Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_02 (00:00):
Welcome to the CU2.0 podcast.
SPEAKER_00 (00:05):
Hi, and welcome to the CU2.0 podcast with big new ideas about credit unions and conversations about innovative technology with credit union and fintech leaders. This podcast is brought to you by Quillo, the real-time loan syndication network for credit unions, and by your host, longtime credit union and financial technology journalist,
(00:27):
Robert McGarvey. And now... the CU2.0 podcast with Robert McGarvey.
SPEAKER_02 (00:33):
Today's topic, how to pass the NCUA tech audit without losing your mind. The guest is Mike Robbins, COO at Dynamic Edge, a company that's helped many credit unions, particularly ones with assets between $25 million and $400 million, and that's the vast majority of credit unions, successfully navigate the NCUA tech audit, which occurs, quote, periodically, close quote,
(00:55):
according to the agency. Hear what's involved in the audit and how to pass it and crew
Thank you so much for inviting me.
You're welcome.
(01:26):
How can I refuse to talk to a guy who's going to tell me how to pass the NCUA tech audit without losing my mind?
SPEAKER_01 (01:34):
The marketing hook worked.
SPEAKER_02 (01:36):
Tell me, let's start. Tell me a little bit about Dynamic Edge and where are you located?
SPEAKER_01 (01:43):
Yep. So Dynamic Edge is a managed IT service provider. We started in Ann Arbor, Michigan in 1999. So we've been in business just about 26 years. We opened a second physical location in Nashville, Tennessee in 2007. For the past 15 years or so, we've specialized pretty heavily in supporting credit unions, particularly as cybersecurity
(02:08):
risks have become so critical. So we support credit unions. We have, of course, lots of them in Michigan and Tennessee, but we support them all across the country from New Jersey to Los Angeles. And we do... everything an internal IT department would do. For credit unions that are $500 million in assets under
(02:31):
management and smaller, we often do everything. So we'll do help desk, we do strategic planning, we do one-time project work, and of course, we do cybersecurity. For those organizations that are larger than that, we often do what we call co-managed. They have an internal IT team that handles some responsibilities, and then our team will supplement them in
(02:51):
whatever way they see fit.
SPEAKER_02 (02:54):
How big is your biggest credit union, your smallest credit union?
SPEAKER_01 (02:59):
Well, our smallest credit union is quite small, maybe 25 million. And largest is probably right in the 400 range.
SPEAKER_02 (03:08):
400 million? Yes. Okay, so that's certainly the biggest percentage of credit unions fall in that range.
SPEAKER_01 (03:21):
Yeah, absolutely. Probably 90% of the 5,200 or whatever are left, yep.
SPEAKER_02 (03:28):
Yeah, and I get it. So the $25 million probably needs a lot of help.
SPEAKER_01 (03:34):
They all need a lot of help.
SPEAKER_02 (03:36):
Well, they all need a lot of help, but there's some thin staffing in that $25 million credit union.
SPEAKER_01 (03:42):
So, I mean, right, 25 million, you're talking about, you know, four people on the staff, very, very, very small. That's not our average size, but that is the, that's the small, the small line for sure.
SPEAKER_02 (03:52):
Now, I was reading up on the NCUA tech audit, and the thing that really caught my eye was, they say it's periodic. What does periodic mean?
SPEAKER_01 (04:05):
It's a good question. I don't know if that word appeared before COVID or not. We were used to, for years, either the NCUA or a state examiner coming physically on site once a year. And since COVID, it's been a little, I don't know, maybe more sporadic than that.
(04:25):
We have some clients who maybe have had an exam every 18 months. So I don't know if I know the answer to your question specifically, but, you know, historically... There's been some sort of an exam, either from the state or the feds, once a year. And that seems to be mostly true with most of our clients. But as I say, we've had some who have an exam every year and a
(04:46):
half.
SPEAKER_02 (04:48):
I'm familiar with the financial audits of credit unions. Is it the same team or a different team that does the tech audit?
SPEAKER_01 (04:57):
You've seen both. I mean... Typically, the tech audit or exam is part of the overall exam that an examiner is doing. It's just the one that, in my experience, the credit union executives and certainly board members have the least amount of knowledge on.
