Credit unions have for decades earned their members' trust, and ultimately more and more of their business, through a proven track record of delivering high-quality financial products and services with members' needs foremost in their focus.
Today, however, credit unions are also faced with the challenge of maintaining that trust through the availability of IT systems, the protection of data, and the security of assets in an environment with an ever-increasing number of bad actors. Many observers feel that the traditional cybersecurity providers have not historically put financial institutions such as CUs in a position to succeed when it comes to measuring and, particularly, managing this risk as effectively as needed.
In this webinar sponsored by Dollar Associates, you will learn about the credit union industry disconnect between:
- A marketplace that offers products, instead of solutions
- Providers that alert the user there is a problem, but do not fix it
- The business’ responsibility to conclude that their security investments are "doing enough" to keep everything safe
- The inevitable growth in regulatory demands
Dollar Associates has asked the experts at SEI to participate in this timely webinar as their guest presenters. Watch this overview, covering the type of expertise needed to guide credit union leaders through the cybersecurity demands of today, including international disruption and dramatically increasing cyberthreats from Russia, China and elsewhere on the globe.
Moderator: Dennis Dollar
Panelists: Dave Detweiler, Mark Norcini
Credit unions and cybersecurity
Dennis Dollar: Good afternoon. This is Dennis Dollar with Dollar Associates, and we welcome you to our webinar this afternoon on Credit Unions And Cyber Security: Are You Doing Enough in this Environment? And we appreciate you taking a little bit of your time this afternoon. We have a very large turnout for this particular webinar. It's one that our clients have been asking us as a part of our webinar series to address over the last year. And it has really ramped up in recent weeks with what's going on in Ukraine, and with Russia, and the additional warnings that are coming down from the financial regulators, including NCUA. And so we felt like the timing was right, and we obviously, by the number of you who have signed up to be a part of this webinar today, have had that validated.
We always try at Dollar Associates to be thought leaders to bring you and your leadership team at your credit union both our clients, who are always the majority of those who participate in our webinars, but also others that are on our notification list and on our webinar invitee list to come and to be with us.
As always, you'll be in listen-only mode throughout the webinar. We'll be taking questions through the chat feature. We always get a lot of questions. And if we run out of time in respect for your time, we will make sure that we follow up with any questions that we did not get answered during the webinar.
Also to let you know that you will be receiving a link to an archived copy of both the audio and the video of the webinar, probably within... well, we say within the next 48 hours, but it's probably tomorrow. And you'll also see over there on your right hand side, that there is a PDF of the slides from this presentation that you can access at any time.
So we do appreciate you being with us. And with that, we're going to kind of jump on into it here. I'm going to move on to my first slide and do a little bit of an overview before we bring our experts in, because I think most of you who know me know that we know credit unions here at Dollar Associates, but claiming to be a cyber expert is not something that is necessarily in our strike zone. So we went out and tried to find somebody who it was in their strike zone to be able to talk with you today.
And it's more than just a challenge, this whole cyber security issue; it is a fiduciary issue. And I was really pleased by the number of directors who signed on for the webinar today. Because as a fiduciary of the credit union, it is an area of operational and reputational risk for all financial institutions today, but particularly credit unions, because I believe, and this is just my true believer as a credit union, that as member-owned financial institutions, our institutional credibility is more at risk if our members are impacted, than even are some for-profit banks, when their customers are impacted.
Yes, everyone's reputation is impacted if there's a major cybersecurity break, but as an institution, which a credit union is, it's a not-for-profit financial cooperative, our members, I think depend upon us as a trusted fiduciary, if you will, on their behalf many more times than do a for-profit bank, just owned by the stockholders. They turn to us for that assurance. And I think that we've been very fortunate not to have major headlines in the credit union industry, but there have been breaks. There have been threats.
There have been certainly examples of malware and ransomware and DDoS and phishing and all the other things we have listed here that have been in the credit union press, some within just the last couple of weeks. In fact, in the last 30 days there have been new threats that you see listed here: APT28, and Gamaredon, and Conti, and WhisperGate.
It just seems to be that every day there's some new cybersecurity challenge that's coming up, some new breakthrough that we're having to be ready for. And the primary targets seem to be government, utilities, and financial institutions.
And yes, the global events that were mentioned a moment ago have expanded the threat. A lot of the cyber threats were originally from Ukraine. Now that Russia and Ukraine are involved in the war there, you have both as a possibility for attacks. You've got China and Iran that are also pushing the envelope at this particular time because of what's going on in Russia and Ukraine and the uncertainty that this has created.
And then you've got the advent of cryptocurrency that has accelerated really the ability to secure ransom for a credit union, for a bank, for a utility company, for a governmental agency, to be able to remove maliciously destructive malware.
And you are also getting more and more media coverage of cyber attacks. And the reputation risk factor is really, I think, greater than ever before.
As the next slide shows, it's kind of interesting, I bet you didn't know that NCUA had a foreign policy. Well, if you have been following the NCUA website and their publications over the last two months, they have issued two major cybersecurity warning alerts already in 2022, in which they dealt with specific state-sponsored cyber threats from Russia. They've joined with the FBI, CISA, NSA to warn about some specific threats from individuals in Ukraine, China, and Iran.
And the Federal Reserve has just recently moved cyber attacks from their number 15 worry on the financial stability of the nation to number seven in its list to the greatest threats to the US economy.
So NCUA, our primary regulator or insurer of just about every credit union that's on this call today, certainly the Federal Reserve, which we also have to live by their rules, both of them are focusing on it more and more. I was at a luncheon meeting with a member of the NCUA board just last week in which he told me just how extensively the NCUA's budgetary commitment for 2022 and 2023 has been ramped up for investing in expertise in the cyber arena, even to the point of setting up a separate cyber security division within NCUA, which was certainly not the case when I was there as NCUA chairman back in the early 2000s, and has not been the case over the last 15 years after that.
But now they are actually developing their own cyber security department at NCUA. We're going to see it more and more and more being an integral part of our examinations.
