Podcast: The future of the cyber fiduciary
Fiduciary responsibility for banks and how leaders can take charge for their organization.
Advancing technology can lead to more cyber threats against companies. And, with more regulatory oversight expected, financial leaders will likely be pulled further into a formal fiduciary role over cyber risk.
Dave Detweiler, Managing Director for SEI Sphere, recently spoke with NJ Bankers about the growing level of financial risk to banking organizations and what steps leaders should take.
What should banks consider?
- The encroaching oversight of regulatory authorities
- What fiduciary duty means for executives and board members in the financial industry
- How to be proactive with intertwining regulatory supervision, legal liability, and cybersecurity issues
John Mangini: Hello, this is John Mangini, Vice President of Marketing with the New Jersey Bankers Association. Welcome to the New Jersey Banker Podcast. Today, our president and CEO, Mike Fuso, sits down with Dave Detweiler, managing director for SEI Sphere, to discuss the latest cybersecurity regulations, what a fiduciary's responsibility is when it comes to cybersecurity, and more. This episode is brought to you by SEI Sphere, a managed security services provider. [00:00:30] SEI Sphere provides comprehensive business solutions that deliver cybersecurity, network operations and cloud services. For more information, visit seic.com/sphere.
Mike Fuso: Thanks, John, and thank you, Dave, for joining us today. We really appreciate you taking the time to join us for our New Jersey Banker podcast. So let's start with the basics. What is a fiduciary, and what's the responsibility when it comes to cybersecurity?
Dave Detweiler: [00:01:00] Thanks, Mike, and thanks for having me here today. I appreciate that, and we'll start with a very in-depth definition. How about that, Mike? But I think we've all heard that term fiduciary, you know, in our lives, especially in the financial, you know, backdrop that we all work in. And really it comes around from, you know, how the regulation applies to data and information security, but a fiduciary at its baseline is one who stands, you know, in a special relationship of trust, right? Confidence and responsibility. That's what we all know. And really as we're [00:01:30] seeing this, if, you know, as we're seeing this evolution, Mike, and how the evolution of everything evolves, I think especially from a cybersecurity standpoint, our fiduciary responsibilities revolve a lot around data, right? We're capturing a lot of data today, Mike, and the idea is we have responsibility for that data, just like we have responsibility, you know, as a fiduciary of a 401K program, for example, Mike. But I think that's how we're viewing it. And a lot of us are capturing a lot of information today, and that's not just what we house, but it's also us, you know, interoperable with our [00:02:00] third-party vendors and data that might be flowing back and forth from those folks as well.
Mike Fuso: So that's great. But tell us, you know, when you're really looking at it, what do fiduciary leaders really care about when you look at the IT part of the fiduciary duty?
Dave Detweiler: It's a good question, Mike, right? So I think the biggest thing that everybody looks for is that it works. They want their systems to work. There's this line of convenience and security that I think all [00:02:30] business leaders are struggling with today. You know, when you think about system availability and protection of company and customer data, intellectual property, right? Compliance, especially from an executive standpoint, you know, staying out of the headlines. How do we future-proof the organizations? Those are all things that I hear executives talk about today. And really the joke of it, Mike, is, you know, what's the most secure system? You can have one that's offline, right? If you shut everything out and it wasn't connected to anything, then that would be the most secure system. But that wouldn't [00:03:00] be the system used to run your business, because it wouldn't be very successful, right?
Dave Detweiler: So I think we're all working on this line of, yeah, we need system availability, we need protection as well, but there's a line of convenience and protection, right? And that's that line that we always evolve on. I think the easiest one, you know, as folks are listening to this, the easiest one in your head to think about from a security standpoint today is different websites that people go to, right? So there may be a need for a marketing group to go to a Facebook website or [00:03:30] a Twitter website, whereas, you know, the mass of employees, you might not want out on TikTok or Twitter during the day, but that's a decision we have to make as leaders. And obviously that comes with that convenience and the promotion of your organization.
