Take prompt action
“Security risk is the single most important thing that keeps me up at night,” says Mary Beth Wilcher, CEO of $350 million asset Erie (Pa.) Federal Credit Union. Unlike with regulatory compliance, security breaches usually come with no warning, and the consequences can be devastating.
When previously working at CUNA Mutual Group, Wilcher gained insight into where losses occur. “I learned how they happen and what we can do to stop them before they stop us.” That knowledge showed her how important it is for every CEO to take the lead with security planning.
Recently, Wilcher led Erie Federal in tightening security on file transfer protocol destinations, email procedures, and storage and mailing of address change notices.
Erie Federal typically factors its security expenses into its overall operating budget. Security expenses aren’t currently segregated into individual line items in the budget, but that will probably change in the future. The credit union’s operations team oversees policies, procedures, compliance, and security.
“Keeping up with compliance and security certainly takes a toll on our budget,” notes Wilcher, “but it can’t be scaled back and will only escalate expenses going forward. As new security threats appear, we’ll continue to take prompt action as needed. Budgets don’t always anticipate those expenses in advance. Being able to explain them to your board and examiners is critical.”
Erie Federal had one robbery attempt in 2009. In response, says Wilcher, “branch security became a top priority, and we began retrofitting our branches with state-of-the-art security.
“One easy fix is to add additional lighting and cameras both inside and outside your facilities to deter crime,” she suggests. “We also added internal technology that enables us to reduce risk by monitoring accounts that could potentially cause us a loss.”
Security planning and budgeting should be a line item on the budgets for all branches and corporate facilities, she says.
“If security isn’t first and foremost in the minds of your management staff and your board of directors, you’re potentially opening the door for a hit to your reputation, monetary loss, or—God forbid—loss of life,” she says.
Address risks and exposures
For the past 15 years, $135 million asset Public Service Credit Union in Romulus, Mich., has been addressing specific security issues within its budget and business plan.
“Years ago, security planning was much more rudimentary than it is now due to increased exposure that we face to physical and data threats,” says Dean J. Trudeau, president/CEO.
The credit union’s annual budget process takes into consideration both physical and electronic data security.
“We have a person in charge of loss prevention who makes recommendations for software upgrades that allow for detection of fraudulent accounts and suspicious activity,” he says. “He’s primarily responsible to budget for upgrades or make additions to our security equipment such as cameras, electronic access devices, or alarm upgrades.”
Additionally, Public Service encourages all department and branch managers to consider security enhancements when they submit their annual budgets. “We include security-related issues within our overall business plan by starting with an annual physical risk review of our offices and practices.”
The credit union also performs an internal Bank Secrecy Act risk assessment of products offered and methods for opening accounts. “We use these reviews as an opportunity to modify procedures and create budgets to address new risks and exposures,” says Trudeau.
Security needs have become a huge concern for credit unions today because they’ve become a core consideration of how business operates. Consequently, credit unions face numerous challenges when planning for possible security problems.
“All facets of security are important,” says Trudeau. “First of all, we’re required by regulation to protect member data. And secondly, insurance no longer covers the losses that were covered years ago unless they become catastrophic.
“Our bottom line mandates that we fend off potential losses at every opportunity. The cost and effort to provide security for records, documents, and member data is greater due to the ever-changing, sophisticated methods to defraud the system.”
So what’s the top recommendation when it comes to security planning? Move beyond using only one department to review security, says Trudeau.
“Budget for security throughout your organization. The perspectives and objectives for each department are different and necessary for a strong security plan.”