
Tune in as we’re joined by industry leaders from BCU, BillGo, and Centier Bank that share their unique perspective and insight on the future of the financial industry. Hosted by Meghan Maneval, panelists Stephenie Southard, Steve Gasiamis, and Donal...
A
Welcome everyone to this very special episode of GRC and Me, coming live from Chicago at the Agility Conference. I'm Megan Maneval, your host, and I'm joined here by three special guests. First, I'd like to welcome Steph Southard, the Chief Security Officer at BCU, who brings a wealth of experience in financial services, cybersecurity, and of course, the Risk Cloud platform. Thanks for being back again, Steph.
B
Thank you, Megan.
A
Next up is the Chief Risk Officer from Centier Bank, Donald Rome. Donald brings a wealth of traditional banking knowledge and some special tips on how to not be surprised in your GRC programs. Next up is Steve Gasiamis, the Vice President of Information Security at BillGo. And I'm really excited to hear your perspective on trends from a non-traditional financial standpoint. We're going to go ahead and get started with our Myth Busters section. And Steve, we're going to start with you. So myth or fact, AI will eventually eliminate human error in risk management.
C
I'm going to go with myth what? And the reason for that is with our industry that we're all in, you cannot eliminate risk, so you can mitigate it as much as possible. But at the end of the day, you have to measure this technology just like with any other new technology that comes out. And fortunately, you still need some human interaction with this technology. Eventually. Everyone's worried about AI. Me personally, I'm worried about AI, of what that does look like for the future and how that is going to impact the human race and what that's going to look like. As anyone has alluded to ever seen the movie in 1984 called The Terminator, there is a lot of animosity out there. There's a lot of unknowns, anxiety to what the technology is going to bring to the future, how that is going to directly impact the industry and what we're doing every single day. It is definitely in my business and my company. It's the latest buzzword basically, for our industry, for my company, on meetings, things of that nature. If we're not hearing AI every single day, there is something that's not being. Not being discussed, but it is definitely a huge, like, director of, of where we're headed for the future. The biggest thing that I'm trying to do literally right now is I'm trying to police all of our AI technologies, like introducing it to the environments. What is safe, what is not. How is this going to be a direct impact? How is it going to be useful and helpful for our companies? I mean, the biggest thing, the biggest driver for us in AI is obviously do more with less. And we've been hearing that throughout our entire lives. Do more with less. And this time, and where we're headed in the future, our company, it's where we're at right now. So we're trying to measure, like, where we need to put that in our technologies and where we're going to get the most bang for our buck is really what it comes down to.
A
Yeah, yeah. So not eliminating human error, but augmenting it, trying to reduce. Find those efficiencies.
C
Correct.
A
All right, Steph, this one's for you. Avoiding AI will protect your business from hackers.
B
That one's totally a myth. Right. You can run from it, you can avoid it all you want, but it's going to sneak right up on you. So it's everywhere. It's probably already in your organizations, it's probably already being utilized by your third parties. Your best bet is to go ahead and figure out an adoption plan, making sure you have clear guidelines, making sure you have guardrails. And you're always analyzing and understanding not only the risk, but how is it working within your organization for value, because you need to understand the true value that it brings. And then you can put in place all of your guidelines, your guardrails, and all of your controls behind it.
A
Okay, makes sense. So we can't avoid it, but we have to do some proactive steps to protect ourselves, correct? All right, that makes sense. All right, Donald, this one has to be a myth. So the trend towards deregulation is no big deal and you're feeling totally relaxed about it, right?
D
Well, I'm going to have to agree with the fellow panelists here and say that that would also be a myth. As with all things, there are both sides of that. So obviously we are in a highly regulated business and regulations tend to with administrations or time either be more strict on the swing of the pendulum or less. We're clearly in a phase of deregulation right now. In fact, the escalation of this deregulation is. Has been near shocking and just the speed and what has come out of it. But not all deregulation or the timing of that is good. Clearly, you know, from many perspective, the enforcement actions of some of the agencies, well, they were really pronounced. Right. I don't want to say that they were necessarily extreme, but they were very pronounced. They were very headline grabbing. And so, you know, trying to get used to that and what does that look like. But then the possible certainly slimming down of different agencies, some have even talked about the elimination of agencies. You know, there is certainly a place for regulation. We do need some of that. And so like with everything there will be opportunities with some of the deregulation and we're also going to have to continue to manage the risk and what could come out of a deregulated environment.