SPEAKER_02 (05:14):
I know a lot about the financial stuff, and I'm more a tech guy than a financial guy.
SPEAKER_01 (05:19):
Yeah.
SPEAKER_02 (05:19):
But I... So the CPA comes in, it's kind of look at the tech. I mean, okay, sounds good to me.
SPEAKER_01 (05:31):
No, it's really interesting. We work with a number of former examiners who our clients hire to do a third party audit, you know, before they're going to have their real exam.
SPEAKER_02 (05:42):
Sure, sure. That's pretty common.
SPEAKER_01 (05:45):
Yeah. Yeah. And they can't make heads or tails of some of this either. Right. The range of skills in the examiners is all over the place. There are people who come in very sharp, very knowledgeable, very up-to-date, and it's easy. There are people who seem to be fumbling through some of it. One of the things I thought we might talk about at some point
(06:06):
is the NCUA has offered some standardization in the last year and a half or so, which I think is really encouraging. The application of those standards varies wildly based on who's doing the exam. Sometimes they're just sort of by the letter. Sometimes they seem to be making things up on the spot. It's all over the place, which is why I think this is so challenging for credit union executives.
(06:28):
They think they've got the right things in place and then somebody throws something else in.
SPEAKER_02 (06:32):
Your credit unions have a lot of technology that's not homebrewed. In other words, they're buying it from third parties. Most of it. Pretty much all of it in many cases. Now, is the third party involved in this audit? Indirectly, yes. But do they have any direct involvement?
SPEAKER_01 (06:51):
Not really. Not in my experience. I mean, what the... It's an interesting point you raised too, because I think it's something like 86% of credit union vendors. So the third party people, you know, software providers or security application providers, they've got holes in their environment. And then sometimes those holes are in the product that they
(07:15):
provide. And that's a vulnerability that the credit union doesn't have a lot of control over. So in my experience, the vendors themselves are not involved in the assessment of the environment because what we're really trying to see is like, does the credit union have the controls in place to make up for those deficiencies? Are there enough layers of notification systems and so on?
(07:38):
SPEAKER_02 (07:39):
I think some vendors do third-party testing of the services that they're providing.
SPEAKER_01 (07:48):
Yep, that's true. That's true, and we have done that for clients at times. But if your core is provided by Fiserv, you're not likely to be doing any third-party testing of Fiserv. But if Fiserv has a major vulnerability, and I'm just picking them because they're such a prominent vendor.
SPEAKER_02 (08:03):
Oh, everybody picks up Fiserv. I do too.
SPEAKER_01 (08:08):
That's cool. That's cool. If they've got a vulnerability, you know, one time I was doing a tabletop exercise for a client. A tabletop exercise, for people who don't know, is you simulate some negative thing happens and then you test whether the systems or the people or the processes you have in place are going to do well. And somebody, this was a client that was in Manhattan. They said, well, let's say the internet is out for Manhattan. I'm like, man, if the internet is out in Manhattan, we all have
(08:30):
all kinds of problems. And so if Fiserv has a major vulnerability, that whole world is going to be shocked. And so I don't think an individual examiner is going to care too much about that when they're examining an individual credit union.
SPEAKER_02 (08:44):
What is the examiner looking for with the technology?
SPEAKER_01 (08:48):
It's a good question. So in general, I think that they're trying to make certain that there are the physical and virtual controls in place to protect the members' assets and to protect the members' information. The reason, as you know, that credit unions are such a target of cyber terrorists is because they've got two sets of very
(09:11):
valuable information. The first thing is they've got lots of money. And the second thing is they've got all that PII or personally identifiable information of all the members. And so there's a double dipping that goes on. Bad guys, they implement some kind of a ransomware event, lock up some system, say, give us a million dollars. While you're deciding what to do, they take a copy of all that
(09:32):
data and you pay them the million dollars. They give you access to your system back, but they've now got a copy of the data and then they go sell that off on the dark web. And that's a very rudimentary, simplistic example, but credit unions are under significant threat. And so I think what the exam is trying to do overall is make sure that the controls are in place that somebody can't break
(09:55):
in easily. And if they do break into one place, that that breaking doesn't spread widely. And the NCUA has been sort of tightening the screws on how to do that over the last few years, which is good because it was really the Wild West until a couple of years ago. And all of the things that we were checking for in credit unions were sort of derived from the banking regulations, but not
(10:19):
specific to credit unions. And of course, as you know, you talk about it in your podcast often. Credit unions, they don't have the cash that the banks have, certainly not the large ones. And so as the NCUA has refined its regulations over the last few years, and I think it's filtered down, my interpretation, to the state regulators as well, we're finally getting some standardization on what you should expect them to ask about
(10:42):
when they arrive at the door. When you're referring to a CPA audit, well, you know, when... Ernst & Young or, you know, Plante Moran comes in to audit, we all know what they're going to be looking for. We can get the boxes ready, you know, before they get there. It's been different when it comes to technology and credit unions. And I think that's finally starting to take shape. And I can, you know, talk about how that shape is happening in
(11:04):
any, you know, whatever level of detail you're interested in.