Mike Fuso: So this risk as you define it is, you know, a lot different than financial risk or credit risk, which our bankers are very adept at dealing with. You know, there have been financial models that have been used, you know, for a century to determine [00:04:00] what's a good risk, who's a good risk, how to mitigate those kinds of risks. How do you define this risk, and how do you really translate that into something that's operable for our bankers, who are really folks that deal with numbers and with credit risk and financial risk?
Dave Detweiler: It's a great question, Mike. We talk a lot about it, right? I don't know that anybody has the silver bullet yet. There are a lot of different modeling tools [00:04:30] that are out in the market right now, but I think what everybody struggles with is what does that model mean? What does the result mean? There's nothing necessarily at this point where an executive can look at it and be like, okay, now I know that in the gradings Gama b you know, like that, it's very tough to understand where you stand. But I would say that to your exact point, we have risk models for everything else. We all take on risk every day in our personal and professional lives. And in our head we make that calculation. So really [00:05:00] at the end of the day, it requires better visibility across the organization from a protection standpoint, from a security standpoint.
Dave Detweiler: And what I mean by that is, if you really think about what you're looking at, there are all these threats out there. What are all the threats, right? And tough to consume, but obviously peer relationships and some of that sharing and stuff like that. But really what it comes down to is what are the relevant threats? So if you think of a Venn diagram in three bubbles, there's relevant threats, there's all the threats out in the market, and then there's the current protections you have in place. And as an organization that should give [00:05:30] you the visibility to say, okay, I feel like we're good in this coverage, right? So now I'm starting to apply that risk model, saying, oh, Mike's a more risky, you know, decision to lend money to, maybe, than Dave. The idea that, hey, this area of our infrastructure, this segment of our assets, are important.
Dave Detweiler: I would say, Mike, at a baseline, one of the things we talk a lot about to organizations is, at a baseline, understand all the assets you have out there that you're supposed to be securing and controlling. Like, it's funny, we all went home over the last two years and, [00:06:00] you know, the pandemic, and people started using their personal devices and people are using their personal phones, not just their home, their laptops. So the idea is, what are you really securing? What does your landscape look like? That's the important piece. And once you start to understand that, I think we can come back to quantifying that risk. Okay? I am a bank, I am an organization that's in a highly targeted sector in the United States. That increases my risk, right? That makes me a high-risk company. But by the way, I have these seven things in place and we know that they test against these [00:06:30] strategies.
Dave Detweiler: That helps me start to understand the risk. I think the thing that, you know, is really tough sometimes to hear from folks as well is, you know, I haven't been hacked, so, you know, we must be doing a good job. And I think that's the thing that we're trying to get to. 'Cause I think, you know, on one side, Mike, you're like, hey, I'm an executive that really wants to be informed and I don't have a good model to come back to and say, I need to spend more money on this. And that's what this all revolves around, right? Can we get, how much should we spend to be better at security? How much should we spend [00:07:00] as an organization? And then where is my risk appetite associated with that? Just the same way we make other business decisions within our organization. I think that's what we're trying to get to. And I think that leveraging that visibility, Mike, and getting it to a point where we understand truly what is relevant and attacking us, and at a minimum what we're protecting and the assets we have, I think we'll be in a better spot.
Mike Fuso: What you're defining is much more amorphous than, you know, the dollars and cents of [00:07:30] credit risk. How would you drive it home to a C-suite executive that, you know, it's really worth the spend, right? We didn't have somebody kick in our door, so we must be safe. And I know it's a lot akin to, you know, how do you know the CIA's doing a good job? They're doing a good job 'cause it's not a terrorist event, <laugh>. But you really don't want to get into the back and forth with what the CIA's actually doing. How do you define that? And I guess, [00:08:00] going back to the CIA question, should their budget be a dollar or should it be 10 billion? Because nothing bad has happened, so maybe you don't need to spend the 10 billion. So how do you really toggle with that question of, you know, folks that are really financially savvy and focus on the dollars and cents? How do you, you know, you've defined what the risk is, but how do you kind of push that through to people that are really, you know, [00:08:30] credit risk, financial risk kind of people?
