The FLEX Connexion Blog

Credit Union Cybersecurity: What You Need to Know About TLS Changes

Written by Preston Packer | Sep 13, 2017

Cybersecurity is at the forefront of every business owner's mind. As we become more interconnected, we open ourselves to more potential breaches. This concern is especially prominent in the financial sector: when you're talking about members' hard-earned dollars, there's no room for error. There is an imminent deadline approaching that credit unions need to be aware of as it relates to credit union cybersecurity, and it concerns an encryption and authentication protocol called TLS (Transport Layer Security).


TLS 1.0 was established in 1990 as a way to secure communications between machines, such as the traffic and transactions between a member's browser and the credit union's desktop and mobile banking, as well as between credit union servers and their technology vendors. The protocol has become increasingly vulnerable to attack, and its weaknesses are a particular risk for mobile and internet banking as well as for file transfers between credit union machines and their core vendor. Due to its age, there are no fixes or patches that can repair TLS 1.0, leading the PCI Security Standards Council to withdraw support for the archaic protocol effective June 30, 2018, and to require merchants and banks to upgrade to the more current versions, TLS 1.1 and 1.2.

This TLS mandate is impacting credit unions directly. The credit bureaus and other major players are requiring updated TLS security, and many small to mid-size credit unions use servers that don't support the newer TLS versions. Upgrading a server is expensive, but the risks of falling out of compliance on security can be far more costly. Now more than ever it is imperative to ensure your core and technology vendors stay ahead of the curve and are supplying you with the information you need to plan and budget for the necessary changes.

Not sure your technology partners are educating and preparing your CU for the future? Here is where to start:

  • Step one is ASK: You don't know what you don't know. So ask every single vendor: are they aware of the deadline? Will it impact your operations? Will some services stop working? What needs to be done on your end to ensure there are no issues? Of utmost importance, your core provider should have an action plan in place to work with your credit union to ensure there are no issues.
  • Demand action or get out. If you have a technology partner who is not aware of the mandate, or has no plans to comply, consider invoking that breach-of-contract clause.
  • Perform a system audit. This shouldn't be too difficult, since most CUs prepare for audits and examinations and have a good handle on their machines and vendor relations. Add a check for TLS version support to that checklist.
  • Talk to members. This change will impact members who use older PCs and who have not updated their operating systems in ages. Be sure it's not a surprise, or at the very least, CYA and send out notifications, so that if a member does get angry when their access stops working after the deadline, you can point to the communication they chose to ignore.
  • Budget time. This is not a quick fix for many small to mid-sized CUs. Be sure to budget 3-6 months for a transition plan. This means the transition plan should begin by January of 2018.
  • Keep records. As with all protocols, the next versions will eventually be obsolete and unsupported years down the road. Keep track of what you did right and what you could improve upon so you are more prepared for the next transition.
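As an added illustration of the audit step and the member-communication step above (this is an example written for this page, not code from the post or from FLEX), the following Python script does two things: it probes a server one protocol version at a time to learn whether TLS 1.0 is still being accepted, and it reads a web-server access log to count which members are still connecting over TLS 1.0 so they can be notified before the cutover. The hostname you pass to the probe, the nginx-style log layout with `$ssl_protocol` written after the status code, and the sample log lines are all assumptions constructed for the example.

```python
# TLS 1.0 readiness audit: constructed example, not from the post or FLEX.
import re
import socket
import ssl
from collections import Counter

# Versions to probe, oldest first. The PCI deadline retires TLS 1.0; the post
# names TLS 1.1 and 1.2 as the acceptable replacements.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
VERSION_ORDER = list(PROBE_VERSIONS)


def probe_server(host, port=443, timeout=5.0):
    """One handshake per version, pinned to exactly that version.
    Returns {label: True | False | None}; None means this machine's own
    OpenSSL refused to build a context for that version, so the server's
    behaviour for it is unknown, not safe."""
    results = {}
    for label, version in PROBE_VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # capability probe only; this is
            ctx.verify_mode = ssl.CERT_NONE  # not a trust decision about the peer
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[label] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[label] = True  # handshake completed at this version
        except OSError:  # ssl.SSLError and socket timeouts are both OSError
            results[label] = False
    return results


def assess(results, minimum="TLSv1.1"):
    """Grade probe results against the lowest acceptable version.
    Returns (verdict, findings)."""
    floor = VERSION_ORDER.index(minimum)
    retired = VERSION_ORDER[:floor]
    still_accepted = [v for v in retired if results.get(v) is True]
    unprobed = [v for v in retired if results.get(v) is None]
    modern_ok = any(results.get(v) is True for v in VERSION_ORDER[floor:])
    findings = [f"{v} still accepted; disable it" for v in still_accepted]
    findings += [f"{v} could not be probed from this machine" for v in unprobed]
    if still_accepted:
        return "noncompliant", findings
    if unprobed:
        return "unknown", findings
    if modern_ok:
        return "compliant", findings
    return "no-handshake", ["no probed version completed a handshake"]


# Assumed log shape: nginx-style with $ssl_protocol after the status code.
# nginx writes TLS 1.0 as "TLSv1" and uses "-" for plain HTTP.
LOG_LINE = re.compile(
    r'^(?P<addr>\S+) - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<proto>TLSv1(?:\.\d)?|-) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: documentation IP ranges and invented user agents.
SAMPLE_LOG = """\
203.0.113.10 - [12/Sep/2017:09:14:02 -0600] "GET /login HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - [12/Sep/2017:09:15:31 -0600] "GET /login HTTP/1.1" 200 TLSv1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
203.0.113.44 - [12/Sep/2017:09:16:05 -0600] "POST /transfer HTTP/1.1" 302 TLSv1.2 "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3)"
198.51.100.7 - [12/Sep/2017:09:20:47 -0600] "GET /accounts HTTP/1.1" 200 TLSv1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
192.0.2.88 - [12/Sep/2017:09:21:10 -0600] "GET /login HTTP/1.1" 200 TLSv1.1 "Mozilla/5.0 (Linux; Android 4.3)"
"""


def legacy_clients(log_text, retired=("TLSv1",)):
    """Count connections per protocol and list clients still on a retired
    version, so member outreach can be targeted before cutover.
    Returns (Counter by protocol, {addr: (hits, last user agent)})."""
    by_proto = Counter()
    legacy = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; in real use, report these separately
        proto = m.group("proto")
        by_proto[proto] += 1
        if proto in retired:
            hits = legacy.get(m.group("addr"), (0, ""))[0]
            legacy[m.group("addr")] = (hits + 1, m.group("ua"))
    return by_proto, legacy
```

Run `assess(probe_server("banking.example.test"))` against your own online-banking host (a placeholder name here) and `legacy_clients(open("access.log").read())` against a recent log export. One caveat the audit checklist should capture: if the machine doing the probing has an OpenSSL build that can no longer negotiate TLS 1.0 itself, the probe reports `None` for that version and the verdict is `unknown`, not `compliant`; repeat the probe from an older host or an external scanning service before signing off.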