SPEAKER_02 (11:06):
Now, is the audit, the tech audit primarily focused on cybersecurity?
SPEAKER_01 (11:13):
Yes. Yep. Cybersecurity, which has a couple different, you know, significant sections. One is just what do you think of as traditional security? A physical server has to be behind a locked door. There have to be some access controls. Who can log into that server? You know, identity management, all the sort of normal things.
(11:35):
But it's also a more complex or layered mindset. How do we help them not lose their mind when they're going through an exam? It's all the work you do in the months leading up to it. And there's been a paradigm shift in cybersecurity in the last couple of years that I think is super interesting.
(11:56):
It used to be that you built up this very strong perimeter around your network. The old fashioned model was that of a castle and the castle has a moat around it. And I'm on a horse and I ride up to the castle and I say, I want to come in. And somebody is on the other side and they ask me a security question and they decide, okay, I give them the right answer. And the drawbridge comes down and I ride in.
(12:18):
And once I'm inside the castle, I have free rein. That's old fashioned or what you would call perimeter security. You make a really strong perimeter or a wall outside the network, really, really, really make sure the person who's trying to come in deserves to be in there. And then once they get in, they can see everything. What's happened in the last couple of years has been an introduction of this zero trust security mindset.
(12:42):
And that phrase zero trust is not just some techie term. It's actually the term the NCUA is using in the regulations. And what zero trust means is no implicit trust and continuously verifying who you are. So if you've ever seen the movie Ocean's Eleven, they're planning, the group of gangsters, to rob the Bellagio in Vegas.
(13:05):
And they're going through the plan. And when they go through this plan, they have to have fingerprint detection. They have to have retinal detectors. They have to have signatures. They have to get past armed guards. It's multiple layers. And as they're getting closer and closer and closer to the vault of money, they're constantly having to figure out how to verify that they're the person that they aren't really.
(13:26):
And so zero trust is not just some piece of software like antivirus. You buy it in a box, you install it, and now you have zero trust. It's a mindset that credit union executives and the tech teams that support them have to use. And if you use that mindset, trusting at every level of access to verify who that person is, that helps to unravel or
(13:50):
solve the mystery of what the NCUA is looking for.
SPEAKER_02 (13:54):
My sense is a lot of institutions, and I think I'm saying something similar to what you just said, a lot of institutions aren't at that interest in having an impenetrable wall because it's probably not possible. What they're really interested in is, A, what is the person
(14:14):
doing inside the system? And B, most importantly, what data are they exfiltrating? And if they're just sitting there looking, hey, I don't care. It's...
SPEAKER_01 (14:27):
I'm not, yeah, I mean, I agree with what you're saying in part. I mean, I think there is a tremendous focus on access and identity management, making sure that I can't get somewhere within the environment I shouldn't be. And again, it used to be you logged into the network and once you were inside the network, you could see everything. Now it's, well, I can only see the folders that I'm allowed to
(14:47):
see. What's sort of interesting and dramatic about what some of the cyber criminals do is they get inside your network and they wait. So they get inside and they poke around. The first thing they try to do is destroy your backups so that when they launch a ransomware event, you can't just tell them to go away because you have a good backup to revert to. They're going to destroy that.
(15:08):
I had one colleague, different industry, a law firm, but there was a ransomware event. The bad guys asked for this very specific amount of money. It was an odd number. And this colleague said, why are you asking for this money? And of course, at this point, he's talking to a cyber terrorist who's working in a call center.
