These cyber attacks have grown in frequency and severity and extortion demands have risen significantly. Additionally, ransomware developers and affiliates are more frequently publicly releasing exfiltrated data and internal company secrets despite the victim paying the ransom. Unfortunately, six- and seven-figure demands have become routine.

The impact of ransomware remains a disproportionate problem for small and medium-sized businesses. In fact, nearly 75% of attacks occur on companies with less than 1,000 employees with the median number of employees at 234, according to Coveware’s Q4 2021 Ransomware Report.

Keep all systems including hardware, mobile devices, operating systems, software, cloud locations, and content management systems (CMS), patched and up to date. If possible, a centralized patch management system should be used. Implement application whitelisting and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.

Activate two-factor / multi-factor authentication (2FA/MFA) on all systems — including managed service provider software platforms, administrator systems, and end-user systems wherever possible. Efforts should also be made to understand the current state of 2FA / MFA strategies, upcoming enhancements, and multi-vendor relationships with third parties who are provided credit union network access. MFA provides a critical second source of identity confirmation that can eliminate a vast majority of data breaches within an organization.

Backup data regularly and verify the integrity – ensure backups are not connected to the computer or networks that are being backed up (i.e., securing backups in the cloud or physically storing offline). Backup systems should allow multiple iterations to be saved in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure it is properly operational, accessible, and protected. Ransomware has the capability to lock cloud-based backups when systems continuously back up.

Apply the principles of least privilege and network segmentation - the principle of least privilege states that an end user should be given only the privileges necessary to complete tasks related to their role in the credit union. If an employee does not need an access right, the employee should not have that access right. Categorize and separate data based on organizational value and where possible, implement virtual environments with logical separation of networks and data.

Cybersecurity needs to run horizontally through your entire credit union. It is not just an IT problem. Every single staff member, regardless of department and status, needs to be engaged and held accountable. Anyone can mistakenly expose credit union or member data to risk.

Provide frequent social engineering and phishing training to employees so they are your first line-of-defense. Reminders to not to open suspicious emails, not to click on links or open attachments contained in such emails, as well as to be cautious before visiting unknown websites should be made regularly.

Third-party vendors are an essential part of doing business, but they do extend the risk of the exposure and misuse of your credit union’s data. It may seem simple, but your credit union should have an easily accessible list of all third-party vendors and what type of access they have to your credit union and member data.

If your third-party vendors are entrusted with your credit union’s member data, their cybersecurity strategy is just as important as your own. On a regular basis, it is important to ask what safeguards they have in place to lessen the risk of a breach of your data? Threats to cybersecurity evolve and so should your vendors’ risk management. You should know your vendors’ policies on reporting data breaches. Set expectations for your vendor relationships and make cybersecurity a part of the vetting process and ongoing monitoring.

Related Resources:

Access CUNA Mutual Group’s Protection Resource Center at for exclusive risk and compliance resources to assist with your loss control efforts. The Protection Resource Center requires a User ID and password.

Beazley cyber insurance policyholders can access resources and online training at

Please complete this brief form to route your question to one of our Risk Consultants.

*Username and password required.
This resource is for informational purposes only. It does not constitute legal advice. Please consult your legal advisors regarding this or any other legal issues relating to your credit union. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value, and implementing loss prevention techniques. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group.