Stay with me for a moment. I suspect you don’t think this is a good idea. I’ve heard many times, when asking CISOs and CIOs about their cybersecurity practices, “we do not talk about what we do; we don’t want to help the hackers by telling them how to attack us.” And I get that, at a granular level. Details don’t need to be shared.

But hear me out. When it comes to broad policies applied and software applications used, the bad guys already know. You aren’t unique or special; but you are invested in your efforts, and you should share enough to ensure your members know that you are engaged and working hard. It will help you in both your security efforts (members are more likely to pay attention to your security education initiatives) and your member satisfaction efforts (it’s always better if they know and understand the value of the effort you are making).

In today’s digital-first economy, members increasingly embrace online banking, mobile payments, and digital investing, and these advances have also become fertile ground for cybercriminals. From phishing scams to ransomware and identity theft, cyber threats are escalating in complexity and frequency. As stewards of some of the most sensitive personal and financial data, credit unions are rightly investing heavily in cybersecurity.

Yet, a crucial opportunity remains largely untapped in your efforts to protect members’ data: openly sharing your cybersecurity policies and practices with members (no deep details, but enough information to impress upon them your efforts and their needed participation). Transparency can build trust and foster a collective approach to cyber defense. I hope you will consider doing it.

By making policies more transparent and accessible, your organization can empower your members to understand the mechanisms protecting their data and to take proactive measures themselves, measures you encourage. This approach transforms cybersecurity from a solely institutional concern into a shared responsibility, fostering a more resilient relationship and financial ecosystem.

The rising tide of cyber threats in financial services

The financial services industry is among the most targeted by cyber attackers. According to the IBM X-Force Threat Intelligence Index, financial services consistently rank in the top three most-attacked industries. Attackers are often driven by the potential for high-value gains: access to banking credentials, account numbers, or credit card data.

Common attack vectors include:

  • Phishing and social engineering to obtain login credentials.
  • Malware and ransomware that exploit unpatched systems.
  • Business email compromise targeting bank employees or vendors.
  • Third-party vulnerabilities, including fintech integrations or vendor platforms.

Amid this landscape, financial institutions spend millions annually to fortify their defenses, often implementing tools like:

  • Endpoint detection and response (EDR) solutions
  • Threat intelligence platforms
  • Zero-trust architectures
  • Application whitelisting and memory protection (more of this, please)
  • Real-time anomaly detection via AI/ML

But while institutions defend their perimeters, customers and members remain one of the weakest links. And a compromised customer account can have as much financial impact as a breach of the institution’s own infrastructure. This is true because of the possibility of broad access gained through a singular breach and, also, because of class-action legal claims prompted by account and personal data theft.

Why sharing cybersecurity practices with members matters

1. Building trust and transparency

We like to think TRUST is the cornerstone of any customer relationship in financial services. In surveys, large majorities of banking customers have said cybersecurity and data privacy were top factors in choosing a financial provider. Yet few can articulate what their bank or credit union does to protect them.

I suspect some of that large majority “believe they should care about how you perform”, so they say it, but they don’t really make their decision based on it. Still, perception counts, as does aspiration. And when you fail and are breached, and you will be if you haven’t already, you must contend with the fallout.

If you share your cybersecurity policies—that you encrypt data, monitor threats, vet third parties, and more—you provide members with evidence that their safety is a priority. Transparency fosters trust, particularly when paired with easy-to-understand explanations and user guidance. This practice can only help when the time comes to lean on members’ faith and loyalty—both of which you worked to earn.

2. Strengthening the customer’s security posture

Much financial fraud begins with a customer mistake: clicking a malicious link, using a weak password, or failing to recognize social engineering. By educating customers about common threats, safe practices, and what to do when suspicious activity is observed, institutions can significantly reduce risk.

Some banks and credit unions already offer:

  • Security awareness content on phishing and fraud
  • Alerts and transaction monitoring tools
  • Two-factor authentication (2FA) options
  • Customer-facing security policies outlining what the CU will and won’t do (e.g., never asking for login credentials over email)

But I see more institutions starting to publish their cybersecurity frameworks, outline the technologies used to secure interactions, and share updates on new threats or procedures. They see gains to be made for their security and with their customers.