The next slide shows that this is one of the areas, and this particular board member shared with me, he said, "One of the reasons that we're doing more not only is the great reputation risk that credit unions have, but the fact that we are getting pressure at NCUA from Congress, where both Democrats and Republicans, there's not many things they agree on these days, but they both have introduced and have held hearings on legislation that is really not itself designed to get tough on cyber issues, but to require the regulators in the various industries to get tougher on cyber issues."
So how they're approaching it from Congress is not, "We're trying from Congress to prescribe what the solution should be on cyber issues, but we're going to put pressure on the regulators to be able to come before us and have to answer what they are doing, how much expertise they have, how on top of it they are, what they are requiring from those that they regulated."
And the NCUA board, which is often divided on certain philosophical issues, as you know, it's a bipartisan board. You have a democratic chairman, you have two Republican members. There's been quite a few issues in credit union land that they have not agreed on, but the NCUA board has been unanimous and united on the priority they're placing on cyber security, in both regulation, and most importantly, supervision.
Whether there is a new regulation passed in the cyber area is not so much your concern, as is what is going to be the focus of your exam team the next time that they come in through the supervisory process. And if there has been created, as there is going to be, a separate cyber department within NCUA, those staffers are going to become parts of either the exam teams themselves or training the exam teams. It is going to be a major focus of exams in 2022 and 2023.
As a former regulator, I think one of my responsibilities to you, my credit union clients, as well as other credit unions who participate in our webinars, is to say that if there is something sneaking up on you in the regulatory arena or in the supervisory arena through your examiners, we feel like it's important to bring that to your attention and at least give you an understanding of what they're going to be looking for.
Yes, no matter what you do, there's always going to be some holes in the cyber arena, because again, we have to be right every time; the hacker only has to be right once. However, there are some things that the examiners are going to be looking for. Some of the things that it is general consensus, that is the direction this is going, and we wanted to be able to give you some information on that today that hopefully would help you as you evaluate your own cyber program.
So as my next slide goes, we know that you're going to have to respond. You're going to have an impact upon your capital and your earnings from the investment that you have to make and the potential risk that's going to be the focus of your examiners. However much you have spent on cyber in the past is going to be a down payment on what is going to continue to have to be done to stay ahead of the game here.
So it is not only going to impact your examination score, it's going to impact your capital because of the investment that you have to make in it. And so the examiner's going to be looking at that, not so much does the credit union have individual threat protection, is going to be what the examiners look at, but does what you have work together and are they sufficient to today's threats?
I don't think there's a one of you on this call that has not invested dollars over the course of the last five years, 10 years, to be able to try to stay ahead of this. And no matter how much you try to stay ahead of it, you still somewhat lie in bed at night and wonder, "Do I have all the holes plugged, and will these various purchases that I have made, these vendors that I have retained, these tools that I have brought into my toolbox, do they work together sufficiently to stay up with today's threat? And can the credit union both identify and fix cyber issues and threats with the existing expertise, staff, and products, or do I need to relook at that question?"
What we have heard more and more from the examiners that have come into our credit unions, our clients at Dollar Associates, they're asking not only do you have the tools to identify a problem, but you remember the old commercial where the dentist looked in your mouth and says, "Yes, you've got a cavity, I've never seen one that big."
And then he takes gloves off and he gets ready to walk out. And the person in the chair says, "Well, aren't you going to fix it?"
He said, "Oh, no, I just identify the problem. I don't fix the problem; you'll have to go to someone else to fix the problem."
I think that there is a growing interest on the part of the cyber experts at NCUA to see that you have not only the ability to identify cyber issues, but to fix them as well.
There have been 16 credit union clients of ours that have seen examiner findings become DORs, and three DORs become LUAs in 2021 and 2022 on cyber issues alone. So it is a growing area. It is an area of focus. You are rightly focusing on it, or you would not be on this webinar today, but we felt like that what we wanted to try to do is see if we could provide you some expertise to at least help you determine if you're headed in the right direction.
So with that said, I'm going to move on to the next slide and move on to bring in some experts here. And in fact, the next slide, let me introduce the experts, and let me get out of the way and let them take the lead here. I've kind of set it up with what the regulators are expecting and what the marketplace is demanding today.
And I will tell you this, when we began to look at who we could bring in to try to help give us some guidance on this one of the things we looked at was we wanted someone who dealt with the cyber issue, not just in credit union land. I know that there are some vendors out there, and some good people who deal with cyber in the credit union land, but it is not something that's unique to just credit unions, the banking industry, the insurance industry, the utilities industry, just name it. And there is not an industry that is not subject to these same threats, these same issues.
And so we wanted to try to find a firm that was big enough and dealt with enough of the wide range of cyber issues. And we came up with that with SEI.
I'll let David and Mark tell a little bit more about SEI. Do a little Google research on these guys. It is a top line cybersecurity firm that I think deals with something like 11,000 financial institutions. And when I learned about them, had a chance to talk with them a little bit, look at what they do, how they coordinate all of this, I asked them, I said, "Guys, I'd like to have you on a webinar."
And they said, "Well, sure, we'd be more than glad to do that." So with that, David Detweiler, and Mark Norcini are with us from SEI. SEI Sphere is their particular division that focuses itself on cyber security; SEI deals with so many different arenas, it is truly a top-500 type of company.
But David and Mark are going to particularly focus in on cybersecurity today. Their purpose is not to try to sell you on SEI, it's to be experts on the issue. During the course of that, I'm sure that they will speak to how SEI approaches some of these things, and the purpose there is for you to look at how you're approaching it and see if you're approaching it the same way. If you're missing something, if there's some hole there that perhaps through what they guide you through today, you can help to fill.
And then we'll take your questions at the end, and try to be able to give this back to you by the top of the hour.
So with that, David, I'm going to turn it over to you first, and we appreciate very much you and Mark, and the folks at SEI being willing to share with us in this webinar today.
