Addressing the Risks and Feeling Confident about the Future
Like any other organization, credit unions rely heavily on technology to streamline operations and efficiently serve members. However, this reliance on technology exposes credit unions to vulnerabilities that cyber criminals can exploit.
Let’s start with legacy systems. Many credit unions still operate using legacy systems, which are outdated and even lack the necessary security features or patches to keep the bad out and member data safe. At a recent UNDERGROUND Collision, Amber Harsin, CUDE (President/CEO of Prodigy) said: “If we move to a microcosm of the credit union movement and think about the technology partners running our operations daily, we have problems.”
The most prominently used core in our movement is written in PLN software, created in the sixties. Yet we line up and pay 75% more for that core. And we may get 50% of the security we think we’re getting because the system is too old. Why don’t we change it?”
And not only are credit unions’ legacy systems vulnerable, but add online banking platforms and mobile banking apps to the mix. These are essential services offered today and help provide 24/7 service to members – something members expect in today’s financial landscape. But these essential platforms and apps are vulnerable to phishing attacks, malware, and hacking attempts 24/7.
Adding to the critical nature of providing 24/7 access, Harsin stated, “Members expect us to be up 24/7, 365 days a year. What happens when a member can’t see their money for 30 seconds? They are blowing up your phones and posting on social media about how terrible you are and that you’re unreliable. So, consider what your technology stack looks like to mitigate your own risk. You have to get off the old core, and you have to be off legacy systems. You have to be ready for what comes next.”
And what Harsin shares shines through when you desire to add new and modernized offerings to your service mix. How often have you been thwarted to modernize your offerings because your core system can’t support them? So, instead, you deal with third-party integration separately, which can bring about potential unauthorized access to your credit union’s data.
Let’s take an example of loan origination. Suppose you cannot link an online loan application to your core system. In that case, you must work with a third-party vendor to provide separate access for members or determine how to integrate it into your system (which may cost thousands of dollars and add another way for hackers to access data).
Technology vulnerabilities are not limited to external threats; internal risks also exist. Employees with access to credit union systems can misuse their privileges or inadvertently introduce vulnerabilities. For example, a disgruntled employee could steal sensitive member data or accidentally download malware onto the credit union’s network. Furthermore, the credit union’s vulnerability can create a negative workplace environment and a lack of trust among your staff.
Stephen Bohanon, Chief Product and Sales Officer, Alkami, shared this insight at a recent Collision: “When it comes to data security, there’s another group we don’t think about. We think about the trust of our members. But we really need to think about the trust of our employees. One major credit union and a major bank in the Northeast had some serious digital issues. Their employees, the call center employees, the branch staff employees – they stopped trusting their employer. When we say we take care of our employees, part of that is investing in the infrastructure so they don’t have to deal with the mess of your lack of planning.”
As you move forward and look at your credit union’s vulnerabilities, where do you start? How do you mitigate your risk without mitigating growth? Where should you invest your money and effort? Take some advice from industry thought leaders on this critical topic:
- George Estrada, Principal Strategist, Amazon Web Services (AWS): “Start with the idea that things will not always work. What happens is everybody waits for the next big thing. You don’t want to invest. It’s tough to predict which disruption is really going to impact you. What should you do? One thing is for sure, you need to have a foot in the cloud at this point. Maybe not everything, but have a foot in there and start experimenting. When you start hedging and spreading out your risk, you understand disruptions happen but you can pivot quickly in response.”
- SHAZIA MANUS, SVP Experience Capabilities, CUNA Mutual: “Hope is not a strategy. Assess and activate. We have all heard, ‘If it’s not broken, don’t fix it.’ Well, you must fix it. And most importantly, you must modernize it. That’s the reality. The truth is that we really, really need to be mindful and thoughtful in how we go about it. Where are the places we make strategic investments? Where do we leave things as they are? What will it take to build and maintain members’ trust? And what are the implications for our businesses? Given the vulnerable technology we have built during the last 60 or 70 years, how do we modernize it and move forward?
- Amber Harsin, President/CEO, Prodigy: “It’s terrifying and scary. It’s like changing the propellers to jet engines on your airplane while flying. You have to think about doing it, you have to be bold, and you have to be brave. Consider what your technology stack looks like to mitigate your own risk.”
IDEAS INTO ACTION: The critical element of protecting the vulnerability of your credit union is to do something. Doing nothing is not a strategy! And closing your eyes and pretending it will work itself out will no longer be acceptable. As you create your strategic goals for the new year, closely examine your credit union’s technology. What can stay? What needs to go? What investment is needed? What timing is acceptable?
Discussing the answers to these questions will set up your credit union for a brighter future and improve your staff and members’ confidence in your organization.
READY TO HAVE MORE DISCUSSIONS LIKE THIS? Register now for our next UNDERGROUND Collision.