A
Yeah, yeah, that's a really great point. And I think you're right in the sense that really shifting towards what's the impact there? And so that brings us to our first question actually is what do you think some of the regulatory trends or changes are going to be that'll have the biggest impact? And we'll start with fintech. So starting with you, I'm sorry, starting with you Steve, with FinTech, what do you think some of those regulations, how will they impact you, sir? Or regulations and deregulations? Excuse me.
C
I think it really depends on where the fintech and what industry the fintech is in. So obviously if you're talking in the financial industry, there is direct impact, especially if you are regulated or examined by one of the governing bodies. In my situation right now I have to deal with state regulations, state regulators and examiners. I do have to say though, from the AI side of the house, the technology, there's not been a lot of drive asking for what is our AI footprint and what are we looking at right now. It's not to say that it's not what you guys are seeing in the banking world right now, but there hasn't been a big driver just yet. Where I have been seeing it though is the third party relationships that I'm having with my vendors, the client contracts that I have to maintain. There's a lot more appendices under AI and so I am actually pivoting more in that area right now. Not so much on the regulation side of the house, but on the contractual, my contractual obligations. And that is kind of driving us to get to a more mature AI type program and an AI infrastructure I guess you want to say. But I definitely, I think my biggest thing that I see right now is it's such, even though it's a new technology, but it's not a new technology. AI has been out for a long time. It's just trying to, just trying to caress it and understand it and, and put some guardrails around it. And I think that's where we are at right now. Like I'm maturing my AI program daily and I'm trying to find what is that common balance between, you know, people need to Use it, but yet you still need to protect that set information. And that's the biggest key that I have right now is the driving factors are more like the contracts of how do I protect your data? Are we going to use your data and data modeling and things of that nature for analytical type items? So that's where I'm at today.
A
Interesting. And I see you nodding along, Steph. Now, do you see similar trends impacting on the credit union side or what's your perspective on this?
B
Absolutely. So. Right. It's just a little bit different flavor, but it's a lot of the same regulation and a lot of the same controls around our third parties and our regulators really trying to understand exactly what we as a whole should be doing with it. And that's where it kind of leaves us determining what we're doing in between that. We do put a lot of pressure behind our third parties because we've seen in the past that's where a lot of our incidents and breaches end up happening. And not only are we trying to control within our own walls, but now it's that third and fourth parties that we now have to figure out how we can manage that impact. So we do a lot of that. And it also is formulating what we think are best practices in a new world of living in. So all of that combined with the budget, the needs of what the board wants, and also how are we really making sure we're protecting ourselves with all the new privacy laws that are now coming into place is where we find we have that struggle. But we definitely know we have to come on the other side of it instead of being behind it and catching up.
A
Yeah, that's a good point. I think it's interesting to hear both. You know, I'll ask you in a moment. Donald as well is really kind of learning from the past of we can't wait, you know, we need to jump in. And Donald, are you seeing something similar as well on your side and specifically with some of the business leaders, how are they feeling about deregulation, regulation and some of these trends coming in?
D
Yeah, no, certainly everything that you guys are saying would agree with that. We're seeing that. I think from a business leader standpoint, there's going to be opportunity with deregulation and there is going to be some of the things may quicken in pace and some of the things that we know of have pulled back. So some of the regulation that we thought were going to be rolling out in the next couple years, we know that they are going to be slowed. So 1033, 1071, those have slowed down some and how they're going to impact us CRA modernization, for example. But on the deregulation side, acquisition, the space for acquisition and the time to be able to be acquisitive, there should be additional opportunity there. Now, clearly we're in a really dynamic environment right now. So markets are adjusting, administration's adjusting, we have the deregulatory environment. But circling back to what these guys say, the governance and good risk practices make good business practices. And so we can't just throw the risk practices out or any of the regulatory pieces. We need to self regulate and keep ourselves in check. Because at the end of the day, if we take on too much risk, we will pay for that later. And if we don't take on any risk or take advantage of the environment that we're in, then we may not get the returns that we want.
