Cybersecurity Perspectives: Lender, Consumer, Litigator, Fintech

Cybersecurity is one of the hottest topics in the housing economy, and this panel is about how lenders, fintechs, and regulators are working together to turn cybersecurity readiness and leadership into an opportunity. What does readiness mean from operational, compliance, and customer service perspectives? What cybersecurity topics don't make headlines but are the biggest concerns? This panel is where you get prepared.


Transcription:

Andrew Martinez (00:10):

Hello everyone. My name is Andrew Martinez. I'm a reporter at National Mortgage News. I cover cybersecurity and tech topics in the industry and today we're going to be talking about cybersecurity and hear from various perspectives. We've already seen high profile incidents affect the industry this year and disrupt lending activity. So today our experts are going to discuss the concerns that mortgage players should be watching out for and some guidance for cybersecurity readiness. Just today I'm going to be joined by John Levonick, a Regulatory Attorney, a Senior Partner at Garris Horn, Randy Raw, Chief Information Security Officer at Veterans United Home Loans, Lindsay Barbera, VP of Third Party Risk and Strategy at Atlantic Bay Mortgage Group, and I am sitting next to Greg Pettersen, EVP of Growth and Innovation at RWM Home Loans based here in San Diego. Yes sir. Awesome. Alright, so thank you everyone for attending today and just really want to set the stage today and begin by asking about the risk that mortgage companies, not just lenders but companies are facing today. I was wondering if each of you in brief could just talk about the biggest risk that mortgage industry companies are facing today from a cybersecurity standpoint. John, I'll start with you and I'll come down the line.

John Levonick (01:26):

I guess I can go after the most obvious perspective as a financial institution. I think right now the single largest concern from a risk perspective as it relates to cybersecurity is the supervisory and examination exposure that you face as it relates to the controls you have within your organization to not only ensure that your controls adhere to best practices as it relates to cybersecurity and data privacy, but now based on the amendments to the GLBA, the enhanced safeguards rule, state regulators are out there, they're commencing assessments on financial institutions and they are looking very closely using the safeguards rule as a framework to ensure that you are protecting as a financial institution your consumer data in an appropriate way. The bureau is so kind to deputize state regulators in a certain way that permits the state regulators now to enforce GLBA. So the state regulators are out there, they're armed with knowledge conference of state banking supervisors is doing a great job on ensuring that the state regulators have the requisite understanding on what and how to conduct an examination as it relates to cybersecurity. So be prepared as an organization, your license is on the line and at this time I guess is the biggest barrier to business.

Randy Raw (02:59):

I think there are a couple. One is making sure that we don't knee jerk and go spend money on things that don't actually move the needle. There are so many vendors that I go to conferences and see and they're point solutions, especially around AI and that sort of thing. Right now, most of us probably don't need AI security things to the point of the last panel. We're just not doing that much. It's kind of like that's the new thing that everybody's talking about, but are we doing the essentials? Are we doing the basics and making sure that the pieces to John's point of our controls that the examiners are going to ask about the CSBS has put forward some really good guidelines that if you just look through those and look at the basics, are we doing the basics? We are not protecting the gold at Fort Knox.

(03:51):

We're not protecting the stealth bomber plans. We're originating mortgages. Now we are impacting people's lives, but how do we do that in a way that doesn't break the bank that we use more than five to 10% of our tool set? One of the challenges that we have in the practitioner side is people get enamored by the shiny thing. Oh, I got to have that tool because it does this well, this tool does mostly that too, but I don't like the way it does that. I want to do this. Let's consolidate and think about the tools we're already using and try to do as much as we can with what we have. And then don't get bent out of shape whenever somebody says, no, you can't spend that amount of money. Well, you don't care about security. We do care about security, but we need to do it in a way that is fiscally responsible.

