
The future of the cyber fiduciary

The modernization of technology means more ways cyberthreats can affect a company. Cyber risk should be viewed as financial risk and therefore, we can expect it to become similarly regulated. It's likely credit union leaders are going to be pulled further into a formal fiduciary role over cyber risk. 

In this webinar moderated by Mark Norcini (SEI Sphere), guests Dennis Dollar and Kirk Cuevas will discuss how fiduciary responsibility is evolving in the credit union space, and how fiduciary leaders can take charge for their organization. In this webinar you will learn:  

  • The encroaching oversight of regulatory authorities 
  • What fiduciary duty means for executives and board members in the credit union space 
  • How to be proactive with intertwining regulatory supervision, legal liability, and cybersecurity issues 


Dennis Dollar is a former Chairman of the National Credit Union Administration and credit union CEO. He is currently the Principal Partner of Dollar Associates, LLC, a full-service consulting firm for credit unions headquartered in Birmingham, AL. 

Mark Norcini:    All right. Well, hey, thanks to everybody who is joining us today. I'm sure some people will be trickling in here in the next few minutes, so let's just do some quick housekeeping. In case you're not familiar with the ON24 platform, which we happen to like very much, what you see on your screen, all of these engagement tools are resizable and moveable. So feel free to play around. Around the edges here, you'll see the double lines, you'll see some arrows. If you tap [00:00:30] the double arrows, you can make your slides full screen and maximize it that way. If you have any questions during the webcast, you can submit them through a Q&A tool. We are going to try and answer all of them. If a fuller answer is needed, if we don't get to them, things like that, we are capturing all those questions. So we will provide any follow-up to something that we can't get to for whatever reason.
    A copy of the slide deck [00:01:00] will be available. It should show up in related content if it's not there. In the related content box that you see, there should be two blogs, one written by Dennis, one written by SEI, on this topic, today's webcast, the fiduciary responsibility for the 2023 cyber vault. For the best viewing experience, just know the webcast is run on bandwidth, so if you're not getting a good feed, try shutting a few things down. This is [00:01:30] streaming so there's no dial-in. You can't play around with your audio. There is not a dial-in option, just to make you aware. Also, any questions about the content, if you're not seeing it, you're not getting it, feel free to put that into the Q&A. We'll make sure we get to you. But afterwards, we will be sending everything as well by email.
    So, my name is Mark, Mark Norcini. I'm with SEI Sphere. With me are the stars [00:02:00] of the show today, former NCUA chairman of the board, Mr. Dennis Dollar, and current President of Dollar Associates; and former counsel to the chairman of the board at the NCUA and partner of Dollar Associates, Mr. Kirk Cuevas. Kirk, my wife's an attorney, she makes me call her doctor, but you haven't asked me to do that yet, so I won't just yet.
    The reason that we're here today, the reason SEI is here with Dennis Dollar and Kirk Cuevas is because, [00:02:30] unfortunately, the war on cyber crime, it grows. We're not out of the woods yet. Everybody's getting better. But in this war against cyber crime, financial institutions, as we have been viewed as stewards to our members, to our customers, to our business' data from a financial standpoint, we've been stewards to our financial assets. We are now becoming stewards to that financial data and to the protection and security [00:03:00] of it for the benefit of our membership, for the benefit of our stakeholders. So we are here to address a forecast on what we believe the NCUA is probably going to be moving towards, that's what Dennis is going to be talking to, to maintain trust in the system and around data security.
    So as I said, my name is Mark. I'm with SEI. Quickly on SEI, we are a financial institution. [00:03:30] We're in the financial services industry. We're doing that for about 50 years. I think the best way to think about what our business is, we're a larger financial institution and our clients are all financial institutions, primarily in the investment management industry. So think about a core provider and how they serve the credit union and the banking space and the data flowing in and out of that core provider's data center every day from all those financial institutions. That's analogous to how we serve the investment [00:04:00] management industry, and hence why we're here.
    Because we're a larger group, we have trillion in assets under management and assets under advisement. We have 10,000 financial institutions getting to know Dollar Associates. They've seen that a larger financial institution has the scale to do some things differently. Some of those things that we're doing, those concepts are going to begin making their way through the regulatory environment into [00:04:30] credit union space, into small, medium-sized businesses in general. The goal of the regulators is to force growth and maturity in the cyber space by incorporating the C-suite, by pushing it onto the board. And that might be a good thing in some ways for IT because it'll help determine the investment that needs to be made to fulfill a fiduciary duty over that.
    So the good news is, we're all getting better at this. We're at the beginning of a big wave of cyber investments, and we're [00:05:00] going to get to the point, all of us, collectively, where we're able to manage our cyber risk as well as we're able to manage things like credit risk and begin to sleep a little bit better at night. So with that introduction, I'm going to turn it over to Dennis. Dennis, talk a little bit about what he sees coming in the regulatory environment.
Dennis Dollar:    Well, thank you, Mark. And thanks, on behalf of Kirk and myself at Dollar Associates, for the invitation from the folks at SEI Sphere to [00:05:30] be a part of this webinar today. We have been aware of them for a number of years and have done some regulatory work with them. We know not only their size and their scale, but really their leadership in this particular area. They are not only an offer of a great product in this regard, but they're really a thought leader as it comes to cybersecurity. And for that reason, we were glad to be able to accept their invitation to [00:06:00] talk about it today.
