Imagine this scenario: You are the assistant branch manager of the Pleasantville location of Happy Trails Credit Union, a fast-growing community charter with $75 million in assets, three branches and 50 employees. Upon arrival at your branch, you open an e-mail that contains the following message:
“Your credit union is under our control. Do not contact police. We will send our demands.”
Now what? In this scenario, Assistant Branch Manager Diligent Debbie starts by showing the email message to Branch Manager Practical Pam, and they attempt to assess the situation.
But things only get worse for Debbie and Pam. While they are debating what to do, they receive an e-mail from IT Ted, informing senior staff that one of the credit union servers is not functioning. They wonder if the malfunction could be related to the initial email, or if it is just a coincidence.
Twenty minutes later, the document server goes down. Debbie and Pam’s suspicions of a cyberattack grow. What should they do? Contact the CEO? Contact the board? Notify members? What outside vendors should be contacted, and what could they do anyway?
Before Debbie and Pam can answer these questions, things continue spiraling out of control. Credit union employees receive an email stating that unless the credit union meets the following demands, its computer systems will be unable to function:
- immediately cease all foreclosure actions;
- forgive all car loans;
- provide all the members of the credit union an unlimited number of free ATM transactions; and
- transfer $50,000 worth of bitcoin to The Financial Tea Party.
Then, suddenly, credit union workstations freeze and employees in all three branch locations are unable to access their computers. While the full extent of the problem is still not yet known, it’s clear that the credit union is under cyberattack, raising serious legal, compliance and insurance questions.
As the cyberattack continues, the credit union’s webpage is taken over. Nervous Nancy is getting phone calls from concerned members. Media outlets are inquiring about what is going on at the credit union.
Credit union professionals and volunteers attending an upcoming New York Credit Union Association Cybersecurity Workshop will have the opportunity learn how to respond if their credit union is the victim of a cyberattack. They will be able to participate and actively respond to each phase of a facilitated, interactive and realistic credit union cyberattack.
A post-exercise de-briefing will include a panel discussion by legal, compliance and operational experts focusing on the lessons learned from the scenario, and suggestions on how credit unions can take further proactive action to guard against cyberattacks. Attendees will also hear from panelists about:
- designing a cybersecurity plan that reflects the specific needs of credit unions;
- putting a plan into operation;
- scenarios to test the ability of credit union teams to respond to cyberattacks;
- legal considerations to keep in mind once a cyber-incident has occurred; and
- how to best communicate with members about cyberattacks.
Registration is open now for “Your Credit Union is Under Attack, Now What?” The workshop will be held from 9 a.m. to 3 p.m. on March 26. Visit the Association’s website for more information or to register.