(04:37):

And then I think the second one is if you have people that have developed a cyber program, a lot of them are like me, they either have no hair or gray, they're going to retire at some point. The succession planning or lack thereof in many of our organizations around cybersecurity is going to become a real problem and we're doomed to maybe create or recreate the sins of the past if we're not careful and helping new people come into the organizations, into the industry and learn quickly what some of the basic risks are and how to mitigate those risks.

Lindsay Barbera (05:13):

Yeah, I'll touch on a little bit of what y'all both said, but in my specific area as well, it's vendor risk. I mean, you talk about wanting the shiny things or the GLBA and the Safeguards Act. Vendor risk is such an issue and can be such an issue if you're not careful because the more vendors you have, the more data is being shared, the more data is being shared, the more it's out there, the more you're susceptible for repercussions, whether it's on an exam or things like that. So from a vendor risk perspective, I think that's a huge issue that's not really, that just needs to be top of mind when you're doing due diligence when you're looking at another vendor like you said, it does this, but it doesn't do it the way I want it to. Well, we vetted this one and it is great.

(05:56):

So just being mindful of vendor risk and all the integrations and APIs and how the data is out there, it really goes further than just vendor risk. It goes into enterprise apps and all these different things that mortgage bankers are like, oh, on Teams, I can do this or I can do this, and they want to get it and that's great, but they're not truly reading the permissions that that app then has to your computer and what control it has. We're all guilty of it. I mean, some of y'all might read the terms of use when you download an app on your phone. I don't. Some of you might, but I guarantee you we would all be very shocked to see what we're allowing when we download that app.

Greg Pettersen (06:37):

These are all great points. I could hand it now. I'm just kidding. I have one thing to cover, but no, a hundred percent. I think from the app standpoint, we get that all the time. Our IT teams like, Hey, is this app approved? And it's like we're really not trying to approve all these third party apps. You have people that try to use multiple CRMs, Calendly, whatever it might be, but they are directly integrating into your systems, potentially have access to emails, so on and so forth. So great point there. But no, I want to cover kind of what Randy said back to the basics because the greatest vulnerability point for us is really our employees and our people at our organization. So we're an IMB, and if somebody's not paying attention, they click on the wrong email, people get access to our system. So I love what you said about back to the basics and for us it's making sure our employees are educated and fully understand the risk that's out there.

(07:28):

Phishing emails are getting so sophisticated nowadays. You're seeing QR codes come through where somebody could just be like, oh yeah, access. And they don't really realize they don't read the email strong enough or with as much detail. So that's what I would say. Make sure you have a strong training program set up because your first line of defense is your people. When you look at all the breaches that have happened, majority have come from a point of entry from an internal employee that clicked on something they shouldn't have. So I love back to the basics and that's my addition there.

Randy Raw (07:58):

Andrew, can I go one more level on that too? I think we decided something this year and this was our own risk assessment. The majority of breaches still happen with phishing emails.

(08:10):

Most of us probably either have a singular or we depend on Microsoft email security platform. We came to the conclusion that that's probably not a sufficient amount of layers of security. We went ahead and doubled up and added, and I hate redundant spending with a passion. I tell my team that all the time, redundant spend is bad, duplicate spend, bad; layered security, good. We added an additional layer of email security because to your point, the phishing emails are so sophisticated anymore. Even people that are really paying attention, it's easy to get duped. And so that is something that I think may become more important for us to think about is how are we layering appropriate controls in place? We do still have to rely on our humans to do the right thing, but doing the right thing is really hard. I don't want loan officers having to think about security all the time. I don't want developers having to think about security all the time. I want them thinking about doing that thing that they do that we hired them to do that makes us money and how do we help them do that safely?

Lindsay Barbera (09:19):

And as we are all hoping that the rates go down, that means that volume's going to pick up. And when volume picks up and people get busier, busier leads to negligence, negligence leads to, and the intentions are the best. Hopefully there's no employee at your company that's like, I want to go click on this. There might be obviously, but more often than not there. So they have good intentions and it's an honest mistake, but that honest mistake can have a really large ripple effect. So as business picks up, that's an additional threat and hackers, as they get smarter, they're going to start picking up on that and so they're going to see that as a vulnerability and increase their hacking mission.

