Cybersecurity in a financial world

Speaker 1:  SEI Sphere provides managed technology services to support and secure the evolving IT needs of today's regulated and fast growing businesses. With comprehensive business solutions that deliver cyber, network, and cloud services, SEI Sphere helps organizations build a technology foundation and strengthen their cyber maturity. Providing financial technology platforms and solutions for more than 50 years, SEI enables clients to focus on strategic initiatives and drive future growth. For more information, visit seic.com/sphere. SEI Sphere, the future of cyber protection.

Ron: In a post COVID world, cyber attacks are more prevalent and sophisticated than ever. In the fast moving and dynamic digital age, credit unions have the responsibility to not only secure their members' financial assets, but protect the reputational risk as a trusted and secure financial institution of choice. I'm Ron [inaudible] Steve Bomberger, Head a SEI Sphere, discusses the latest developments in cyber security and how credit unions can protect their financial assets, employees, and members. Among the topics Bomberger addresses in this interview are the latest threats, risk management, third party partnerships, and successful recovery plans. As Bomberger says in this interview, because cybersecurity touches so many aspects of operations and risk, it's become an all encompassing issue for credit unions and it's more important than ever that credit unions and their employees making it an everyday part of their daily lives and routines. So Steve, tell us a little bit about SEI Sphere and what you guys do. Cybersecurity is always a big topic for our listeners.

Steve Bomberger: Yeah, thanks Ron. SEI itself is a 54 year old organization that has really lived in the financial services ecosystem. We've operated both as a financial institution and really a FinTech organization. All of our businesses over those 54 years have been focused in on delivering technology and services and solutions to help our financial clients really do their jobs faster and more efficiently, so to allow them to focus on the growth while they know they have a partner that's really going to help them with a core function that they've determined they want to find a partner for.

SEI Sphere, which is who I represent today here within SEI, is really a managed technology services business that we're really, really excited about at SEI. We launched it about three years ago, and the concept was to take all of that heritage, all of those 54 years, and think about the internal teams, the best practices, and the services and solutions that we've naturally become very good at and developed through that heritage to deliver really IT programs and business outcomes for clients. So where we are today is we offer complete cybersecurity programs, cloud services, and network operation services to small and medium sized institutions.

Ron:    So cyber security, it's a huge topic. That said, who should care about it?

Steve Bomberger:    It's certainly something I think we all realize we should care about at this point. We've probably all seen the news the last two and a half, three years.

Ron:    Exactly.

Steve Bomberger:    I think we care as consumers and individuals, and we also care as employees and business professionals. It has become a part of our everyday life. I think we see it in all of those facets. It's no longer a topic that can be swept underneath the rug. And when we think about businesses, it's not just an IT issue anymore. It has become an all encompassing business issue. So it's not just the IT team's task and problem or issue anymore, it's become an issue that we all need to think about. It's IT, it's finance, it's audit, it's compliance. Really, I think we're finding ourselves in a period of almost a cultural shift within organizations where cybersecurity needs to be thought of across every context of the business, from the C-suite to the employees, and ultimately we got to be thinking about the customers, the customers of our businesses, and our duty and fiduciary responsibility to protect their sensitive information as well. So I think we're all at a point where we know it's a big issue and it's something that is not going away.

So we need to determine how to address it as best as possible. So the short answer is I think we all care about it at this point and it's in our face every day within the news. The why I think really supports that as well. The why really fits with the who should care. We all see legislation and regulation, whether that's the NCUA that is adopting more rhetoric around getting serious about what cybersecurity means to financial institutions and to community credit unions. The SEC this year came out earlier with a proposed legislation that's going to add some additional burden or clarity, however you want to look at it, but add some additional regulation around cyber security to SEC audited organizations. So legislation and regulation is coming, and as businesses, we have to think about both legislation and making sure that our audits and our policies are tight. But then also operationally, we want to make sure we're doing all we can to support our own businesses and protect our client data. So it's here and it's not going away.