    I'm going to talk about it from the regulatory point of view as a former NCUA chairman. And then Kirk Cuevas, who is my partner, but Kirk is an attorney. Kirk was my chief of staff and counsel to the chairman at NCUA when I was there on the NCUA board and when I served as chairman. Kirk is going to talk about it more from the legal point of view, the fiduciary responsibility, [00:06:30] because there is a real likelihood that this is going to end up being not only a question of regulatory compliance of what you're doing to keep up in the cybersecurity arena, but it's going to be an area that you're going to see the plaintiff's attorneys begin to look at, to see, if there is a breach of some type, what did you do to try to mitigate that, to prevent that? What will be your defense when they take you to court in a class action lawsuit [00:07:00] accusing you of not having done enough from a fiduciary point of view?
    And the fiduciaries on this, of course, ultimately are the boards of directors at your credit unions, but they are designating this. They are delegating this to you, the CEOs, you the COOs, you the chief technology officers and others. But ultimately, that fiduciary responsibility, Kirk's going to talk a little bit about that. And then we're going to come back at the end and I'm going [00:07:30] to give you just some practical suggestions, knowing NCUA like I know it, of what to expect as the examiners begin to come in.
    But I want to kind of start with this, that there are very few issues today that the Republicans and the Democrats agree on. This is probably the most bifurcated time in certainly the last 40 or 50 years of the Democrats, the Republicans don't seem to find anything that they can agree on. [00:08:00] It's created a stalemate in Congress, a stalemate in the federal government and even at a number of state levels. But interestingly, one of the areas that I have seen, whether it's on the NCUA board or whether it is in Congress, in the House or the Senate or even the state legislatures, is that the Democrats, Republicans all seem to feel like that cybersecurity is a major issue and one that they're willing to set aside their differences to pass legislation.
    There have been 64, 64 [00:08:30] bills introduced in the current session of Congress that deal directly or indirectly with cybersecurity. And they've been authored by both Democrats and Republicans. Two have actually consolidated many of those individual proposals. They passed both houses and have been signed into law by President Biden. So when you say Congress has done nothing over the last two years, and there's a long list of things that they have not been able to get together on, but one of the things they have been able to get together on is on [00:09:00] two consolidated cybersecurity bills. Kind of like the NCUA board, which has a Democratic chairman and two Republican members today, they haven't been able to get together on a lot of pieces of significant regulation because their philosophies are so different, but they have managed to pass two regulations over the last two years, one of which is out for comment now, on cybersecurity.
    In fact, when the National Defense Authorization Act [00:09:30] came up before the House of Representatives about three months ago, there were 34 amendments offered that were directly or indirectly dealing with cybersecurity. Now, they have not passed the final bill. It's still in the Senate. How many of those end up getting included? I don't know. Probably no one does at this day. But I just make that point to show you that cybersecurity is an issue that is on top of mind in Congress. It is on top of mind in [00:10:00] the administration. It's on top of mind at NCUA. And it's very much on top of mind at the CFPB, the Consumer Financial Protection Bureau.
    As recently, as just two months ago, in August of this year, CFPB put out a circular in which they listed cyber protection of consumer data as a liability area for financial institutions that the CFPB intends to enforce and to include [00:10:30] into their enforcement mechanism. They have set up a special designated consumer complaint focused on its website for data security complaints. They have their consumer complaints portal, but they have set up a special designated portal for consumers to complain about violations of their personal data. So it's a big deal.
    [00:11:00] Each action, in Congress and at the federal regulatory agencies, has built upon the previous action. Whatever they did last year, they seem to be going a little bit further this year. I think what that is reflecting is the fact that the hackers, who only have to be right once, and we as credit unions have got to be right every day, all the time, 24/7, but that hackers are getting better every year. They're building upon what they learned last year. So therefore, [00:11:30] Congress and the regulatory agencies feeling like that the government oversight and government requirements will make you as a financial institution pay more attention to this. I submit that you would be paying attention to it because of the reputation risk to you and to your members. I've maintained you would be paying attention to it anyway.
    But Congress and the regulatory agencies, NCUA, CFPB, they are intent upon making sure that you do. So they continue [00:12:00] to build upon what they did last year with something new this year. I think it's very possible that NCUA may even come with another cyber rule, from some of my contacts there, before the end of this year, early part of next year. But where you're going to really begin to feel it from, I think, NCUA for those of you that are federally insured, so whether you are state chartered or federal chartered, NCUA examinations come your way, is that they are going [00:12:30] to incorporate this into their examination program.
    More and more and more of a discussion in Congress, and particularly at NCUA and with the regulators, has been about, "We are going to be sending our examiners into your credit unions in addition to checking your compliance with regulations, in addition to checking on your financial safety and soundness as a credit union, but also how are you handling the fiduciary nature [00:13:00] of your credit union as it relates to cybersecurity." They are looking at this from the point of view that it was a fiduciary responsibility of a board in the 1970s to make sure that the vault was secured and the ATMs were properly managed.
    It was in the 1980s that they were not considering you to be financially responsible if you did not have certain checks and balances [00:13:30] in place. That moved on into Y2K and other issues along the way. And they have continued to say that you have got to maintain the security of your credit union. Well, today, the security issue has moved from whether there's double locks on the vault, whether or not we've got the proper cameras in place to protect against [00:14:00] intrusion and armed robbery and the like. Those were the issues of the '60s and the '70s and '80s. The issue today, where they feel like the credit unions are either going to or going to miss the mark, is their fiduciary responsibility on cybersecurity.
