Rise Above Your Risk Cybersecurity: A Dynamic Risk to Manage
Main Threats to Data Security
CONFIDENTIALITY: If the confidentiality of your data is breached, it has been stolen or copied. Phishing attacks are a common method of breaching data’s confidentiality or privacy.
INTEGRITY: The integrity of your data refers to its accuracy and safety. Perpetrators of a data integrity breach aim to alter, corrupt, or even completely destroy data or complete information systems.
AVAILABILITY: Data availability is your ability to access it. Ransomware and distributed denial-of-service (DDoS) attacks are two common methods of compromising data availability.
Pressure continues to increase on all fronts
ransomware attacks
One of the most disruptive and costly attacks you can suffer. Business interruption downtime averages 19-21 days. [1]
$233,817: Average Ransom Payment in Q3 2020 [1]
239%: Percent of increase in claims from 2018 to 2019 [2]
Payments have increased 228% during the same timeframe
Most Identified Infection Points
• Phishing emails
• Corrupt attachments
• Weak remote desktop protocols
• Unpatched system vulnerabilities and untimely anti-virus updates
• Extensive reuse of passwords
• Lack of multi-factor authentication
[1] Coveware Quarterly Ransomware Report – Q3, 2020
[2] Beazley internal claims data - 2020
mobile is a preferred target
work-from-home trend will continue to define threat landscape and mobile endpoints are becoming the attack vector of choice
• Spyware designed for reconnaissance
• Critical security vulnerabilities
• Relying on open Wi-Fi
• Phishing, Vishing, SMS attacks
• Malicious Apps
• Poor password security
An ineffectively secured personal mobile device could expose an organization or employee to data loss or a privacy compromise [1]
[1] NIST Special Publication 1800-22A - March 2021
cloud and remote service attacks
630%
pandemic response forced credit unions to quickly adopt new cloud services, remote access tools and collaboration apps
• Poorly configured solutions
• Lack of vetting
• Cloud storage isn’t always well protected
• Poor cyber hygiene
• No restriction of access
Remote Attacks on Cloud Service Targets Rose 630% Amid COVID-19 [1]
• Cisco WebEx +600%
• Microsoft Teams +100%
• Zoom +350%
[1] McAfee cloud adoption risk report - 2021
7 Proactive Prevention Measures
• Patch & Update
• Data Backup
• Apply the Principles of Least Privilege and Network Segmentation
• Monitor Third-Parties
• Unified Threat Detection Systems
• Engage Employees
• Implement Multi-Factor Authentication
Three Lines of Defense in Cyber Risk Management and Control
A best practice approach to improve the effectiveness and efficiency of risk and control functions within organizations
[Diagram labels: Governing Body / Board / Audit Committee; Senior Management; 1st Line of Defense; 2nd Line of Defense; 3rd Line of Defense; Management Controls; Internal Control Measures; Financial Controls; Security; Risk Management; Quality; Inspection; Compliance; Internal Audit; External Audit; Regulator]
Common workforce challenge
52% report “too few security personnel”
51% suggest “missing skills in existing cybersecurity team personnel”
Source: ISACA, CMMI Institute, Infosecurity Group; State of Enterprise Risk Management 2020
• Prioritize skills, knowledge, and willingness to learn
• Understand the characteristics of a successful cybersecurity professional
• Have unbridled curiosity, passion for problem-solving, and strong business understanding
A comprehensive C-suite approach
• Ensure established governance and objectives are compatible with strategy and goals
• Provide necessary focus and oversight
• Grow a strong cyber-friendly workforce through recruiting, training & development
Executives are more confident of organizations’ ability to understand and assess cyber risk than of mitigating or responding to it. One in five are highly confident in their organization’s ability to manage, mitigate, respond, and recover from a cyber attack.
Source: Marsh-Microsoft Cyber Perception Survey, 2019
Risk & Protection Response Center
800.637.2676
Select you’re a credit union, then choose option 4
riskconsultant@cunamutual.com
online consult scheduling
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this presentation/publication, nor does it replace any provisions of any insurance policy or bond. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Cyber policies are underwritten by Beazley Insurance Group or other nonaffiliated admitted carriers. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. © CUNA Mutual Group 2020 All Rights Reserved. www.cunamutual.com