
Tech Time: Your Data Breach—Not If, But When

Owner, KGS Consulting, LLC


“Well, this day-in-the-life of a credit union VP is going pretty well,” is your thought as you review material for the upcoming board meeting.

With the CU’s president in the middle of a two-week Caribbean cruise, it will be your turn to go over things at the meeting. And things are going well. The rollout of the updated mobile banking platform has been moving right along. Loan growth continues upward. And…

The ringing of your phone interrupts your train of thought, “Pat Jones, Akmye Credit Union. How may I help you?”

“This is Special Agent Joe Gannon,” the voice on the line responds. “I’m with the FBI’s cybercrime division. During a recent investigation, we found files on the dark web that appear to contain information about your customers—names, account numbers, addresses and other information. Were you aware you may have had a data breach?”

While we hope our cyberdefenses are enough to prevent a breach, or that we will notice a problem before someone else does, the odds are we will be among the last to know a data breach has occurred. A call like the one above may be our first indication of a problem.

How can you prepare your credit union for that phone call?

One of the first things you need to do is transform your mindset and your credit union’s culture from “if” to “when” we have a breach. This needs to start at the very top, with the board of directors, and work its way down through management to staff. With this mindset in place, you will be in a better position to think through the resources you’ll need to respond when “when” is now.

Another important aspect of this change in culture and mindset is that handling a data breach is not just an IT issue. Its impact will spread to just about every area of the credit union in one way or another. All staff members need to be prepared to answer questions from members or from incident investigators. With members in particular, those answers need to be appropriate and consistent: you can’t tell one member one thing today and another member something different tomorrow.

A tool your credit union can use to prepare those answers and responses is the scenario, or tabletop, exercise. During one of these exercises, management and staff gather in a room (i.e., around a table) and are presented with a scenario, such as the FBI call above. While the group works through what items, issues, resources, questions and answers a solid response would need, the coordinator injects additional information. For example, a few minutes after getting the above call, you get a call from the chairman of your board inquiring about an unrelated item for the upcoming meeting. How does that affect your next steps?

It is also important to work through different variations of these scenarios. For instance, with just the information in the example above, you don’t know where the leaked data came from. Did the information come from a breach of the CU’s systems? Or did it come from a breach of a vendor’s system? How would your responses be different? Or, instead of getting a call from law enforcement, what if the call was from an investigative journalist?

By working through these exercises and their variations, you will be able to define and refine your responses: what steps you’ll take, what questions you’ll ask and what resources you’ll need. You can put this information together in a playbook outlining what you’ll do in each situation. Think of your CU’s playbook as being similar to a sports team’s playbook: “If they do this, our team does that. If they do that, we do this.”

Going through the tabletop exercises and building your playbook will also help you understand what external resources you’ll need and may want to retain. For example, if your systems have been penetrated, you need to (quickly) understand the extent of the compromise. How were the systems accessed? Which systems were affected? Are they still compromised? Answering those questions without destroying the evidence along the way (for instance, by wiping and rebuilding an affected server before anyone has taken an image of it) may require expertise your IT personnel don’t have, especially if you might need to present the evidence from your investigation in court. So, what outside firm can you use? Do you put them on retainer, or hope they are available when you need them? If the breach results in legal action, is your current legal counsel sufficient, or should you look for counsel with more experience in this area? With respect to notifying affected individuals, is this something your marketing department can do, or do you need a firm specializing in breach notifications? (Yes, there are firms that do.)

That is a lot to think about, but with your new mindset, you can work through your answers now—so when your data breach occurs, you are ready.

Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security and technology risk management.