    And because boards are the fiduciaries of the credit union and they're going to see a heightened demand for applying proper fiduciary standards, you're going to begin to see the examiners want to look at the minutes of the board [00:14:30] to determine whether or not they are getting regular updates on cybersecurity, whether or not they are getting regular recommendations as to ways to improve and enhance their cybersecurity. And they are going to be looking at the budgets that boards approve as to whether they are allocating appropriate resources. Now, of course, when that liability comes to the board, you know what happens. It gets passed downhill to the CEOs, and then from the CEOs to the [00:15:00] executive teams. And this is no longer going to be just an issue for the CIO or the chief technology officer. The look at this issue from a fiduciary point of view is going to raise the stakes. And so that's why I thought it was good when SEI decided to sponsor this webinar. And we were, as I said, honored that they asked us to be the regulatory and the legal experts to talk about it a little bit, because it is becoming more [00:15:30] and more of an issue. So when we talk about the fiduciary responsibility, I'm going to hand it over to Kirk now at this stage. Kirk is the attorney half of our partnership. And then I'm going to come back at the end and talk about some practical solutions for you in preparation for the examiner coming in. But let's go ahead and move on over to the fiduciary's responsibility to kind of get you into law school 101 a little bit with Attorney Cuevas here. So Kirk, kind of take it and run with it from here.
Kirk Cuevas:    [00:16:00] Thank you, Dennis. And I too echo Dennis's comments earlier. We are delighted to be here with you this afternoon and talk about an issue that has really risen to the forefront in recent years. And there's no mistake about it that it is an issue that will occupy a lot of our time as fiduciaries in the credit union space, but also the examiners that will be coming in are going to be, as Dennis pointed [00:16:30] out, very focused on this as we go forward. It's one of the things that credit unions, as we've matured and as we've become more sophisticated as financial institutions, relying more on technology to deliver financial products and services. One of the give and takes with that is that as we get a little bit more ability to provide those products and services through technological means and digital means and what have you, the flip side to that is there's an expectation on the regulatory [00:17:00] front and even from the members' point of view that that is being done in a very safe and sound manner.
    So what does it mean when we start talking about fiduciary duty? I think to echo what Dennis talked about earlier with law school 101, let's just pull out what the legal definition of fiduciary is. I know for many of you, this is old school and old hat, but as we begin our comments today, it probably makes a lot of sense to just be refreshed. Black's Law Dictionary [00:17:30] describes a fiduciary relationship as one founded on trust or confidence reposed by one person in the integrity and fidelity of another. Sounds very legal. Well, let's bring it down to maybe some layman language and look at what the dictionary says. It says, "A fiduciary is one who stands in a special relationship of trust, confidence or responsibility in his or her obligations to others as a company director or an agent of the principal."
    So you start seeing some common themes [00:18:00] in both of these definitions. You see the words like trust and confidence and responsibility. And over the years, the definition of fiduciary duty has really become associated with core duties of care and loyalty. When you hear the word fiduciary duty in a legal context, it really starts boiling down to what was the duty of care? And was there a duty of loyalty there? That is primarily where those issues start getting focused [00:18:30] upon. So how does that look in a practical sense? What does it look like in today's environment? Well, when you go back and you look at the law, fiduciary duties of directors were really first elaborated on by common law judges. They didn't really have any formal written law to guide them in defining what that duty was. It's just sort of case by case they formed what we call in the law common law [00:19:00] that says, "Well, in this case, the duty of care was X. In this case it was Y." And over time, that sort of formed the basis or a theme, if you will, of what a fiduciary duty should look like.
    And even today, if you look at the laws of the United States and even other common law countries, our jurisdictions, they don't really contain any statement at all about what constitutes the core fiduciary duty of care and loyalty. In other words, it's not going to be a specific [00:19:30] list, "If you do this, this, this, this, this, this, you're good." Generally, when determining whether or not a director or a fiduciary has met their duty, they look at that through matters of interpretation. And it's broadly been addressed in regulation, credit union bylaws, case law, et cetera, if you go today and you look at the regs that the NCUA has or even your state regulators may [00:20:00] have, you're going to be hard-pressed to find that the duty of care is spelled out for every specific example that may face a board of directors.
    It's really evolved over time. Dennis referenced earlier, what does the progression of fiduciary responsibility in the financial industry look like? Well, got a few photos here that really speak to that. For years, when we talked about safety and soundness of a financial institution [00:20:30] back in the '50s and even before, it was how strong was your safe? How strong was your vault? How many locks did you have on it? And boy, I can remember growing up in South Mississippi and you'd go into some of these financial institutions that had been around for years and one of the things they'd love to showcase was, "Boy, look at how big our vault is and how secure it is." Well, then that evolved later to, "Well, do you have alarm systems in place? I mean, we need to be able to protect our tellers. And in case of a bank robbery or a [00:21:00] credit union robbery, can we access an alarm that will alert the authorities in ample time to get there and maybe prevent a loss or an instance at the institution?"
    Well, that evolved as we've got into video and security cameras. We started saying, "Well, of course we got to have that in place, because the place needs to be safe and sound. We need to be able to identify potential threats and the like." And as you see, just over the last half a century, [00:21:30] there's been an evolution. There's been a progression that no one would question that is part of the responsibility of being a good steward. A safe and sound fiduciary responsibility would be to make sure that the financial institution is the place, the credit union is the place where members can come and feel safe, that their deposits are safely secured and that the credit union is operating in a safe and sound manner.
