 

CYBER SECURITY

How safe is the data of your owner-members in the custody of your (the credit union’s) hands?

  1. The owner-member has entrusted the credit union with their data.
     
  2. This has been done willingly by filling in a membership or loan application.
     
  3. The owner-members own their own data completely.
     
  4. The credit union has been placed by the owner-member voluntarily in the position of trust and custody of their data.
     
  5. Notwithstanding all natural right of privacy and client (owner-member) confidentiality, legislation and regulation confirm that this personal data can only be released to an “officer of the state” with the correct authority and right to have it as part of their duty.
     
  6. The only other reason for its release to another party is with the prior consent of the owner of that data – the owner-member.

Why should this data be protected?

  1. Notwithstanding the reasons set out above, the possession of this data, and consent for its use to fulfil the trading purposes of a credit union, is the core intellectual property of the credit union.
     
  2. Put more crudely, would a trading body – a credit union – give away free to another party the source of its wealth generation? Sadly, some credit unions do.

Who can have access to and sight of this data within the credit union?

  1. Obviously selected and named personnel in the credit union.
     
  2. This access should be defined by the nature of the task to be performed – requiring sight and access, as well as the necessary oversight confined to sight only.
     
  3. Access to and egress from key working areas of the credit union's premises, where key and sensitive (need to know) work is carried out, must be controlled at all times.
     
  4. Are both the possession and use of any personal electronic handheld device by any lay leader or member of staff prohibited in any administrative area of the credit union?
     
  5. Is the credit union carrying out prudent personal employment and proof of identity reference checks on all
    i.   Paid employees
    ii.  Lay leaders/volunteers – all are unpaid employees of the credit union
    both before they assume post, and discreetly carrying out “life style” checks during it? This is not an invasion of privacy and should be confined to visible observations, speech and reported speech.
     
  6. Has the credit union carried out probity tests, i.e. suitability for office of those whose duties permit sight of the data of owner-members, say but not inclusively or exclusively the
    i.  Supervisors/Money Laundering Reporting and Prevention Officers
    ii. Director with oversight of delinquent loans

    and those whose specific oversight duties require sight of operational data, say but not exclusively
    i.  Treasury
    ii.  Supervisors/Money Laundering Reporting and Protection Officers
    iii. Director with oversight of all aspects of risk
    iv.  Director with oversight of compliance

Who can have access to the data of owner-member from outside the credit union?

  1. The credit union could already have, or might have in contemplation, commercial or pro bono (it makes no difference) arrangements providing complementary or ancillary services to the core savings and loans facilities of the credit union.
     
  2. It is thought if the owner-member is identified as an “actual person” (an individual transaction) at any stage in a transaction flow (this includes aggregate savings and loans policies) then the prior consent of the owner-member is required before any identity data is released – difficult with a death claim!
     
  3. So it is thought prudent to include a clause giving consent to the release of this individual information to a third party contractor of a credit union in any new owner-member membership applications. It is thought that under the new GDPR, the owner-member has the right to decline.  It is suggested a legal opinion is sought.
     
  4. The credit union appears to be duty bound to ensure that third party contractors, such as, but not exclusively, computer hardware/software providers and maintenance companies, electronic money providers and their staff, have undergone the prudential tests of individual probity noted under “Who can have access to and sight of this data within the credit union?” – Items 1-6 – particularly before they have access to the operational areas of the credit union or its data.
     
  5. It is more than probable that this declaration cannot be obtained easily and will be replaced by one in which the third party contractor itself takes on the responsibility for undertaking these verifications.
     
  6. As for any contractor of the credit union receiving or having access to sensitive aggregated performance or individual owner-membership data, any contractual arrangement, either commercial or pro bono, should contain a
    i.   Non-circumvention clause stating that the owner-member cannot be approached other than with the prior knowledge and consent of the credit union.
    ii.  Non-competition clause that if the contractor engages in any activities at the time or afterwards that compete in any way with those of the credit union, then the contractor cannot use any data of the identity of an actual owner-member to introduce its product or service.
     
  7. When dealing with contractors whose product or service provision requires the owner-member to complete a separate application form – so becoming a customer of that organisation – the credit union must ensure that its interests, both pecuniary and non-pecuniary, in that owner-member are protected, and that the interests of the owner-member, particularly those who are financially unsophisticated, are protected also (the main credit union difference: we have owner-members of a mutual firm – they have customers of an external profit-making one!).

What protection should be taken to prevent data hacking and cyber-attack?
Note: the Criminal Acts noted below are cashless and transactional

  1. See “Who can have access to and sight of this data within the credit union?”
     
  2. See “Who can have access to the data of owner-member from outside the credit union?”
     
  3. Ensure that in connection with 1. and 2. above, robust policies, procedures and checking mechanisms are in place.
     
  4. Those credit unions undertaking mortgage business should watch for the activities of flawed
    i.    Conveyancers   ) report on title; planning consents, restrictive covenants
    ii.   Solicitors     )
    iii.  Valuers – over-valued properties
    iv.   Actual existence of the property – i.-iii. above colluding to produce myths.
    v.    Any restrictive covenants on the property – decreasing its true value?
    vi.   Employment references – are they genuine?
    vii.  Existence of the employer – is it verified?
    viii. Veracity of bank statements – are they genuine?
    and the connection of the employees and lay leaders of the credit union with any of the above.
     
  5. Financial crime can be instigated and perpetrated by a sole individual and/or by associates in collusion, parties to illicit gains, both within and without. “Cooking the books”, that is, manipulating the software, goes largely undetected by external auditors and by internal Supervisory Committees and Boards. Upon discovery, principals were or are facing jail, and flawed advisers, including some auditors, have faced massive fines, restraint of their activities or ongoing litigation.
    i.   Nick Leeson, Baring Brothers – sole Trader
    ii.  Bernard Madoff – collusion
    iii.  LIBOR rate fixers – collusion
    iv.  Guinness Insider Trading – collusion
    v.   Carillion – jury out!
     
  6. Accept nothing at face value; run constant checks on everything by different people; have very firm separation of powers in place. Check on the diligent performance of auditors – Supervisors should vet their own internal and external audit programmes (very different from mandatory audit reports under FRS102) and the nature of untoward banking transfers – loans/share withdrawals.
     
  7. Test loan application agreements and their purposes, particularly for all employees, volunteers and connected persons.
    i.   Watch for loans granted to “non-existent” people.
    ii.  Individuals who are totally unaware of the obligation to repay the debt are not unknown.
    iii. Watch for the “draining” of dormant and Juvenile Depositor accounts, undertaken through manipulating software.

According to most reports on “white collar” crime, it starts within organisations!

  1. Hacking and cyber-crime are usually invisible until discovery.
     
  2. Virtually every credit union has anti-virus software installed to prevent hacking of its servers, back-up servers or data stored in the “cloud”, and undertakes all the due diligence noted above; but if damage is done, what recompense is available? Are constant tutorials delivered by preventative experts to inform the credit union of newly discovered crooked techniques?
     
  3. Motor insurance is needed one day before an accident, life insurance one day before death, credit union loan protection insurance likewise, but premiums for all these covers must be paid in advance of an event that cannot be predicted.
     
  4. So, it is possible to purchase, either as combined or separate policies, from an insurance brokerage/consultancy or direct from specialist insurance companies, who underwrite
    i.   Professional Indemnity Insurance – failures of those in office, resulting in claims made and losses incurred; this insurance will not cover those who commit offences.
    ii.  Directors and Officers Insurance – that will include “tail off” risks, i.e. failures committed by others when you were in office that come to light after your departure.
    iii. Cyber and Data Insurance – credit union loss and claims management
    iv.  Crisis containment – the contemporary and knock-on effects of cyber-attack, including data and other contingent losses.
     
  5. Most good providers of 11.(iii) provide regular online contemporary tutorials as a facility included in the premium cost.

It’s hoped this information is of use.

 

© 2024 Credit Union Consultancy
t: 020 8241 2736
e: info@creditunionconsultancy.com