(15:28):
You know, it's like the Time-Life operator thing from the old days. But they are run just like businesses because they are businesses, and they're certainly for-profit businesses. And they explained to this colleague of mine that, well, we asked for this specific money because that's what we know is in your cyber policy. So they had spent enough time in the environment to find a copy of the policy. Why ask for $10 million if you can only get two?
SPEAKER_02 (15:50):
Right. Makes perfect sense. Yeah, I mean... Certainly in all big companies, executives have what's called signing authority. In other words, how big an expense can I approve?
SPEAKER_01 (16:00):
Yep, that's right.
SPEAKER_02 (16:02):
And if you bring an expense for $1 million and someone has a signing authority for $100,000, he can't help you. That's right.
SPEAKER_01 (16:09):
Yeah, right. So, you know, as you point out correctly... I don't think anybody's interested in building in the impenetrable wall. Even if they were interested in that, they can't afford it and they don't have time to do it. So we try to coach or mentor people to make the list of priorities, make sure that list of priorities aligns with what
(16:30):
the NCUA is recommending, do the things you have to do. Then you prioritize the group of things that would be nice to have and just always be making progress. My experience, again, on these exams is examiners aren't looking for perfection. They know that's not possible, even for the largest credit unions. However, they are looking for progress. So they don't want repeat findings.
(16:51):
And if something is a critical finding, you want to take care of that right away. And I'm glad that they're doing that. There's so much discussion about federal regulation. And of course, right now, we don't know what the future of the NCUA is exactly. But I'm glad that the NCUA is codifying some of these things because it's all our money that's insuring these deposits. And I don't want people to go through the heartache of having
(17:13):
their information stolen or having their money stolen. And I definitely don't want my taxes going to bail out credit unions that haven't done the things that they need to do.
SPEAKER_02 (17:22):
And 20 years ago, I thought a lot of the regulation was aimed at protecting credit unions against robbers with guns.
SPEAKER_01 (17:32):
That's right.
SPEAKER_02 (17:32):
And that's why many times the director of security was a retired police officer in the town. And that might have made sense 20 years ago. It makes no sense at all now.
SPEAKER_01 (17:45):
Correct. I mean, it's the same thing in warfare. You know, cyber warfare country to country is certainly a bigger threat than thinking there's going to be an army at the border invading.
SPEAKER_02 (17:55):
Now, does the NCUA give sort of a sample test? In other words, if I'm sitting in a credit union saying, ah, the tech auditor is coming tomorrow, what do I do? Is there a cheat sheet that the NCUA or perhaps that your firm provides?
SPEAKER_01 (18:13):
I'm really glad that you asked that question because the answer to that until last year was no. We've always had things, but our thing has been based on what are just cybersecurity best practices. Last year, the NCUA released something they call the Information Security Exam or ISE. And they say in it specifically, they're trying to tailor the
(18:33):
exam based on the asset size and complexity of the organization that they're evaluating. And they also say in the preamble to this document that they're trying to standardize the exam of information security and cybersecurity programs. So this is great. And the nerds out there can find all this stuff in the NCUA regulations. It's part 748 and 749.
(18:54):
But for regular people, you can go to the NCUA website. And underneath the information security exam, they actually have three cheat sheets. They call them statements with a capital S. And the three statements are supposed to address different size organizations. So the first one is actually called the Small Credit Union Examination Program.
(19:14):
And it's tailored for credit unions that are under 50 million in assets under management. Then there's a second one. The second statement is called CORE. And that's the cheat sheet for organizations that are over 50 million. I don't know why they made 50 million the break point, because that feels very, very small. I would have done it at 250 or something like that, but that's okay.
(19:35):
And then they have a third statement, and that's called Core Plus. So we had small credit union, then Core, and now Core Plus. And Core Plus is not a list of things for any particular size. It's just sort of said, tailored at the discretion of the examiner. So you can go to the NCUA website and you can download,
(19:56):
they're just Word documents, these three checklists. And I encourage everyone to do that with their tech teams. We use it as a reference for it. We've created something, I think, a little bit more elegant, but it does give you an idea of the things the examiner is supposed to be checking when they come on site. Interestingly, with a lot of our clients in the last year, their
(20:18):
examiners aren't using it. They're still working off of old checklists. It doesn't mean they're not checking a lot of the same things, but I had hoped the sort of standardization that was presented was going to be a little more rigidly enforced or really standardized. And I haven't quite seen that yet. But these checklists, which are available from the government site, are a really good starting place.