Ron:    You're absolutely right. Security is not going to go away. It literally keeps CEOs up at night. They can work all day on it and they're still not going to know if they're doing a good enough job. How do we know if we're doing a good enough job on cybersecurity?

Steve Bomberger:    Yeah, it's a great question. It's a question we talk to a lot of our clients and perspective clients about on a regular basis. Organizations are at that precipice of saying, "Are we doing enough? And how do we define what enough is?" Really, it's this hard topic of if we haven't had a problem and it's been an IT cost that I haven't really seen any ROI on, is that good enough? Am I willing to roll the dice on that, even as attacks become more prevalent? Or do I want to try to get ahead of it and start to plan for the future of this evolving industry?" Very difficult to, if you haven't had a problem, put a return on that investment to think about it, as we talked about earlier, a little bit culturally within the organization.

So it's a bit of a definition that isn't perfect yet, and I think businesses themselves probably need to define it more particularly to their daily operations. We talk all the time about good security and balancing that good security with making sure we don't hinder organizations from their growth, from doing their business operations on a regular basis. So definitely a topic that at times you need to self reflect a little bit, decide what your cyber posture looks like, and then make sure you feel like you've put both the policy and the operations in place to make you feel comfortable at night.

Ron:    And cybersecurity, it's not something a credit union can do just internally. You need to reach out for external assistance. So when a credit union is searching for a cybersecurity partner, what should they look for in that third party?

Steve Bomberger:    Yeah, I think it's similar to what we were talking about earlier. It's not really a one size fits all approach. There are an immense amount of options out in the industry today. There are a lot of really new shiny tools and shiny objects that are, a lot of them, very, very good at delivering a piece of security. I think internally, you got to ask yourself first, "What are the things that I want to do as an organization? Do I want to have a small staff that does some things? Do I want to have no staff at all and find a partner that can completely outsource all of it? Do I trust that vendor? What's their track record at delivering the service level equation that I want and do they really understand my business?" So while we believe good security is certainly good security for any kind of institutional organization, organizations that truly understand the footsteps that financial institutions and community financial institutions walk in every day may have a better approach to delivering a quality security program. So I think it's multifaceted.

I think it's certainly a little bit of an internal look at what you desire to do and what you want your partner to do. And at the end of that, when you're able to determine that mix, making sure you find a partner that you're going to have good communication with, so knowing who's going to do what. To your point about CEOs or CFOs or CIOs in the middle of the night, if there's an attack or an incident, do I want to be woken up in the middle of the night or do I have a partner and want a partner that I know is going to be working through that and resolving it and letting me know the following warning? So this is a youthful industry. It's probably really only been around 10 to 20 years. There's a lot of acronyms out there about managed detection and response companies, managed security service providers. But at the end of the day, desiring your cyber security posture, understanding what that looks like, and then finding the partner that's out there that can deliver upon that is where you'll end up at the end of the day.

Ron:    So one of the things that makes cybersecurity so difficult is that it's a moving target. The landscape changes virtually every day. Do you want to talk about the current threat landscape, the type of attacks, the evolution? Do you want to get into that a little bit?

Steve Bomberger:    Yeah, sure. I think all of this revolves around what is good security? We kind of throw that term around a little bit too, why and how it matters, but what at the end of the day is good security? In our mindset, good security is really having a defense in depth mindset because we know, to your point, those threat actors, the threat landscape, is constantly evolving. So 20 years ago, everybody was focused on firewalls and making sure we build the right firewalls in place. Now we know that, especially post COVID world, everybody is in a work from anywhere mentality. We know digital transformation is underway and people are moving from cloud, so infrastructure in a lot of places is getting smaller. So really, knowing that there's no silver bullet to security, good security is making sure you have an integrated system across all of these different attack vectors.