David: Well, thank you, Dennis. And we appreciate the time. It sounds like you put a little pressure on Mark and I, but I think we're up for the task here today. And hi everyone. Really, what we're going to focus on is Mark and I are going to discuss with you a very familiar topic, which is cyber security, but what we're hoping to do over the course of the next 20 minutes or so, 25 minutes, is kind of maybe give you a different slant on the conversation and maybe something just to take away and think about.
Jeannie, you can move to the next slide. And progress one more. As Dennis mentioned, by the way, as we go through, feel free to submit questions in the chat. Mark and I also have put together a couple questions at the end here for maybe you to think about and maybe take back to the credit union as well and then back to your team.
But as Dennis mentioned, and we'll jump in here, as Dennis mentioned, for those of you not familiar with SEI, we're a 50-year old financial institution. Not necessarily a credit union like you all are, but we've spent the last 50 years providing financial organizations with different products and services, mainly focused on investments, as you're seeing here on our slide, things such as investment processing and investment management. For many of you on the phone, it may be an easy correlation if you think of us as kind of the core processor of the investment world.
But really, what's important to that is some of the things that Dennis mentioned. Over the course of our 50 years journey, 40 of which, by the way, we've been a publicly traded organization, we've grown to over 4,000 employees. Almost 2,500 of those employees are IT professionals here on staff. And as Dennis mentioned, we support close to 11,000-plus customers globally. We happen to process trillions of dollars through our walls. And really, what that has provided us, and maybe some of you will chuckle about this, but we've been designated as what's called a significant service provider by the US Treasury. And what that designation gives us is the pleasure of receiving quarterly audits of our systems and our programs. So, as Mark and I talk to you specifically about cybersecurity, think that the likes of the SEC, the OCC, the FFIEC are all coming into our organization on a quarterly basis, going through these programs from an audit standpoint, some of the things that you guys are seeing as the rules have changed.
But really, I provide this background to kind of help frame our position and why we're so passionate about cybersecurity. Over the course of the five decades, we've constantly questioned, are we doing enough to protect our customers and our own organization? We've tirelessly evaluated different vendors and tools in the market. We're also credited as one of the largest threat intelligence sharers in the financial community, something that we're very proud of. We feel, at this point, if we all can help protect everybody, maybe that rising tide will raise all ships. And really, ultimately, I think everybody understands today that cybersecurity and the nefarious actors are really looking for an ROI. So, if we can take that return on investment out from underneath them, then maybe we would all be better off.
But really, Dennis spoke a little bit about how the threat of cyber and regulation of cyber has evolved, and how, as leaders of financial institutions, we're constantly trying to determine that one question: are we doing enough? It's a very tough topic to scrutinize, or at least other organizations like ourselves over the years have tried to put data and information together to answer that sole question: are we doing enough? Can I sleep well tonight? Where do I stand from my protections? So, the question is what should we really care about as fiduciary business leaders, like Dennis mentioned? Where should we focus our energy and money? And that's what Mark and I are going to talk to you a little bit about today and kind of how we look at it.
And with that background, Mark, I'm going to ask you, if you wouldn't mind, taking a few minutes to explain how we view this from a fiduciary standpoint and the items that a lot of leaders tend to focus on as we look at it that way. You can forward the slide, Jeannie.
Mark Norcini: So, the fiduciary we're talking about is our executive team or our board. They have a fiduciary obligation over our business, right? They're not cyber security people. In fact, we make a joke that our CISO might come to the board and say, "Hey. Guys, we had 200 broken kill chains last month." And they would say, "That's great. Can you remind me again what's a broken kill chain? And how do we know that it shouldn't have been 201," right? It's not about getting a board or executive management team that are cybersecurity experts. It's about being able to communicate risk in a way that they understand in terms of process and results because what those business leaders do care about is these things that we have listed here: systems availability, protection of data, intellectual property, compliance. Nothing good comes from being out of compliance or getting dinged in some sort of an audit. We all love staying out of the headlines, right? It's important to everybody, especially from a reputation, like Dennis said, with clients.
And then in particular to our executive team, we constantly get challenged on, hey, it's great that we had a successful month or successful quarter. How are we looking around the corner for what's next and future-proofing our organization? And what that all really comes down to is trust. How do we, or how does the executive team or the board, trust the information security or the IT team that's overseeing cyber security? And then how do they use that to portray confidence of the trust that our clients have put into us, into SEI as a business, as a data steward for the data that's flown in and out of our data center on their behalf, as well as those assets that Dave mentioned? And it really just comes down to, how do we address risk? And that's a process that we're going to talk about.
So, here is the NCUA-
David: This slide... I should cut you off here real quick, Mark. This slide should look familiar to our friend, Dennis Dollar. I believe, Dennis, you were part of this NCUA risk assessment at one point during your tenure at the NCUA. So, probably familiar to everybody on the call, and I'm sorry for cutting you off, but I figured I'd give Dennis a little promotion there too, Mark.
Dennis Dollar: That was from back in my regulator days, but yes, the NCUA risk assessment that we developed in 2002 came out in a letter to credit union signed by Dennis Dollar when he was chair of the NCUA board. And these seven risk categories that Mark's about to cover have stood the test of time, if you will. And, as he's about to point out, they certainly intersect with the cyber risk as well.
Mark Norcini: Yeah. So, I'm guessing cyber might be its own bucket one of these days, especially given what you said about the NCUA's investment. But if we look at this, we make the argument that four of these risk categories overlap with cyber. And these are generally areas of risk, especially the financial ones, that have a long track record of refinement on how do you gather the data, what's the process to measure and manage that risk. And cyber is just younger and it's less established. And for most financial institutions, there's tools. So, there's tools in place. There's compliance. And then beyond that, it's just undefined and having tools in place and having compliance, we were there one time. There's just potential for a false sense of security how that's set up. And we talked about managing risk. Well, the general rule is whatever you can measure, you can manage. And that's the bottom line here. So, that's what we're going to talk about today.
So, if I could just make a quick analogy. Probably relevant to you all on the call. And you all are the experts at lending, but let's just take credit risk. When you're making a loan, whether it's a person or a business, there's the collection of data that goes along with it, right? Information about that individual, maybe other debts that they have, the income that they have to service that loan. Might do some confidence intervals on peer analysis, demographic data, or even economic projections and say, "Hey, what's the environment that's going to allow this individual to make money to pay us back?"
