Cyber Security Awareness Month: Third Party Cyber Risk Management

By: Jacob Olcott, VP of Business Development, BitSight Technologies

How not to become a “Target”
October is cyber security awareness month, and there are few things more haunting to financial or retail institutions than the security breach that hit Target stores a few years back. The attack resulted in more than 40 million debit and credit card numbers being stolen, and more than likely affected at least some of your members.

The scariest part of the breach may be where it originated: the attackers got into Target's network using credentials stolen from one of its HVAC vendors. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third party cyber risk, because a vendor's network access or data access is effectively an extension of your own attack surface.

Regulators are also taking a closer look at third party risk management, so employing best practices is not just prudent but increasingly a legal expectation as well.

Five Key Steps to Develop a Third Party Risk Management Program

Developing a risk management program doesn’t have to be difficult. There are five key points to consider for a plan, and several vendors and services that can help you along the way.

  1. Organize Internally. This means bringing together all teams that have an impact on, or are impacted by, your cybersecurity or your dealings with third party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
  2. Identify and Prioritize Key Parties. It is important for credit unions to consider any third party that has either direct network connections to your organization or access to sensitive data. This would include, but is not limited to, your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, start from your most sensitive data, likely your members’ financial data, and rank each third party by the level of access it has to that data and to your network.
  3. Evaluate your vendors’ security. This is traditionally done a number of ways, such as questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments offers standardized questionnaires (for a fee) that you can send to your partners about their cyber security efforts. If you would rather develop your own questionnaire, the NIST Cybersecurity Framework is a good place to start. You can also audit your partners yourself, but vendors will often share documentation from audits they have already undergone.
  4. Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing, in forms such as contracts, but verbally as well. It is important to develop a strong dialogue about your security concerns that is not a one-time event when you launch a partnership, but ongoing. The cybersecurity landscape changes on a daily basis, so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
  5. Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits can only give you a snapshot of a company’s security posture at one point in time; actual security is much more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like a credit rating service for cybersecurity: it provides a number that indicates how strong a company’s security practices are, updated on a continuous basis. BitSight calculates Security Ratings using a continuous process that gathers, processes, and attributes security data to each rated company to arrive at its top-level rating.

For more detailed information on developing a third party cyber risk management plan you can check out NAFCU’s webinar with BitSight Technologies here or download BitSight’s white paper on the topic.

What Brands Can Do to Circumvent Social Hacking

Originally published on

Guest post by Sundeep Kapur, Author, Digital Evangelist and Director of Strategic Marketing for NCR Corporation.

A simple heist. I went for an afternoon stroll in my grandparents’ neighborhood (Mumbai, India) when I literally bumped into a young man on a bicycle. The “bump” slowed him down, I heard the words “thief,” and saw a group of people chasing him – the young man was caught. The strategy used by these thieves was innocent: young men play ball, the ball enters your community, three young men enter your community to look for the ball, two men steal stuff, a small truck meets them on a distant road, and they are off!

It happens online too. You get a “connection” request on social media. (I used the word connection to imply no one particular social media channel – it could be Facebook, Twitter, Google+, or even LinkedIn.) It’s from a brand you know. You join the forum and start paying attention to the discussions. You soon start noticing a couple of individuals who are actively involved on this brand’s page and are receiving “affirmations” (likes/endorsements/retweets) from the brand. You now get a friend request to connect personally, you do, and you end up downloading something malicious.

Your personal information is harvested and the trouble begins.

Data Breach Preparedness and Response – A Handy “How-To”

With the recent headlines about yet another data breach affecting credit unions and their members, I wanted to point you to a resource that might help you respond effectively. Because this isn’t the first data breach and it certainly won’t be the last.

We’ve posted a recording and accompanying slides from a Data Breach Preparedness presentation from the 2012 NAFCU Technology and Security Conference for your information, as you look at how to address this most recent incident. The presentation was made by Christine El Eris, Director, Product Management for Affinion Group (one of our Preferred Partners, for ID Theft solutions), and focuses on best practices for responding to members, partners and stakeholders during and after a breach. Not surprisingly, Christine stresses the importance of putting steps in place in advance and provides tools and guidelines for breach preparation and response.

Tips to Prevent Identity Theft

It’s scary how easy it is for criminals to get to our personal information – as technology improves, so do the skills of fraudsters. In fact, I find myself being what some think is paranoid – triple checking for the https in online shop URLs, and shredding almost everything with my name on it. I mean look what happened to Sandra Bullock in The Net – if that could happen in the 90’s just think of what’s possible now!

As trusted financial advisors, it’s imperative for credit unions to help educate members about what they can do to prevent their own identity theft and the losses that often accompany it. Not to mention, the more careful your members are, the less at risk your credit union is of incurring losses due to identity theft. (Check out the landmark case involving Comerica Bank and your potential liability from a phishing scam.)

We teamed up with our Preferred Partner for identity theft, Affinion Group, to gather some key tips for you and your members to help prevent identity theft.

Top Six (Free) Webcasts in the NAFCU Services Library

Our partners are on the front lines with credit unions every day, and while you may only have experience with your own credit union, the odds are that our Preferred Partners have worked with hundreds or even thousands. They can bring perspective and proven problem-solving to bear on practically any topic.

At NAFCU Services, we try to help the knowledge transfer process by capturing the expertise of our Preferred Partners in digital format—in webcasts, webinars, podcasts and white papers that are archived in our NAFCU Services Partner Library. We are up to 180 and counting, and best of all they are free to ALL credit unions!

Check out our top six most popular webcasts over the last couple of years:
