Having “the talk” … with your IT team

When Rodney Hood started talking about the importance of cybersecurity for credit unions shortly after becoming Chairman, to me, he sounded like the guy who comes about an hour late to the party. After all, cybersecurity has been a key priority of financial regulators for years now. But the COVID-19 pandemic has proven me wrong. With the number of credit union employees now working remotely, consumers relying more heavily than ever before on electronic transactions, and hackers being so brazen that they now steal from Robinhood (I couldn’t resist), your credit union is dealing with new cyber challenges coming from directions it could never have anticipated.

This puts the credit union senior management, and ultimately their boards of directors, in the hot seat given they’re the entities ultimately responsible for making sure your IT team is implementing the proper policies and procedures to both protect members and keep the place going. But in order to do this, boards have to know the right questions to ask. At yesterday’s board meeting, Johnny E. Davis, Special Advisor to the Chairman on Cybersecurity, provided an easy-to-understand list of questions in his presentation that a board member could use to zero in on how its IT staff has responded to the pandemic. For example, has anyone asked your credit union what policies and procedures it has put in place related to remote access by employees? Another basic but crucial question to consider is how your credit union is preparing in the mid to long term for the changes that have been accelerated by COVID. For example, in its quarterly earnings discussion with financial analysts earlier this week, JP Morgan commented on how it has seen an increased use of online banking resources by consumers, and how it believes that much of the shift is permanent. As a colleague of mine recently said, credit unions better have the technology locked and loaded, because even grandparents are getting used to remote deposit.

All of this of course introduces a compliance component to consider. Cybersecurity is a point of emphasis for your examiner, and irrespective of your size and sophistication, you should be able to document in your board minutes the steps you are taking with regard to your IT infrastructure.

 