So, from that, all the credit union cares about ultimately is how do we know, how do we have confidence that this money is going to get paid back? And so, there are levels of failure and recovery along the way. And I'm going to translate this to cyber ultimately, but, for example, person or the business has income. But if that income were to become impaired and that fails, the next point would be, oh, well, are there savings to then cover that payment? And if that savings element were to fail, is there a recoverable value of the asset, as if it were a mortgage on a home? Can we recover any value from the asset with which the loan is associated? Now, if somehow that recoverability were not to exist, or it were also to fail, the credit union might ask themselves, hey, can we insure ourselves against this loss? And then ultimately, if you can't insure against it, at the end of the day, can the business survive a loss of this situation, a complete wipeout of the situation?
I only say that because what if we could create a process around cyber risk that was as clean and transparent and understandable for our fiduciary leaders to then understand how that process is working? So, we believe the ability to inform our leadership is completely correlated with the quality of the process to manage cybersecurity. We're going to talk about that here. So, go ahead, Jeannie.
David: I think this is important too, Mark, that everybody... it should resonate with everyone. And I know the credit risk is a great example. We all do this every day in our lives, right? And this is why we think that, from a standpoint of cyber, it's been difficult to articulate back to management and back to our boards because it's a topic that's fast, it's new, like Mark said, but if you associate that back to everything else you do in your personal life, your private life, you make decisions every day on risk, and how far you'll take it or how much you're willing to open yourself up to that risk possibly. And that's really what we're trying to figure out. Like, when I said at the beginning, kind of a different look at this, it's really kind of the center of this diagram and the next slide that we talk about here. But really, how do you pull this all together? And Mark, I think this is a great diagram. Plus, every PowerPoint should have a good Venn diagram. So, hopefully, everybody's excited from that.
Mark Norcini: You're just checking the Venn diagram box here, but it is a good way to simplify this, which all the threats in the world is an impossible task to manage. So, through peer groups or industry groups, things like that, we have a whole process around, which one of those are relevant to us, which should we expect to see in the next 60 or 90 days because they're live or they're attacking people that are similar, businesses that are similar to us. And then what protections do we have in place for those relevant threats? And then we deployed all of our efforts and resources towards that part in the middle. And if we're going to measure our risk, we need to start with a process of identifying which risks to be looking at and then how we're protected against them. The problem with this is that the industry has kind of put us all, as financial institutions, in a situation to fail.
So, Jeannie, you want to go to the next slide. So, a history of being set up to fail. It's a marketplace of products. That's why we think it's a set up to fail. Attackers are attacking us with systems, and we're defending with products that we buy on the market that were not designed to work together. They're operating in silos, as you see on the left there. Think about your email tool, your network tool, your endpoint. So, it's most likely not all from the same company. And even if it is, it doesn't necessarily mean that it is integrated or working together as a system.
The other issue with that is, with cybersecurity products is, it's really hard to tell what's inside those things. So, if we're trying to identify what protections we have in place and we have all these tools, it's not like you can open it up and just see a list of everything, let alone, would not be pretty exhaustive, especially for credit unions that have an IT staff of 3, 4, 5 people maybe. But that transparency, that visibility into the tool, what it's actually blocking, it doesn't actually generally exist. So, it's an issue of our team, our products and our vendors not really pulling in the same direction. Dave?
David: Sorry. I was on mute there, Mark. I think that it brings a good point that I'm sure that many of you attendees have experienced in your life. So, you've gone through some audits. To check the boxes in those audits, you've put specific tools in place. Those tools have come from different vendors, like Mark said. So, now, you have an aggregate or a stable of vendors. And some of you may spend a couple hours a week, maybe a couple hours a day managing those vendors. And I'm sure none of you have ever been to the point where sometimes having multiple vendors leads to a grayness of who actually owns the situation. The fabled tale in technology is, oh, is it a hardware problem or is it a software problem? Both vendors are blaming each other. You know what I mean? Or is it, to Mark's point, an email problem or is it a network problem? And oh, by the way, both vendors are now giving me a bunch of things to look at, but no one really solved the problem. And who owns that problem? How is it solved?
And really, from our standpoint, what we found as we were going through this journey ourselves, like we mentioned, over the last five decades, is, if you had some of this finger-pointing going on, especially in the cyber world, that led to untimely responses. And that could be the worst-case scenario in this world. The nefarious actors, they act quickly, they move quickly, they're agile. And the idea that if you're sitting around waiting for a fix or a patch or something that has to occur on a following weekend, it really starts to constrain the team. It also constrains the program.
And then ultimately, what this leads to, and Dennis mentioned this, when you have those silos on the left and you have multiple vendors or tools in place, how does that help in fixing the problem so it doesn't happen again? What we've seen historically in cyber is a lot of people are really good about telling you what's wrong, to Dennis' dentist scenario and picture that he painted for all of us. The idea is, why aren't these vendors fixing it so it doesn't happen again? You're getting the same repeated alert over and over again. You're seeing the same thing come up on your list of logs. And you still go to bed at night wondering whether you're doing enough to really solve the problem.
So, I think if you take it to the next slide. And I'll start on the visual here and hand it over to Mark. But really what we've put together here to eliminate those silos and eliminate the potential of any finger-pointing that might occur... and this is a visual of what we've put together. And Mark, maybe you can walk us through this a little bit.
Mark Norcini: Yeah. So, we kind of made the investment in our team back in the mid-2000s, which is kind of light years ago in the cybersecurity world, but shockingly, the same problems exist today. But we made an investment in a team. And the job of that team was to integrate, to bring together the team with our tools and our vendors. It wasn't to get rid of the tools that we had. We liked our tools. But how do you make them all pull in the same direction and integrate it into that system?
