Chief Operating Officer at the Co-operative Credit Union League of T&T, Dianne Joseph is warning those in the credit union movement and the financial sector by extension that if steps are not taken to protect themselves from cyber attacks then there could be financial losses among other negative repercussions.
In a news release in August, Venture Credit Union Co-Operative Society Limited informed the public that it was the target of a cyberattack, potentially leading to thousands of its customers’ personal data being leaked to the dark web.
According to Venture Credit Union, the ransomware attack took place on July 18.
In an interview with the Business Guardian, Joseph gave details about how the credit union sector is seeking to protect itself from these types of threats.
“Failing to protect a credit union from cyberattacks exposes it to risks which may include financial losses, including fraud, remediation, and fines, operational disruption, like system downtime, significant reputational damage and loss of members and trust,” she said.
It is in this context, she said that her body continues to pursue continuous developmental initiatives aimed at capacity building of the leadership in credit unions.
“Not only from the perspective of cybersecurity, but from several other viewpoints such as leadership, emerging governance standards, operational and reputational risks, along with partnerships and strategic alliances with credit unions in the global space so that they may learn from each other and strengthen their internal control.”
The Co-operative Credit Union League of T&T is the national umbrella organisation for credit unions in the country. They represent 133 credit unions, 763,000 members and manage assets of $20 billion.
She pointed out that as the umbrella organisation, they consider it imperative to keep abreast of all emerging threats and guide credit unions accordingly.
Credit unions being the victims of cyberattacks is not just a local phenomenon but a growing global threat.
In the United States, the National Credit Union Association (NCUA) in 2024 submitted the latest Cybersecurity and Credit Union System Resilience Report. This is an annual, statutorily required report to the US Congress that describes the association’s ongoing cybersecurity efforts.
According to the NCUA, credit unions suffered 892 cyber incidents between September 1, 2023, and May 1, 2024.
According to an article on the topic from blog, barracuda.com, credit unions are attractive targets to threat actors for several reasons. In March of 2024, the NCUA listed 4,571 credit unions in the US controlling a total of US$2.31 trillion in assets.
This leads threat actors to believe that credit unions are a rich opportunity with fewer defences than the larger banks. Threat actors will always target banks, but credit unions are profitable targets as well.
Joseph spoke about what the credit union body is doing to counter the emerging threats of cyber attacks.
“Our League, over the years, has been engaging several experts in the field of cybersecurity and we continue to host educational webinars for the collective group and in other case, one-on-one meetings with others to assess their internal controls and to provide guidance on the need for further strengthening where necessary.”
She also warned that criminals will continue to come up with new ways to carry out their nefarious activities.
“We are ever minded that despite our best efforts to protect our organisation from cyberattacks, cybercriminals will also continue to change their strategy to counter what we do and as such we are committed to standing strong together to protect our organisations and our brand.”
She said there continues to be the need for strong systems and controls in several areas of the operations of credit unions.
“Cybersecurity being one of the critical areas due to what appears to be a growing trend in attacks on organisations globally. It is the practice of protecting computer systems, networks, programmes, and data from digital attacks, damage, or unauthorised access. Key to effective cybersecurity is maintaining the confidentiality, integrity, and availability of information and systems, and it requires a multi-layered approach involving people, processes, and technology to ensure a strong defence.”
She added that ransomware attacks typically involve the encryption of critical data, which can only be decrypted upon payment.
“It is a profitable form of cyber extortion used by threat actors to target individuals, businesses, or organisations. It is malware that encrypts your files or stops you from using your computer until you pay money (a ransom) for them to be unlocked. If your computer is connected to a network, the ransomware may also spread to other computers or storage devices on the network, creating challenges for the organisation.”
In an age where cybercriminals deploy long-lasting sophisticated tactics, she noted that their network of credit unions, in several respects, has embarked on a comprehensive strengthening of its defences to protect members’ data and maintain operational continuity.
“Recognising that no single layer of security suffices, we have adopted a defence-in-depth strategy that spans our infrastructure, digital controls, data protection, personnel practices, incident response and governance. These measures ensure that, from the teller line to the executive suite, every facet of our organisations is prepared to detect, deter and defeat cyber threats.”
Joseph pointed out that at the foundation of their strategy lies in a modernised network architecture built on the principle of zero trust, instead of treating internal systems as inherently safe.
“We continuously verify every user and device, even those already inside our perimeter. Segmented network zones isolate critical assets such as core banking servers, member databases and payment systems, so that a breach in one segment is unlikely to cascade across the entire organisation. Our strategy for replicating and backing up data, applications and servers along with standby capabilities, decreases the risk uninterrupted service in the face of denial-of-service attacks or natural disasters.”
She also informed that since there are very small to extra-large sized credit unions, strategies may differ and be dealt with on a case-by-case basis.
“Therefore, on the digital front, many have rolled out multi-factor authentication for staff and privileged accounts, eliminating reliance on passwords alone. Endpoint Detection and Response (EDR) tools monitor real-time behaviours on workstations and servers, leveraging machine learning models to spot anomalies that signal an intrusion. Penetration tests replicate the tactics of real adversaries, ensuring that our technical controls and staff remain strong against emerging attack vectors.”
Joseph added that securing credit unions’ data against ransomware and other destructive malware has been a top priority.
“We continue to keep focussed on maintaining strong backups to prevent alterations and other private strategies to guard against simultaneous compromise. Rigorous disaster-recovery drills, complete with documented recovery time and recovery point objectives in several respects, verify that we can restore member records and transaction histories within a short timeframe of an incident.”
Finally, she said that understandably, technology alone cannot prevent every breach.
“That is why many credit unions have invested heavily in cultivating a vigilant security culture. Employees undergo continuous awareness training, featuring live phishing simulations that deliver real-time feedback to those who click on fraudulent links. Role-based access controls strictly limit each person’s permissions to only the systems they require.”