Andrew Martinez (10:03):

Yeah, I think some really good points. I really like the different perspectives and I think I just want to maybe dive a little bit deeper on what everyone touched on. I think the biggest question, what are just some steps mortgage companies can do to build resiliency? Realize that's a big open question, but just given the different perspectives. Curious everyone's take John again. I'll start with you.

John Levonick (10:22):

Can you repeat that question?

Andrew Martinez (10:24):

Just what are some steps mortgage companies can do to build resiliency, realize that's pretty wide open. So curious from a regulatory compliance standpoint. I'm curious what companies should be doing.

John Levonick (10:34):

Well, I think the first step is to understand what you're protecting against. The term breach comes in many different forms. Talking about phishing, talking about penetration to your system. What are you trying to protect against? Are you protecting against data exfiltration? That means the breaching entity comes in and takes your data. Are you protecting against the bricking of your infrastructure, meaning that your core corporate network is locked down and you and all of your employees are locked out of it. So you can't conduct commercial activities. You really have to stop, start and assess not what needs to be done, but for what purpose are you doing it. Because what needs to be done really depends upon the various avenues. I see a lot of organizations that look at cybersecurity as a checkbox item, whether you're a financial institution or more importantly as a mission critical vendor.

(11:30):

I try to appeal to the finer sense of CEOs of these organizations and instead of talk about the overwhelming fear of a breach, you talk about all you cannot conduct services or this is what you need to do to not only secure the consumer data of your clients, but to obtain and get their business as a vendor. Financial institutions need to oversee their vendors. They need to conduct organizational and operational due diligence on their vendors to ensure that their vendors adhere to the financial institution's regulatory obligations. Understanding what the financial institution's regulatory obligations are. It's critical for a vendor knowledge of not only what you're doing I think is we got to start the conversation with why are you doing it?

Randy Raw (12:21):

And I would agree completely with that and help the business chunk things. So one of the things that we went and have been doing for a long time is actually do tabletop exercises on a regular basis. My teams often hear me say, never waste a bad day, especially when it's somebody else's bad day. So when somebody has a bad day, we get together and say, could that happen to us? If so, how do we need to put a different control in place? Maybe we don't need to put a different control, we need a different process. We need to talk about when MGM happened and they got socially engineered to have a help desk person change the password of someone that had privileged access. We went to our help desk team at that point and said, we need to review the process. We don't need to buy anything.

(13:06):

We don't need to do anything different really other than help us understand how you're validating remote employee password changes and make sure that we've got the right process there. But that was one piece and to John's point, we then go to different parts of the business to our business partners that we've got two people from product strategy here. Okay, what would happen if your project that you're working on, your product that you're working on was unavailable? How does that impact the daily function of closing loans? Some people would say, well, what we're working on here has none. Okay, then we don't really need to worry about the resilience there. Payroll runs twice a month if it's the off week of payroll, nobody really cares. Payroll people care, but employees don't care because they're going to get paid. But if it's the week of payroll, that's a problem.

(13:56):

If it's something with the CRM, the phone system being down, email being down, that's a whole different impact to the company. So recognizing the significance, the impact of whether it's internally developed, but particularly our vendors, we're looking more at that because we have so many more reliances and integrations with vendors that are beyond our control that we're reaching out to through the internet that we've really got to think about. Even internet redundancy and resilience. And then I guess the last part I would say is also people resilience. There are oftentimes where we have one person that really gets it and understands how to make that thing work. They know just where to rub it on the side or do you kick it on this side or do you pump it up here? People resilience is also a really big struggle to begin bringing that up because sometimes it's a threat to someone. They think they're really important and I'm like, yeah, you are, but you also can't go on vacation. You're on call all the time. That's a lot of stress. We don't want that for you.