    Today that looks more and more... [00:22:00] Products and services are delivered today primarily through electronic means and digital means. I think if you look at some of the statistics, I think the most recent, 75% of all credit union members prefer to have their products and services delivered to them primarily through digital means or electronic means, which means that there's a greater expectation that the cybersecurity, that the way that product and service is delivered over the internet and through the waves, [00:22:30] are done in a very safe and sound manner. So just as it was important to have the safe, just as important to have the cameras and the alarms, today, there's an expectation that we're doing this in a very safe and sound manner, protecting member information and their assets.
    So what does duty of care really look like? Well, many have described this duty as the duty of a director to be informed and try to make good decisions. As a director, you have the responsibility [00:23:00] to be informed about an issue prior to making the decision about the issue. Now, that doesn't mean you got to make the right decision all the time. It just means you got to consider all the material information reasonably available to you prior to making the decision. And from a legal standpoint, you're going to have them consider to fulfill this duty if you follow the policies and procedures of the credit union, if you've consulted with the appropriate committees, management and outside experts. That is important when [00:23:30] we're talking about cybersecurity.
    Again, this is a refresher. A lot of you realize that, but we want to make the point is that, and Mark started this conversation, that we have to really look at this as just as you're paying attention to the credit risk policies and procedures, you also need to pay attention to cyber risk and the reputation risk that it may cause the credit union if we don't handle it properly. So the duty of care really extends to that. So as I said [00:24:00] earlier, it's not so much whether you make the right decision or not. It's how you make the decision. And that really brings into the forefront the business judgment rule. And that's relative to the duty of care.
    I think it's important for all of us as fiduciaries to recognize, hey, the United States court systems have traditionally not held directors liable for business decisions that were made without a conflict of interest, unless there was completely irrational [00:24:30] thought basis assigned to it. They do something that just not a reasonable, prudent person would've done. Then that could give rise to breaching the duty. But they're not really going to go in there and say, "Well, we're not going to get hung up that a decision went opposite of what they thought it was going to be." They really want to know what did you do and how did you make that decision.
    So the business judgment rule has really been a doctrine of non-interference. They're not going to get into your deciding whether it was the right decision or the wrong decision. They've concluded [00:25:00] that they're not that great at second-guessing or coming up with hindsight decisions, because there's a presumption that the board has acted in good faith or an honest belief that they're making a good decision. So that's a recognition that we can't eliminate risk in the decision making. We can't eliminate the fact that some decisions work out and some don't. I'm not going to suggest here that if you go out and you select a provider for cybersecurity and you say, " [00:25:30] Well, there we go. We've picked the right one, and I hope it all works out," that that necessarily eliminates you from any risk in that decision. No. You know there's risk. You know, as Dennis said earlier, the hacker only has to be right one time. We have to be right all the time. But directors are going to have been considered to have met that fiduciary duty if they make informed decisions, if they make decisions with the proper information.
    So all the point's going to come down to not what the board decided but how they decided the issue. [00:26:00] So that brings it really in to from my perspective making sure you have the proper information in front of you to make a well-informed decision. Consider experts. Consider the questions that you need to ask and making sure that we're asking the right questions at the time when presentations are made and so forth.
    So what does it look like with regulation and cybersecurity? [00:26:30] Let's take a look here. What does legal liability for breach of fiduciary duty mean? Well, guys, I know that on the credit union side, most credit union directors, there are some exceptions in states, serve on a voluntary basis. That means they're not compensated. There are some state chartered credit union boards that do get compensation, but for the most part, credit union directors are volunteers. But that does not relieve you of [00:27:00] your fiduciary obligations. In fact, you can be subject to civil money penalties and even prohibitions and potentially you can be held liable for breaching that fiduciary duty. That could even result in prison time if it's something that's against the law and blatant as it relates to fraud.
    But that said, we do need to be mindful that we are in a very litigious society. Plaintiffs' attorneys have been quite zealous [00:27:30] in going after class action suits. Some examples of that have been overdraft programs, NSF fees, collection tactics, lending policies. You name it, they have gone after credit unions and named the boards of directors in those lawsuits. And the way you protect yourself is making sure that you're making those informed decisions and that you've had the proper information ahead of you and in front of [00:28:00] you to do so. It's only a matter of time I believe before we start seeing lawsuits resulting from a major security breach at a credit union. It doesn't take much. You can go back and look at some of the trade press and some articles recently. We've seen several fines, large fines, levied against organizations, companies for breaches of confidential information or cybersecurity breaches. I think [00:28:30] that it's just a matter of time before we see that plaintiffs' lawsuit wave coming as a result of a security breach.
    So we need to be mindful of that. And the way we insulate ourselves is, again, making sure that the resources are there available to have proper systems in place but also making sure that you're asking the right questions that you're considering this as something that is [00:29:00] important on the forefront. Often when we talk about cybersecurity, I compared a little bit to the hot water heater at home. As long as the hot water heater is working and hot water is coming, you don't think much about it until there's a problem. And if the hot water heater's 20 years old and it goes out and it floods the basement, then you're all of a sudden, "Okay. We need to really do something about that." But now with the advancements in technology, the advances in delivery of financial products and services, [00:29:30] it may be that there's a better way to deliver the hot water. Maybe the hot water heater that you have is not sufficient for the amount of service that you're talking about.
    And so with a credit union that's very much engaged in cybersecurity, in the environment that we're in now where it's more and more of a potential liability and threat, it makes a lot of sense to regularly ask those questions and make sure that you have those proper systems in place. So acting [inaudible 00:29:57]-
Dennis Dollar:    Hey, [inaudible 00:29:58]-
Kirk Cuevas:    And oversight is going to be [00:30:00] important as you go forward.
