Cyber Risk: What Your Employees Need to Know

By: Ann Davidson, VP of Risk Consulting, Allied Solutions 

Today, credit unions are doing a better job across the board enhancing their cyber risk management strategies to include more advanced risk controls.

However, one of the key risk controls that continues to be overlooked is employee education. With the increase in potential exposure to cybercriminal attacks, credit unions NEED to make employee risk education a top priority, so staff members at all levels of the organization can help your credit union detect and prevent future fraud risk exposures.

Regular risk training should be provided to employees in order to instill data security culture within the credit union. Employee risk education training should touch on:

  • Common cyber threats and security risks and the related vulnerabilities and threats to credit union operations, so employees understand the gravity of these potential breaches
  • Common warning signs for different types of fraud attempts so they know what to look out for and report
  • Workplace policies employees should follow to help prevent cybercrime, such as:
    • Internet & social media usage: Internet browsing should be limited and social media usage should not be permitted while at work
    • Software usage: Employees should not install unlicensed software on any work device
    • Personal device usage: Employees should not use their personal computer, tablet, or mobile device while on your credit union’s network
    • Work device usage: Employees should not leave workplace devices unattended without securely locking them and should ensure virus protection software is kept current
    • Password usage: Employees should be required to use strong passwords that are unrelated to their personal information, and different for every secure account
    • Email usage: Employees should never respond to emails or open email links that look suspicious or are from unknown sources
  • The nature of data security and reminders that each employee is individually responsible for helping protect the credit union’s data
  • Legal and regulatory obligations to respect and protect the privacy of secure accountholder and credit union information
  • Procedure for incident reporting in the event a device being used on the credit union’s network becomes infected by a virus or is operating with unexplained errors, including the importance of common warning messages and alerts and who to report incidents to

Cybercrime is not going to go away anytime in the near future. That’s why it is critical that your credit union remain one step ahead of the cybercriminals by educating your employees about the part they need to play in protecting your credit union from these potential exposures.


Take a deeper look at cyber risk and send this informative webinar to your employees:  The Scary Truth About Cyber Risk and Fraud. This session will help your employees learn what they need to know to combat the growing risk of internal and external cyber risk that may impact your credit union and its members. The solutions presented in our webinar will help your financial institution get ahead of the curve and manage fraud risk in a strategic and proactive way.

Register here for Ann’s upcoming webinar on August 3, Fraud in 2017: What’s Hiding Behind the Curtain, where she breaks down what the bad guys have been up to in the first half of 2017, so you can see beyond the curtain and prepare for the latter half of the year.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance- Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP). More educational resource






Creating a Collaborative Fraud Prevention Program

By: Ann Davidson, VP of Risk Consulting at Allied Solutions.

Many financial institutions in 2016 began picking up their efforts to build more robust risk management strategies. Creating a collaborative, cross-departmental risk strategy has proven to be a great way to manage fraud risk. Watch the full webinar to learn more: Collaboration is Key to Manage Fraud Risk.

One strategy your credit union may want to adopt is to create a risk culture awareness program that will help your financial institution better monitor, identify, and manage potential fraud activity.

What is a Risk Culture Awareness Program?

A risk culture awareness program is an ongoing initiative managed by leaders within your credit union to encourage enterprise-wide awareness of fraud and financial loss threats, so every member of your staff is better equipped to quickly and effectively detect and address these threats. Such programs include creating a fraud investigation unit to centralize the management of these risks, or adopting an enterprise risk management strategy that includes fraud mitigation.

What are the steps an organization should take to implement a risk culture awareness program?

1. Develop the foundational changes that will encourage this new culture of risk awareness.
2. Apply these new organizational changes and the risk culture awareness program.
3. Measure the impact of these changes to determine if they were effective.
4. Apply any necessary changes to the risk culture awareness program.
5. Adjust your risk culture awareness program as needed to meet the evolving needs of your organization and address current risks.

There is something to be said for knowing your entire staff is doing their best to help ward off fraud before it happens. There is also the added bonus of being able to tell your account holders about all the hard work you are putting in to help keep their information and money protected – which will inevitably lead to good things for your organization. No matter where 2017 takes you, know that there is much to offer in the way of risk awareness and prevention.

Listen to a more in-depth discussion about how your compliance team and your risk management teams can work together to mitigate risk by watching the full webinar here: Collaboration is Key to Manage Fraud Risk 

 

Allied Solutions is the NAFCU Preferred Partner for Insurance—Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP); and rateGenius. Learn more at www.nafcu.org/allied.





Data Breach Response Planning Best Practices

By: Ann Davidson, VP of Risk Consulting at Allied Solutions

There is a high likelihood another large data breach will occur in 2016, so it is essential your financial institution is armed with a written data breach action plan that includes steps to prepare for, respond to, and recover from an attack. Provided below are best practices your credit union can take to help mitigate the financial and reputational impact of a potential data breach on your financial institution and members:

Plan

  • Establish a formal data breach response plan
    • Name your team
    • Review plan annually
    • Submit to Board of Directors (GLBA)
  • Conduct annual trainings with employees on data breach awareness and response
  • Run tabletop exercises and/or mock data breach drills annually
  • Create a security fund for unpredictable external and internal breach costs

Respond

  • Develop an internal breach action plan
  • Designate resources to draft notification letters, employee scripts, FAQs, press releases, etc.
  • Adopt fraud investigation and credit monitoring services
  • Give away entitlement to services up front to create more value and offset cost at breach

Recover

  • Consider outsourcing with a qualified organization for the following professional services:
    • Fraud counseling service to take calls, provide guidance, place fraud alerts, etc.
    • Call center service to provide multilingual enrollment assistance
    • Identity advocate service to provide identity theft investigation and recovery

Read the Data Breach Preparedness Checklist produced by NXG Strategies or watch the recording of our webinar to learn more about how to build a strong data breach response plan.


Card Fraud Lessons Exposed

By: Ann Davidson, VP of Risk Consulting at Allied Solutions

Recently Allied Solutions presented a webinar on card fraud in response to the reported increase in card fraud attacks. When polled, 81% of attendees stated they have personally experienced an uptick in card fraud during the last 12 months.

After this webinar, Allied reached out to individual financial institutions to perform an assessment of their risk programs and help uncover potential causes of the card fraud they were experiencing. Here’s what they found:

  1. Financial institutions were seeing increased instances of PIN fraud at the ATM.

Discoveries:

    • A fraud monitoring system (FMS) was not in place for PIN authorizations performed at an ATM.
    • All employees were granted the authority to change ATM PINs when requested by a caller.

Preventive Actions:

    • Confirm in writing from your PIN vendor that you have an FMS in place for all types of authorizations.
    • Ensure PIN change requests are performed using robust authentication measures, especially if you have a voice response unit (VRU); do not give your employees the authority to manually process PIN changes.
    • Review your PIN change reports to see if there is a notable increase in PIN changes.
  2. Financial institutions were seeing high daily dollar amounts on card transactions.

Discoveries:

    • Credit card limits were set at the line of credit for a 24-hour timeframe.
    • Debit signature limits were set to the available balance in the cardholder’s account.
    • Debit PIN limits for POS and ATM were set at $1500 and greater.

Preventive Actions:

    • Confirm you have daily dollar limits for ALL types of transactions.
    • Set your daily dollar limits to suit your organization’s risk appetite and tolerance.
    • Ensure daily dollar limits are set to accommodate the spending activity of your account holders.
    • Let your cardholders know they should inform your organization if they want the daily dollar limit raised to better accommodate their transactions.
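
The PIN change report review recommended under the first finding can be automated. The following is an added example, not code from Allied Solutions or any PIN vendor: it flags days whose PIN change volume is well above the trailing median and breaks a flagged day down by channel. The report layout, channel names, and thresholds are assumptions, and the sample rows are constructed.

```python
from collections import Counter
from statistics import median

# Constructed sample standing in for a PIN change report export:
# (day, changes made through the VRU, changes keyed manually by employees).
SAMPLE_DAYS = [
    ("2016-03-01", 4, 1), ("2016-03-02", 3, 1), ("2016-03-03", 5, 0),
    ("2016-03-04", 4, 1), ("2016-03-07", 3, 2), ("2016-03-08", 4, 14),
]
# One row per PIN change: (day, channel).
ROWS = [(day, ch) for day, vru, emp in SAMPLE_DAYS
        for ch in ["VRU"] * vru + ["EMPLOYEE"] * emp]

def daily_counts(rows):
    """PIN changes per day, oldest first (days with no changes do not appear)."""
    return sorted(Counter(day for day, _ in rows).items())

def flag_spikes(rows, window=7, factor=3.0, min_excess=5):
    """Return (day, count, baseline) for days far above the trailing median."""
    counts = daily_counts(rows)
    flagged = []
    for i, (day, n) in enumerate(counts):
        prior = [c for _, c in counts[max(0, i - window):i]]
        if len(prior) < 3:  # too little history to call anything a spike
            continue
        base = median(prior)
        # Require both a multiple of the baseline and an absolute jump,
        # so a move from 1 to 3 changes on a quiet day is not reported.
        if n >= factor * base and n - base >= min_excess:
            flagged.append((day, n, base))
    return flagged

def channel_breakdown(rows, day):
    """Who processed the changes on a given day: VRU or employees."""
    return dict(Counter(ch for d, ch in rows if d == day))

if __name__ == "__main__":
    for day, n, base in flag_spikes(ROWS):
        print(day, n, "vs baseline", base, channel_breakdown(ROWS, day))
```

In the constructed data the flagged day is driven almost entirely by employee-processed changes, which is the pattern the finding above warns about.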

The discoveries that were made after communicating with these financial institutions demonstrate the importance of ensuring you have strong security measures in place to help prevent fraud attacks, while at the same time verifying the strength of your card processors’ and vendors’ security layers.

Watch the recording of Allied’s Card Fraud on the Rise: How Financial Institutions Can Help Prevent It webinar, co-presented by Ann Davidson and Tammy Behnke, Program Executive at ProSight Specialty Insurance, to hear more about how you can remain more protected from card fraud.

Hear more about security breaches and learn what your financial institution can do to help prevent and respond to breaches by attending Allied’s upcoming webinar Data Breaches Continue to Rise: How Financial Institutions Can Prepare & Respond on May 4. Click here to register.


Card Data Breach Loss Prevention Checklist

By Ann Davidson, VP of Risk Consulting at Allied Solutions

Many of the large-scale card data breaches in 2015 involved the compromise of magnetic stripe data on both credit and debit cards. The data compromised in most of these card breaches involved either track 1 or track 2 magnetic stripe fraud (POS 90), as determined by the merchant during the transaction authorization. Because the track information can be duplicated, there will likely be a high risk for future fraud exposure if you opt not to block and reissue these cards.

For an in-depth look into payment card fraud risks that many credit unions are being hit hard with right now, watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It.”

Card Data Breach Loss Prevention Checklist:

  • Evaluate the compromised card number to help determine if the risk is high
    • A high risk involves the full unaltered magnetic stripe data from track 1 and/or track 2 – track 1 carries the cardholder name; track 2 does not
  • Confirm you’re utilizing “name matching” if track 1 data was part of the breach
  • Review card associations’ alerts and act immediately on at-risk card data outlined in the alert
  • Analyze at-risk open card accounts to determine which cards are/are not still active
  • Review other card accounts to find out which cards are non-active and have already been closed due to fraud
  • Identify the fraud pattern to uncover the common point of compromise (CPP)
    • This is where the breach took place, not where the fraud occurred
    • Once discovered, report the CPP immediately
  • Block and reissue impacted, open card numbers when magnetic stripe has been compromised
  • Accelerate the reissuance of active cards prior to their expiration date
  • Consider reissuing the card 30 to 180 days before the date of expiration
  • Ask the card association(s) to take recovery action related to any expenses
  • Report the fraud to the Visa Fraud Reporting System and/or MasterCard’s Safe System, as this is a requirement under the card association(s) rules
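
The CPP step in the checklist is a small data analysis: look at where the compromised cards were used before their fraud began, not at where the fraudulent purchases were made. The following is an added example, not code from Allied Solutions or a card association; the card IDs, merchant names, dates, lookback window, and share threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date as D, timedelta

# Constructed sample data; card IDs and merchant names are made up.
# First confirmed fraud date for each compromised card.
FRAUD_START = {"A": D(2015, 11, 20), "B": D(2015, 11, 22),
               "C": D(2015, 11, 25), "D": D(2015, 12, 1)}
# (card, merchant, purchase date); cards X, Y, Z have no reported fraud.
TXNS = [
    ("A", "Corner Fuel", D(2015, 10, 3)), ("B", "Corner Fuel", D(2015, 10, 9)),
    ("C", "Corner Fuel", D(2015, 10, 15)), ("D", "Corner Fuel", D(2015, 10, 28)),
    ("X", "Corner Fuel", D(2015, 10, 12)),
    ("A", "MegaGrocer", D(2015, 11, 1)), ("B", "MegaGrocer", D(2015, 11, 2)),
    ("C", "MegaGrocer", D(2015, 11, 3)), ("X", "MegaGrocer", D(2015, 11, 4)),
    ("Y", "MegaGrocer", D(2015, 11, 5)), ("Z", "MegaGrocer", D(2015, 11, 6)),
    ("A", "Cafe Uno", D(2015, 10, 20)),
    # Fraudulent purchases: where the fraud occurred, not where the data leaked.
    ("A", "Online Electronics", D(2015, 11, 20)),
    ("B", "Online Electronics", D(2015, 11, 22)),
    ("C", "Online Electronics", D(2015, 11, 25)),
    ("D", "Online Electronics", D(2015, 12, 1)),
]

def cpp_candidates(txns, fraud_start, lookback_days=90, min_share=0.6):
    """Rank merchants by how many compromised cards shopped there pre-fraud."""
    exposed = defaultdict(set)  # merchant -> compromised cards seen before fraud
    clean = defaultdict(set)    # merchant -> cards with no reported fraud
    for card, merchant, day in txns:
        start = fraud_start.get(card)
        if start is None:
            clean[merchant].add(card)
        elif start - timedelta(days=lookback_days) <= day < start:
            exposed[merchant].add(card)
        # Purchases on or after the fraud date are ignored on purpose.
    ranked = []
    for merchant, cards in exposed.items():
        share = len(cards) / len(fraud_start)
        if share >= min_share:
            ranked.append((merchant, len(cards), len(clean[merchant]), round(share, 2)))
    # Most compromised cards first; fewer unaffected cards breaks ties.
    return sorted(ranked, key=lambda r: (-r[1], r[2], r[0]))

def at_risk_cards(txns, fraud_start, merchant):
    """Cards used at the suspected CPP that have not reported fraud yet."""
    return sorted({c for c, m, _ in txns if m == merchant and c not in fraud_start})
```

Each result row is (merchant, compromised cards seen, unaffected cards seen, share of compromised cards). A merchant that nearly every cardholder uses will also rank high, so the unaffected-card count is there to help separate a likely CPP from a merely popular store.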

Watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It” to learn more about payment card fraud risks.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance- Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP). More educational resources and partner contact information are available at www.nafcu.org/allied.