Like we said, attackers are attacking us. And what's important here is the investment in the team. There is no tool to integrate tools. That's a lot of marketing. It takes craftsmanship, and thus the team that we talked about bringing on board. But when they were done, what they had or what they made, would operate today, is our own business for cybersecurity is this here on the left, where the three major pillars of infrastructure for our business: email, network, and endpoint. And then they all tie into what we call our centralized cybersecurity platform, which is a [inaudible]. If you're a cybersecurity person, it's kind of a central aggregation tool with a backend operations that allows us to deploy all the threat intelligence that Dave mentioned. And the important thing is that what they did is they created a system that allowed us to have a holistic view of infrastructure by integrating all those tools and layers of resilience...
PART 2 OF 4 ENDS [00:34:04]
Mark Norcini: ... Good infrastructure by integrating all those tools. And layers of resiliency, which I'll hit in just a second, but much that credit analogy. And most importantly, a single point of execution. We got to the point where we're fiduciary to 11,000 other institutions, we don't want to have to rely on vendors to do anything in a timely manner. Not because we don't trust our vendors, but the operating model just didn't work for us. And if you think about that team's job, it's to look into those tools as well, right? We have to define the protections that are in place, if we're going to be able to stop them precisely. So in looking inside each of those tools and then aggregating that out, and then that team has the ability to then close those gaps. And so when I say gaps, if you asked our information security people, "Hey, open up our tools that we bought, our third party tools, what coverage do they have for all of the things that we need to cover?" And they'd say probably only about 60%. So there's a gap of 40% between the risks that we've identified ourselves, and the coverage that we get from our tools.
Now our team is able to cover that gap and I'll show you in a second what that looks like. But consider what's actually going on in your tools, right? Trust versus verify. Even if it's a great company, you got to know what's going on in there. And so look back, we're going to make an analogy here. The financial crisis of 2008. Imagine many of you were working in the industry at the time. If you had a triple-B loan or triple-B asset, hey, the ratings agency told you triple-B, that's investment grade, that's safe. You're good. Hey, you're compliant. But what we know is that financial crisis is that some of those triple-B's, if you didn't know what was inside, they were full of junk. And companies that relied on that, that rating, went bankrupt.
So going back to my earlier analogy, that last question in the fail/recovery cycle is, can the business survive failure? So we open up those tools, we build the system, we trust, but we verify and have the craftsmanship to not rely on those products or tools. And I'll end with this, the objective of all this will work, not to get too detailed, but much the income to the savings, to the recoverability of the asset, to an insurance, and then just basically surviving. The equivalent in cyber world would be, let's pick on Dennis here, Dennis and Kirk go into new business as hackers and they create a dollar bot, which is a ransomware threat. And dollar bot delivers through email, they try to get sent a bad email into an email box and get someone to click.
Well, we know from our program that we have protection for dollar bot in place, and we've tested it, we validated it, we're good. But on the off chance that somehow dollar bot gets through, and someone in our company clicks on that email, and it tries to go to their laptop, right? Endpoint, we got coverage. We know on our endpoints, we've already tested it, "Hey, we're ready for dollar bot, we've got that coverage. Because look, the system's been ready for it, our team's ready for it." And then in a scenario where two 99% chances fail us, right where we have 99% confidence and somehow it fails, and sometimes it does. And that badness tries to call out to its layer on the internet, through our network, we know we're going to block it on the network. So that recovery and failure point we have with each of these threats, not just by the tools, but threat by threat, identified on each of these different pillars, the protections that we have, the relevancy of that threat to our business, whether that protection is going to work. And then of course validated that.
And that's how we measure risk. That's how we deprioritize threats that might come our way, and spend some time looking around the corner to what's next. But that's how we know ultimately the answer to that question we've talked about, is, are we doing enough to keep the business safe? And that's a process that our leadership can have faith in. They don't need to be cyber people, but they know that process in place. They can see the data involved with it. They understand that flow. And that is what keeps our leadership and our information security program tied to one another.
David: I think that it's, trying to wrap this up into a nice, neat bow. Again, there's a lot of moving parts, but many of you sitting on the phone, as Dennis mentioned, we just went through kind of the geopolitical things that are happening in the Ukraine and Russia. And I'm sure either you yourselves, as I see some of the titles on the call here, or some of the people maybe sitting in the chair that we're speaking with today, may have been asked the question, "Hey, are we good? Are we covered?" And I think the question is, what was the answer to that, right? How do you know that? And to Mark's point, well, we have intelligence, and we got initial releases of that malware, and the tools that were being used by those attackers. And we ran them through our system to make sure that we had rules written and codes written to make sure that we were protected and our customers were protected.
And then on top of that, we wrote some additional rules and codes just to be double sure, right? It's a topic, really Dennis made the comment earlier, a lot of people make the comment, attackers only have to be good one time. And then you have to be good a hundred out of a hundred times, right? You have to stop them a hundred times. Really what our system and our tools have put into place is it makes the nefarious actors have to be good five, and six, and seven times. It's not just one time that they get lucky. Because of having that integration, and then having that ability, as Mark mentioned to relate the risk back, and have a full understanding of that kind of transparency of that world, that Venn diagram we talked about, really allows us to feel good that we are doing enough to answer that question, right? And really-
Mark Norcini: And five, six times a day without being noticed.
David: Right, exactly. Yeah, exactly. Five or six times without ever being noticed, which is, to your point, there's never a silver bullet in this market. And anyone that tells anyone there is, you know, "Oh, this will stop everything." I think we all know to question that. But really, if you can put this layering together, it'll create better resiliency. And as we look at it, the alternative is really kind of a false sense of security, right? A lot of us will come up to our audit and the auditor will say, "Well, you need this tool in place," and we put the tool in place, and that checks a box. Well, does that really solve that problem of knowing you're doing enough? It may have just checked that box. Or the regulator has asked us to do this, or, "Hey, I'm going to wait until CISA pushes out their latest warning or recommendation."