SPEAKER_02 (20:37):
So you get a client, a new client, the client says, I'm concerned about this tech product. What's your process? What do you do then? Do you say just take some Advils and call me in the morning?
SPEAKER_01 (20:51):
That would be so much easier to just resell Advil. What we do with a new engagement is we do what we call a security assessment. And a security assessment is in two parts. The first part is this is not an external penetration test like so many credit unions properly pay for, which can cost $15,000 or $20,000. That's not what we do. We do a two-part interview. The first part is I sit down with the relevant people.
(21:13):
Sometimes it's the CEO, depending on the size of the credit union. Sometimes it's the tech person. Sometimes it's a VP or CFO. And I just ask them, it's a business interview, 30 minutes. Let me understand how you're working, what are the initiatives, what concerns you about tech? Have you had any security breaches in your recent history, et cetera? And then we run a scan with a proprietary tool on the system
(21:35):
itself. We get the results of that scan. We get the results of the interview. We collate that and we present them with a list of findings. And we say, here are all the things we found. Here's what we would do to remediate them. If you would like us to work on it with you, great. If you want to take this back to your tech team or to a different vendor, that's great too. We get a lay of the land that way.
(21:55):
We will also, during that process, ask for a copy of their last exam, either from the NCUA or the state. And that often will tell us, did they make any progress since the examiner was here? Is the examiner kind of being tough unnecessarily on certain things? We'll just get a sort of the lay of the land with that. And then we come up with a plan to do two things going forward. The first is we have a technology roadmap.
(22:19):
We say, we think you need to do these 12 things in the next 18 months, and here's why, and here's what they'll cost roughly if there's a cost associated with them. And I want to say, Robert, that a lot of the things that are in those checklists that I referenced, a lot of them are just elbow grease. They're policy changes, using existing technology.
(22:39):
There is this misperception out there, and maybe we'll talk about economic scale or how this affects mergers, et cetera. But there's this perception that to be compliant, you have to spend a ridiculous amount of money. And I do not at all agree with that. There are ways to scale with vendors like mine. It doesn't have to be mine that can help you get compliant and more importantly, protect your members' stuff.
(23:02):
The second thing we do is we do monthly proactive vulnerability scans. So we scan an environment because IT people, including us, aren't perfect. This allows us to find things ahead of time and fix them in as close to real time as is practical. And regulations change.
(23:22):
Insurance carrier requirements change. So what we're trying to do is, instead of, when it's time to renew your cyber insurance at the end of the year, you get this laundry list of things you need to do to either get approved or to get a reasonable rate, we're trying to stay on top of them going forward. So it's initial assessment, monthly scans, and a roadmap for the next 12 to 18 months.
SPEAKER_02 (23:43):
Have you seen any changes in the behavior of insurers in the last year or two? And I ask because there have been dramatic changes in, say, home insurers. I know it's different people, etc.
SPEAKER_01 (23:57):
But dramatic changes, dramatic changes. It was, let's say, around the time, let's say maybe 2020, I would say most credit unions that I talked to did not have any kind of cyber insurance. Some of them started to get cyber insurance coverage through the same provider that they were getting their general liability
(24:18):
or their workers comp. And then this niche opened up for insurance providers that specialize in cyber. And those vendors had a field day for a couple of years because everybody was buying up the insurance. Well, now the bad guys got more clever and they started playing all these claims. And as a result... What has really changed, I would say, in the last two years in
(24:39):
my experience is that the cost of premiums is just getting sky high. I think it was like a 74% change year to year from 23 to 24. We don't know what it'll be yet this year, but big increase. And the other thing that I wanna point out to listeners that's super important is it's important to know a number of things about your insurance policy when it comes to cyber,
(25:02):
not just the total amount of coverage. But we have seen changes in particularly exclusions. So there'll be exclusions for things like acts of war. I mean, we're in a pretty hostile, violent world right now. What does that mean if a threat comes from a certain place they're not going to cover? I don't know the answer in this moment. Everybody's got to evaluate their policy closely.