A
I like how you said that. That's actually a great segue. And I don't know if you knew that this was my next question. But talking about the risk with some of these digitalization and the new emerging tech, going beyond AI, things like blockchain, cryptocurrency and things like that, how are you seeing some of your traditional risk and GRC programs? And I'll start with you, Donald, you know, how are you seeing those adjust to some of these new technologies, these new threats, these new risks?
D
Well, fundamentally they shouldn't be. Okay, so clearly we're changing to the way that we're monitoring or mitigating the risk. But good risk practices, we should be identifying these things. We should be identifying them as they're coming, as they're emerging. However, I would say the pace that changes are happening, the pace that these things are coming into the environment, the impacts that they have on us from a competitive standpoint, from a revenue standpoint, are immense. It really is. Is the program sophisticated? Is it mature enough? Does it have the backing? Is there a strong enough culture that you can move at the pace that these things are coming in? Right, because they're not going to stop. And fundamentally, banks really, if you break it down, only do a couple of things. It's access to capital markets, it's movement of money. So as different things are going to come in for movement of money, we have to be able to respond and compete and also know that our clients are going to be using those verticals. We will probably be using some of those verticals. And how do we manage both that risk as a consumer and also defending the traditional space.
A
Yeah. Interesting. Steph, I'm curious, are you seeing similar things on the credit union side and what challenges might you be? Are you seeing that you can share about balancing that. Right. Balancing that security with compliance and innovation?
B
Yeah, absolutely. Right. A lot of the same things. It absolutely is determining what those emerging risks are and how we've been monitoring those going forward. We started calling AI an emerging risk about two years ago and quickly learned we. Well, it's already building a lot of our system, so is it truly emerging or are we late? So we had to kind of figure that out and then quickly jump into, how does that work with compliance, how does that work with regulation? And AI has made phishing scams or phishing emails so much more sophisticated. We can no longer tell them, look for the misspelled word, you know, look for this, look for that. Because it's come such a long way. But now we have deep fakes and now we have. You're able to clone voices or clone phone numbers. And it's becoming harder and harder for us not only to defend internally, but back to our members. They're seeing more fraud on their side. Right. So, yes, it becomes a struggle of how do we continue to fight the fight, but also kind of get ahead of it and figure out ways where can we be more proactive than reactive? And that's kind of where we fall into that. This is a high risk for us.
A
Yeah, yeah. And I like how you mentioned that too. It's. I think people started maybe paying attention, if you will, a couple years ago, but you go back and you think about some, some of the systems that we've used that already have it embedded there. And Steve, are you seeing kind of similar things on your side? I'm particularly interested in sort of like the, you know, the digital banking and what you see on the fintech side, obviously, has always been a little bit more, I think, cutting edge, if you will. What challenges are you seeing or trends that might be a little bit different?
C
I think the biggest thing that we're seeing right now is using AI to fight AI. Oh. So that is the biggest thing that I am concentrating on right now is the security tools that are out there or the advanced AI technologies that they have to help discover the deep fakes, the advanced phishing mechanisms that are out there today. So that's one of my biggest drivers right now, is truly trying to find that technology or the existing technologies that I have in my tool chest. How can I use that to fight the emerging threats and cyber, you know, the cyber type of attacks that we have going on on a daily basis. So that is one of our biggest items right now. And then getting back to kind of like the crypto and the blockchain, fortunately or unfortunately, however you want to look at this, the Fintech, the company that I work for right now, we actually have a partnership with our correspondent banks or sponsored banks. So it's, it's really a mutual type of relationship of, hey, do we take on crypto? Do we not take on crypto? And the banks that we're working with right now, they're kind of sitting on the sideline when it comes to crypto technologies and trying to get that into their environments now is that I don't know what that is to their, you know, what their idea is and their roadmaps, but realistically, we work with them and if they say no crypto, we're kind of of them. I would imagine. My leadership probably wants us to dabble a little bit in the crypto industry. But as of right now, we're kind of sitting on the sidelines. But I'm sure there will be some form of AI technology that will help us get that in the future. But, yeah, I mean, that's the biggest thing. It's just making sure we have enough coverage. 