And when we say attack vectors in the industry, that's just ways that bad actors can get into an organization to get their data, to get their information. So having a coordinated system across all of these different attack vectors and to know that not one tool or one piece of software within a security pillar is going to be enough, as an organization, you really should have a complete visible picture into the things that are attacking you on a regular basis and the ability to get smarter and understand what that looks like so you can be more proactive in the future. The things to that point that have really changed is if you look now, depending on the data that you look at, 80% to 90% of most attacks originate through the end user. So that tells us that security's only as strong as your weakest link. And as diligent as employees can be and as well educated as employees can be, sometimes you just have a bad day and clicking on that link or not thinking about because you're doing too many things at once.

That's the way most bad actors get into organizations at this point. So you talk about a lot of these different things and terms for attacks and what they look like. Phishing, that's the most prominent way that bad actors get into organizations. They phish through emails and they get information or credentials that allow them to get into a system. So dealing with phishing is the biggest issue right now and focusing on that human, that end user as an attack vector is paramount. Also, ransomware. Malware can be ransomware, spyware, all these different things. That's a huge part of it. Obviously, we've seen ransomware explodes since 2010 in digital currencies becoming more prominent. But ransomware's a huge part of where bad actor organizations are finding their ROI. So phishing and ransomware are easy to deploy and there's great ROI for the bad actors. So really, those are the two most important attack vectors or the most prominent that we see happening today on a regular basis.

Ron:    Well, and as you said, 80% to 90% of the attempts are through the end users, so that gives them a pretty high chance of success. So the recovery plan is the key part of any strategy. So what are the key elements if a credit union is breached? What's the key elements of a recovery plan?

Steve Bomberger:    Yeah, the key elements of a recovery plan, I sort of go back to my youth and being a Boy Scout. The Boy Scout motto was be prepared. I know it sounds cliche, but there is no substitute for being prepared for an incident or a breach. As we've talked about over the last few minutes, there's no silver bullet to this. And to your point, whether you've been attacked and had an issue or maybe there's even a bad actor laying within your organization or infrastructure, now we know a lot of times that happens, bad actors will get into an organization as infrastructure and lay in wait for months and months to find the right time to hit, it's really, really important to be prepared for the situation, even if you have what you think is the best policy and the best operations in place today. So having a good incident response plan, just saying, "Hey, if something does happen, what are we going to do?" In no real particular order, but if you think going through it, if you have an incident, you want to really identify the problem.

You want to make sure it's isolated and that your systems are secure. You want to make sure you've identified this breach and investigate it. How did it get in? Where has it traversed? Where is it sitting? Do we have it isolated again? Can we go back and identify that problem? Then you got to fix it and update it, of course, make the adjustments to ensure that hopefully doesn't happen again. But then also, look across that and say, "Are there any best practices or learnings that we can take away from that?" And I think the part that we're all living right now, and we see it in the news every day, is transparency. Transparency is really, really important for the brand reputation and trust of organizations, especially small to medium sized businesses who live by their reputation. So alerting the appropriate regulatory agencies and certainly being transparent and notifying your customers if there is a breach is a really, really important part of being prepared to respond appropriately if you do have an incident or a breach.

Ron:    Yeah, and that's why conversations like this are so important, so we can share that information with all our members. And to that point, thank you for sharing your time with us today, Steve. We really appreciate it.

Steve Bomberger:    Thanks a lot. I appreciate it. And think before you click, Ron.

Speaker 5:    Thanks for listening to the CUNA News podcast. Subscribe to the show on Apple Podcasts, Spotify, Google Podcasts, and Stitcher Radio.

Speaker 1:    SEI Sphere provides managed technology services to support and secure the evolving IT needs of today's regulated and fast growing businesses. With comprehensive business solutions that deliver cyber, network, and cloud services, SEI Sphere helps organizations build a technology foundation and strengthen their cyber maturity. Providing financial technology platforms and solutions for more than 50 years, SEI enables clients to focus on strategic initiatives and drive future growth. For more information, visit seic.com/sphere. SEI Sphere, the future of cyber protection.