The fiduciary responsibility for the 2023 cyber vault.

In last month’s blog post , Mark Norcini, leveraged his investment management background to help leaders use their business acumen to drive cyber risk management. In this post, we’ve asked former NCUA (National Credit Union Association) board member, Dennis Dollar, to share his perspective on what fiduciary duty means for credit unions, their board of directors, and what to expect in 2023 and beyond. 

Just as board members who are the fiduciaries of credit unions were responsible for making sure the vaults were safe in the 1950s, alarm systems were installed in the 1960s, and video cameras were in place in the 1970s, the progression of fiduciary responsibility at credit unions in the 2020s has moved to ensuring the integrity of the cyber vault. As board members come to recognize this fiduciary responsibility, the delegation of that authority to executive teams will become increasingly demanding in the cybersecurity arena.

Courts have ruled again and again that among the fiduciary duties of a board at any institution–particularly a financial institution–is the duty of care. The duty of care, as the courts have held, is the responsibility of boards to make sure their process is solid and sound as they make policy and strategic decisions for their institutions.

In other words, the liability for a fiduciary is not so much whether a decision proved to be the right decision. Rather, the liability is determined by the process the board went through to take the decision seriously, gather all available data, evaluate the data with the institution’s long-term best interests in mind, and act on the decision after this process with no conflict of interest other than the viability of that fiduciary evaluative process.

When we look at the 2020s, which brings more cyberthreats and a greater likelihood of financial and reputation losses stemming from potential cyberattacks, the process that boards follow to protect the vault in 2023 will be the key line of defense from both regulatory actions and legal liabilities.

Let’s start with regulation. There is no current issue that I have seen with as much unanimity on the NCUA board and among the agency’s staff than that of cybersecurity, despite the disparate political parties and regulatory philosophies of the three board members. NCUA is currently budgeting and staffing up for a major regulatory and supervisory initiative to make sure the 4,900 federally insured credit unions nationwide are not just doing the minimum when it comes to cyber risk management.

The regulators–and their examination teams–want to see that credit unions can do more than simply identify cyber risks. The supervisory demand for a clean exam is going to be whether the credit union has a system in place 24/7 that not only identifies cyber risks, but also stops and corrects cyberattacks in real time.

Using cyber protection software or subscribing to an online service will be viewed as a minimalist approach that carries more risk than doing nothing because credit unions cannot afford to think that they have cybersecurity covered.

Cybersecurity investment, and the quality of that investment put into place in a proactive manner that becomes integral to the daily operations of the credit union, is going to be a key–if not, the key–evaluation point of every NCUA and joint state regulatory exam in the next five years.

But there is more than just regulatory pressure on cyber risk. The legal liability is huge, and fiduciaries know that legal liability is actually their liability on behalf of the credit union and, in some cases, personally.

Plaintiff attorneys have found credit unions with recent class-action suits challenging overdraft programs, NSF fees, collection tactics, and lending policies. The basis of much of this litigation has been the contention that credit unions, as smaller financial institutions compared to their larger bank brethren, have not adequately followed industry standards and best practices because of their lack of scale.

It is inevitable that a significant security breach will occur in credit union land. When it does, it will bring out legal vultures looking for other instances where credit union fiduciaries have not followed the duty of care in their investment in, oversight of, and protection through their cybersecurity programs.

The fiduciary responsibility of directors, partnered with their delegated management through their executive teams, will be on the line–perhaps because of a breach at the home credit union or maybe through legal action stemming from actions at another credit union.

The ability of credit union boards to be actively involved in evaluating and overseeing the cybersecurity programs at the credit unions they serve is crucial. Board and executive complacency–hoping for the best and praying that last decade’s investment will cover this decade’s exponentially greater risk–will carry little weight with either the examiners or before a jury.

Regulatory supervision and legal liability are inexorably intertwined with the cybersecurity issue these days for fiduciaries. Separating the two is not an option. Being proactive is the only option.

Dennis Dollar is a former Chairman of the National Credit Union Administration and credit union CEO. He is currently the Principal Partner of Dollar Associates, LLC, a full-service consulting firm for credit unions headquartered in Birmingham, AL.