And another big thing that I'm going through right now is a lot of overlapping technologies that I have in my environment and trying to figure out what is redundant, what can I get rid of, where can I get some cost savings, where can I get that AI technology to help us, one, protect us, but two, also save us some expenses. And I know my CFO would be loving me saying this right now, but, yeah, that's, that's the delicate game that I am playing right now is making sure that I can use this technology to fight the technology. Like with quantum computing, quantum memory. I mean, there's a number of items out there now that I have to take a look at, and how do I use that to our advantage? You're always playing catch up. In this role that we are in, we're always playing catch up. And we'll never, ever get a. Like, we always try, but we will never, ever get to what they're doing against us because they're learning something new every day. They have countries fighting us every single day. And we are just individual companies trying to protect their assets. And that's where we're at.
B
Fighting the good fight.
C
Yeah.
B
And how can we do it together is definitely one of those things we all have in common.
C
Yep.
A
And I love that, I think so often when we talk about security and risk management, companies try to keep it a little bit close to the shelf. And it's like we're all vulnerable. Like, stop pretending. But I always joke, too, that the hackers don't have to test it in a sandbox and go through change management. Right. It takes us a little while to react sometimes.
C
And I hate to say it, but technically what we try to accomplish, at least what I do is, hey, have enough to make that hacker go down the street, annoy them. But that's, I mean, that is also the difference. Right. We are kind of like an individual type of organization to try to block that. You are definitely going up against countries that are well organized and they know exactly what they're looking for. They know exactly how they're going to get in. And that's what we. Like you said, fighting a good fight every single day.
A
Thanks so much. That's really interesting, too. And you've given us a lot of advice as we've been here, but as we wrap up, I want to focus in a little bit on that then the use of artificial intelligence and like I said, to fight the risk of artificial intelligence. So for folks at home watching, and I'll start with Steph, and we'll go down the line, how can financial institutions really balance that AI innovation? And what advice do you have for folks at home who want to start using it?
B
Yeah, definitely. Advice starts with come together as a collaborative committee or organization that says, here's what we feel the value is of bringing AI into it. And as we were talking about earlier, that's when you figure out what your guidelines are, what your guardrails are, what your regulation says about it, and all of the types of information that you think would be involved in AI. We strictly say, stay away from PII. If it's something we would not want to share, then why would we want to be having a machine share it for us? Right. Is a key way of looking at it. And that was a very hard exercise because we learned that people couldn't really identify all the types of information that they wanted to throw at AI. And it took us a long time to simmer down our list to say, here's where we're going to start with. I also think it comes with a lot of checks and balances, because what you're doing today or something that a service you're getting from a vendor may change, and that may change how you're interacting with AI and your data or your information so always stay on top of that ever changing emerging risk, as you call it, because it can one day come up and bite you very quickly. Right. So learn it, know it, and then slowly implement it into your fostering environment.
A
That's great advice, Donald.
D
I would echo a lot of that. I think that it starts with governance. Understand. Get an understanding of it and an understanding of what is in and out of bounds for your organization, the way that you want to use it. Make sure that that's clearly communicated and then make the determination, how do we want to use this and does that fit the way that we want to govern? And if it doesn't, then you need to kind of go back to that because if you don't have the governance in the first place, it's going to be impossible to catch up and the use case will already get well ahead of you. And so there are so many different use cases that we can use it for. But what fits us? What's the right type of information? What problem are we trying to solve? What efficiencies are we trying to gain? And then with the right governed platform, you can move forward.
A
Yeah. And not doing AI for the sake of AI. Right. It has to have a reason there.
D
Yeah, More than, you know, obviously there's a ton of efficiency plays, but it's got to be something more than that.
A
Yeah, great.
