Driving Down Business Risk for Credit Unions

Business Risk for Credit Unions

by Kyle Benson, Product Marketing Manager

I recently listened to an interview with two CEOs of mid-sized credit unions. The interviewer asked them about what keeps them up at night. Without a pause, they both answered, “being the victim of a cyberattack.” Their concerns are well placed—the risks associated with cybersecurity are tremendous, and the impact of attacks continues to grow daily.

As the interview progressed, they discussed the complexity of compliance and how much more effort is required to meet today’s regulatory requirements. The compliance struggle is real and will continue to grow as new threats, new attack vectors, and new legislation is enacted. Ultimately, achieving the right balance between a security program’s people, process, and technology is a significant undertaking.

One of the challenges of implementing a security program that drives down risk in a credit union is the sometimes fuzzy lines between IT functions and security functions. Because IT infrastructure is often the target of cybersecurity threats, many people in credit unions think security is an IT issue. It’s not. Cybersecurity is a business issue.

One of the ways to drive down risk is to acknowledge this fact and to commit the resource needed for a robust cybersecurity program. In many cases, IT professionals are asked to include cybersecurity as an “other duty as assigned.” This informal approach is a recipe for disaster since already overstretched IT teams might not have the skills or expertise to properly execute on a cybersecurity plan.

The numbers are telling. Studies have shown that just 54% of alerts are investigated1, and 51% are not being remediated.2 This lack of investigation and remediation can lead to impacts like dwell time where the average number of days to detect a data breach has swollen to more than 200 days3. From a cost of business standpoint, the average cyberattack has a cost of over $180 thousand dollars.4

Approaches to Reduce Business Risk for Credit Unions

So, how can credit unions reduce their business risks? It begins by understanding your data. We recommend creating diagrams that illustrate where your data resides at rest, then how it traverses through your network as it is being used. By understanding this, credit unions can build and test the right defenses at each stage of data residency. Since data moves throughout the various departments of a credit union, your processes must support securing your data while it is in flight and not just when it is safely protected inside the data center or cloud.

As credit unions hone their data mapping, they can then put the processes and technologies required to secure it into place. This mapping will include monitoring the entire network and server infrastructure, along with making sure endpoints are secured for transactions like mobile banking. Ensuring vulnerabilities are assessed, and patches are implemented promptly reduces risk as well.

Education goes a long way toward improving the cybersecurity maturity of a credit union, so making sure credit union employees are made aware of what potential threats look like is critical. Through email phishing or social engineering, cybercriminals know that human nature and the desire to help, particularly in an industry that is judged by customer service, can accelerate their access to sensitive data or infrastructure control.

Regulatory Complexity Challenges

Regulatory legislation is becoming firm on compliance requirements. The NCUA exam has seen a marked increase in the number of topics concerning cybersecurity, and the Automated Compliance Examination Tool (ACET) now includes almost 500 declarative statements and requires over 70 pieces of documentation to prove that a credit union is compliant with current regulations. This level of complexity and workload strains the limited resources in many credit unions, pushing the compliance exercise to become an effort checked off the list solely to pass the audit. In these cases, many of the learnings and potential process improvements can be lost as teams work on the tactical checklist to meet compliance.

Finance has a role to play in driving down business risk as well. As decision-makers for many of the investments needing a robust cybersecurity plan, finance professionals need to understand the risks and impacts that cyberattacks can have on their credit union. “Breaches open wallets” is a common refrain among cybersecurity professionals. This statement may be accurate, but once a breach has happened, it’s too late —a great deal of time and money is required.

At SilverSky, we’ve focused our business on ensuring that credit unions have the cybersecurity skills and expertise to protect their members. From security program development and testing to active monitoring and management of IT infrastructure, we work around that clock to provide the safety and security credit unions need. If you’d like to learn more, including the “10 Step Risk Readiness Checklist for Credit Unions to Drive Down Business Risk,” listen to a replay of our recent webinar as Gerrit Boele, CISSP, discusses the business risks threatening credit unions and what can be done about them.



1. Cisco 2018 Security Capabilities Benchmark Study

2. Cisco 2018 Security Capabilities Benchmark Study

3. Ponemon Institute – Cost of a Data Breach

4. Symantec



Managed Detection & Response

Comprehensive solutions to detect, prioritize, and address security incidents.

Managed Security Services

24 X 7 X 365 monitoring, management, and system maintenance.

Email Protection Suite

Monitor and manage your email environment with advanced email security and compliance protections.

Cloud Email & Collaboration

Cloud office productivity enhanced with proven security and compliance protection.

How does SilverSky's integrated stack of solutions meet your needs?

Compliance & Risk Services

Assess your program and controls, benchmark and identify areas for improvement. Develop your security roadmap for investment and improvements. Effectively measure ROI and impact on your security posture

Incident Response Readiness

Incident Response Plan Development / Review. Incident Response Readiness Review. Emergency Incident Response.

Discuss your compliance, risk management and incident response readiness needs.

Schedule Free 1-on-1 Consultation

Financial Services

1,500+ small & mid-sized financial institutions rely on SilverSky to meet and exceed FFEIC, GLBA and PCI DSS requirements and overall cybersecurity needs.


Hundreds of small & mid-sized healthcare organizations rely on SilverSky to address HIPAA and other regulatory requirements and serve overall cybersecurity needs.


Small and mid-sized retail organizations count on SilverSky to maintain PCI DSS requirements, secure customer data and reduce cybersecurity threats.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.


White papers, guides, tools, on-demand webinars, case studies and more. Explore a range of topics. 



Product Sheets

SilverSky product and services information at your fingertips. Product data sheets, compliance matrixes, & brochures.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

About Us

Did you know that SilverSky enjoys a 97% customer satisfaction rating and a 87.5% customer retention rate from thousands of small and mid-sized companies?

Looking to strengthen your cybersecurity?

Become A Partner

Partner with SilverSky to tap into the approaching $300 billion+ cybersecurity market.

Talk to one of our partner managers and consider expanding your cybersecurity offerings.

Schedule Partner Exploration Discussion