Lindsay Barbera (14:55):

Yeah, look like you said, I think they covered it all, but no, I'll speak both have some really great points. And I'll say that, and it's kind of like you mentioned about cybersecurity being a checkbox item. I feel like there's some companies and vendors out there that are treating business continuity plans the same way. Oh, we've got it. You just type in ChatGPT, business continuity plan and print it out. And I had one vendor come across the other day, we asked for their AI use case policy and I literally typed that in ChatGPT, and it was word for word except they entered and that's fine and it was great data, but it wasn't Goes a step further. You can have the business continuity plan, you can have the incident response, but are you testing it? Are you doing tabletop exercises to make sure that you've got resiliency?

(15:40):

Are your vendors doing that? Are they with my team? We do vendor due diligence. That's one of our primary focuses and it's important for my team to understand the critical vendors, the additional requirements that we have for critical vendors versus maybe like a tier three, not as risky, not as front facing, no consumer data. And are we checking those things? Are we making sure they are up to date with protocols? Are they up to date with if there is a breach that they understand regulatory requirements for notifications? I mean, you might have a question in there, Andrew, about CrowdStrike, but that was a great example for all of us to see how many, we were fortunate to not be affected by CrowdStrike much. However, it was a great opportunity for our team to be able to make sure that we're checking all of those things, making sure that those business continuity, they're resilient and they're being tested. That's the thing, you can have it on paper, but are you testing it? And for the critical areas of work, how would, if your loan operating system goes down, what do you do? What's the plan? How do you, I guess it's just kick the computer and see if it starts working again kind of thing. But yeah, I would say making sure those plans are being tested and taking it a step further than just putting it down on paper.

Greg Pettersen (17:08):

So everything they said, but I would add, just going back to the basics as well, you'd be blown away how many companies don't have two-factor authentication, multi-factor authentication. So there's small incremental steps across the board, not only for your systems, but your vendor systems. They can implement, it's a pain loan officers or employees might kick and scream that X, Y and Z, it takes forever to log in, but these are imperative steps that are extremely critical to implement that are free and very easy. So things like that, password reset protocols, truncating and making sure people have limited access to need only info, so on and so forth. That way if one individual gets breached, then it's an isolated incident you could clean up very quickly, whatever it might be. But these are all different things to think about when we talk about going back to the basics and making sure you're resilient in addition to what everybody else said.

Lindsay Barbera (18:00):

Yeah, and infrastructure resilience. How quickly can you get back up? What's your turn time on if you are down, how strong are you and have you tested it? Not waiting till the bad thing's going to happen because it's going to happen. So are you testing it regularly to make sure that if this was to go wrong, what's our downtime? How quickly can we get back up and running and closing loans?

Randy Raw (18:20):

Something that we did we started doing this last year was to look at the incidents that happened on a regular basis. We shoot our own foot off daily. Somebody deploys something, it didn't go as planned or it had unintended consequences. So we're trying to use those as an example test case for our resilience. Okay, how do we roll back? What do we do wrong? How do we learn from that and use those individual, like I said, nearly daily, but for sure weekly issues that we have with something that was unintended. It was an unplanned resilience challenge for us. Let's document it and learn from it and get stronger and get better. As we look at experiences with regulators, that's what they want to see from us is how often have you tested your plan? Well, they don't want to see us shut off all the lights in a data center and see what happens when you turn 'em back on. That's really risky to try to do that, but what are you doing every day to document and identify weak spots and get better at that? And I think we miss those opportunities because to Greg's point, those are free. Those are free tests of our problems that we induce or create upon ourselves on a regular basis. So how are we learning from that?

