CUNA Mutual takes Information Security very seriously. This document is meant to give our business customers an overview of the practices that we follow in order to protect both our computer systems and the data that has been entrusted to us.
Password Policy
Access to CUNA Mutual’s online services and business functions is secured by user ID and password. However, our ID and password rules for Credit Union employees (who do business on behalf of the Credit Union) are different than the rules for Credit Union members (who do business only on behalf of themselves).
The initial password for Credit Union employees must be changed the first time that the account is used. We also require these passwords to be changed every 90 days thereafter.
While it is true that many Internet sites do not force their customers to change passwords at all, please remember that these are frequently retail sites. If your password to such a site is compromised, you are usually the only person affected. On the other hand, credit union employees are doing business on behalf of the credit union, and have access to much more data than just their own. If their passwords are compromised, it could have a disastrous effect on the data of many members of that credit union. A forced password change every 90 days will decrease the risk of this happening.
Credit Union members having accounts with us may choose their own password, and although we recommend that they change it periodically, we never "force" them to do so.
Data Encryption
We support 128-bit SSL (Secure Sockets Layer) data encryption for our online business services that require data transmission. We believe that this provides powerful data security.
Internet Service Provider Connectivity and Reliability
CUNA Mutual’s Web activity is routed through a local Internet Service Provider (ISP). This ISP’s Network Operating Center features multiple high-bandwidth Internet connections and redundant power protection. We believe that this provides us robust and reliable Web capability.
The Network Operating Center is a controlled environment featuring physical and electronic security measures that include hand-scanning devices, digital video surveillance, multiple firewalls, and electronic intrusion detection technology. Its team of security specialists understands our critical business need to be able to offer 24 x 7 Web capability to our customers.
Computer Viruses and Malicious Software
We attempt to ensure that all files coming into the CUNA Mutual network are scanned for viruses and other malicious software. It is our custom to deploy anti-virus software on our mail, web, and application servers as well as on all desktops. Our regular procedures call for virus "signature" files to be updated regularly. In addition, emergency procedures designed to contain any virus outbreaks are in place.
Intrusion Detection Capabilities and Firewalls
Intrusion Detection systems are in place through which we attempt to monitor all network traffic both to and from the Internet. These systems are designed to note and intercept or block suspicious activities as deemed appropriate. In addition, our networks are protected by firewalls, which further serve to filter and block suspicious traffic that is detected.
Incident Response
CUNA Mutual has established a process for evaluating and responding to potential security incidents. A core team from our Legal, Compliance, Security and Audit areas is available in the event an incident involving our electronic systems is detected. This team is charged with:
- Evaluating the incident
- Determining the appropriate mitigation strategy
- Determining the appropriate notifications to be made, which may include law enforcement officials, credit union customers and other third parties.
Data Backup
Our policies require that all production data be backed up on a regularly scheduled basis. The backups are done centrally. The data backup process is automated and monitored for any error situations. Our procedures call for each backup to be copied and stored off-site in a protected, climate-controlled environment.
Independent Security Assessments
CUNA Mutual employs the services of various external consulting and auditing firms to test our defenses and report on any vulnerabilities detected.
In addition, CUNA Mutual Group's online data security procedures have been certified by Cybertrust, an internationally recognized security consulting organization. This certification means that Cybertrust has tested us for vulnerabilities, and has determined that CUNA Mutual meets Cybertrust's standards for protection of systems and customer data.
Cybertrust’s certification requires a series of evaluations and recommendations on overall network architecture, connectivity, physical security, redundancy and disaster recovery capabilities, environmental controls, system configurations, and operational policy compliance. Once the site is officially certified, Cybertrust security analysts work with us to regularly monitor adherence to their practices and standards.
We are proud of our Cybertrust certification. Certification is not a function of simply letting Cybertrust technicians attempt to break into our systems. A team from CUNA Mutual’s Information Security, Technical Services, and Electronic Commerce areas worked with the Cybertrust consultants, and regularly works with them, to identify potential data security threats and to take what we believe to be appropriate actions to minimize or eliminate these threats. We take these measures to attempt to assure that the sensitive financial data we receive from our credit union customers and others is handled according to appropriate data security practices.
Additional Information
From time to time our customers, business partners, and other interested parties ask for more detailed information about CUNA Mutual Group’s information security infrastructure, including specific questions about the types of firewalls we use, how they are configured, operating systems on our servers, and details on our Intrusion Detection and Response procedures. However, we do not believe that it is in the best interest of our customers and others with whom we do business to divulge this type of detail about our computer systems and defenses, nor the details of our audits or security reviews. If this type of information were to get into the wrong hands, it could potentially be used against us. The first step in any hacker attack is to determine what types of defenses are in place at the targeted site. Armed with this knowledge, the potential hacker has one less step to go through in order to breach any defenses in place.