Cyber Security Awareness Month: Third Party Cyber Risk Management

By: Jacob Olcott, VP of Business Development, BitSight Technologies

How not to become a “Target”
October is cyber security awareness month, and there are few things more haunting to financial or retail institutions than the security breach that affected Target stores a few years back. The attack resulted in more than $40 million in debit and credit card numbers being stolen, and more than likely affected at least some of your members.

The scariest part of the security breach may be where it originated: Target’s HVAC supplier. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third party cyber risk.

Regulators are taking a closer look at third party risk management, so the importance of employing best practices is not just practical, but legal as well.

Five Key Steps to Develop a Third Party Risk Management Program

Developing a risk management program doesn’t have to be difficult. There are five key points to consider for a plan, and several vendors and services that can help you to do so.

  1. Organize Internally. This means bringing together all teams that have an impact on, or are impacted by, your cybersecurity or your dealings with third party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
  2. Identify and Prioritize Key Parties. It is important for credit unions to consider any third party that has either direct network connections to your organization or access to sensitive data. This would include, but is not limited to, your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, approach this from the position of your most sensitive data, likely your members’ financial data, and the level of access a third party has to that data.
  3. Evaluate Your Vendors’ Security. This is traditionally done in a number of ways, such as questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments is a good source that charges a fee for common questionnaires to send your partners regarding their cyber security efforts. If you are interested in developing your own questionnaire, the NIST Cybersecurity Framework is a good place to start. You can also do your own audits of your partners, but often companies will share their own documentation of audits they have done.
  4. Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing, in forms such as contracts, but verbally as well. It is important to develop a strong dialogue regarding your security concerns that is not just a one-time conversation when you launch a partnership, but ongoing. The cybersecurity landscape changes on a daily basis, so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
  5. Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits can only give you snapshots of a company’s security profile at one point in time. Actual security is much more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like a credit rating service for cybersecurity: it provides a number that indicates how strong a company’s security practices are, on a continuous basis. BitSight calculates Security Ratings using a continuous process that gathers, processes, and assigns security data to arrive at the top-level security ratings.

For more detailed information on developing a third party cyber risk management plan you can check out NAFCU’s webinar with BitSight Technologies here or download BitSight’s white paper on the topic.

What Biometrics Can Do for Your Credit Union’s Security Strategy

If you feel like there is always another security measure you need to consider, you’re right, and this reality is actually a very good thing. The security landscape is indeed continuously changing and evolving.

You must constantly evaluate and re-evaluate your security processes because no single solution exists that satisfies all of your security concerns and needs. Consequently, it’s wise to employ a multi-factor authentication (MFA) strategy.

In our recent webinar, “Biometrics: Enhancing Member Experience & Security,” Chris Amador, Product Owner with Q2, talked about the balancing act that your credit union faces when implementing biometrics solutions. He spoke about the challenges your credit union faces in providing secured online and mobile channels that guarantee compliance with regulations and deliver a satisfying experience for your members.

Watch Biometrics: Enhancing Member Experience & Security

We’re sharing some key highlights from the webinar and encourage you to watch the complete presentation where Chris shares timely insights on:

  • The different types of biometric solutions currently used within the financial services industry
  • What true multi-factor authentication (MFA) means and why the “third factor” is difficult to solve
  • The preferred biometric solution for online use among consumers
  • Barriers you need to consider when implementing biometrics features
  • How to evaluate whether or not your membership is ready to accept this technology

What is a True Multi-Factor Security Strategy?

A true multi-factor authentication (MFA) security strategy should include three key factors:

  • Something I “have” (e.g., your member’s laptop or mobile device, like a tablet or a smartphone)
  • Something I “know” (e.g., your member’s user ID and password, PIN, account number, or knowledge-based questions)
  • Something I “am” (e.g., your member’s biometric data, a physical or behavioral attribute unique to your individual member)

You and your members are familiar with the “something I have” and “something I know” categories, but those two factors alone have limitations in today’s complex security environment.

The physical devices your members use, whether a laptop, a tablet, or a smartphone, were once considered an integral layer of security, but this is no longer thought to be true because these devices can be stolen. And, due to the rise of social media, your members may post all sorts of information that can be used by fraudsters to determine the correct answers to security questions. As an example, online quizzes on social media (e.g., BuzzFeed) can be used as tools for fraudsters to phish for information.