John Levonick (19:36):

You guys give institutions way too much credit while obviously you're here, your respective institutions are well protected because they have you on staff. I conduct infrastructure reviews and assessments for clients, whether they're vendors and financial institutions. You would be amazed to see, to the point, bringing it back to the basics, an organization does not even have an inventory of the applications, the services, the third party, we'll call 'em subcontractors or third party services that persons within their organization use. They don't know where their consumer's data goes, they don't know where it resides. And I'm not talking about fractionalizing data and having it bounce between two co-location centers. I'm talking about, oh wait, we allow our LOs to use the CRM and the LOs store closed loan files in that CRM because it's the LO's relationship and that CRM is commutable with the organization doesn't even realize that NPI is walking out the door when they fire an LO. They don't understand that LOs are using calculators, web-based calculators. They're using web-based tools. The shadow infrastructure, shadow IT that means the use of an LO's use of a technology that's not overseen, understood or managed by the organization, which is used to receive non-public personal information to the consumer. Where does that data go? Does that data purge? Does it come back? Is it processed through? It really, really starts at the fact that these organizations really need to understand who they are, what they do, what they do, and most importantly how they're doing it.

Andrew Martinez (21:24):

Yeah, and actually I think you guys touched on some good points. One of the next questions going to ask is what are the cheapest and easiest ways that companies can really prepare? I think Greg, you started off with a good point about the two-factor authentication that it'd be one of the easier steps a company can take and I guess start with you this time. I was wondering, is that expensive to get an organization 2FA or maybe it's, or is there another thing that companies can do that's cheap, fast, easy if somebody's just really behind?

Greg Pettersen (21:53):

Pretty much every technology for the most part allows 2FA nowadays, multifactor authentication, all the Microsoft systems. So it's literally just clicking a button, enabling it for everybody. So no, that doesn't cost money. You would still be blown away. I get passwords that you're like, okay, you need to make a more secure password than that, or they try to use the password for everything. So different things like that are critical and free and it comes down to education and making sure your employees adhere to it.

Lindsay Barbera (22:23):

I mean, one thing that's free is, and that I don't think we do enough of is education and training of our people. Like Randy said, our employees are our frontline of defense, and so training them and making sure that they understand and that they are properly trained and have the information to not only to protect our company, but to protect their consumer data, to be able to then downstream that to the consumer to understand what to be on the lookout for. If you get unusual calls after you've started making sure you're uploading your information into a secure portal or using email encryption, if you train your frontline of defense, then they can then pass that knowledge onto their consumers, which therefore is kind of doubly advantageous.

Randy Raw (23:13):

I think there's a lot of places that we have built-in controls that Microsoft provides on the Windows side or Apple provides on the Mac side that we just simply don't, they're not sexy, they're not cool, they're not AI. Now there are beginning to be companies that are using gen AI to go out and look at your configurations to help us figure out how do we get more out of the free stuff that's there. Microsoft has a bunch of guidelines that talk about how to secure systems, but they also come down to something that John mentioned is in a different way, least privilege access. GLBA gives you some options if you're doing least privilege access for how you manage data. Most of us unfortunately, are in a most privileged access posture, especially as we go to cloud because typically it's a development team standing up something in the cloud and it doesn't work if you don't have all the permissions.

(24:08):

So everybody just gets all the permissions and before you know it, you've got a production system where everyone has all permissions to do whatever, and that doesn't take, that's not costly from a, you don't have to buy a product, you just have to implement least privileged access thought processes around, oh, well, you don't need access to all that. My team knows I don't have administrative access to anything anymore. I gave up all my admin accounts, I became a threat to the company with people either trying to phish me or people thinking that I had God-like access to things and I'm like, I just don't need it or want it. But we've got to think about that from a technician standpoint of how do we take ourselves out of that space where we are not the target anymore and minimize that attack surface, if you will.

John Levonick (24:59):

I always tell organizations the last thing they want to do is hire a lawyer to help them out. They're worried about the costs, the runaway costs, right? And your question was how do you do it in most affordable manner? Every infrastructure audit I do, and I am supported by CSO level consulting firm who comes in behind me and everything is done through privilege, so gives inherent protections. I find to Randy's point earlier, we find so much unnecessary spend. If you have questions as to your cybersecurity footprint, that means you do not have capable IT people on staff, which most likely means that you're overspending on IT and infrastructure. And the joke always is you can cover the costs of the audit and the assessment through the cost that we can identify as part of this process that you don't need. We could save you a hundred thousand dollars, but we're only going to charge you 25 cents on the dollar to get there. And it's a way to spend money, not necessarily spend money that you're already spending. It's not additional spend. You're saving money, you're getting better information on who you are and how you do things. And from that you can right size your IT stack, you can then assess what you need to do to get better. I would say three out of five reviews, the client ends up saving money after this whole process is done and completed.