And I think at the speed that this cybersecurity kind of topic flows, you never want to be behind that. So I think that as we pull all this together, hopefully this gives you a little bit of insight on how we look at it from an SEI perspective, it's a topic that's constantly evolving. As Dennis said, we work with 11,000 plus financial organizations, we're constantly in this conversation. And as Mark and I mentioned, we did create a couple questions here that might be helpful for you all to take back. I think one of the things our CISO mentioned to us was that, when he comes to webinars, and Mark and I prepped, and we talk with Dennis Dollar, and we went to our internal group, right? Our CISO, and our ISO, and our compliance officer and said, "Hey when you come to these webinars, what type of information would be helpful?"
And both of them mentioned something to take back, something for me to think about. So the thought here was, we put together a couple different questions, things that you might think about, or take back to your team meeting and ask about, just to start the conversation. Because again, from our standpoint, we're all part of this financial industry, that is the most highly targeted and highly attacked industry in the world, right? I mean, this is what everyone's coming after. So as we all get smarter, we're all going to be safer. And that's really how we come about it. We don't view this as a competitive advantage. I doubt many of you from a credit union standpoint are out touting on your website that you have really good cyber security in place. It's not something like that, really. But the idea is that you don't want to be hacked. You don't want to have an incident, and that's the security we're all looking for, that's the question we all ask, when we ask, are we doing enough? So there are a couple questions here, Mark. I think that you want to point out one or two here?
Mark Norcini: Yeah. Well the second one goes back to some of that product stuff I talked about, what's on the inside, what's going on in our products, right? So even if we don't have a process to identify threats, if we hear of something in a sharing community, can we go to our vendors and find out if they have coverage for that? That might be a simple question to take to your team. Is our vendor responsive to that at least within a couple hours?
David: Yeah. And it's wild too, where all the information's coming from, I'm sure many of you have your ears to the ground, or whatever it is. Twitter is a great tool nowadays, where information is being passed around. It's wild to see the different tools. And if you go to the next slide, there's a couple more questions that, again, will be part of that. And if any of you downloaded the handouts, you'll have this in there, as well. These are some of the higher-level questions that we talk about around additional investments need to be made in cyber risk. How do we go about that? I think it's a... Hopefully you'll take away from today that idea or that concept that, all the other risk that you're working on at the credit union has some type of a calculator or analyzation to it, and cyber's difficult to analyze. And that's hopefully what you'll take away from here today. It is difficult, there are ways to do it though. And hopefully that'll help you be safer tomorrow.
I think we always... Mark's favorite question when we talk to organizations is around, how confident are you, right? Zero to 10. Well, what's that mean? You know, what does that really mean? I think that question has a lot of different areas to it, but what will it take for us to be a 10? Sometimes that's a question that is difficult to answer internally, right? And some of that comes from peers, and just having the conversation about different things that people are seeing across the industry. So hopefully a couple good questions here. I love the trust to verify. I think that's one of our favorite topics, right? You always want to make sure it's happening, but definitely verify. And with that, hopefully that gave the group some things to think about. I think we had a couple questions come in here too, Dennis. And keep an eye on time, I'm going to hand this back over to you, and seeing if we can answer a couple of those questions for everybody.
Dennis Dollar: Well, you have had some questions come through, and Dave and Mark, thank you for that. I think that what I took out of that, I don't want to speak for you guys who are on the call that are much more cyber security experts than am I, but that we've got a lot of siloed solutions to various aspects of the cyber industry. But what is the unifier there, that lets us know that they are working together and that our system, our process, is more than just a series of silos, but something that is actually giving us some protection? I've got a question here with CISA issuing warnings multiple times, in regards to the Russia-Ukraine situation. What did that look like for SEI's team? I guess the question is, have you guys uncovered any particular activity as it relates to Russia, Ukraine, and what that may be generating in the cyber arena?
Mark Norcini: Well, yeah, and Dave touched on this a little bit. I think we did what most people did, which is hardened systems, right? We accelerated any external patches that needed to be put up, just to make sure that we didn't have vulnerabilities that were under our control. And then second was, I think the night of the invasion is when a lot of the cyber activities started happening. And I think being tied into some of these communities, where it's not just SEI is a part of the community, but the actual skilled information security specialists, the analysts, engineers, they have their own communities of like-minded, I guess kind of wannabe superhero types, who just want to get rid of the bad people. And they're great, but they share a lot of information. And so Dave touched on this, but we were, by being in one of those communities, able to obtain what that... It was a Russian wiper malware and it just wipes data. That was the main thing that was being launched at that time.
And so we were able to obtain what that looked like, and what it was, sandbox it, play around with it a little bit. And then going back to the process I explained, we were able to say, "Hey, how many detections do we have currently in place?" Whether they were from our tools or things that we had deployed, would identify this, either see it, right? Detect it, or prevent it. And then how much more do we need to get really comfortable with it? And so the conclusion of that was, 8:00 AM the morning after the invasion, CISO was able to walk to our executive team and say, "Hey, here's what they're doing. Here's what we know about it. Here's how they're trying to do it. And here's the defense that we have in place..." And back to that kind of measuring and quantifying risk. "... Here's why we have basically decided we're just going to monitor, because we feel like that, that risk has been measured down to an almost near-zero concern for us."
Dennis Dollar: So basically, you were able to stop it because of, basically the networking process?
Mark Norcini: Yeah, the process of... Yeah, the integration of everything, along with the team that then addressed gaps on top of those things that our tools don't have. Yeah.
Dennis Dollar: Going back to my earlier dentist analogy. So in that particular case, by having the integration of the systems, you were able to not just identify it, but you were able to stop it. I guess you say it happens overnight with the invasion. So by the time everybody got to work that next day, was it already in their inbox? "Look, this happened last night and here's how we fixed it." Or did they have to fix it when they got to work the next day?
Mark Norcini: Yeah, so they didn't have to fix it, right? It's already taken care of, we're in front of it, there's a summary of kind of what we did, and what they need to know, what was important to know. But yeah, ultimately it's a, we're going to take on that responsibility of making sure it's taken care of.