Dave Detweiler: I think it's, you know, it's something we kind of stay away from a little bit, Mike. There's this whole term FUD, right? Fear, uncertainty and doubt. And that's a tough one to get across to people, but I think what we can all do as better security professionals is show our work. Think about math class back in ninth grade or whatever, right? You come up with the right answer. Cool. Well, did that take you an hour to come up with the right answer, or did you just write, you know, show me your work, Mike, how'd you come up with that? What did it take to get that done? And I think that type of reporting is [00:09:00] gonna be seen at the board and executive level. We need to roll that up into some type of a report card. I think that there are organizations out there doing it today, but that's what we need to get to, Mike.
Dave Detweiler: Just like a risk score where you show up and you're like, okay, am I gonna take this risk on, Dave? We have to come up with that type of score. And I think that exists today. Now there are some numbers there, and a lot of times people hear the term cybersecurity. What's that really mean? Well, guess what? There are threats actively coming after your organization. I guarantee you there's a number to that. Guess what, you know, we had 4,000 threats coming at us [00:09:30] this month and we protected the organization, Mike. That's worth something, that's valuable. And I think all of us have to get maybe a little bit more self-promotional for the great work that we do on the cyber side. And then I do see the opening of the executives' eyes kind of with that. So I think there's gotta be a way that they can consume the information for all the work that goes into it.
Dave Detweiler: So, hey, here are the threats that we've seen. By the way, here's how we stopped all those threats. Here's all the further they made it. It's, you know, a pretty simple scoring mechanism. And then I think lastly, [00:10:00] what executives are really going to wanna see, Mike, is kind of some kind of peer-to-peer kind of grading system, right? How am I doing against the other banks? Like, how am I doing in New Jersey today, you know, against all my peers? And I think that'll probably be the eye-opening moment, but it's tough. It's the aggregation of data. It's the integration and aggregation, Mike, to get to a scorecard.
Mike Fuso: Yeah, that's really important. And that's a really good way of positioning it to folks that are C-level, you know, these folks that are [00:10:30] C-level executives. They wear so many hats and it's very hard for them to keep up with new regulations. Can you shed some light on what some of the latest regulations are in this sphere?
Dave Detweiler: Yeah. Well, I like the sphere comment there, Mike. Thanks for that. The idea that, you know, the regulations are constantly evolving. Everybody's asking for more stringent guidelines. What that means, I think at a baseline, is we're gonna see additional requirements [00:11:00] for documentation. I think that benefits the question you just had for me, right? Better documentation is gonna produce better numbers, which is gonna produce better results for the organization to see what's actually being done. I think that you're gonna have additional reporting requirements that are coming out, and we're seeing those happen. So now this is where teams are getting together to say, hey, how can I bubble up those reports, again maybe solving some of that vagueness that we had of what's the value of this and what are we really doing, right?
Dave Detweiler: The other area I think that we're gonna see a trend, [00:11:30] especially with these executives wearing many hats, is what's coming down right now with the Uber CISO, right? Joe Sullivan, you guys may be familiar with his name, actively right now going through the process of how long or how little a prison term he might serve. If anybody's not familiar, Joe Sullivan's the ex-CISO from Uber. You know, there was a pretty bad <laugh> hack or leak, if you will, from Uber. But I think really what it came down to was Joe Sullivan [00:12:00] actually was nefarious in his actions. He was trying to hide information. He wasn't being as forthcoming. And Mike, I think this is really part of the regulation that everybody, especially from an executive standpoint, should be thinking about: there are some new accountability measures being put in place, and I think everybody's looking to this, you know, the legal process, to see how it unfolds. Because yeah, we can all put additional, you know, documentation and policy and stuff like that in place, but if there's starting to be litigation coming back through our houses, [00:12:30] I think that that's something we all should be aware of and, you know, ensure we're doing the right things.
