It’s not IF—It’s WHEN: Prepare Your Credit Union for Data Breach Aftermath

By Jay Isaacson, CUNA Mutual Group

With the rise in highly publicized financial data breaches, the first question credit union directors and senior executives should ask themselves may not be how to prevent it from happening to their credit union. Given the most recent cyber-crime statistics (see sidebar), the more appropriate question to ask may be: “What are we going to do when it happens to us?” Not if, mind you, but when.

Beyond lawsuit judgments and defense costs, your credit union may be faced with a variety of other direct and indirect losses a data breach can cause. For example, consider how your credit union would handle these potentially significant expenses:

1. Investigating the Data Breach’s Cause and Extent

You may need to hire a forensic auditor, network security specialist, or other professionals to determine which databases and files have been compromised, which members may be affected, the types of member data breached, how hackers gained access to the data, etc.

2. Extortion Threats

Imagine your CEO gets a call from a hacker who can confirm the acquisition of confidential member information. The hacker demands $1 million not to release the information to other criminals who will exploit the information.

3. Public Relations to Counter Reputation Damage

Outside public relations professionals may be needed to manage reputation risk if you don’t have in-house expertise.

4. Notifying Members and Protecting Their Assets

Depending on the size of the breach, the cost in work hours and materials to notify every potentially affected member can be significant. And if your membership crosses state lines, there will be added complexity and expense to your response due to varying state data breach notification laws. Remember that informing members is just a start; you’ve also got to have the staff or hire a third party to handle the inevitable surge of inquiries from members. In addition, try to estimate these potential expenses for a large-scale breach:

  • Credit report monitoring/identity theft restoration services for potentially affected members
  • Changing account numbers and following through with members to change their user identification and passwords
  • Reissuing checks or share drafts
  • Blocking and reissuing plastic cards

Decide How to Manage the Risk

Unfortunately, the above list of cyber-crime expenses is far from complete. As part of an overall cybersecurity risk management strategy, your credit union needs to determine which insurance coverage (if any) is needed to best protect your credit union from cyber risks.

Be sure you understand whether you have insurance coverage for these risks, and if so, whether is it part of another policy that may not be as comprehensive as a traditional cyber liability insurance policy. Make sure you review the coverage limits to determine if they are sufficient, based on your exposure. Estimating your potential exposure is especially important if your credit union chooses to self-insure against these risks.

Credit union leaders must continue to educate themselves about these threats as criminals adapt and shift tactics.

Jay Isaacson is Vice President, Business Protection Product Management, for CUNA Mutual Group. Contact him at 800-356-2644, ext. 6657829, or at

Strategic Link is the NWCUA’s wholly-owned service corporation, using the power of aggregation to provide the Association’s member credit unions with exclusive, high-quality, competitively-priced products and discounted services. Contact Director of Strategic Partnerships Craig Reed at today to find out how Strategic Link can help your credit union save money while meeting its goals in 2015 and beyond.

Posted in Article Post.