Operational Risks in Credit Unions - What We See in 2025

Hey everyone. This is Mark Treichel with another episode of With Flying Colors.

This is another short take where we will talk about operational risks, cyber communication, strategies for cyber legacy system conversion, nightmares, uh, core conversions, and other operational risks that occs talking about we're seeing with our clients, et cetera, et cetera.

Thanks for listening.

Treichel: Next up the general topic in the, uh, the risk report was operational risks being elevated across multiple fronts. Any thoughts on that broad topic?

Bauer: Yeah, the only thing I wanted to add or talk on is cyber, right? Cyber risk. We spent a lot of time obviously developing our incident response plan. And I think that is so key for every credit union is to have an incident response plan that is ready and tested. And probably the most important part of that is just your communication plan.

So you take the, we took the approach that we're gonna have a cyber incident, something's gonna happen, we're gonna get hacked, we're gonna have some kind of exposure. Um, so we took that approach in developing our incident response plan, and, uh, we spent a lot of time. All the different aspects involved with that.

But, but the hard part, I think at the end and is it's not the technical part of, of cyber, but it's communication. How do you communicate to all the stakeholders, to your board, to your staff, and most importantly, how do you communicate this to your, to your membership? 'Cause that's so critical because you can, if you mess that up, then you could have a huge reputation risk 'cause social media will explode. And you're gonna have bigger issues. So that to me is the most important part of dealing with cyber.

And then obviously having proper cyber insurance in place, understanding your risks. Um, you might have to have multiple cyber policies to get the coverage you want. But that to me is so key for, uh, for a credit union today.

Treichel: Great points, Steve. Todd.

Miller: Just kinda one thing they point out in the risk report along this line and operational risk, they talk about legacy technologies creating competitive disadvantages. Well, we, we've seen this with a couple of our clients. You know, they try and upgrade systems so they can keep up with the rest of the world and they end up having conversion issues and members lose access to payment systems and they get accounts that can't be reconciled. And so while all these upgrade paths are very important, it's like you need to have good plans and testing before you go through conversions of some of these older legacy systems. The cost of doing a conversion improperly is pretty significant and sometimes it drags you for a couple years.

Back to Dennis's whole thing about having a plan for when something like this does happen, you know, you had the big credit union in the news last year on the West Coast where members couldn't access their funds for where to drag on for a week or more, more. Um, you know, those are pretty significant risks.

NCUA has been really good about how they handle this with credit unions. They have their information security officers, they rarely write DORs, but they're really good about findings and they issue a lot of findings. And I think their whole attitude is amongst their information security officers is they are there to help you and improve your security profile. Um, that's generally the course of action they take.

Some of this gets back to a cost thing. Again, what can you afford? So I would just say, you know, for the credit unions out there, when you get multiple findings in your information security, ask your examiner, prioritize them for you. Because some of the stuff is very expensive and you know what has to be done today versus what kind of residual risk can I take if I don't spend that money for six months? So ask them to prioritize.

I don't think operational risk and cybersecurity risk will ever leave the top three or four risks from our regulators ever again. And the AI fraud tools, there's, you can go on the dark web and find AI tools to help you commit fraud. So it's just gonna be an ever growing kind of a race to the top or race to the bottom depend if you're a criminal or a credit union trying to keep criminals out. Plan on spending money in this area.

Treichel: Forevermore, Steve?

Farrar: No, I think we covered it. 'Cause I, I had written down and Todd covered it was you that we, you know, are surprised that, you know, the conversion issue has become something that's, uh, when it rears its head, it is just so ugly.

Yep.

Bauer: Yeah, that's one thing. We did a pretty much a wholesale change back in 2018 through 2022. Right. We upgraded core, digital, debit card. Right. We did a lot in a, in a three year period of time. But just the core itself, I mean, take the time to do the necessary data cuts. I think we did three or four, um, before we were, we were comfortable. Before we moved to our core, we, so then when it came to, uh, conversion weekend, it went without incident.

Um, and then other thing I've seen out there is you credit unions purchase a new, a new, uh, core system, and they don't necessarily know a hundred percent what they purchase. It's, it's too much. Um, they don't have the expertise. So I think understanding exactly what, what you're getting into before, um, you know, what's all involved, particularly at the end as, as far as generating the necessary reports that you need, how the report writers work, how the accounting function's gonna work, how that's gonna maybe integrate with a third, uh, a third party type of accounting system. Making sure that's all tested. So that's so key.

Taking as, as Todd and Steve said, taking your time and spending the money to do it right. And if you've gotta overspend a little bit to get it right I think it's well worked out so you don't have issues with your membership at the end of the day.

Treichel: As someone once said, if you don't have time to do it right, you don't have time to do it over.

Miller: Exactly.

Treichel: All right. Fraud schemes targeting traditional payment methods and otherwise, Dennis, I