Dennis Dollar:    Kirk, now just-
Mark Norcini:    Now just, Kirk, that you brought up legal liability, I just wanted to let everybody know, we're going to have a couple of things after Dennis talks to show you that you might be able to bring back to your team with some of those questions and with an outline of an example process that we think is going to be good for helping you think through how to meet these types of standards. Thank you.
Kirk Cuevas:    So all that to say, before I turn it back over to Dennis, [00:30:30] I just want to say from a fiduciary standpoint; and this is the lawyer wearing the hat here; is there's really no room for complacency on boards of directors here. You can't simply hope for the best and pray that the last decade's investment's going to cover the exponentially greater amount of risk that we're going to see going forward. I don't think that we can just sit back and say, "Well, we've got a system in place, it's done pretty well," and hope that that carries you through. It's going to be something that requires [00:31:00] that active oversight. You can't separate the fact that regulatory supervision and legal liability are going to be intertwined into this. You just can't separate the two.
    So the best way to go about this; and Dennis is going to go in and talk about some specific examples for boards to look at and management teams; is that you just have to be committed to taking a proactive approach. I believe that is the best option. It's the only option going forward. That's the way you're [00:31:30] going to protect the institution, but you're also going to protect yourselves from some of these lawsuits that may be on the horizon. If you've done these things, you've asked the right questions, you've made informed decisions, you will have been held, I think, in almost every jurisdiction to have fulfilled your fiduciary duties. So with that, Dennis, I think it's a good time to turn it over to you and you can talk about the regulatory approach to cybersecurity.
Dennis Dollar:    Well, thank you, Kirk. [00:32:00] And as the attorneys always do, they always scare us about what may happen in court. But we've seen some lawsuits over the last several years, as Kirk mentioned, in areas like overdraft programs and NSF fees and collection approaches and the like that have really required settlements on the part of credit unions. And it all comes back to not necessarily that what they were doing was right or wrong, but that the process that [00:32:30] they went through to make the decision, they shortcutted the process, and they did not meet that duty of care. And again, who is the fiduciary? It's the board. But because we have more executives on this webinar today, I'm sure, than we have board members, let's remember that who do the fiduciaries depend upon for helping them to meet that duty of care? It's you, the CEO, you, the COO, you, the CIO.
    [00:33:00] One of our questions that we have, came in a moment ago, what is our thoughts on the expertise of boards regarding cybersecurity? And I don't think the expertise of our boards is very strong in that regard, because again, most of our boards are longer serving. We have not got as many of a newer generation into our volunteer board positions as we do have those long term board members that have served our credit unions well. They've been on the boards for 10, 20, 30, 40 [00:33:30] years sometimes. They're the pioneers that built the credit union. But they're not necessarily out there on the cutting edge of the technology issues that are required to run a good credit union today. So they're depending upon you, depending on the CEO, the CFO, the COO, the CIO, to be able to help them meet that duty of care.
    And I think we're doing a good job in that regard when it relates to digital delivery of [00:34:00] services and those kind of things. We have convinced our boards that even though they may not use the app, that we've got members that use the app. Even though they may not use home banking, we've got members that use home banking. So we've got to invest in doing that right. Cybersecurity comes along that same vein. We've got to be able to show them that we are making the proper investment, so that if there is a lawsuit; or more likely than a lawsuit, let's not let the lawyer scare us too much here; even if there's not a lawsuit, the examiners are coming.
    [00:34:30] And when the examiners come and say, "What are you doing to make sure that you are staying up to date with what's happening in the cyber arena?" I think that we need to have an answer. And I'm not sure that the answer can be, as Kirk said a moment ago, "Well, we bought this program 10 years ago and we haven't had a problem yet." That's the 10 year old water heater, and we've got today water filtration systems and we've got water systems and we've got tankless water heaters and there [00:35:00] are newer things that we could at least be looking at. Have we looked at those? Are we still just hoping that the old water heater doesn't bust?
    The three-member NCUA board, as I said a moment ago, is unified on this issue. They are currently budgeting and they are looking at literally millions, millions of dollars, millions of your dollars, because NCUA is funded by the exam fees that federal credit unions pay and an overhead transfer rate that comes [00:35:30] from the share insurance fund that all credit unions fund. So they're currently budgeting and preparing to budget and establish an entire department on, in effect, technology risk management, cyber risk management.
    And one of their expectations is going to be; I've had a lot of discussions with my old colleagues at NCUA, some great folks who are I think intending well, although sometimes they overreach, I will admit; but their hope is that they [00:36:00] think credit unions should be able to do more than merely identify cyber risk. They think they should be able to, that you should be able to both identify and correct cyber risk and cyber attacks in real time. They do not want us to be in the situation where, if you remember the commercial about the dentist who is in the mouth of the patient, comes up and said, "Yeah, that is a bad cavity. That thing is so [00:36:30] deep and it definitely needs to be addressed and you don't need to go any further without addressing that. It's going to cause you major problems." And then takes off his gloves, gets ready to walk out, and the patient says, "Well, aren't you going to take care of it?" Says, "Oh no, I just identify the cavities. Someone else will have to be the ones to come in and to fix it."
    Well, you're not going to be able to take that approach. And so many, so many of the existing cyber programs that [00:37:00] are in place out there; and there are a lot of them and some are better than others; so many of them are really good at identifying problems, then having it on the desk for the CIO and his team to fix the next day when they get to the office. Well, NCUA is moving to where they want to be able to know that your system will both identify and correct in real time, 24/7, to where the next morning when the CIO comes in, he sees here was the problem, here's how it was fixed. And now [00:37:30] you move on to try to make sure that that problem never happens again, not coming in and expecting to fix it.