David: And Dennis, I think you know, Dennis, quite aware that, so many credit unions that day, right? We were all getting alerts, just like everybody else. And that was the biggest question, are we prepared? How do we know we're prepared? Right? And that's a very difficult question to nail, you know? The idea that, I think there's a couple terms that float around, around cyber security. I think this is one of the very few adversarial businesses, if you will, we constantly have someone that we're defending against. And I think that from an SEI standpoint, we're always in a wartime stance, right? It's sad to say, but it doesn't stop. You mentioned other countries, I mean just... And I'm not minimizing what's going on in Ukraine and Russia, but you mentioned China and North Korea. We are constantly in a wartime stance, every day, 24/7. It's just how it has to work.
Dennis Dollar: Well again, if I've heard once, I've heard probably a dozen times from my sources at NCUA, that we are not that impressed when we walk into a credit union that shows us a series of emails where their products, or their vendors, or their tools identified a problem. But yet it took them 48 hours, 72 hours, to be able to fix the problem once it was identified. And I think that is one of our areas of weakness here. And I'm glad that you addressed that. And I think that a part of the value of what you have offered here to our participants today are those six, seven, or eight questions that you gave there. For the next time you have your cyber team together, just to take those questions as a starting point for discussion to do a serious self-evaluation of, do we have the silos, or do we have the common approach? Another question here, where does compliance, regulatory documents, et cetera-
PART 3 OF 4 ENDS [00:51:04]
Dennis Dollar: ... compliance, regulatory documents, et cetera, fall into the Venn diagram that you showed a minute ago, since it's also a big component of cyber security.
David: I'll take a shot at that, Mark, and then you'll probably want to come in over the top with your tremendous background. I think that is a key foundational element. I think the diagram we were showing was kind of how you can evaluate the different things that are going on and understand you are doing enough. I think everybody at this point knows, fundamentally, policies are in play or in place. How much or how little your employees have access to and things like that are so important today, so I think that the Venn diagram was a specific example. I think that if you were going to put the policies and procedures and things like that, that would be the foundation, if you could, of that Venn diagram, which should be the baseline of each of these programs, which obviously helps us all.
I think that a lot of times, and specifically in this conversation, we were focused on the action of it prior to the building of it, but I think whoever submitted that question is spot on because that is probably just as important. But we don't find as many people struggle as much with the policies or procedures. Some good examples out online, something also that we're happy to share and work with our organizations with as well, to make sure that you get into a good spot, so not minimizing that at all. It is vitally important. I think that Venn diagram probably just doesn't have a foundational element to it, which would be those policies and programs and procedures that you have in place.
Mark Norcini: The other thing I would add to that, and Gartner's big on this, Gartner being an industry-leading research firm, Gartner will say there's a difference between being mature and the performance of your program. A lot of the CAT tool in the financial industry, different measurements of the maturity of the program. Well, that's good to be mature. That doesn't necessarily equate to the performance of the tools, and that goes back a little bit to that black hole nature of investment products or of security products and knowing what's going on inside.
Dennis Dollar: Got another question here that kind of... "I like your questions for our next cyber team meeting, and I feel like we can answer them all, but our credit union board doesn't have the level of understanding we do and seem to want us to be able to prevent any attack. How do we address the expectations of a volunteer board that just doesn't get that there is no way to protect our system against any attack? The attackers only have to be right once. We have to be right all the time, like you said."
David: The first thing that I would mention, and Mark, I'll let you... I'll take a first whack at this too, and then you can come back. So first, we got into this a little bit today. Important that hopefully you put a system together where they have to be better than once. If you heard us talk about it a little bit, we think that they have to be good five or six times without ever being detected to get in, but the underlying problem here that you're talking about is an industry-wide issue.
How do we get boards to better understand this? How do we make sure we have enough money to actually fund these programs to do what they're asking for? And it really circles all the way back to the beginning question and conversation, but I think what we've done and what we try to help organizations with is that greater transparency, to Mark's point, the ability to say, "Okay, well, we did stop 200 attacks, and we're certain we didn't miss 201 because of these protections that are in place, and this is what we've seen historically. And then, oh, by the way, here's our best guess at what's going to happen moving forward."
This is the key question right here. I don't know that anybody has the specific answer. We got some pretty reports. I know we work with a lot of different ISOs and CSOs in helping for them to relay the information up to the board, but you absolutely hit the nail on the head. Many of them don't know what cybersecurity means aside from "I've been hacked or I haven't been hacked," and so I think that education process helps a lot. There's a lot of things that happen behind the scenes that people are never aware of. All the good work that you're doing, I think, can be presented.
I know our CSO does a lot of that with the board, but we still get feedback from our board, too, where they're saying, "Hey, you got to make sure you break that down or keep it at our level" from an understanding because they don't fully understand cyber. So I think part of it is definitely education, but part of it is also having something to show. When you can start showing some diagnostics to it or numbers to it, it starts to become real to them. "Hey, by the way, we saw 3000 attackers coming at our infrastructure this past month." Well, that's probably eye-opening to somebody. But I think that's the best way. I don't know that there's a silver bullet to that, Mark. I don't know if you have anything to add.
Mark Norcini: No, just continuing to speak in business language, which is, what's our process and how does it produce results, and how can we quantify that? And it's really hard to do. We just gave you a quick flyover today. Instead of looking at trailing indicators, like "This is what happened before and we didn't have a problem." That's good, but that's not necessarily sufficient.
Dennis Dollar: I'll make one recommendation here. When you get the archived copy of this webinar, keep it for a while, and make it available to your board members the next time they start asking some of these questions, and let them also hear some of the things that you have today. Actually, got a couple of minutes here. I got a question for me, to Dennis. "Do the regulators at NCUA or the state level have the expertise to truly evaluate the sufficiency of my cyber program? Governmental agencies are normally behind the curve themselves, and does it help me to have cyber products and tools that have been used at banks as well as credit unions?"
Well, just the fact that NCUA is just now setting up a cyber department certainly shows that you are correct. They are behind the curve, but when the governmental agencies decide that they're going to catch up, they try to catch up fast, and their answer to everything is a new regulation or a new exam finding, so I do think that you're going to see a real effort on their part to catch up, to hire the expertise that's going to be able to ask the tough questions.