3. Regulatory alignment and risk management

Although privacy disclosures and breach notifications are typically required by regulatory bodies, institutions that proactively share aspects of their cybersecurity governance with customers and members demonstrate leadership and due diligence—both, as I mentioned earlier, will prove useful in the event of future breaches or litigation.

What should financial institutions share?

It’s neither practical nor advisable for credit unions to publish every technical detail of their cybersecurity infrastructure—such disclosures could help bad actors. Instead, you should focus on sharing information that empowers members without compromising defenses. Here are five key areas:

1. High-level cybersecurity policies

Provide summaries of internal cybersecurity strategies, such as:

  • Use of encryption for data at rest and in transit
  • Multifactor authentication standards
  • Incident response procedures
  • Network segmentation and zero-trust principles
  • Regular third-party risk assessments

This helps members understand that your institutional safeguards are robust and evolving. And by pointing out “all you are doing” you strengthen your bond with your members, as opposed to the posture we see in privacy and data breach notices which come across as “CYA” and weaken that bond. Being proactive is simply better.

2. Customer security best practices

Offer plain-language tips, FAQs, and guidelines on how customers can protect themselves, including:

  • How to recognize phishing emails or fake websites
  • Password management advice
  • Secure device usage
  • Mobile banking app security settings
  • How to report suspicious activity

Many credit unions are engaged in the above, but it will prove more valuable and effective when packaged with discussion of your institutional efforts, and of the broader environment.

3. Fraud and threat notifications

Credit unions should issue real-time alerts about known scams or active fraud campaigns affecting their members. This can be done via email, SMS, push notifications, or a dedicated security center on the institution’s website (Yes, make this part of your public profile).

Examples include:

  • Alerts about spoofed bank websites
  • Emerging SMS phishing (“smishing”) campaigns
  • Updates on global cybersecurity incidents (e.g., MOVEit vulnerability)

4. Incident response transparency

When incidents do occur, how you communicate can make or break your reputation. Sharing:

  • What happened
  • What systems were affected
  • What customer data, if any, was compromised
  • What immediate actions are being taken

…can reassure members and minimize panic. Proactive communication outperforms reactive damage control every time. But don’t stop. Don’t underplay what has happened. Don’t gloss over what must happen. Don’t fall short and leave the impression that it is business as usual. See https://www.cuinsight.com/sisyphus-is-still-pushing-that-rock/ for my fuller complaint regarding breach notifications. And, no, regulatory requirements aren’t a strong argument for what you’ve been doing. You can do more.

5. Third-party risk and vendor information

Members increasingly want to know whether their credit union shares data with vendors and, if yes, whether those vendors meet rigorous cybersecurity standards. Members read the news too. They have heard about supply chain risk. So, you should consider:

  • Disclosing vendor due diligence practices
  • Outlining data-sharing policies
  • Publishing certifications or compliance benchmarks (e.g., SOC 2, ISO 27001)

Challenges to overcome

While sharing cybersecurity practices offers clear benefits, it isn’t without challenges:

Operational complexity

Creating and maintaining clear, customer-facing cybersecurity content requires dedicated teams—often across departments like IT, compliance, legal, and marketing. This can stretch your already overburdened resources.

Balancing transparency and security

Over-disclosure of internal controls could arm attackers with too much insight. You must walk a fine line between informative and overexposed.

Member engagement

Even well-designed cybersecurity communications can fall flat if your members ignore them. To drive engagement, you must deliver content through the right channels (mobile apps, email, account dashboards) and at key moments (e.g., during onboarding, after a suspicious transaction, or as part of regular digital hygiene checkups).

Conclusion: A cyber partnership, without finger pointing

Cybersecurity is no longer the sole domain of IT teams hidden behind firewalls and data centers. It’s a shared responsibility—and, likely, a competitive differentiator in the future. By sharing cybersecurity policies and practices transparently, you can move from passive guardians to active partners in your members’ digital safety, lowering risk and strengthening relationship bonds.

The future of secure banking lies not only in advanced threat detection or regulatory compliance, but in how effectively you engage and empower your members. Succeeding in this effort can reduce fraud and earn trust, loyalty, and lasting brand value. So…

  • Review your current cybersecurity disclosures and identify gaps in member-facing transparency.
  • Launch a digital security education initiative aligned with your brand.
  • Treat customers as allies in the fight against cybercrime, not liabilities.

Because in cybersecurity, silence isn’t golden—it’s a missed opportunity.