(25:25):
The one that scares me the most is I have seen in a number of policies this generic phrase, quote, failure to maintain standards. We know that it is really hard for any provider, even the greatest, to stay on top of every security update. Microsoft has Patch Tuesday once a month. They release security updates that we need to install on all
(25:45):
of your environment servers. And who knows why, but sometimes nine of the 10 install or eight of the 10 install. There's a communication error. It times out. And so you have to clean it up a couple of days later as you realize that not everything was done. Is that going to be the hole that the insurance company uses to not pay my claim because everything isn't up to date? And so I implore our clients, and we help them through this, look
(26:10):
at the policy carefully. And if you have any questions about those exclusions, any of them, get better definitions on them or look for providers that make that stuff a little clearer.
SPEAKER_02 (26:19):
Well, just speaking broadly, I think it's fair to exclude claims that result from failure to maintain standards. If you go out and get a new BMW, drive 30,000 miles a year and never get the oil changed, never. And then the third year, the engine blows up. If I'm a BMW, I'm going to say, hey, dude, it's your fault.
SPEAKER_01 (26:42):
I agree with that completely. I mean, an example in the tech world is that Microsoft offers a new operating system for its servers or workstations every couple of years. Right now, the world is using Windows 11 on workstations. That's the current operating system. Windows 10, last time's operating system, is still out in the world and still being patched, but it's coming to end
(27:04):
of life, which for Microsoft means they're not going to support it anymore, and they're not going to update it with security patches anymore. And so we're in a time right now where we need everybody to move to Windows 11. It would not be fair to be running Windows 7 or Windows 10 and then be upset or frustrated when there was some kind of a breach. However, if you're working on a Windows 11 machine and you get
(27:26):
patches once a week for it, if you don't have every single patch installed, that's sort of the reasonable course of, you know, regular life, and we just want to make sure that you're not paying a bunch of money toward an insurance policy that's going to be that specific in denying a claim. So I think that there's a middle ground that is appropriate and makes sense between what you described and what I'm describing.
(27:47):
And I think that smart people can ask those questions and get that clarification.
SPEAKER_02 (27:51):
Yeah. I was offering a grossly negligent driver.
SPEAKER_01 (27:55):
That's right. Exactly. Yep. Right. That person deserves their car to blow out.
SPEAKER_02 (27:59):
Yeah.
Now, what are your costs?
What's your fee basis?
SPEAKER_01 (28:07):
Yeah, so it depends, of course, on the range of services. If certain larger credit unions will engage with us just for cybersecurity, we put together what we call our stack. And if you use the tools that are in our stack, it usually runs in the range of about $83 per user per month. If you are doing the full suite of services that we offer, so
(28:29):
not just the cybersecurity, but also the help desk, the proactive strategic planning, et cetera, prices range anywhere between $150 and $200 a month per user. And that's a recurring fee that covers all the licensing costs for everything we use. And it's unlimited support other than things like hardware purchases, which we procure for you, but they have to pay for it
(28:51):
because it's their capital expenditure.
SPEAKER_02 (28:54):
Now, a while ago, you mentioned mergers. How do mergers figure into this?
SPEAKER_02 (29:02):
Because everybody in credit union land is talking mergers.
SPEAKER_01 (29:05):
Yes, they are. I speak at, I don't know, eight to 10 conferences a year. From our vantage point, we see technology as becoming the scapegoat for a little bit of lazy leadership. So they'll say the NCUA and its regulations are making it impossible to keep up.
(29:26):
And as a result, I can't afford to run a $125 million credit union. So I'm looking to merge, which really means they're looking to be acquired. The analogy I would use is you can have an effective workforce working remotely. After the pandemic, we had to all figure out how to do that. And do I wish everybody was back in the office?