The “something I am” category is only available through the implementation of biometrics. Biometrics are an effective third factor in an MFA security offering for your members because they utilize something fraudsters can’t duplicate: the unique personal and physical identifiers of your members.

It’s important to consider and assess to what degree your members will be comfortable and willing to adopt biometric security measures. Continue advancing your knowledge about these options and the biometrics landscape by watching “Biometrics: Enhancing Member Experience & Security.”

Q2 Online and Mobile Banking

Q2 is the NAFCU Services Preferred Partner for a single platform virtual banking solution, including online and mobile. Learn more about Q2 by visiting

Executive Compensation: Making Sense of Fair and Reasonable

Written by Liz Santos, ‎Senior Vice President of Marketing and Business Development
Originally Published on

My little brother recently celebrated his 40th birthday. We marked the occasion by thumbing through old pictures and making fun of each other’s unfortunate haircuts. That’s Herbie on the left, in one of our rare moments of peace, prompted only by the promise of a sugary reward.

Growing up, Herbie and I had the usual love-hate relationship, although probably more hate than love. The hate part was invariably fueled by the perception of fairness. “That’s not fair!” was a regular retort in our household, as if there was ever any room for our parents’ reconsideration. When you’re a kid, fairness is meted out by your parents, often based on gender, birth order, age, or by the almighty “Because I said so.”

For credit unions, however, it’s a different story. Fairness, especially in relation to credit union executive benefits, is more predictable and consistent than my parents’ household rules. Executive benefit plans are a critical tool in recruiting, rewarding, and retaining your leadership team. A key concept in designing these plans is “fair and reasonable.” As expected, the NCUA has rules regarding fair and reasonable compensation.

Why do credit unions need guidelines for executive compensation?

When it comes to executive compensation for credit unions, the concept of fair and reasonable serves an important purpose. Paying executives fair and reasonable compensation requires balancing the needs of the credit union (and its members and examiners) and the executives. Paying too much wastes vital resources, while paying too little risks depriving the credit union of key managerial talent. Careful attention to the process will assist the credit union in arriving at an executive compensation that is fair and reasonable and that attracts, retains, and rewards executive talent.

Do banks have the same guidelines for executive pay?

Executive compensation planning at credit unions is comparable to that at banks in terms of balancing organizational and individual needs. However, some key differences are:

  • Banks can offer stock and other equity compensation not available in credit unions, making it more difficult for credit unions to compete for the executive talent.
  • Banks are subject to different regulations that address issues such as clawbacks (e.g., repaying bonuses for restated financials), the employer’s ability to deduct the compensation for tax purposes, and golden parachute penalties.

Unless your leadership team thinks sugary birthday cake is an adequate performance incentive, I recommend viewing a recent BFB webinar, “Attracting and Retaining Executive Talent with Fair and Reasonable Compensation.” The presentation delves into what is fair and reasonable, and how to apply that concept to your executive compensation philosophy.

Burns-Fazzi, Brock (BFB) is the NAFCU Services Preferred Partner for Executive Compensation and Benefit Consulting. Burns-Fazzi, Brock engages the law firm of Sherman & Patterson to advise on regulatory and tax compliance matters. Sherman & Patterson, located in Minneapolis, MN, has consulted with and represented tax-exempt organizations on their executive compensation needs for the past 30 years. They work closely with NCUA and state credit union regulators, and frequently write and present on these topics.

For more information and educational resources, visit

Getting Homeownership within Reach for Your Credit Union Members

Designing Spaces™, airing on the Lifetime® Channel, recently featured an educational segment about making the path to homeownership easier. During the episode, the desire for homeownership and the financial hurdles faced by a millennial couple were highlighted.

Debi Marie, the host of the show, interviewed Matt Young, Senior VP of Sales with Genworth Mortgage Insurance Corporation, about private mortgage insurance (PMI), which could be a perfect fit for members of your credit union who are facing similar questions and challenges.

Watch the segment
“Mortgage Insurance and Buying Your First Home – Designing Spaces”

Here are some key points from Debi’s interview with Matt:

Removing the 20% Down Barrier for Potential Homebuyers

Any homeowner knows that accumulating the 20% down for their first home is often one of the biggest financial challenges of their lives. By using PMI, your prospective member homebuyers can purchase a home without having to accumulate the full 20% down payment. This is a big deal since this option can shave years off of the saving process, allowing your members to become homeowners sooner.

