GUEST BLOG: IT As A Profit Center And Not A Cost Center
Posted by Mr. Idrees Rafiq, Jr., AVP IT Consulting, Credit Union Resources, Inc on 10/17/2017

The following is an article written by Troy Kyle, President/CEO for First Abilene FCU. Troy is a member of the Executive Committee of the Cornerstone Technology Council.


Equifax isn't the only victim of a cyberattack; it's just the latest. Credit unions have fought off surge after surge of data leaks, malware, and cyberattacks. Because the threat keeps changing, credit unions continue to stress the urgency of protecting networks, computers, and member data.

Credit unions have always made safeguarding members' private information a priority. Gone are the days when embezzlements, robbers, and forged documents were the main concerns. Credit unions are operating in a quickly changing environment, and computing is an indispensable part of their services. As more and more members demand remote services including online banking, bill pay, AI banking, robo advisor services, and other technology-based services, the risk for cyberattacks inevitably increases.

To best position themselves against cyberattacks, progressive boards are seeing cybersecurity as a profit center instead of a cost center.

IT As A Profit Center And Not A Cost Center
In 2015 PricewaterhouseCoopers released a Global State of Information Security survey of over 10,000 executives from 126 nations about IT security. The study found cybersecurity incidents rose 38% over 2014. Corresponding budgets increased a mere 24%.

The disparity mirrors current corporate psychology, which views cybersecurity as a cost center and a drain on resources. Executives tend to look at cybersecurity as costly, complex, and a damper on productivity. Many believe cybersecurity does not work at mitigating risk. The result is security measures implemented piecemeal, without any umbrella policy, which is itself costly.

To make a bad situation worse, with cost as the deciding factor in IT buying decisions, businesses aim for the bare minimum and sacrifice usability. When usability is sacrificed, business productivity—profitability—is reduced.

Forward-thinking business leaders see that cybersecurity must be embraced at the highest levels within a company, as it impacts the whole organization. Managers must move past thinking of cybersecurity as a layer of protection and view IT as a way to improve efficiency and productivity.

A perfect example is the 1964 Shinkansen bullet train in Japan. While anyone can make a fast train, it was the innovative approach to braking that permitted the speed. The brakes weren't added to act as a drag on the bullet train's performance. The brakes allowed the train to travel faster than conventional trains as they put the train drivers in control.

To go fast, really good brakes are required.

Mitigating Cyberattacks
Response to cyberattacks must show the credit union is in control and is acting to limit the damage, increase member confidence, and reduce recovery time. The lion's share of that will fall on the executive team being involved. Developing a plan is crucial in light of the damage a breach may cause. When a breach does happen, the first question—asked by both members and regulators—will be "What was done to prepare?"

There are clear-cut steps which can be taken to mitigate the impact.

Spokesperson. A particular spokesperson should be designated. The individual should come from the Marketing or Public Relations side of the house, and the President/CEO should speak only if there's good news.

Scripts. Communication scripts should be pre-drafted and ready to be used for many incidents, not just cyberattacks. The scripts need to be developed for all—internal and external—audiences.

Slow down. Don't rush to label the event as a "hack" or "breach." Until there is definitive evidence, it is enough to acknowledge that you are aware of the event; doing so helps minimize the impact.

Documentation available. Make sure response plans are available and reviewed regularly. Include procedure guidelines and checklists for containment, suppression, and recovery. Policies and directives for a response, along with documentation of risk and compliance, should be part of the package.

Identify. Identify departments and individuals vital to incident response. If any Single Points of Failure are determined, fill those gaps.

Help. Your company will need help to survive. Maintain relationships with law enforcement and remediation providers. Cornerstone's Technology Council is a group you can join to ask questions and share your experiences, and to get best practices from people who have been in your shoes. Don't wait until the point of need to start building relationships.

Risk list. Include a list of threats, risks and potential failure points—ATM, Visa, Shared Branch and so on. Keep updated as more information becomes available and the scenarios develop.

Roles and responsibilities. Be sure the staff is provided with knowledge of their roles and responsibilities in the event of a cyber incident.

Potential For Cyberattacks Will Only Increase
Internet-based services expose credit unions and their members to a host of risks from hackers and cyber thieves. While it may sound like science fiction, the increasing dependence on electronic delivery of financial services requires credit union boards to prepare for a cyber intrusion.

A full understanding of a credit union's responsibilities starts with reviewing Part 748 of NCUA's regulations.

Part 748 mandates federally insured credit unions to have a published program designed to protect credit union offices and guarantee the security of member records.

Appendix A requires credit unions to implement administrative, technical, and physical safeguards to protect the integrity of computer-based information.

Appendix B mandates that credit unions respond to unauthorized access to member data, and this includes notification of the member and the regulator. Credit unions must maintain a fully integrated plan to respond to—and manage—any breach.

The board's obligation doesn't stop with creating a security program. Part 748, Appendix A states:

"The board or appropriate committee must oversee the construction, roll-out, and maintenance of the credit union's information security program."

Credit unions bear the brunt of cybersecurity risk, and substantial financial costs follow a security lapse. Still, you must embrace IT as a profit center, not a cost center. Investing in cybersecurity will lead to increased efficiency and productivity. As more services become readily available and used online, it is inevitable that the potential for cyberattacks also increases. Therefore, you must stay vigilant in mitigation efforts, always. And if an attack does happen, having clearly documented guidelines will help you act quickly, minimize loss, and better protect your credit union and your members from future risk.