And the question about products and tools that have been used at banks as well as credit unions, I do think there is an advantage there. Many of you are aware that NCUA is asking Congress, they have not received it, but they've been asking Congress for vendor authority. That is the authority for NCUA to go into any company, any vendor that offers products and services to credit unions, and be able to examine that vendor, such as SEI says that they deal with quarterly. Credit union vendors who deal with just credit unions do not have to deal with that because NCUA does not have that authority.
The banking agencies, FDIC, OCC, Federal Reserve, do have that authority. They have looked at these vendors. They have done exams of these vendors. And even though NCUA could get those exams from those other FFIEC agencies, NCUA wants it themselves, but they don't have it, but the bank regulators do. And to talk about whether it's the SEI product or some other product, or the products that you have now that you're just wanting to go back and do some due diligence to make sure that they're sufficient, I think those that have dealt with banks as well as credit unions, this is one of those unique instances where I think that is to your advantage.
Another question here, which security products does SEI use or recommend?
David: There are a bunch of viable tools out in the market. We do bake some into our offering that we use. We have some endpoint tools that we use, things like CrowdStrike and stuff like that. I won't make this a commercial about tools because I think there's a lot of really good tool vendors out there, to be honest. I don't think tools are necessarily the problem. I think that the idea of how you get those tools to work together, like Mark said, how you get out of that silo and really how you can control that tool vice versa. So think about that. You're going to have an email tool, you have a network tool, you have an endpoint tool, whatever it is. The idea that when you make a change to one of those, or when you see some kind of disruption that could be occurring, how quickly can you defend against all three of those tools or four of those tools that you might have?
So I'd say that the tool doesn't matter. We do use some. SEI's been fortunate. We do use some commercially available tools like I mentioned. There's also some tools that we've built, but there's some great tools out there, the Proofpoints, the Mimecasts of the world, the things like that from an email standpoint. There's some great tools out there. I think trying to get that overall package together is kind of the slippery slope around tools.
Dennis Dollar: That's one of the things, just before we close here, too, all of the participants. One of the reasons I've wanted these guys on here is although they've got solutions to offer, every one of my credit unions that has worked with them has been impressed with the fact that SEI is able to go in there and say, "Hey, we see you've already invested in this tool. You've already invested in this tool. We're not asking you to undo those investments. We'll come with you and try to find a way to turn these silos into a warehouse, if you will, that all falls under the same roof and accomplishes the same purpose."
We got another question here. It says, "My credit union spent over 2 million on cyber in the last five years, and I still feel like I'm plugging holes and just hoping nothing bad happens. Surely you're not saying there's any tool, product, or system that covers every eventuality, but how do I feel like I've done the best that I can?"
And I think you guys have answered that, but let's close out with that question, as I'm sure that is a question that every credit union is asking, and it kind of fits in with another question, "Any best practices or technologies that can be shared or recommended universally to all credit unions?" I'll let you guys answer that, and then after that, we'll close ourselves out.
David: Perfect. Do you want to take a shot, Mark, or you want me to go first?
Mark Norcini: Go ahead.
David: I think that was a big question. No, there's not a tool, and hopefully everybody's heard me say that. If anyone's out there selling you a silver bullet tool that'll protect you from all cyber problems, they're not telling you the truth, just to be honest. That's not the truth. The ultimate answer for securing your credit union is going to be a combination of a set of tools, and probably, like Mark said, the ability to integrate those tools together. So it's a combination of both, tools... And I feel for you. The idea is that we've been set up from a timeline standpoint, to Mark's point earlier about failure, "Hey, buy this product and you'll be better. Buy this product, and you'll be better. Buy this tool, and you'll be better. Buy this tool and you'll be safer." That's the lineage we've all worked in. It started with firewalls and went to antivirus. Now it's email. Everybody's lived it, and I feel for the credit union who submitted that question because you've kind of been led down that path. What we're bringing to the table as an offering is a way that an organization, a credit union, can sit down, can be assured on what their spend is going to be over the next course of time. Let's say it's the next three, five years, whatever it is, of the contract, where you know how much you'll spend, and you will know that you're doing enough. And then to Dennis's point, I think something that we're very proud of and that we think that we're changing the industry on, is a lot of these tools still just generate alerts and tell you what's wrong. And we don't believe that's a way to go through life. Let us fix it for you. Every other vendor that you have probably fixes certain things for you. So when you find that cyber vendor that can do both the monitoring and the detection and all of that, but get you all the way through to remediation and send you a nice little summary. "Hey Dennis, your CFO was hacked over the weekend. We solved it. Here was the solution. By the way, we can assure you it won't ever happen again because we put these things into place, and the phishing email that was sent over was deleted, so he couldn't even click on it." I think that's the results that we should all come to expect from our vendors and the tools we use.
Dennis Dollar: And on that, I think that is a great place to end because if there's one thing that I think should be the best practice or the technology, whether it's what you have now, what you may buy in the future, whether or not you try to integrate them or whether you continue to operate with your silos, the question for every one of those vendors to answer is, "Do you identify the problem or do you fix the problem?" I'd rather have an email telling me that you identified the problem, you fixed the problem, and here's what caused the problem, and you can spread that out to make sure that we don't click on that email again. So I hope this has been beneficial to you and worthwhile for your time. Remember, you will be getting a copy of a link to the webinar tomorrow. Feel free to share it within your organization. We appreciate your time being a part of it here today. I want to thank Dave and Mark for your willingness to be our experts today. Their contact information is there. One of the things I asked them to do, I said, "I don't want you to just appear on my webinar and not be able to take questions that come and let people follow up if they want to with both your direct line numbers, as well as your emails." They assured me that they would, so take them up on it. Follow up if you've got follow-up questions. And I think the last slide is mine. If anybody needs me, here is how you get in touch with us. I think most of you already know how to do that. We appreciate the fact that you do regularly. We appreciate the opportunity to work with you. We appreciate your vote of confidence in Dollar Associates. Reach out to us at any time. Have a great rest of the afternoon.
PART 4 OF 4 ENDS [01:05:14]