During this episode, Matt provides some helpful and specific examples of what PMI payments would be, given your members’ creditworthiness, down payment amount, and the cost of their targeted home.

Managing Risk with Private Mortgage Insurance (PMI)

As you know, loans with down payments of less than 20% are typically viewed as riskier loans. With PMI, a down payment as small as 3% is allowable. PMI protects lenders, like your credit union, against loss if a member defaults, making lenders more comfortable with making a loan.

Borrowers are required to pay premiums ONLY until they build sufficient equity in their home, which is typically when they reach 80% loan-to-value (LTV). PMI is cancellable, unlike FHA insurance, which remains throughout the life of the loan. This can translate into thousands of dollars in savings for your member over the long term.

“As we all know, first-time homebuyers often don’t know what their mortgage options are, and it could cost them,” said Matt. “It’s important for us to proactively educate borrowers on the benefits of MI.”

Defraying Costs and Risks of Homeownership

After answering questions about how mortgage insurance works and how it makes some loans possible, Matt also explained how Genworth Mortgage Insurance provides beneficial online tools for potential member home buyers: a revamped free online Homebuyer Education training course and Homebuyer Privileges®, a discounts program.

Homebuyer Privileges – A program that can help to boost your originations and build member loyalty. The program offers your members discounts and rebates—valued up to $3,500—on the things they need most for their new home. And, best of all, there’s no cost to participate.

Homebuyer Education Online Course (free resource) – An educated member makes for a better homeowner and decreases the chance of member delinquencies. Through Genworth’s free self-paced online course, members will learn about the home loan process, tips on how to save for mortgage payments, home maintenance planning, and how you can help them along the way.

We’ll be posting more about helping your current and future member homebuyers in the near future; so stay tuned!

For more educational resources and information from Genworth, visit Preferred Partner Genworth Mortgage Insurance. Genworth Mortgage Insurance is the NAFCU Services Preferred Partner for Private Mortgage Insurance.

Best of NAFCU’s 48th Annual Conference and Solutions Expo (Video and Educational Highlights)

Credit union leaders from around the country gathered to network and discuss the most pressing issues impacting the industry during NAFCU’s 48th Annual Conference and Solutions Expo in Montreal, Canada. The conference was NAFCU’s largest event in nearly a decade.

Here’s a quick video of some highlights from this year’s conference:

During the conference, attendees heard from NAFCU management and leading industry professionals, including keynote speakers such as Founder and CEO Jeremy Gutsche and MasterCard’s General Counsel and Chief Franchise Officer Tim Murphy.

This year’s conference included the annual Solutions Expo, spotlighting the latest technologies, applications, and resources available to help improve credit union operations.

Our Preferred Partners exhibited during the conference and shared their thought leadership, innovations, and solutions during educational sessions throughout the conference.

The complete list of sessions and available presentation slides are available on

Here’s a quick listing of key topics presented during the conference to help your credit union grow, retain members, manage risks, protect members, and improve overall operations (presentation title, followed by the Preferred Partner presenting):

Growth & Retention
  • Building A Strong Payments Strategy (Vantiv)
  • Health Savings Accounts, IRAs and Millennials: A New Generation Presents New Opportunities (Ascensus)
  • Using Credit Scores to Grow and Engage Membership (VantageScore)
  • Why Your Credit Union Should Offer Wealth Management Services to All Members (Money Concepts)

Risk & Security
  • A Deep Dive Into EMV Implementation (MasterCard)
  • Cybersecurity Risk Mitigation: Protect Your Member Data (Knowledge Consulting Group (KCG))
  • Top Ten Fraud Risks That Impact Your Financial Institution (Allied Solutions)
  • Uncovering the Faces of Fraud (Q2)
  • Using Moneyball Tactics and Risk Rating Assessment Models (Wolters Kluwer Financial Services)

Financial & Insurance
  • Trends in the Retirement Plan Industry (Pentegra Retirement Services)

Thanks again to the 2015 Annual Conference signature sponsor MasterCard, our 5-star preferred partner sponsors Allied Solutions and Vantiv, and all of our partner sponsors, exhibitors, and speakers.

We’re looking forward to seeing you all at NAFCU’s 49th Annual Conference and Solutions Expo in Nashville (Music City) next year! Get more information, sign up for updates on the latest conference details, and register by visiting