Credit Union Cybersecurity

GLBA & PCI DSS: Demystifying the Credit Union Compliance Code

Jul 10, 2024

Financial gain remains the number one reason for cybercrime. In fact, Verizon credited 94.6 percent of breaches in its Data Breach Incident Report to financial motives. It’s no surprise, then, that the National Credit Union Administration (NCUA) last year warned its members of “a rise in cyberattacks against credit unions, credit union service organizations (CUSOs), and other third-party vendors supplying financial services products.”

The financial threat credit unions face in the ever-changing financial services landscape is real, and a breach also carries severe organizational and reputational consequences. Compliance and regulatory obligations make protection against cyberattacks an important, ongoing concern for credit unions as well.


Compliance, regulatory requirements for credit union cybersecurity

Given the sensitive financial and personal information they handle, credit unions must prioritize cybersecurity. Both government and industry standards exist to help credit unions strengthen their cybersecurity defenses. This section identifies and defines the main ones.

Gramm-Leach-Bliley Act (GLBA)

Enacted in 1999 to protect consumer financial privacy, the GLBA (also known as the Financial Services Modernization Act of 1999) requires credit unions and other financial institutions to safeguard sensitive customer information. Compliance involves providing notice of privacy policies, allowing customers to opt out of having their information shared with non-affiliated third parties, and implementing security measures to protect against unauthorized access to customer data.

National Credit Union Administration (NCUA) Regulations

The NCUA requires credit unions to implement robust cybersecurity programs that address risk identification, mitigation, and monitoring. The requirements call on the unions to develop a written security plan to “ensure the security and confidentiality of member records,” “protect against unauthorized access,” “respond to incidents of unauthorized access,” “prevent destruction of vital records,” and more.

Payment Card Industry Data Security Standard (PCI DSS)

If credit unions process credit or debit card payments, they must comply with PCI DSS, which mandates security controls to protect cardholder data. This requires credit unions to know how and where cardholder data is received, stored, and transmitted, as well as to implement, document, and report secure controls to minimize risk and repair any identified vulnerabilities.

Data Breach Notification Laws

In the event of a breach, many states have laws requiring credit unions to notify members of the possible exposure of their personal information. Additionally, in October 2023, the Federal Trade Commission (FTC) expanded its Standards for Safeguarding Customer Information Rule (the Safeguards Rule) to require credit unions to report certain data breaches and other security events directly to the FTC. This includes unauthorized disclosures of unencrypted data of at least 500 customers.


Combatting cyberattacks against credit unions

Staying informed about regulatory requirements is key, but maintaining compliance also requires an investment in cybersecurity measures to safeguard operations and member information. This section explains specific practices that can support credit union success.

Credit unions have complex infrastructures requiring secure connections between headquarters, branch offices, ATMs, and mobile users. Virtualizing architecture can simplify management and enhance agility and scalability.

Software-defined Wide Area Networks (SD-WAN) are one useful way to enable digital and cloud transformation. Virtualizing network services such as routers, firewalls, and load balancers can improve the credit union’s scalability and agility. SD-WAN can also improve network performance for internal and external users by prioritizing critical traffic and off-loading non-critical business apps. Using integrated security features such as encryption and sandboxing can also help reduce or prevent data loss, downtime, regulatory violations, and legal liabilities.

Virtual Desktop Infrastructure (VDI) and virtualized storage can also support compliance requirements by securing sensitive data with the support of multi-factor authentication options. Meanwhile, you can safely support optional bring-your-own-device (BYOD) environments while blocking devices that pose greater risk, such as USB flash drives and external disks.

Multi-factor authentication on all sensitive accounts and systems, including email accounts and remote access portals, adds an extra layer of protection against unauthorized access and phishing attempts.

Securing email can also involve installing phishing detection and blocking capabilities. Cisco Secure Email Threat Defender, for example, uses artificial intelligence-driven detection and threat intelligence to optimize your defenses and remediate faster.


Readiness for the worst

Credit union compliance also calls for planning and implementing Incident Response Plans (IRPs) and disaster recovery (DR) solutions. Regularly testing an IRP, with specific roles and responsibilities assigned to designated personnel, can ensure a swift and coordinated response in the event of a cyberattack.

Backup and data recovery are foundational to your cyber readiness. With a readily accessible backup that you test consistently, a credit union can ensure compliance while reducing downtime after a cyberattack and protecting against natural disasters.

An Active DR solution also supports cost-effective, highly available business continuity. Instantly scalable during outages, this always-on solution provides a fast failover option. Combined with high bandwidth network connectivity and a virtualized infrastructure, the Active DR solution replicates the credit union environment when needed.


Partner with Team29B for compliance success

Team 29B, The Credit Union IT People, offers decades of experience supporting credit unions by offering robust, secure network infrastructure solutions customized to the individual credit union’s needs.

Our innovative and sustainable IT solutions use cutting-edge technologies to protect infrastructure and data while optimizing performance. We understand the sensitivity of credit union data, the demands placed on the IT and Information Security departments by the Board of Directors, and the changing needs of members. Let us help transform your network infrastructure and shield your systems against the increasing cyber threats facing all businesses. Contact our experts today!