Cyber risks credit unions should watch for

Learn what isn’t covered by fiduciary crime bonds and the insurance coverages credit unions should get.


The digital revolution was well underway prior to the pandemic, but the pandemic has now pushed virtually all service businesses to go online and adopt new technology to be faster and more convenient.

The same is true for credit unions. To retain and attract customers from a cashless generation, a strong digital strategy is a must. This requires a host of new digital entry points for customers, which, in turn, greatly increases the firm’s attack surface. Cybercriminals have an array of targets to choose from, including websites, apps, ATMs and a slew of new software. Essentially, credit unions now have a brand new set of digital risks to manage. We recently reported that the financial services industry saw a 31% increase in digital fraud attempts from 2020 to 2021.

To help mitigate cyber risks, most banks have fiduciary and crime insurance that covers a range of fraudulent activities. While this is a step in the right direction, fiduciary and crime insurance does not cover some of the most significant risks banks face, including ransomware, phishing attacks and data breaches. Many credit unions still do not have comprehensive cyber risk coverage. Let’s explore what isn’t covered by a fiduciary crime bond:

Ransomware

Ransomware is arguably the most significant cyberattack technique in recent history, and we are now witnessing its severe impact on critical infrastructure, with a recent attack shutting down some operations of the Colonial Pipeline Co. Increases in the severity of ransomware losses have been particularly acute and have roiled the market. The average ransom demand received by Coalition policyholders more than doubled from the first to the second half of 2020, to more than $1 million per demand.

Ransomware takes organizations hostage by encrypting and disabling access to business-critical systems and data until a ransom payment is made. For financial institutions, hackers will gain access either directly or through a third-party service and lock critical systems until their demands are met, possibly preventing customers from conducting transactions or accessing funds. Even when victims can recover from backups and avoid paying a ransom, they still face the costs of identifying the method used by the attacker and verifying the integrity of the data to be restored, along with business interruption and extra expense losses from operating during what can be a lengthy restoration process. And if they can’t restore from backups, they may have to pay a ransom as well.

Attacks on vendors

Credit unions’ digital presence is reliant on computer networks — their own and those of their critical software-as-a-service platforms and other cloud vendors. Vendor network outages can be caused by denial-of-service attacks, ransomware and other types of malware. These vendor outages can cause the same type of business interruption and extra expense losses as would occur if the credit union’s own network were down.

Data breaches

Credit unions hold personally identifiable information (PII), which is still of great value to hackers. Responding to a data breach is costly, and without comprehensive cyber insurance coverage, companies are left to manage the costs of forensics and data mining, legal fees, consumer notification and credit monitoring.

With basic cyber hygiene, credit unions can mitigate the risk of attacks, but this is not enough to protect customers, and fiduciary and crime insurance will not cover many of the biggest cyber risks or the services needed to get ahead of them. Credit unions should work with insurance brokers to make sure they are covered for the greatest risks facing businesses today.

Michael Carr is head of risk engineering, U.S. & Canada, for Coalition.

Opinions expressed here are the author’s own. 
