An estimated 98% of organizations worldwide have relationships with at least one third-party vendor that’s been breached.1 The NCUA recently reported an increase in cybersecurity attacks on credit union vendors and suppliers. This particular threat is at every credit union’s doorstep and it may be about to knock.
1 SecurityScorecard and Cyentia Institute
THEY DIDN’T SEE IT COMING
A SingerLewak credit union accounting client was recently impacted by a Cyber incident that caused great disruption and expense. The attack originated with a printing vendor and the ramifications were significant. SingerLewak’s accounting group introduced our SL Cybersecurity team to this client. Here’s what was going on:
- The vendor didn’t disclose the breach clearly or timely.
- This credit union was forced to scramble to find secure providers for printing Member 1099’s and statements in the face of regulatorily imposed deadlines.
- Account numbers and other PII were exposed – forcing an unpleasant decision about changes to account numbers.
- Credit union leadership was forced to focus on mitigating damage that they didn’t cause, but were victims of – and they owed their Members a response.
What made this situation even more stressful was that the printing vendor wasn’t even one of the credit union’s direct vendors – it was a vendor that supported one of the key vendors that the credit union counted on for a good deal of its automation. After forensics commenced, the compromised vendor’s SOC audit report was obtained and reviewed. It wasn’t particularly well written nor was the reporting as thorough as it could have otherwise been.
Was having a SOC report enough to assuage concerns about a breach? The answer is: well, perhaps. Why not better than “perhaps?”
- The mere presence of a SOC audit is not enough.
- SOC reports need to be reviewed by persons that understand boundaries and limitations of these audits and the subject matter thereof.
- SOC reports are just one of various means by which to assess the purported information security controls present at a vendor.
- Consideration of controls at a subservice organization can be vital – many people just file a SOC report away without truly understanding the significant implications of carving out the controls of the subservice organization(s).
THE PATH TO PROTECTION
While there’s no iron clad way to guarantee your information is safe, there are ways to increase your protection. SL Cybersecurity solutions for this area can include the following:
- Assess your credit union’s vendor risk management controls and practices to confirm you’re prudently considering the most salient information security risks.
- Provide a Gap analysis and remediation plan to shore up any holes in the methods used to assess risks inherent in your vendor relationships.
- Perform a systems and data inventory – or review those in place – to assess for possible information security vulnerabilities.
- Undertake cybersecurity-oriented scans of your own systems as needed, providing reports and recommendations for hardening, as needed.
- Contrast your security controls environment against recommendations set by the National Institute of Standards and Technology and the Center for Internet Security.
It will be up to your organization whether or not to implement our recommendations, but you will have a roadmap towards a better protected credit union and Membership.