We continue to hear stories in the news about cyber attacks on businesses, governments and very recently the National Security Agency. Many co-ops are taking the necessary precautions to protect their member and employee data as well as their system.
However, there are some myths that persist and the purpose of this article is to explore and perhaps dispel those myths while providing some facts and guidance to help boards perform the necessary oversight to help their co-op mitigate cybersecurity risks.
MYTH 1: We’re just a small co-op. Nobody would bother to hack us.
Not true. Cyber terrorists don’t discriminate between small and large businesses. They indiscriminately sniff around for vulnerabilities until they find one. An analogy would be a burglar walking down the hallway of a hotel, gently checking each door . . . until one opens. The unlocked door in this case is an unprotected (or insufficiently protected) information system. Cooperatives typically maintain a website, electronic member and employee records, a customer information system, etc. which may allow the bad guy — once in the cooperative’s network — to engage in a common form of cyber mischief known as phishing where he may masquerade as your co-op while engaging in fraudulent communications with your trusted business partners such as power suppliers, bankers, insurers, vendors, or the statewide. Find out if your co-op is vulnerable. Ask management what is being learned from talking to the statewide, G&T and/or your neighboring systems about what types of protections they’re taking. Ask staff whether they have considered penetration testing – that is, hiring an outside firm to attempt to hack into your system. Many co-ops have learned valuable lessons in this way and are staying one step ahead of the bad guys.
Questions for the board to consider asking:
Who is in charge of cybersecurity at our co-op?
Have there been any breaches or attempted breaches to our system in the past year?
And if so, what were they and what impact, if any, did they have?
What steps have we taken to try to avoid these same types of occurrences in the future?
Have we done a security audit at our co-op in the last 12 months?
Should we consider purchasing cyber insurance? (Or if your co-op already has it, is a review of coverage areas needed?)
MYTH 2: We don’t have anything that hackers would want anyway.
Not so. Co-ops maintain member data that may include Social Security numbers, credit card information, usage data (particularly at systems using automated metering) or other personally identifiable information (PII) which is extremely valuable to hackers. The cooperative (read, the board) has an obligation to keep this data secure. Co-ops also have employee PII for employees that may include salary data as well as medical records. All of this information is valuable in the hands of a hacker who can easily sell it to a third party anywhere in the world via the Internet.
Questions for the board to consider asking:
Have we inventoried the data we maintain at our co-op (e.g., electronic files, records, member and employee information, rate schedules, contract information, member energy usage data etc.)?
In what three areas is our co-op most vulnerable to cyberattack?
What parts of our system would we protect first?
Have we adequately funded cybersecurity in the budget?
MYTH 3: Because we are a co-op, there are no cybersecurity requirements applicable to us.
Not true. A variety of different consumer privacy and data security laws, regulations and contractual requirements may apply to a cooperative depending on its activities. These may include:
State data breach notification laws (a number of which include provisions on ensuring secure disposal or destruction of protected consumer data),
Consumer financing and credit reporting regulations, and
Payment card industry standards (imposed on “merchants” who accept credit cards via contract with credit card brands like Visa and Mastercard).
Questions for boards to consider asking:
As part of our cooperative’s overall compliance efforts, are we keeping up with various cybersecurity requirements as they become effective?
Even in a risk area with no specific requirement, how are we staying current on good practices?
MYTH 4: The board really doesn’t play a role in cybersecurity at the co-op.
Not so. While it’s true that the board doesn’t get into the details of protecting the co-op from cyber attacks, it does have oversight responsibility to ensure that the cooperative is taking appropriate measures to protect itself.
Questions for the board to ask:
Has staff received information and appropriate training to sensitize them to cyber threats?
What regular reports should the board receive from management to fulfill its oversight responsibilities regarding cybersecurity?
COOPERATIVE.COM RESOURCE LINKS
— NRECA’s Business & Technology Services(BTS) is doing groundbreaking work in the area of cyber security. By leveraging products from the Smart Grid Demonstration, BTS has developed a number of tools that define the challenges of cyber security and outline practical steps for co-ops to take as they strengthen their systems against cyberattacks. Learn more.
— NRECA Guide to Developing a Cybersecurity and Risk Mitigation Plan has practical guidance. Share the following link with management.
— Former CIA and NSA Director General Michal Hayden, one of America’s foremost experts on cyber security, talked in depth at the 2015 Directors Conference about future threats and strategies for co-ops to survive and prosper against more sophisticated and more deliberate cyber-attacks. Watch Cooperative.com video.
— National Association of Corporate Directors Cyber-Risk Oversight contains many resources of interest to directors.
— Cybersecurity: The Board’s Role.