    So that's going to require to meet, I think, that standard of care, that duty of care that Kirk mentioned, an ongoing evaluation of cyber protection software and systems that's got to be integral to the day to day operation of the credit union. And here's the big thing, the reason we're talking about fiduciary here, that I think this is going to be one of those issues that NCUA drops [00:38:00] at the feet of the board, to say this is not enough to just say, "Oh, our CEO and his team are handling that." I think they're going to be looking at ways that you can prove that you are, as a fiduciary and at your credit union, meeting that duty of care.
    So I'm going to give you four or five bullet points here. Mark mentioned that the guys from SEI Sphere are going to give you some individual questions from their perspective that you [00:38:30] can ask. But I want to give you a third party consultant's recommendation of some actions to consider, not necessarily that you have to do, but something to consider that I think would help prepare you for what the examiners are going to come in and ask. And heaven forbid, if you're ever brought into court through some type of plaintiff's action over some type of security breach.
    First of all, I really think that you ought to schedule a report [00:39:00] at least semi-annually, twice a year, to your CU board on cybersecurity and what action you are taking. I think you ought to record this in the board's minutes. I think that if there are any new rules that come about from NCUA or CFPB, I think they need to be in that report to say, "This rule has passed or this new law has passed or this new regulation has passed since we last met. Here's how we're dealing with it." I think it needs to be a written report [00:39:30] that is perhaps also either presented verbally or at least provided to the board at least semi-annually, for where you have in the records that we're not just sitting back and hoping that the water heater doesn't blow up, that we are actually monitoring this on an ongoing basis.
    The second one is to ensure that your IT budget reflects that commitment to cybersecurity, and it really should, unless the financial condition of the credit union requires otherwise, it really needs to increase annually. [00:40:00] This is one of the areas where the examiners are going to look at as to whether or not your board is putting its money where its mouth is. Saying we're committed to cybersecurity and not being willing to put the money into it is like saying that, "We're all in favor of extending more services to persons of modest means, but I'm not going to do anything to market in those parts of town." You have to back it up.
    And I realize that so many times it all comes back to money, but that's because so many times in life it all comes back to money, [00:40:30] and to ensure that your budget reflects that commitment. Now, if you just got through making a major commitment, perhaps then through your reports on a semi-annual basis, you're able to show how that commitment is helping you meet and stay ahead of this. But I think that those first two areas are areas in which the board can show that we are doing everything reasonably to meet that duty of care.
    I think you ought to shop for a cyber firm that can run a test as to how strong [00:41:00] your current system is, particularly on emails, because frankly this is how the hackers get in more times than not. 95% of the time it comes in through an email source, through somebody clicking on an attachment in the wrong email, opening the wrong email. And I think that no matter who your firm is now, there are other firms who would be willing to run a test on your current firm. Have that done, see if they can [00:41:30] penetrate the system. If they do not, well then, that is a plus for your current firm. That's something to put in that report to the board. And if you found a problem there, well then now let's talk about whether or not your current provider can fix it or whether or not we might look at somebody who can.
    And then make sure that your cybersecurity program can not only identify, but as I said a moment ago, fix in real time any cyber threats. [00:42:00] And that's one of the questions that I hope is on Mark's list. I haven't seen his list, but my guess is that it probably is; that ask, can our program not only identify but fix in real time any cyber threats? And if not, well then, maybe it's time to at least go back and shop whether or not your current provider can provide that or some other provider can provide that.
    The next one is to prepare for your examiner questions [00:42:30] on your cyber program and make sure your partners can help you answer them. Now I want to tell you, as an old NCUA guy, the examiners always get suspicious when they ask you a question and you say, "I can't answer that, but I need to let whoever answer it for me." They say, "Well, this is your responsibility, this is your fiduciary liability here. You need to be able to answer the question." But your third party can help you answer those questions. They can make sure that you can answer those questions. [00:43:00] And if they are not, an answer is not going to be, "Well, we hire ABC to handle that." NCUA says, "Well, we don't regulate ABC, we regulate you." So whoever your partner is, it needs to be somebody that can help you answer those questions.
    And then lastly here, any cybersecurity partners... And none of us are able to do it on our own, so we all do it in partnership with some third party. [00:43:30] Any of those that you invest in, make sure you do and you document solid due diligence, and not just patchwork your approach to how we examine them. I want to go so far as to say this, and I realize that my hosts here are the folks at SEI and I realize that many of you who are on this webinar, because this is an SEI sponsored webinar, may use SEI's product. And [00:44:00] it is a good product, and I'm aware of it, and I've got credit unions that do use it.
    But I don't care what product you're using, even if it's SEI product, when you get within six to nine months of the end of your contract or when the next automatic renewal comes up, do some due diligence. Go to at least three or four sources. I think last count there's like 30 firms who do and offer cybersecurity products in the credit union area. Some better than others, [00:44:30] but certainly I think that you ought to bring in at least two or three, maybe four, and have them look at what you have, have them talk to you about what they can offer, and just see if you are keeping up. As we said a moment ago, the hacker only has to be right once. You've got to be right all the time. And as NCUA puts more and more emphasis on this, as the attorneys are out there looking for the most recent cyber breach so that they can bring a lawsuit, the ability [00:45:00] to be able to show that you have done your due diligence, that you have met the duty-
PART 3 OF 4 ENDS [00:45:04]
Dennis Dollar:    ...you to be able to show that you have done your due diligence, that you have met the duty of care, that you have shopped this thing. And I don't mean just shopping it on price. A lot of times when we come to the end of a contract, we shop for price and say, "Look, I want everything that I've got right now, but I want it for $5,000 less a month." I think in the cyber arena it's going to be, what does it have that I didn't have last time? What is its features that go beyond what I have been depending upon? What is moving me more [00:45:30] toward the tankless water heater that may last me and meet my needs for a longer period of time than that 10 year old one that I have out there that I'm here hoping every night doesn't flood the basement?