Dave Detweiler: And again, I'm not associating anyone that might be listening to this, Mike, with Joe Sullivan, who was hiding stuff nefariously, but at the end of the day, I think that this is the first time we've seen, at least here in the US, someone, you know, a CISO like that, going through the actual legal process.
Mike Fuso: So this might be a question a little bit out of left field, but you create this whole process. You create all these documents of all the safe things that we're doing, how we make everything safe and [00:13:00] super secret and super safe. What happens when that gets hacked?
Dave Detweiler: Yeah. <laugh> Mike, I think that's a great question, right? Like, I think we just went through this a couple weeks ago with a pretty longstanding cyber professional. We all have to be prepared for the imminent, right? We're gonna get hacked. Like, it's not a matter of when, or, you know, how, it's a matter of when now, I think, is what everybody says. There's no silver bullet out there. Mike, I think that if they're gonna steal my policy [00:13:30] documents and stuff like that, I'd rather 'em steal that than maybe the PII data that I have stored in my, you know, in my other database. And I'd be happy with them taking the policy information. I think what the policy and documentation are really saying is how you're prepared as an organization, and that's irrelevant of the threat actor, right?
Dave Detweiler: Even if a threat actor got my standard operating procedure saying that I'm gonna go do a backup, if they haven't thought of encrypting that backup already, I'm already one step ahead of 'em, or vice versa, right? Because most [00:14:00] times now you're seeing that threat actors are smart enough to go to that next step. Oh, well, I know Mike's gonna go to a backup, so guess what? I'm gonna go encrypt the backup before Mike gets there. So I don't know that the threat is necessarily them taking the documentation. 'Cause I think they probably wrote and have files on all the documentation that we're writing. I think the idea is that as long as we're following that documentation as an organization, they can have it. We'll succeed. Because they won't get what they need. Do you know what I mean? And I think that's probably the better play of it.
Mike Fuso: I gotcha. So [00:14:30] we see this trend now that cyber threats and bad actors are beginning to kind of act in concert and work together now more than ever. How do partners in the cyberspace, like you, need to evolve to better support us?
Dave Detweiler: Yeah, I think that's a really good question. I think for everybody that's on the phone, you're seeing this now, right? We all, as professionals, came to the term of SaaS, right? Software as a service. Bad guys now have ransomware [00:15:00] as a service. They've figured out the organizations that are good at the things they should be good at, and now they've partnered together. So some people are better at getting into organizations. Some people are better at writing the actual malware. Some people are better at actually, you know, if you will, taking the data out, right? Harvesting the data. And they have now started to work together. We're seeing legitimately a cyber society where people are retiring, where people are [00:15:30] actually merging organizations together. We just saw one two weeks ago, Mike, if you probably saw it come across your radar. I think we were actually together as it came up.
Dave Detweiler: But the idea that, you know, a hacker maybe took it too far and went after some children and a hospital, and that hacker got kicked out of the hacking groups, right? So there's actually kind of guidelines to these organizations. Your question is, how do we solve that? How we solve that is we have to work together. New Jersey Bankers has created a great cybersecurity committee, for example, [00:16:00] where sharing of this information, there is no proprietary data. There's nothing that is making your bank better from a cyber standpoint. You're not gonna put on your website that you're the best bank at cyber. So the idea is we all have to share this information. That's our belief. That's SEI's belief from our beginning, is that if we can share threat intelligence out into the markets, it'll help everyone be smarter.
Dave Detweiler: That's what has to happen, right? The idea that, yeah, these guys all work together, and yeah, they're extremely smart, and yes, there is a person sitting on the other side of the screen that's trying [00:16:30] to do this to your organization. But at the end of the day, Mike, it's, I mean, you lived in the city. I lived in the city before too. At the end of the day, what are bad guys doing when trying to rob a car? They're just walking through the city checking locks, right? They're not gonna go after the car that's locked right away. So the best thing we can do is get, you know, get our house in order, Mike, but also become a community ourselves of good guys, not just the bad guys. So that way we all hear what's happening, we get current information. I'm sure everybody's aware of the ION event that's happening this week right now, right, in the UK, [00:17:00] and maybe some of you guys aren't, but there's a lot of trades and financial information swirling around that hack right now. The idea is, if we're all aware of that much quicker and we keep each other informed, I think that's the best way that we can do it. I think that, again, when we start using that fiduciary term and things like that, and you start thinking about bad guys all working together, I think the good guys have to just make sure that we're commonly working together, especially in this area, Mike, 'cause it won't necessarily add any competitive, you know, advantage or disadvantage.