(29:48):
I do, because I think there's some things lost. But if you have the right KPIs or right performance metrics in place, you can get a fully remote workforce to be just as productive. They're just productive in a different way. And I think that there's a lot of technology becomes the butt of the joke. It's, you know, government regulation is what's keeping us
(30:08):
from making any money and it's getting in the way. And so we have to merge because we can't scale. And what I'm here to tell you is that actually every credit union, no matter what size, has to make some investment in their technology. But as I said before, the little bit of elbow grease and working with a partner who knows what they're doing, meaning when you buy some cybersecurity tools from me, I can get them cheaper
(30:32):
because of my volume than you can off the street, get them through me. Let me tell your vendor like me which apps you should use, how this positions you for the exam, and you will do just fine. So we have been able to protect lots and lots of small credit unions. The economies of scale in the financial sector, that's not my
(30:52):
specialty. I don't understand mortgage rates or loans or those other things that are critical to the business. But I can tell you that technology is not getting in the way of your bottom line. There are ways to do it with elbow grease and working with a good partner or with a smart internal hire to get these things done. And I don't like when I hear that technology is the reason
(31:14):
they think they need to merge. I'll also say, parenthetically, that one of the things I really love about working with credit unions is that they serve their members. That's the number one thing. The number one thing isn't to make money. It's to serve your members. During all these mergers, particularly of the behemoths that you described a few weeks ago, we're just becoming banks.
(31:35):
And I want to be part of an industry and help support things in a way to keep these cooperatives alive. I think it's an important part of sort of the American fabric. And technology is important, takes a bunch of time, takes some investment, but you do not need to merge in order to scale properly with tech.
SPEAKER_02 (31:55):
I've thought a lot about mergers in recent years.
Every merger is unique.
But one thing I would say is that if you're merging to equally economy of scale of a Chase, you ain't never going to get there.
SPEAKER_01 (32:11):
That's right.
Not even close.
SPEAKER_02 (32:13):
Chase is barely aware that Navy Federal exists.
And Navy Federal is a great credit union.
It's the biggest by far.
But Chase is many, many, many, many, many multiples bigger.
And they have an economy of scale.
That's just the way it is.
So is AI figuring into this tech thing?
And every credit union that I'm talking to, the two things they
(32:38):
want to talk about is mergers and AI.
They don't want to talk about anything else.
And AI has some serious security issues associated with it, I believe.
And I don't know that they're being addressed properly.
SPEAKER_01 (32:53):
I think that's probably true.
I mean, AI is almost like saying air, water, fire.
It is such a gigantic term that encompasses so many things.
We've all been carrying AI in our pocket for years because we have Siri or we have Google Assistant at home.
So it's tricky to make sure that we're talking about the right thing.
I'm
SPEAKER_02 (33:13):
particularly talking about generative AI, the ChatGPT world, which this is the best thing since sliced bread, man.
And you got to get sliced bread.
That's what credit unions tell me.
SPEAKER_01 (33:27):
I think that that's true.
I mean, I think what we're seeing, I mean, I'll tell you, I'm a service provider and credit unions are a service provider.
I have a call center just like credit unions have a call center.
I'm very interested in the ways that AI will help enhance the client or in the case of a credit union, the member's experience.
So many of them are using it when it comes to phone trees
(33:47):
already.
But where they might look for it is in searching their member database for opportunities based on very specific life events.
Somebody's of a certain age, you might start feeding them things about wedding planning.
You might start feeding them things about first home purchase.
There's a lot of trending that the AI applications can do that
(34:07):
don't take a lot of sophistication that I think regular marketing people could take advantage of.
In terms of security concerns, I agree with you.
You need to vet those vendors hard and make sure that they've got the right things in place.
You have to be extremely careful related to privacy.
(34:29):
I would say in that last bit is where we can help.
I'm a little out of my element where I'm not the right person to recommend how AI is going to be applied to make loan originations go up.
I just know that what I see those applications being used is very sophisticated.
It is that jump from using an abacus to a calculator times a
(34:51):
million.
I'm excited about the opportunities we have not to replace people on our team, but to be able to enhance the client experience.
But you have to be very careful, particularly with the generative models, not to feed it through, not to put a bunch of private information in there and then just have the regular old engine off the shelf, tell you what you should do next.
(35:12):
Very dangerous.
Many organizations, not just credit unions, I know are installing their own version of an engine like ChatGPT in their own environment with the proper security around it, and then starting to teach it about their organization, about their members so that they can process trends or learn in a faster way.
SPEAKER_02 (35:34):
That certainly is happening.