C
Yeah. Again, echo everything you guys are saying. I mean, the biggest thing that we're always looking at is protection of the data. And a lot of my contracts are now written to protect that data. So if someone were to come and say, hey, I need to use this set of data or this set of information for this AI modeling tool that I want to try to introduce to the company to better improve our functionality, that's the very first thing that you have to take a look at is at the end of the day, that is the crown jewels. That is what you're trying to protect. So that's basically our baseline. It says, hey, how are you going to protect this set of information if you're going to use it? So the other big thing that I'm waiting for, which I would imagine it's going to take a little time, but like for instance, we're PCI DSS certified, we carry a SOC 2 Type 2 with the AICPA, I am still waiting for them to like the OCC or the NCUA to start introducing some of the NIST type of AI practices and frameworks that are out there into their annual audits and examinations. So once I see what that looks like then I can also then help tailor our frameworks and our governance and our programs to kind of make sure that we meet, that the underlying element is this. Any. The security that you're doing today is the same security that hasn't changed over the many, many years in our industry. We're just modifying it, we're just, at the end of the day, it still comes back down to the protection of the information that you're housing. So how do I just make sure I morph those controls into all the emerging technologies that are coming out at a fast pace to us? And that to me, that's the key. Security to me always bleeds compliance. If you're doing good security, the compliance is just the icing on the cake. And that's how I've lived my entire career. And the fintech banking industry is good security bleeds good compliance.
A
Compliance becomes a byproduct of good risk management and good security. And I think I'll double down on that. My advice on this is really to, as you mentioned, follow the data, look at what's out there, but look at all the nuances of AI systems. I think sometimes folks think about, you know, the concepts are the same, but you might have to go a little deeper with those controls. You know, the data moves differently. There's more opportunity for risk and threats to materialize in there. So being more aware of those things in our environment. Well, let's talk a little bit about Risk Cloud for a moment. So I joined in July last year and was really, really impressed with the connectivity of some of the modules. And right around that time, LogicGate launched the AI governance solution. You've had some experience with that, right? Steph, can you tell us a little bit?
B
Absolutely. Sorry to cut you off because I'm so excited to actually get it implemented. Just as Steve was talking about with NIST and the NCUA, we were looking for a tool, a software that could actually come in and help us manage that. And that's when we learned about Risk Cloud's AI Governance module. And we're so excited to be able to put that in place so we don't have to have our hands around all of the different steps in the process. It can actually just be flowed through the committee. Everyone's available, or everyone's going to be available to upload their thoughts or their wishes within the AI and then we'll run it through the governance module that will be able to decide if it's got that value, approve it, and then we'll have it on record for our regulators when they come in. So we are super excited. Have been looking for that tool since we started discussing how we're going to manage the whole governance of AI and more to come. Come back and ask me again.
A
I will. The AI model use case workflow really tailorable to what you were just saying as well. Different stakeholders, different people have to review, maybe re-review things like that. And then baking and control assessments. Right. As part of that. Absolutely.
B
Yep.
A
Great. Well, thank you everyone for joining us today. And for those of you at home for joining us in Chicago. These were some great, interesting trends about cyber risk and governance in cybersecurity. Join us next time on this episode of GRC and Me.
Episode: 2025 Financial Industries and Banking Trends
Date: April 30, 2025
Host: Megan Maneval (hosting live at the Agility Conference, Chicago)
Guests:
This episode explores key governance, risk, and compliance (GRC) trends facing financial industries and banking in 2025, with a strong focus on AI, regulatory shifts, cybersecurity threats, and the evolving role of risk management teams. Panelists from traditional banking, credit unions, and fintech share hands-on insights into today’s challenges and future opportunities in protecting data and organizational integrity.
[00:30 – 04:38]
AI Will Eliminate Human Error in Risk Management — Myth:
Avoiding AI Protects Against Hackers — Myth:
Deregulation is No Big Deal — Myth:
The tone throughout is open, realistic, and pragmatic—balancing optimism for innovation with sober assessments of risk. The panelists emphasize collaboration, the need for proactive governance, and the value of sharing intelligence across the financial sector. Their candor about persistent threats (“fighting the good fight”), along with practical advice and references to industry-leading tools, make this an invaluable listen for financial services GRC professionals looking ahead to 2025 and beyond.