The NAFCU Journal May - June 2018 - 20

"We can combat something today, and a different strain of an old threat can come about the following day."

- MICHAEL ROSE, SENIOR VICE PRESIDENT OF INFORMATION TECHNOLOGY AND PAYMENT SOLUTIONS, AFFINITY FEDERAL CREDIT UNION

multistate class-action lawsuit following a massive 2013 breach of 41 million customer payment card accounts.

More recently, Equifax, the data warehouse best known for its credit reports, announced the biggest breach in U.S. history when it disclosed last year some 141 million citizens - roughly half the U.S. population - were now at risk of identity theft and fraud following a data compromise. The number of victims has since risen to 147 million U.S. consumers.

Equifax now faces numerous investigations and class-action lawsuits, including one for negligence brought by a dozen credit union leagues. These litigants are seeking compensation for the financial losses past, present and future as the result of Equifax failing to patch a known vulnerability that was then exploited.

Most federally-insured credit unions may lack the size and market penetration of a major retailer or multinational provider, but they still must minimize their risk exposure and abide by the same government mandates and industry standards when it comes to securing data.

"Credit unions tend to be smaller organizations, and what we see across the board with smaller organizations is a lack of awareness of good behavior, of things to do," Tollerton says. "Security governance is typically nonexistent, and a lot of employees have a lot of access to sensitive information."

AN 'AFFINITY' FOR COMPREHENSIVE DATA SECURITY PROGRAMS

That lack of security governance isn't the case at New Jersey's Affinity Federal Credit Union, which has 154,000 members and $2.9 billion in assets. Michael Rose, the credit union's senior vice president of information technology and payment solutions, says cybersecurity is a top priority.

Since arriving at Affinity five years ago, Rose has improved or instituted numerous best practices to ensure that intruders cannot penetrate a network's perimeter and that 440 employees working in headquarters and 20 branches cannot unwittingly aid a compromise. It's a tall order, given that members of the digital underground are masters of human manipulation, which is usually needed to help them infiltrate databases.

"What people have to understand is that cybersecurity is an evolution," Rose says. "We can combat something today, and a different strain of an old threat can come about the following day. It's almost like when you are dealing with the flu. You get a flu shot, and the shot is supposed to take care of it. But a new strain comes along, and that shot doesn't work anymore."

So what does work at Affinity and other credit unions with a strong cybersecurity posture? It starts with an honest appraisal of current policies, procedures, people and products. Then you boost resources through internal initiatives or partnering with trusted vendors.

Affinity conducts an annual analysis of its current security platform and compares it to what is recommended by other agencies, such as the National Institute of Standards and Technology (NIST), SANS Institute, the FBI and the Federal Financial Institutions Examination Council (FFIEC). Those agencies also undergo regular reviews to make sure guidelines are still good.

Earlier this year, NAFCU Regulatory Affairs Counsel Andrew Morris sent NIST a letter in support of updates to its cybersecurity framework. Those changes, among other things, clarify how risks and cost-benefits are analyzed among different organizational maturity models.

"This distinction is essential, given that there is no one-size-fits-all approach to cybersecurity," Morris wrote. NAFCU also supports replacing specific metrics and measures with a more holistic view of compliance that better reflects how credit unions utilize the framework with their existing structure. Finally, NAFCU supports new draft language used for gathering threat intelligence that expands beyond yes-or-no statements, believing such declarative statements aren't as useful if credit unions adopt risk-related controls.

In addition to annual assessments, Affinity routinely conducts internal network audits, product and service gap analyses and penetration testing (using a so-called "red team" to try and hack into the system) to find - and quickly patch - software, firmware or hardware vulnerabilities. At the same time, Rose's team of 23 routinely scans security researchers' sites, IT security blogs and CERT alerts to stay current on the latest cyber threats.

When ransomware dubbed WannaCry and Petya first started locking up mission-critical systems worldwide in 2017, the Affinity IT team halted operations for an emergency breakout session to make sure all relevant server updates had been installed and remediations were ready.

Additionally, Affinity has a system in place for supervisory, board and executive oversight. "Regulators are making the board accountable," Rose says. "By being accountable, they need to be educated so that they understand our data security status in the reports

https://www.nafcu.org/newsroom/nafcu-supportive-nist-framework-updates
