit like that represents an existential risk.

Reputational harm

Many credit unions rely on factors like superior customer service, faster loan approvals and trust to win members away from larger competitors. A ransomware attack can throw a huge wrench in all of the above, and also leave your members questioning whether their data is secure.

Regulatory blowback

No defense is perfect. But credit union CIOs or CISOs should be prepared to prove to regulators that prior to an attack, they had preemptively done everything possible to manage risks and implement a mature cybersecurity program. You don’t want to face questions about your due diligence in the wake of a breach, as those questions can lead to regulatory penalties.

You should also know that regulators will be very reluctant to approve a merger or a new product if your credit union has experienced a successful cyberattack.

Insurance investigation

If you use your cybersecurity insurance policy to cover ransomware costs (which you will likely need to do), expect that your insurance company will conduct a forensic investigation. Like regulators, your insurer will want to see that you’ve done everything by the book, so you’ll have to document all of the controls you use to protect your data and systems.

Crucially, mistakes or lapses could void your policy coverage.

High likelihood of future attacks

Finally, you should know that if your credit union has been breached once, it’s more likely that you’ll be targeted again. Repeat attacks could come from the original hackers, but may also originate from unrelated cybercriminal groups that are aware of the initial attack and now believe you to be a softer target or one that’s willing to pay a meaningful ransom.

Also aware of this fact: regulators, which is part of why they’ll treat your credit union with a higher level of skepticism moving forward.

What Are the Key Steps to Bolster Your Defenses?

Here are five steps to strengthen your cybersecurity defenses to better protect your credit union against a ransomware attack:

1. Have a documented incident response plan

Creating a clear incident response plan will allow you to react much more quickly and effectively in the event of a cybersecurity incident. Your plan doesn’t have to be overly complex, but it should outline your high-level tactical response to a confirmed attack.

An effective plan will establish when different team members or groups need to be brought in and cover different phases of an attack. Attack phases are typically broken down to detect, identify, respond, recover and postmortem.

2. Implement 24/7 holistic monitoring

The typical credit union already has an IT person watching its network for signs of an attack until the branch closes for the day and the IT person goes home. In today’s threat environment, that’s simply not enough.

You need 24/7 active monitoring of your systems, or you may come into work one day to find you’re already locked out of everything because you were breached during the night. If contracting 24/7 monitoring out to a third-party security firm feels cost-prohibitive, many credit unions are taking a hybrid approach that combines in-house monitoring during business hours with vendor support at night.

3. Practice your response with regular tabletop exercises

Speed is essential in cybersecurity. To get your team moving as fast as possible, practice your incident response plan with regular tabletop exercises to run through each stakeholder’s responsibilities during each phase of an attack.

4. Test your controls and defenses

Regularly test your existing cybersecurity defenses to see how they hold up to an attempted attack. This should include both an external penetration test (which assesses how well your defenses protect against a hacker with no existing internal access) and an internal penetration test (which pits your controls against an attacker who does already have system access).

You can also run a full-on simulated ransomware attack, which will allow you to see how your team and controls stand up in that situation.

5. Follow a security framework

Credit unions will typically benefit from aligning with a security framework like NIST CSF. This will give you a holistic framework on which to base your defenses and can also make it easier to identify gaps and demonstrate due diligence to regulators. You should also review appropriate CIS benchmarks.

Connect with Wipfli to learn more.

Picture of Wipfli

Wipfli

Wipfli LLP is an advisory firm offering expansive services in tax, audit, risk, M&A, strategic planning, operational performance, and digital transformation. Wipfli professionals bring real-world experience to deliver the industry, compliance, and technology knowledge you need. We understand the realities you face and provide the guidance necessary for success. Our experts use decades of industry experience and innovation to help clients transform faster, engage smarter, and achieve tangible results. Others see problems. We see possibilities.

Author