Mike Fuso: That's a great answer. [00:17:30] That's a great answer. So let's finish where we started. You know, we talked a little bit about fiduciary, and we know that that's a financial term, but how do we bridge that gap into the cybersecurity world, and what can we do to take that word fiduciary very seriously, as seriously as we take it on the financial side?
Dave Detweiler: I think that's [00:18:00] where we have to get to, right? And I think here, you know, the suggestions I'd have, Mike, for today, you know, some of this comes at die level, right? The SEC, some of the governing bodies and everybody out there saying, you know, show good plans. To your point, what if a bad guy steals 'em? But show good plans, have good prep work, right? And have good documentation. But really what I was starting to lean into a little bit earlier in our conversation here, Mike, is what you have to get to is kind of an expectation of what threats we're gonna see. Like, that's where we have to get to. There's never gonna be a crystal ball [00:18:30] to tell you what's gonna happen on Tuesday, but I can damn well tell you for sure, Mike, over the course of the last 10 years, there's enough threat intelligence for us to make a good guess, a good physical guess, a forecast of what's gonna happen.
Dave Detweiler: So I think that's the first piece. You know, what's active in our industry, what are the threats that are out there in the industry right now, and what threats should I expect to see? That's the first piece. And as people start to understand that, I think they can start to better consume what they should be doing to protect it. As you go through that, you know, what's the process for looking at these threats? [00:19:00] 'Cause there's a lot of 'em. So how do you bubble those up? You gotta have a process there. And how do we regularly update that forecast? So how are we constantly, back to the point of sharing amongst our peers, amongst the community, how do we continue to get new information that's updated and current, and how often can we make that current? So what I'm talking about there is that picture, that picture of what's out there and what can we see and what do we think is gonna happen.
Dave Detweiler: And then I think as important as that is kind of the joke that we made kind of off the side of our mouth here, is [00:19:30] we have to be prepared for what happens if we fail. So what happens if this fails, right? What is the case you saw? There's a stat that just came out about a month ago now: last year, 55% less ransomware was paid. Okay, well, that sounds like a really good stat. That seems to me to say, okay, well, IT guys probably had their backups ready, and as soon as something got encrypted they were like, screw up. We don't have to pay those guys. We'll just go back to the backup and we're up and running again. Right? But maybe what that means is people aren't reporting it as much, or maybe what it means [00:20:00] is, you know, they didn't get as far that they'd have to promote that out, I guess is the comment.
Dave Detweiler: But the idea here is, I think that as you go through this, you want to see if you can prepare for this and understand that you're a fiduciary, not just of financial gain and money and all that wherewithal. You have all this other data that is really the most important thing that the cyber criminals want. They want Mike's access and his account number and his SSN and everything else. So the idea is, if you can get that clear picture [00:20:30] of what's out there, what threats are present and relevant, work with your peers on what they are seeing and what's out there, that should give you a good idea of what to expect. Understand what protections you have in place so that way you can ensure or feel confident in some of that risk score that we talked about. And then ultimately have a plan, and like, have a plan. If this happens, what are we gonna do? Have a connection. Have people you can reach out to, have professionals in your, at least in your old-school Rolodex, I would say, Mike, but have those people that are available. And I think that'll put you in a good spot [00:21:00] for now.
Mike Fuso: Well, Dave, thank you so much. We really appreciate it. We really appreciate your thoughts and everything that SEI Sphere does in this area. And for the New Jersey Banker podcast, I'm Mike Fuso.