But if you just look at basic OpenAI, ChatGPT, generative, what they've done is scraped together a whole bunch of information to answer your prompt, to respond to your prompt.
You don't know what they've scraped together.
You don't know where they've been scraping.
(35:56):
And
SPEAKER_01 (35:57):
it's not always right.
What's a little scary for me, just as a regular old person, is I forget one of the large models they asked, like, what's the average temperature in Fort Lauderdale in April?
And it said something like 73.
And it turned out that the answer is really 75.
I'm making those numbers up.
It was something like that.
And it's like, well, do those two degrees matter?
(36:20):
Well, they do.
Facts matter.
So we have to be very, very careful with the application of that technology.
I'm not saying anything original here, other than from my perspective, if a credit union is engaging with it, it needs to really vet the vendor that they are working with, and certainly make sure that the security of both their internal technology
(36:40):
and their members' information is properly secured.
SPEAKER_02 (36:43):
Now, have you seen NCUA auditors expressing any significant interest in AI within credit unions?
SPEAKER_01 (36:52):
I haven't seen that yet.
SPEAKER_02 (36:54):
That's coming.
I'm sure it's coming.
SPEAKER_01 (36:57):
Yeah, and it should, and it should.
And I think that it is the largest credit unions that are using it in a significant way already.
And as I say, we do co-manage for the largest organizations.
And so I'm not as privy to some of those exam results as I am for the people that we, a couple hundred that we cater to.
SPEAKER_02 (37:16):
What would concern me about the smaller credit unions is they take a consumer product like ChatGPT and start playing with it inside the credit union.
Which is okay, but you need to have some safety nets there for yourself.
SPEAKER_01 (37:33):
Absolutely.
Yeah.
And that we can help with all day long, but it's a bad idea to do it on their own.
And it's a terrible idea to do it on a credit union device until they make sure that they've got the security in place they should.
SPEAKER_02 (37:47):
Right.
I mean, you don't want...
That doesn't exist anymore, but you don't want to issue...
a laptop to somebody and have them install TikTok and Hotmail.
SPEAKER_01 (37:57):
Exactly right.
Exactly right.
Yeah.
And if you're using zero trust mindset in your environment, you would never allow them the capability to install anything on their own.
SPEAKER_02 (38:07):
I'm sure you could go on YouTube and find a video that tells you how to do it.
Now, have you ever had a client who really just had a breakdown because of a tech audit?
SPEAKER_01 (38:20):
When you say breakdown, do you mean like an emotional breakdown or?
SPEAKER_02 (38:23):
Yeah, like starts wrong things at the auditor.
I don't know.
SPEAKER_01 (38:27):
I have.
I did have no breakdown.
No, but I have had clients of mine, credit union CEOs, very frustrated because they felt that they had made progress and they felt that the examiner was being difficult.
I had a state examiner in Tennessee just a couple of weeks
(38:50):
ago who suggested something very specific be done, which seemed unnecessarily complex.
And I know that my client was going to follow up with that person's supervisor to find out where in the world is this coming from.
So I do see frustration there.
(39:11):
I see frustration around a lack of organization, a lack of comprehension about some of the things.
But I'm telling you all the complaints.
With a lot of clients, I would say the majority have a very good experience with their examiner.
When I say very good experience, it's like having a good experience with your CPA at tax time.
It was as expected.
(39:31):
You've got some things to fix.
Everybody's professional.
Everybody's organized and timely.
The roadmap is clear afterwards.
I would say that's most of the time.
SPEAKER_02 (39:42):
Before we go, think hard about how you can help support this podcast so we can do more interviews with more thoughtful leaders in the credit union world.
What we're trying to figure out here in these podcasts is what's next for credit unions.
What can they do to really, really, really make a difference in the financial scene?
Can't all be mega banks, can it?
(40:04):
It's my hope it won't all be mega banks.
It'll always be a place for credit unions.
That's what we're discussing here.
So figure out how you can help.
Get in touch with me.
This is rjmcgarvey at gmail.com.
Robert McGarvey again.
That's rjmcgarvey at gmail.com.
Get in touch.
We'll figure out a way that you can help.
We need your support.
(40:25):
We want your support.
We thank you for your support.
The CU2.0 Podcast.