Lexop, Aug 19, 2024, 5 min read

Protecting Your Credit Union from Third-Party Cyber Risks

In the ever-evolving landscape of cybersecurity, credit unions face increasing threats, particularly when it comes to third-party risks. The recent NCUA report underscores the critical importance of managing these risks to ensure the resilience of the credit union system. For senior collections and lending leaders, understanding these risks and how to mitigate them is paramount to safeguarding your institution and members.

Understanding Third-Party Risks

The NCUA report highlights several key concerns related to third-party risks:

  1. Vendor Management: Ensuring that third-party vendors adhere to stringent security standards.
  2. Data Security: Protecting sensitive member information from unauthorized access.
  3. Operational Resilience: Maintaining continuous operations even when third-party services are disrupted.

These concerns have real-world implications for the security and stability of credit unions. The NCUA report found that, since its cyber incident notification rule took effect on September 1, 2023, incident reports from credit unions show compromises within third-party services creating systemic risk across the credit union ecosystem: incidents involving third-party vendors accounted for approximately 73 percent of all reported incidents. A breach or failure at a vendor can lead to significant financial loss, reputational damage, and regulatory scrutiny, and the vendor does not even need to be attacked. In July 2024 a faulty content update to CrowdStrike's Falcon sensor crashed Windows hosts worldwide, a global outage that originated in a trusted security vendor's own update channel.

Lexop's Approach to Mitigating Third-Party Risks

At Lexop, we prioritize security and legitimacy in all our operations to address these very concerns. Our solution is designed to connect with your systems while providing robust security measures to protect your institution and your members. Here’s how we do it:

1. Ensuring Secure and Authentic Communication

We know phishing and scams are significant threats. To combat this, all communications from Lexop are sent from your own domain rather than from a vendor domain, so they are verifiably yours both to your members and to their mail providers. Our fully white-labeled payment portal keeps Lexop invisible to your members, which strengthens trust and reduces fraud risk. Sending from your domain also trains members to recognize the signs of legitimacy (your logo, your email address, consistent messaging), helping them trust real messages and stay alert to phishing. The flip side is that members cannot tell vendor-originated mail from your own, so the vendor's sending infrastructure must be authorized and monitored as carefully as your own mail servers.

To do this, Lexop works closely with your IT team to implement several configurations that enhance security:

  • Sender Authentication: Your DNS is configured so that receiving mail systems can verify that messages sent through Lexop were authorized by your institution, exactly as they verify mail from your own servers. In practice this means SPF and DKIM records that authorize the vendor's sending servers and a DMARC policy that tells receivers to reject unauthorized mail claiming your domain; a message that merely looks like it comes from you is what a phisher sends.
  • Domain Redirection: Our payment portal can be accessed via a link like payments.yourcompany.com, reinforcing your brand and ensuring consistency. The subdomain is typically delegated to the vendor with a DNS CNAME record; the TLS certificate must cover that name, and the record should be removed when the relationship ends so the subdomain cannot later be claimed by someone else.
  • Brand Customization: We configure your company’s image, logos, colors, links, and wording into all communications and pages, ensuring a seamless extension of your brand.

Members will see a consistent and familiar brand, which fosters trust and reduces the likelihood of scams or phishing attempts.
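As an added example (this is not Lexop's code or configuration), the following Python script audits the DNS records that a white-labeled vendor integration like the one above depends on: an SPF record that authorizes the vendor's servers without opening the domain to everyone, a DKIM key published under the vendor's selector, and a DMARC policy that actually rejects unauthorized mail. The domain names, vendor include, DKIM selector and record contents are constructed for illustration; a real check would fetch the TXT records with a resolver instead of reading them from a dict.

```python
import re

# Constructed sample DNS TXT records for a hypothetical credit union domain
# that has white-labeled a vendor's mail. None of these are real records.
WEAK_TXT = {
    "creditunion.example": [
        "v=spf1 include:_spf.google.com +all",
    ],
    "_dmarc.creditunion.example": [
        "v=DMARC1; p=none",
    ],
}

HARDENED_TXT = {
    "creditunion.example": [
        "v=spf1 include:_spf.google.com include:mail.vendor.example -all",
    ],
    "_dmarc.creditunion.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@creditunion.example",
    ],
    "vendor._domainkey.creditunion.example": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu3f2",
    ],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def txt(records, name):
    """Return the TXT strings published at a DNS name (empty list if none)."""
    return records.get(name.lower(), [])


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records, domain, vendor_include):
    findings = []
    spf = [r for r in txt(records, domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return [f"SPF: no v=spf1 record on {domain}"]
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers return permerror)")
    terms = spf[0].split()[1:]
    if f"include:{vendor_include}" not in terms:
        findings.append(f"SPF: vendor sender {vendor_include} is not authorized")
    if any(t in ("all", "+all") for t in terms):
        findings.append("SPF: '+all' lets any host on the Internet pass SPF for this domain")
    # Strip the qualifier (+ - ~ ?) and the argument, keep the mechanism name.
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"))[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dkim(records, domain, selector):
    name = f"{selector}._domainkey.{domain}"
    keys = txt(records, name)
    if not keys:
        return [f"DKIM: no public key published at {name}"]
    if not parse_tags(keys[0]).get("p"):
        return [f"DKIM: key at {name} is revoked (empty p= tag)"]
    return []


def check_dmarc(records, domain):
    policy = [r for r in txt(records, f"_dmarc.{domain}")
              if r.upper().startswith("V=DMARC1")]
    if not policy:
        return [f"DMARC: no policy record at _dmarc.{domain}"]
    tags = parse_tags(policy[0])
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only reports spoofed mail; it is never quarantined or rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so authentication failures are never reported to you")
    return findings


def audit(records, domain, vendor_include, dkim_selector):
    """Run all three checks; an empty list means the records look sound."""
    return (check_spf(records, domain, vendor_include)
            + check_dkim(records, domain, dkim_selector)
            + check_dmarc(records, domain))


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_TXT), ("hardened", HARDENED_TXT)):
        result = audit(recs, "creditunion.example", "mail.vendor.example", "vendor")
        print(label, result or "no findings")
```

Run against the weak records the audit reports five problems (the vendor is not authorized, `+all` authorizes everyone, no DKIM key, `p=none`, no reporting address); the hardened set comes back clean. The same checks apply to the DKIM selector and SPF include a vendor hands you during onboarding, and rerunning them periodically catches a vendor that silently changes its sending infrastructure.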

2. Robust Data Encryption

While encryption is a key part of keeping your data safe, it’s not the only line of defense we use. We also enforce strict access policies to control who can see your data and where it can go. Here’s how we keep your information secure:

  • Server-Side Encryption: Data stored on our servers is encrypted to prevent unauthorized access.
  • In-Transit Encryption: When data is sent over the Internet, we use secure protocols such as TLS so it cannot be read or altered in transit.
  • Database Encryption: We encrypt sensitive details like credentials and Personally Identifiable Information (PII) in our databases to add an extra layer of protection.

Encrypting data at rest and in transit protects it when a disk, a backup, or a network path is exposed. It does not protect data that an application reads with its own keys, so the practical questions are where the keys live, which people and services can use them, and how that access is logged; that is why the access policies above matter as much as the ciphers.

3. Reinforcing System Reliability

Relying on third-party services for critical functions like payment processing comes with significant risks. At Lexop, we treat availability as part of security and focus on redundancy, disaster recovery, and uptime. We rigorously test our code for vulnerabilities and errors, ensuring our system is resilient and reliable. With strong SLAs in place, we commit to being a dependable partner, knowing that any disruption in our service could impact your operations and increase delinquency. In high-stakes situations, selecting reliable partners is crucial, and we are dedicated to maintaining that trust through our robust approach to security.

4. Compliance and Regular Assessments

Compliance with recognized standards like SOC 2 and PCI DSS means you can assure your members and regulators that their data is handled with a high level of security. Lexop holds a SOC 2 Type II report, which means an independent auditor has examined the controls we use to manage data securely and protect our clients' privacy. SOC 2 is scoped to five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is always in scope and the other four are included as the audited organization chooses, so ask any vendor which criteria its report actually covers. A Type II report, unlike a Type I snapshot, tests whether the controls operated effectively over an observation period of several months. Additionally, we follow the PCI DSS requirements to keep card data safe during transactions. But we don't stop there: we safeguard all types of financial data, including the bank account details used for ACH payments, ensuring your members' information stays secure and their trust in your institution remains strong.

5. Strong User Authentication

We enforce Multi-Factor Authentication (MFA) for all users, along with session timeouts, to prevent unauthorized access and enhance overall security. Implementing MFA means that even if a password is compromised, unauthorized access is mitigated, significantly reducing the risk of data breaches.


Questions to Ask Third-Party Vendors to Manage Risk

The NCUA report is a crucial reminder of how important it is to manage third-party risks. To ensure that your third-party vendors are up to the task of protecting your credit union, consider asking the following questions:

  1. What security measures do you have in place to protect data at rest and in transit?
  2. How do you ensure that all communications appear legitimate and secure? Which sender authentication mechanisms (SPF, DKIM, DMARC) do you support on our domain, and what DMARC policy do you recommend once you are sending on our behalf?
  3. What compliance certifications do you hold, and how often do you undergo third-party security assessments?
  4. How do you safeguard your development and deployment pipelines? Do you run codebase security checks such as static code analysis? How do you prevent regressions, and are there automated tests?
  5. What methods do you use to protect sensitive information within the application itself, and how are encryption keys managed and access to them controlled and logged?
  6. What authentication protocols are enforced for users accessing your system?
  7. How do you customize your solution to align with our brand and security requirements?
  8. Can you provide examples or case studies of other credit unions that have successfully implemented your solution?
  9. What kind of support do you offer during and after the integration process?
  10. How does your infrastructure handle disaster recovery and availability requirements? Are there redundancies within and across geographic regions?

By asking these questions, you can make sure your third-party vendors, like Lexop, are ready to handle the challenges of cybersecurity and risk management, protecting your institution and its members.


Lexop

Lexop helps companies retain past-due customers by facilitating payment and empowering them to self-serve.
