Credit Unions Talking Cybersecurity
The Credit Union National Association (CUNA Conference) Technology Council in San Francisco drew over 600 credit union technologists across the US last week. The conference conversations provided a wealth of compliance and cybersecurity insights for credit unions as well as other financial institutions.
Regulatory Compliance for Cybersecurity Keeping Financial Institutions on Their Toes:
The CUNA conference included sessions from the National Credit Union Administration (NCUA – the regulatory overseer for federally chartered credit unions). The NCUA is the big Kahuna when it comes to credit union compliance. The NCUA is part of the Federal Financial Institution Examination Council (FFIEC), and the FFIEC has established the Cybersecurity Assessment Tool (CAT) to help financial institutions understand their cybersecurity maturity. Wayne Trout, the NCUA presenter, indicated that one best practice is to use information from security service providers to help assess the credit union’s exposure to risk using the Automated Cybersecurity Assessment Tool (link goes to FS-ISAC CAT). You can download this Arctic Wolf FFIEC/NCUA solution brief to understand how we help financial institutions meet FFIEC/NCUA guidance.
Cybersecurity—What Stays in House, What Can Be Outsourced: one credit union consultant highlighted cybersecurity outsourcing depends on the financial institution taking an active, strategic role to be successful. Offerings like Arctic Wolf’s security operations center (SOC)-as-service is a force multiplier for existing IT staff, however achieving optimal results relies on the customer IT and/or IT Security team for strategy and planning. My friendly credit union technologist mentioned had a list of things that the credit union IT/security team needed to drive in order to optimize their SOC-as-a-service relationship:
Limited Cybersecurity Skills and Resources
A constant refrain from attendees was that they’re stretched thin for cybersecurity skills and resources. Some had deployed a SIEM system internally, but most who had now sought to get rid of it because of the time and energy it requires dealing with “false positive” alerts that consume resources and lead to security burnout. The Arctic Wolf team at CUNA understood their pain and explained how we alleviate it through our security operation center (SOC)-as-a-service. Gartner estimates that providing 24×7 monitoring in a SOC requires eight to 12 analysts, and that is beyond the means of the vast majority of financial institutions. The AWN CyberSOC™ service provides a force multiplier for financial institutions to improve cybersecurity and meet compliance obligations.
- IT security strategy
- Establishing internal IT security policies
- Collaborating with risk management and compliance to ensure compliance (NCUA, FFIEC, PCI DSS, New York Department of Financial Services, and so forth)
- Orchestrating incident response training and tabletop exercises for executive team (CEO, CMO, CFO in addition to the IT team)
- Employee security education (can be outsourced, but must be managed)
- Board security education
- Participating in technology advisory board
A SIEM Alone Is Insufficient: the security-focused attendees at the CUNA conference put together a Security Summit to swap ideas and share best practices. The consensus I heard was that while Security Information and Event Management (SIEM) systems are necessary, on-premises SIEMs are technology that requires people to give considerable “care and feeding” to triage alerts and maintain the system. Nearly all of the credit unions attending did not have sufficient staff to provide 24×7 monitoring and do threat hunting. Some tried a co-managed SIEM model, but were still having challenges keeping up with the flow of alerts and information.
Arctic Wolf has been seeing rapid adoption of SOC-as-a-service in the credit union community (and financial services in general). One satisfied Arctic Wolf customer at the CUNA event handed me a bunch of his business cards and said I could hand them out to attendees who wanted to learn more about the AWN CyberSOC! You should check out what we can do to improve your security posture while meeting your cybersecurity compliance obligations. Learn How SOC-as-a-Service can improve cybersecurity and compliance for financial institutions by dowloading our whitepaper.