Why Member Data Remains Vulnerable Beyond A Credit Union’s Own Network

In addition to placing heavy emphasis on securing their internal systems, credit unions are continually exposed to threats that exist completely outside of the credit union’s own environment. For instance, the recent data breach at the Interior Federal Credit Union (IFCU) was caused by the actions of a third party, which occurred off of the IFCU network, and underscores the expanding attack surface associated with current technologies that allow for sharing data between organizations.

The Complexity of Data-Sharing Ecosystem

Credit unions rely on a growing array of external partners as they strive to deliver optimum operational performance. Examples include marketing agencies, print houses that produce member statements, loan-processing software providers, compliance solution providers, and customer engagement solution providers. These service providers invariably have to handle sensitive member data in order to deliver their respective products or services to the credit union. The moment an external partner requires or requests access to a credit union’s member information, the partnership creates an additional point of entry within the ecosystem that now has access to sensitive member information. Depending on the level and type of security controls the external partner has in place, those controls may or may not provide the same level of protection as the ones implemented by the credit union.

Outsourcing is closely correlated with organisational efficiency, but it is also correlated with an increased potential for fragmented accountability within the shared ecosystem, because the external partner now holds and handles member data alongside the credit union.

Broadened Attack Surfaces and Indirect Exposure in Cybersecurity Risk

Cybersecurity risk is no longer limited to perimeter controls (e.g., firewalls) and internal access controls. Instead, it is becoming increasingly common for attackers to target third-party vendors, as these vendors often serve as a central point of aggregation for multiple financial institutions. As a result, when an attacker successfully compromises a vendor's systems, they could potentially obtain sensitive data from hundreds or even thousands of organizations (referred to as "downstream" exposure).

In the case of ransomware and intrusions (e.g., a service provider being compromised), the attacker may gain access to the data of many organizations without ever having to compromise an individual organization’s internal systems. This is because the attacker exploits the vulnerabilities associated with third-party vendors by taking advantage of their weak security practices, outdated applications and systems, and/or misconfigured infrastructures to gain access to sensitive datasets, such as lists of customer names and account details, Social Security numbers, and other personally identifiable information (PII).

This form of indirect exposure poses unique issues for credit unions, as credit unions may be responding to incidents that they did not create or that are difficult to identify quickly, even when they have implemented strong internal security programs.

Regulatory Expectations Are Evolving

Regulatory expectations continue to evolve. Recent guidance from Financial Services Boards (FSBs) and other regulators reflects growing expectations around vendor risk management. The guidance states that even though organisations may choose to outsource services, they remain responsible for protecting the information they have outsourced. Other FSBs require credit unions to perform appropriate due diligence before sharing any confidential or sensitive data with a vendor, and continue to hold credit unions accountable for ongoing oversight of the vendor throughout the life of the relationship.

Audit and questionnaire tools currently used by many organisations do not provide a complete picture of a vendor's true current security posture. A vendor could experience a security breach only months after onboarding, and changes in the vendor's threat or technology environment will likely go undetected until an incident has occurred.

As a result, credit unions, as the vendors' customers, will increasingly be required to re-evaluate how much data they share with vendors, how long that data remains with the vendors, and whether every vendor actually needs access to sensitive personal data.

Member Trust and Reputational Impact

Member trust and institutional reputation are heavily affected by vendors. When members’ sensitive or financial information is compromised, members lose trust in their institution regardless of whether the compromise occurred at a vendor or at the institution itself. Institutions also bear the continuing burden of notifying members, reporting to regulators, and addressing reputational damage, even when they can demonstrate that their own internal systems were secure.

In addition, vendor-related breaches raise larger questions about the lack of transparency regarding vendors’ access to members’ data. Therefore, as data ecosystems become increasingly complex, institutions need to communicate more clearly to members regarding how and why their data is shared with third parties—and how the institution manages the risks associated with this data exchange.

Rethinking Data Minimization and Vendor Access

One of the key lessons learned from vendor-related breaches is the need for institutions to minimize the amount and sensitivity of data they share with vendors. This strategy will minimize the downstream effects on the institution in the event of an incident involving the vendor. Institutions are now considering whether to provide vendors with complete datasets or whether it may be acceptable to provide anonymized or tokenized data to the vendor instead.
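As an added illustration (not code from the article or any credit union), the following Python sketch shows the minimization step described above: a vendor extract built from an allow-list of fields, with member identifiers replaced by keyed tokens and account numbers masked, plus a pre-release check that no sensitive field slipped through. The member records, the HMAC key, the vendor names and the field list are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample member records for illustration only (not real member data).
MEMBERS = [
    {"member_id": "10001", "name": "A. Example", "ssn": "123-45-6789",
     "account": "4400012345", "balance": "1520.33", "email": "a@example.com"},
    {"member_id": "10002", "name": "B. Example", "ssn": "987-65-4321",
     "account": "4400098765", "balance": "88.10", "email": "b@example.com"},
]

# Assumption: the HMAC key is generated and kept inside the credit union; the
# vendor never receives it, so tokens cannot be reversed on the vendor side.
TOKEN_KEY = b"constructed-demo-key-replace-in-production"


def tokenize(value: str, vendor: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed pseudonym. Binding the vendor name into the input
    makes the same member unlinkable across two vendors' datasets."""
    digest = hmac.new(key, f"{vendor}:{value}".encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def mask_account(account: str) -> str:
    """Keep only the last four digits, which is all a printed statement shows."""
    return "*" * (len(account) - 4) + account[-4:]


def build_vendor_extract(records, vendor, needed_fields, tokenized_fields=("member_id",)):
    """Allow-list only the fields the vendor needs; tokenize identifiers; mask
    account numbers. Fields not on the allow-list are never copied."""
    extract = []
    for rec in records:
        row = {}
        for field in needed_fields:
            if field in tokenized_fields:
                row[field] = tokenize(rec[field], vendor)
            elif field == "account":
                row[field] = mask_account(rec[field])
            else:
                row[field] = rec[field]
        extract.append(row)
    return extract


def leaked_fields(extract, sensitive=("ssn", "email")):
    """Pre-release check: return any sensitive field present in the extract."""
    return sorted({f for row in extract for f in row if f in sensitive})


if __name__ == "__main__":
    rows = build_vendor_extract(MEMBERS, "print-house", ("member_id", "name", "account", "balance"))
    print(rows, leaked_fields(rows))
```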

Finally, institutions are identifying the need to include ongoing monitoring, contractual security requirements, and incident-response coordination as standard components of vendor agreements, as opposed to being considered optional.

Looking Ahead

As cyber threats continue to evolve, credit unions must recognize that data security extends well beyond their own networks. Protecting member information increasingly depends on understanding—and managing—the full ecosystem in which that data moves. In a connected financial landscape, resilience is only as strong as the weakest external link.