Credit unions have recently seen a rise in data breaches and security incidents. Most notably, the CitrixBleed incident caused outages at nearly 60 credit unions, and the MOVEit breach impacted many organizations in several different industries.
With the surge in these types of incidents, credit unions must remain vigilant in protecting sensitive member information. One crucial step is to continuously review the information security controls of their third-party service providers.
Keep in mind that the threat landscape has evolved rapidly. Cybercriminals are using increasingly sophisticated tactics in an attempt to exploit sensitive member information from credit unions. At the same time, credit unions are increasing their reliance on third-party service providers. While these services enhance efficiency and reduce costs, entrusting your member data to a third party can introduce new risks. A breach or security incident at a service provider could have severe consequences for the credit union.
Here’s a rundown of the critical steps credit unions should take in their due diligence to enhance third-party risk management:
Vendor risk assessments: These assessments should be completed as part of the enterprise risk management process. New vendors should be assessed at the time of onboarding for any potential vulnerabilities. Risks identified should be mitigated to an appropriate level prior to working with a new vendor. Once onboarded, vendors should be reviewed at least annually for any new potential vulnerabilities and a plan should be made to manage them appropriately.
Review of contracts: Security requirements should be clearly outlined within the contract with third-party vendors. Contracts should be reviewed to help ensure that vendors are required to maintain security controls that align with the credit union’s expectations, as well as with regulatory requirements. Contracts should also outline the vendor’s responsibilities in the event of a security incident. Consequences for noncompliance by the vendor should also be identified in the contract.
Audits: Ongoing audits of third parties are essential to verify that they are maintaining compliance. Vendor questionnaires and policy reviews can provide a lot of good information, but they are not a substitute for a thorough audit completed by a reputable auditor. SOC 1 and SOC 2 type 2 examination reports should be reviewed on an annual basis along with any other applicable third-party audit reports.
Incident response planning: Credit unions should develop their own incident response plan and test it frequently to make sure they are prepared to respond to a security incident. The same expectation should also be in place for third-party vendors. In addition to contract requirements, it’s important to review a vendor’s incident response plans to verify that they are compliant with current regulations, including the recently enacted requirement for federally insured credit unions to report incidents to the NCUA within 72 hours. Credit unions should also verify that third parties are testing their incident response plans regularly.
In the face of the escalating threat landscape and the increasing frequency of data breaches, credit unions must proactively monitor information security controls at third-party service providers. By taking a comprehensive approach, credit unions can not only mitigate the risk of data breaches but also strengthen member trust, ensure regulatory compliance and bolster their overall cybersecurity program.
How Wipfli can help
As credit unions navigate the fast-evolving landscape of cybersecurity risks, it’s necessary to adopt a proactive approach to defend against threats. Wipfli’s skilled cybersecurity team is ready to help your organization assess where your greatest vulnerabilities are and provide solutions to reduce the risk of costly data breaches and reputational damage. Learn more about the wide range of services we offer to support credit unions.
Sign up to receive additional financial institutions content in your inbox or continue reading on: