Due diligence is the single most important step any C-level executive has to complete in order to move forward with an agreement or contract with a third-party vendor. This process is crucial to any company, but one must be wise when going over all the legal obligations. Think of due diligence as a domino effect. If something goes wrong with any third-party vendor, what precautions should the company take to stay true to the due diligence process? Or if a data breach happens, what would be the proper steps a CU must take in order to complete all the steps of due diligence? These questions and steps are what each C-level executive must figure out and have planned in order to prevent any issues from happening.
Now let’s think about this. What is the single most important attribute any credit union has? Security. There are millions of hackers whose number one priority is to grab any sort of valuable financial information they can. Hackers are after the most basic security pieces of any member’s identification: birth date, social security number, driver’s license, credit or debit card number, checking routing number, and account number. It can be as simple as a virus or your firewall being compromised.
So, what are some steps a credit union can take in order to protect their members’ information? You already have these in place at your credit union and they should be followed diligently, but what about those third-party vendors that you are working with? Here are some questions that should be included in your due diligence process:
- How can I make sure that all my information is safe?
- What happens if there is ever a breach in the system?
- Will the CU give out my information to any other CU or vendor?
- How can I make sure that the CU is taking proper precautions to ensure my account information is safe?
- Do they have an emergency recovery system or procedure in place?
- Are they compliant and following regulation standards?
- Is data overshared with third-party vendors?
- Is there a support department?
- Do they have a compliance department?
- What is their reputation and how long have they been in business?
All U.S. financial institutions are required by the Gramm-Leach-Bliley Act to let their customers or members know how they share information and keep sensitive information secure. Plus, most states have laws that require credit unions, banks, and other businesses to notify members and consumers when a data breach happens and their information is “at risk.” Knowing how your members’ information (security pieces from above) is going to be stored and managed is crucial in making sure that if something were to go wrong, those members would be notified immediately.
Furthermore, an interesting application many third-party vendors have come to rely on is cloud storage. Yes, many credit unions are taking a chance on this storage infrastructure, but is it really that secure? It has been stated that over a quarter of users who keep their personal information in cloud storage have been struck by data theft. Even with all the sensitive information the company gathers from its members encrypted, this type of storage is not as reliable as one may have come to believe. Data available on different devices should remain encrypted and safe from hackers.
Think about ACH and wire transfers. Credit unions and their members suffer from such threats on a daily basis. One of the latest scams is receiving a call where your caller ID says that it is from “social security,” or even an email that looks very much like it is from your financial institution, with header and colors to match, asking you to confirm the account number. Everyone has received that “special call,” and even your credit union members are fooled by the newest scams, compromising their accounts. Your member ends up sending funds to an unknown and unwanted person. Now the credit union member’s data is compromised and stored “somewhere” for future scams. Is your credit union diligent about wire transfer threats? The first step is to keep up with current scams and update your credit union policy.
When a credit union does not take the proper precautions to keep personal information safe because they were focused on the financial side of it all, many mistakes can happen. The article states, “Pravin Kothari, CEO of cloud security, suggested in the final analysis, cloud providers secure their infrastructure, but it is up to organizations to secure data on their platform. You are responsible. There are tools to help you manage this and protect the data, but you must use them. One solution is to encrypt the data in the cloud. Encrypted data is unintelligible to cyber attackers and thus is not considered breached.” With all of the security flaws cloud storage has, another solution is to choose a vendor who does not use any type of cloud storage.
In conclusion, any credit union that already has cloud storage, or is looking into possibly adding it to their system, needs to realize the precautions it comes with. The protection of members’ security is crucial not only to the members’ lives, but to the CU itself. Keep in mind that there is no one-size-fits-all approach when it comes to the due diligence process. Certain questions may only apply to certain vendors, and the process should be tailored toward the specific vendor’s solution. Without the act of due diligence, the system wouldn’t function correctly, and any future contracts with vendors would be shaken. So, taking into account what works best for the company and its members should always be the number one priority.