    So that's just some recommended actions to consider and I really encourage you and your COO and your CFO and your CIO and the CEO, if not on this call, to really talk about this [00:46:00] somewhat, to maybe take this list and work it a little bit and to keep your board involved because that's where the problem is going to hit the fan, if you will, when the examiners come in and say, "They are missing their fiduciary responsibility as a board," because they're not holding you accountable for this, go ahead and make sure that you put them ahead of the game by looking at these types of items here. So with that, I'm going to give it back over to Mark to close us off and we've [00:46:30] got some questions I know that have already come in and we'll be here to answer those as well. But Mark, I'm going to kick it back to you.
Mark Norcini:    Gotcha. Yeah. Thank you Dennis. So I'm going to show you an idea of a process. Like I said, we're a financial institution, first and foremost. We're regulated by the FFIEC, we've been fighting this battle for a while. I'm going to show you a little bit about something that we do, packaged up so that you could maybe take it back to your teams and have a useful discussion. The things [00:47:00] that I heard from Dennis and Kirk, I heard you say things around standard of care, duty, making an investment, and being proactive. Dennis, you ended there on "Hey, the executives rely on you. If you're the CIO, CTO, you're in IT, the executives rely on you to help them figure out what this process." That's really what we're about to get to here, is what is a process that we can set as that higher standard, [00:47:30] that fiduciary standard?
    And then it allows everybody to be an equal party and say, "Hey, we don't have the data to meet this process' standard and thus we need to make an investment." And then it's not a matter of who gets the budget or what, it's, "Hey, is the process being met?" So let's talk about that for a second. And what I mean here, I'm talking about detection and response. Things like patching and scanning and multifactor [00:48:00] authentication, security awareness, phishing testing. These are all things that we're all doing. We're audited on them, we are required to do them in many cases. And I imagine we're doing them pretty well and they are an important part of a process. Just want to be clear that that's not exactly what I'm here to talk about today. I think we're doing those things pretty well. What I want to point out is, if one of those preparations fails and we get to that point of, "Hey, how are we going to know if we're going to see it?" What's a good process [00:48:30] to be proactive to invest in to make sure that we can do this ahead of time?
    Instead of getting an alert and saying, "Hey, we saw something. Now we have to make sure it gets taken care of or make sure our provider fixes it." The fiduciary standard will be a little bit higher. How are we peering around the corner to give ourselves the best chance that if that thing shows up, it's not going to be a problem and we know that already? So the questions I have listed here, this is our process. Doesn't need to be your process, just giving you some ideas, [00:49:00] but what's active in our industry amongst our peers? And what threats should we expect to be seen? So there could be just being in the fiduciary space. It could be businesses that look like us, but this is a great start. It's not going to cover everything, but it sure is going to cover a lot, because if they're attacking my peers, that's a pretty good chance they're going to be coming after us.
    What's our process for choosing these? This is defining our scope, defining how we prioritize. So it might simply be, " [00:49:30] Hey, what are the attacks that are live right now?" In our process at SEI, we're typically looking at somewhere between 60 and 75 of the most relevant live attacks in the space, in the financial industry amongst our peers and using our team to prioritize those as our focus. Not only our focus, but we're constantly building that priority list because they're most likely to hit us. Your number doesn't need to be 60 or 70, but whatever that number is, establish why is it that number and [00:50:00] then what does it cost to maintain that number, to maintain a rolling list of the 25 most active threats right now? If that's half of an employee to maintain and stay on top of that list, now we have neutral terms for what investment needs to be made to maintain that process.
    How regularly are we updating this forecast? This is a constant process for us. Could be daily for your credit union, involves networks and community sharing, right? We [00:50:30] don't compete when it comes to cyber security as a financial institution. We share relentlessly. There's a lot of available intelligence out there that you can get and then you have to figure out what to do with it. And what you do with it is the next question. If this list that we made, if these threats that are alive in our world, they do show up, what protections do we have in place? How do we know that we're going to be alerted? And so here it's really important to note that we're not talking about having an email tool [00:51:00] or having an endpoint security tool or having an intrusion detection tool. This is where we get to, like I said, the higher fiduciary standard could look like this for your business is, "Hey, we have 25 or 30 different threats that we know are out there. How are we mapping this threat to the coverage that we have on our systems?"
    Attacks need to take five or six successful movements throughout our infrastructure to get what they want. [00:51:30] It is very possible to map out based on what we know about them, what's their first move? What's their second move, right? We call this, in our world, the cyber kill chain, right? There's five or six stages. How are we mapping the coverage that we have to the specific kill chain of events that this particular threat has? And then do that for the entire list. What happens if we fail? If we're doing that well, we now know, not trust, we're not trusting that our tools are going to see it. We know that [00:52:00] we have either found and verified coverage or created and deployed coverage so that we can fail five or six times before these threats are going to have any success.