Andrew Martinez (26:37):

Yeah, that's good stuff. And I think we are coming closer to time, so I just wanted to ask a few last questions here, but I am interested in maybe some of the topics in cybersecurity. You guys hit on some good ones today, but stuff that really kind of goes under the radar, maybe the stuff that doesn't make the headlines, the stuff that doesn't get reported on, maybe the stuff that only the cybersecurity experts know. I'm curious, Greg, I'll start with you. Is there a cybersecurity issue or topic I guess in this case concerning mortgage companies that you think everyone here should think about?

Greg Pettersen (27:11):

When we look at client data, I just got an email the other day from Google. They're like, Hey, your password might be compromised. You should change X, Y and Z. We saw the SSN, social security number breaches that just came out. So I think we all have to assume that all of our data is already out there, and so what can we do to then protect as much as we can? And to your point, a lot of it comes down to consumer education too, so really helping our consumers as much as possible, whether it's freezing their credit, we already assume that their data's out there, so how can we help them from a business standpoint, whether it's through educating them as well, freezing your credit monitoring, so on and so forth. There's a lot of opportunity that's out there in the atmosphere. And could you repeat your question to make sure I'm on track as well?

Andrew Martinez (28:02):

Oh yeah, no, you're good. Just really what are the kind of unknowns, the unspoken to the, I guess the hidden threats.

Greg Pettersen (28:09):

Yeah. And in addition to that, I would say that the CrowdStrike breach really was a wake up call I think for everybody. And I like to break it down to when you go on LinkedIn, you have your first connections and you have your second degree connections, third degree connections. And what we didn't realize we're so sorry. We're so focused as a mortgage company on our vendors and our first degrees that have inroads, but then what about who they're using and then who they're using? And it's like where does the puck stop at that point? So that was a big wake up call for us as far as that question

Andrew Martinez (28:44):

For sure.

Lindsay Barbera (28:46):

I would say one of the things that we've noticed that goes kind of unreported I guess, is when a breach does occur from a vendor standpoint, the cost to the lender, everybody wants to talk about the cost that it's going to have to CrowdStrike or to, I don't know, let me just say Optimal, whatever, somebody works for Optimal Blue out here. I'm sorry, it was the first thing that came to mind, but to a vendor, the cost that it's going to for them, but when you're a lender user of that vendor, the cost that the lender now incurs, whether it's having to hire counsel, whether it's reputational risk, is it your cyber liability, your policy coverage? I mean, from that standpoint, an underwriter could then start looking at the industry as risky as a whole, increase the cost of your cyber liability coverage. If you have to file a claim, the cost of your policy is going to increase. So really starting the conversation about the downstream costs that come from a vendor breach or a breach of any type of third party relationship and the users of that and that people think that it's only rare is that a fire drill? We having a fire drill

(30:16):

Can't understand

Andrew Martinez (30:18):

If

Lindsay Barbera (30:18):

There's an emergency. Nobody heard that

Andrew Martinez (30:21):

Good.

Lindsay Barbera (30:22):

But anyways, from that standpoint, it is really just, I don't think anybody talks about the cost that a lender user faces when something like that happens.

Randy Raw (30:32):

We had an experience up close and personal with a vendor that had a problem, had our data, and the least expensive thing for us was the data breach. The most expensive thing was explaining to Ginnie Mae why we didn't know how much money we owed investors. Not a good place to be. And so what we learned from that was we've got to think instead of just from a cyber standpoint, we've got to think bigger about what we do impacts the business. And it was interesting when I went back to my team and they're like, so how much is this going to cost us in cyber liability? I'm like, zero. The contract already said if they lose our data, they have to pay. They have to alert the regulators. We also alerted regulators, but there were other far reaching negative business impacts that we didn't think about way beyond data breach.

