Cyber World Creates New Liability Risks for CUs

June 16, 2010

By Chuck Cashman

The evolution of the cyber world and virtual servicing is creating an emerging set of risk exposures for credit unions known as “cyber liability.”

These risks are linked to security incidents or direct breaches of credit union data, unlike the highly publicized third-party data breaches, such as Heartland and TJX.

These new risks create additional liability for credit unions, including member data breaches on a credit union’s system, new exposures from social media sites such as Facebook and Twitter, and other problems caused by computer malware and viruses.

In 2009, the Identity Theft Resource Center reported nearly 500 data breaches exposing more than 220 million records (although the number of records can be much higher due to non-reporting).

In addition, the 2008 CUNA Technology & Spending Survey Report stated that more than 40% of credit unions experienced at least one incident of ID theft in 2008.

More than 20% experienced online fraud, and 4% reported a data breach over that same time period.

Clearly, with member data stored in numerous places, especially electronically, the ability for outsiders to gain unauthorized access continues to be a growing problem.

Further, it’s relatively easy to distribute electronic data to inappropriate destinations, whether through intentional acts by employees, simple mistakes, or employee ignorance, which puts member data in even more jeopardy.

The most notable risk of cyber liability is financial loss. Credit unions not only face the direct loss of funds from a data breach, but also recovery costs.

A recent Ponemon Institute study states that in 2009, organizations spent more than $200 for each record compromised in a data breach.

Seventy percent of this amount resulted from indirect costs, such as customer turnover, while 30% resulted from direct costs, including notification and litigation. According to the study, the average breach cost $6.8 million.

Another risk, less obvious but equally important, is to the credit union’s reputation. How would members respond to a breach at your credit union?

Publicity from such an event may not only be reflected in the loss of current members but might make potential new members reluctant to join your credit union.

Further, highly publicized breaches have caused such mistrust that some organizations have been forced to downsize, discontinue operations, or go out of business altogether.

Data breaches within a credit union can happen in a number of ways:

  • A credit union sends a mailing with members’ account numbers printed on the mailer;
  • Someone steals a credit union employee’s laptop, which contains confidential member information and account data;
  • A fraudster hacks into a credit union’s ATM server, stealing credit and debit card information to commit unauthorized transactions; or
  • A credit union loan officer steals personal member data and fraudulently obtains thousands of dollars in loans attributed to members.

You can protect your credit union and members by:

  • Understanding your potential risks and exposures. Have a third party conduct an analysis of your response plan and policy.
  • Routinely testing your disaster recovery plan, including recovery from a data breach.
  • Protecting your credit union by having cyber liability insurance and making sure it covers data breach liability, member ID theft protection and restoration, and card/check replacement.

Chuck Cashman is a director in credit union protection product management for CUNA Mutual Group. Contact him at 800-356-2644, ext. 7161.