    So I'll show you what this looks like. Here's an incident. This is a real incident shown to the IT steering committee with our executives on it. This is what we call the sleep well at night report. When our investments and our process are in place and they're doing what we're doing, then we know that not only are we good from a fiduciary standard of care or legal [00:52:30] posture, but from a, "Hey, the business is going to be okay," posture. So this example, and you can take a screenshot, it'll be in the deck. So in this example, a phishing email hits an employee inbox. So fail number one. Second, the employee, boom, clicks on it. And in stage two, the network tools that were programmed with signatures for this attack, as part of that process I said, it sees it, mitigates the problem, and it remediates the issue.
    Now, [00:53:00] sleep well at night, because of this mapping process, because of getting ahead with intelligence and having all of our tools and system work as one, security is able to confirm using that threat's traits that a malicious zip file would've come back. If that had actually worked and the endpoint tool, we know that it would've seen it. So we got another level of resiliency. Next, the employee would've had to put in a password. So hopefully they weren't naive enough and they would've been suspicious. But had they failed, we do know that [00:53:30] there was an additional control on the network tool for that call out to the internet. That would've seen it. Three levels of resiliency, password, we found it. And four, we know and we can see that there was coverage on the network tool for this attack when they try to bring back their bad guy payload onto our infrastructure.
    And then in this example, the team goes out and finds all the indicators of compromise available. All the intelligence out there, we do what's called a regression test to make sure that it hasn't been seen for the last [00:54:00] 60 days and we just happened to miss it. That comes out positive. We clear, we can say, "Hey, for this incident and representation of the process that we've invested into, we are confident that there is no further compromise and we caught this thing." And we're going to fail.
    Things are going to happen, we're never going to be a hundred percent. So like Dennis said, we need to have some resiliency because they only need to be right once or twice to be able to get where they need to be. So what does this mean? Look, I think there's a lot of you that are out there that are [00:54:30] doing it well, I'm sure. I don't know if they do it the way that we do it, but as we look to get better, a good process allows the fiduciary team and the executive suite with the IT team to connect together and know that the investments that they're making are working, not working, and it's a good process.
    If this is something that you're not doing well, having your tools working together, managing a lot of alerts, not sure if your providers...what they are not doing and able to be covered for, you don't have that access, we might be a [00:55:00] company that you want to work with. So large financial institution, SEI Sphere is the business unit of SEI that makes this process, this cyber security into a managed service and available to credit unions. So we are doing that. Feel free to reach out, our contact information will be here. But I hope that we've given you some good examples on how to have this conversation internally. Dennis.
Dennis Dollar:    My only comments, [00:55:30] Mark, are that we'll be more than glad to take any questions that you have. As I said a moment ago, certainly from experience and from the opportunities that we have had to work with SEI from a regulatory point of view, I can certainly vouch for the fact that they have a true, true commitment to make sure that they stay ahead of the game on this. I'm not going to sit here to say to you that they're the only person, that they're the only group out there that offers these products and that [00:56:00] you should put all your eggs in their basket without even talking to anyone else. I would not make that claim. I doubt the folks at SEI would make that claim. I think it's important that you'd be able to show that you have done your due diligence, you have done your homework, that you've looked at more than one source.
    And I certainly think that they would certainly be worth considering. But as I said, there's some 30 companies out there that are offering it right now. I'm sure many of you are working with other companies, [00:56:30] I don't say just lightly and without any consideration, just change from them to someone else. But there is a process that I think is worth going through. And I think that now with the examination authority and with the potential of legal action, I think that going through that process is more important than it has ever been. And making sure that you have multiple folks to look at it and maybe even someone outside come in and test what you're doing now [00:57:00] to determine whether or not I need to go even further in looking into any weaknesses. So with that, Mark, thank you for the confidence of SEI, for asking Kirk and me to participate. We're glad to do that and we'll take any questions anyone has if we can answer them.
Mark Norcini:    Thank you. So we do have a quick one here on zero-day attacks. And Jay, I think makes a good point that we don't want to give the perception that every attack is defensible. However, I'll say two things about zero-day attacks. One is we talked [00:57:30] about that, "Hey, what's live in the world as a part of the process?", and investing in the capability to do that and be on the pulse of the industry. That helps us react quickly and get intelligence that we can incorporate onto our systems for zero-day attacks, assuming that those who were attacked do eventually share. Like I said, we can't be perfect on everything. The second thing is that there are a lot of mixed characteristics or shared characteristics of different types of [00:58:00] attacks. And so first, having all those tools in place, the layered security. Second, is some attacks are going to look and do things similar to other attacks.
    And so there is a part of intelligence that puts controls and different types of controls in place. And you can talk to your provider about this that block, not just the yellow hammer, but anything that's trying to hit a nail, it's the best way I can describe it to you. So, "Hey, we blocked this attack, [00:58:30] this other attack, it's zero day, it looks like this attack." We might already have coverage in place for that, for shared characteristics of the attack. So that's the quick answer, Jay. I'd love to talk to you more about it if it's something you would like to. But yes, layered security is really important to buy time to identify and take care of that issue. So we are at time, I don't see any other questions now, feel free to email us with any, we will get some materials for this out to you. [00:59:00] Dennis, parting words?
Dennis Dollar:    No, except that I'm sure glad you answered that question, because that is not necessarily in my strike zone, but that's why you guys are the expert and I'm the guest presenter. So I felt like saying to Jay when I saw that question, "That question Jay is so easy that I'm going to let Mark or [inaudible 00:59:21] answer."
Mark Norcini:    Well, Dennis and Kirk, thank you for joining us and everybody here, really appreciate your time. If you made it all the way [00:59:30] with us, and like I said, you'll get some materials and feel free to reach out with any questions. Thank you.
Dennis Dollar:    Thank you. Have a good day.