(31:27):

That was the easiest part, and it was a real eye-opener to all of us of, okay, yeah, while we thought that was the bad part that that would be our bad day, that wasn't really our bad day. We are still trying to figure out how, because regulators just wrote in the letter, we realize you've outsourced this function, you're still accountable. What are you going to do about it? To John's point, how are you going to manage that vendor differently? How are you going to have data that you can reconcile your records differently? And that was just a total eyeopener for us. In addition, so many cyber people like to put on the Superman cape until they get really fatigued and they just keep going to bed with the weight of the company on their shoulders. Stop doing that. Go talk to people and say, Hey, I think your system is an issue.

(32:21):

Let's talk about that and let's talk about that in business risk terms. Let's talk about that in how are we going to mitigate that? Or are we okay with accepting that level of risk? And if we are, let's accept it, move on, document it, come back and revisit it in a year. Has that risk changed? If not, then we're going to continue to accept that risk. Again, not Fort Knox, not protecting stealth bomber plans. How do we help the business? I try regularly to have my team. We want to be the department of no, but it's not N-O, it's K-N-O-W. How is it that you're trying to do something that I can enable what you're trying to do more securely, and if you bring us in on the early part of it, 0.01 degree change means nothing. You get out about a mile and a half and now I got to make a one or two degree change. That's a problem. So involving those security teams early to just get a look at what is it you're trying to do really is helpful and we just don't do that enough. Agree.

John Levonick (33:29):

I really want to build on what Lindsay talked about is the cost. If you're a financial institution, your license or charter is at risk, you're subject to enormous regulatory penalties in the event of something going bad. Are you a public company? You're subject to shareholder lawsuits for not meeting baseline standards. If you're a venture capital backed firm, your venture back might walk away, draw down or force action on your company because the liability associated with your organization is too high. Cyber insurance is one of those things that we really haven't talked about today. Don't presume anybody can get it. The cyber insurance industry is undergoing such immense cost drawdowns right now. They have no choice but to tighten the underwriting standards on whom and under what circumstances and at what cost. That gives cyber insurance to financial organizations. If you're a financial organization, sure you need it for various reasons.

(34:38):

If you're a vendor, you have contractual reasons to need it to support your clients. But remember, the sophistication of insurers is growing. They are conducting examinations and audits of or going to be of your infrastructure. When your policy comes up for renewal, don't think it's just going to auto-renew, come in, look at it and say, whoa, wait. There's a lot of risk here. We're not offering an extension of the policy or here's, here's a new policy, but it just happens to be five times the cost that it was last year. The lack of cost predictability, the potential loss of cyber insurance could be catastrophic for a financial institution. When you're talking about the potential for attorneys general filing civil lawsuits against organizations for broad brush stroke failures, the cost, when you have hundreds of thousands of consumer records per consumer record, the cost for credit monitoring alone could impair an organization, and if you don't have an insurance policy to draw it down from, that risk alone could bring your liability to a negative number. Then you violate all the corporate covenants in your organizations. I know I'm talking about a lot of strange things, but at the end of the day, cybersecurity is the single riskiest driver to financial organizations and their vendors today because of the waterfall impact it has on every aspect of not only their ability to conduct business going forward, but their ability to exist going forward.

Andrew Martinez (36:03):

Yeah, I think that was a great way to close it. Unfortunately, we're out of time right now, but yeah, sorry to leave everyone hanging. We'll have to do a longer panel next year, but appreciate the insights today, guys, and yeah, stay tuned. I think right now we're heading into a break. We have demos coming up after that in the other room, so I hope to see you guys there. Thank you.

Lindsay Barbera (36:19):

Thank you.