League of Southeastern Credit Unions & Affiliates
Director’s Resource League of Southeastern Credit Unions
July 2014 | Vol. 5 Issue No. 2
President’s Message
One of the hottest topics among credit unions this quarter has been the NCUA’s risk-based capital proposal. The League hit the road in April and May to educate and inform credit unions about the proposal as well as provide ideas on writing a comment letter. We held 12 meetings with great discussion in each one. Credit unions, system partners, and lawmakers sent more than 2,000 comment letters to the NCUA. This was a record number of comment letters and a great start. However, we have more work to do.
This summer’s NCUA Listening Sessions are vital toward getting change to the proposal. This will be the first opportunity for credit unions to talk directly to the NCUA. The League will attend the Chicago and Alexandria, VA, sessions. Another factor in the future of the proposal is the confirmation of Mark McWatters to the board. He replaces Mike Fryzel. We all need to educate him on our thoughts about the proposed rule and the changes that need to be made. He says he’s committed to looking at it closely.
By the end of July we should see if we can get much-needed changes to the proposed rule. Thank you to all who wrote a comment letter. I want you to know the League is continuing to push for changes, and we will do everything possible to make sure the NCUA listens to credit unions.
The Board’s Role in Overseeing Cybersecurity Risk
The risk of cyberattacks can directly affect both operations and the broader brand or reputation of a company, often resulting in significant financial repercussions. According to Risk Intelligent Governance in the Age of Cyber Threats, a 2012 Deloitte publication, the median annualized cybercrime-related cost in 2011 was $5.9 million, which was a 56 percent increase over the prior year.
A primary responsibility of the board is to provide risk oversight, and the audit committee is often delegated the task of overseeing the risk programs and policies, including cybersecurity. The trend has been for other committees to be delegated the task of overseeing risks associated with their areas of expertise. For example, risks to the compensation plan might be overseen by the compensation committee. Ultimately, however, the full board is accountable for risk oversight.
In many instances, the committees are delegated the oversight of risk; however, the full board also discusses and continually monitors the most material risks and those to which the company is most vulnerable (i.e., where no controls exist to mitigate the risk). When addressed, cybersecurity is typically on the short list of risks and is discussed at the full board level rather than left solely with a committee.
Save the Date
• Southeast Regional Director’s Conference: July 13-16 (Sunday - Wednesday), Savannah, GA
• Southeast Supervisory Committee Conference: Aug. 3-6 (Sunday - Wednesday), Point Clear, AL
• Southeast Leadership Development Conference: Nov. 4-7 (Tuesday - Friday), Destin, FL
Cybersecurity is a significant risk that can have a material impact. At least annually, boards should proactively ask questions of management, champion education and awareness programs company-wide, and treat risk as a priority. As cybersecurity issues increase and become more visible, boards may decide to take an active role in understanding the risks associated with those issues.
Many boards hear from the chief information officer, chief technology officer, or others who are tasked with monitoring cyberrisks. In addition, some company boards are engaging third-party specialists to speak with them about the risk, how to mitigate it, and signs that may signal a breach. The full board should take the necessary actions to stay informed on management’s risk practices so it can effectively oversee cybersecurity.
Robert Mueller, director of the Federal Bureau of Investigation, said cyberthreats will eventually equal or eclipse the terrorist threat. “There are only two types of companies—those that have been hacked and those that will be,” Mueller said, adding that boards should ask themselves what type of company they are and what are they doing about it.
Boards may consider asking themselves questions such as the following related to cybersecurity awareness:
• Is there someone on the board who serves as an IT expert and understands cyberrisks?
• Does the company have cyberinsurance?
• Is there a committee assigned to address cybersecurity?
• Does the company have a chief security officer who reports outside of the IT organization?
• Is social media a concern for the company?
• Do the outsourced providers and contractors have controls and policies in place and do they align with the company’s expectations?
• Is there an annual company-wide education or awareness campaign established around cybersecurity?
Increasingly, cybersecurity is becoming a top-of-mind issue for most boards, and directors are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprise-wide risk management issue and not limiting it to an IT concern. The board plays a fundamental role in understanding the risks associated with cybersecurity and confirming preventative and detective controls are in place.
Source: Deloitte Insights
Advocacy Wins in Alabama and Florida
Alabama and Florida credit unions saw significant victories during the 2014 legislative sessions. In Alabama, the update to the Alabama Credit Union Act (HB 165) was signed by the governor in April, and a ceremonial signing was done in June with credit unions in attendance. This was the first stand-alone credit union legislation passed in Alabama in more than 20 years.
The Alabama Legislature also passed Patent Troll legislation (SB 121) with which the League helped. Gov. Robert Bentley signed this legislation into law in April. This legislation prohibits a person from asserting a patent claim in bad faith, allows the attorney general to investigate bad faith claims, and allows targets of patent trolling to file suit in civil court for damages.
In Tallahassee, working with OFR and others, the League was instrumental in the passage of SB 1012 that updated Florida’s financial institution codes. Included were updates to the Florida Credit Union Act such as provisions that clarify to local governments that OFR, not cities and counties, holds regulatory authority over the banking practices of financial institutions.
Data breach was a hot topic, and the Florida Legislature passed a bill that was a good start. SB 1524 had some issues to work out such as reporting requirements and over-regulation issues. Most were worked through during the final passage, a testament to the hard work put in by the League and others to ensure that consumers would have protection without harming our credit unions. The bill was signed into law by Gov. Rick Scott on June 20 with an effective date of July 1. Additionally, discussions were held about requiring retailers to reimburse financial institutions when a data breach occurs, though no legislation was filed.
If you have legislation you want the League to consider for 2015, contact LSCU SVP of Association Services Jared Ross at 866.231.0545 ext. 1012. For more information on advocacy, visit www.lscuactioncenter.com.
June NCUA Report Now Available
Get the latest on NCUA Board actions and key issues credit union directors and management need to know.
Five Things the Board Can Do to Lead with Accountability and Transparency
1. Review & Share Organizational Financials: Providing financial oversight is one of the board’s primary responsibilities. It is critical that each individual board member thoroughly review the financials that are provided to the board and ask questions if there is something he or she does not understand.
2. Conduct an Annual Assessment of Your CEO: Conducting a formal, annual review is critical to confirming that the board and CEO are on the same page about the goals and priorities for the next year and ensures that the CEO receives constructive feedback about his or her performance.
3. Regularly Assess Your Board’s Performance: Self-assessment is a critical step in strengthening a board’s own performance, and a powerful signal that the board is committed to effective and accountable leadership.
4. Address Issues Head On: Make sure that your organization demonstrates a commitment to identifying and addressing potential issues. A commitment to handling conflicts of interest is essential to creating an organizational culture of transparency. Make sure that you have a written whistleblower policy, and that all of your employees know how to activate it.
5. Lead with Authenticity: Your board’s actions reflect on your organization and its ideals. Your board’s composition, policies and practices should reflect your organization’s ideals as they relate to diversity and inclusivity.
Source: GuideStar
Directors Spotlight from the 2014 Southeast Credit Union Conference & Expo (SCUCE)
2014 LSCU Volunteer of the Year
Alabama Credit Union Director Lynne April was awarded the 2014 LSCU Volunteer of the Year award. She was recognized for her 27 years serving the credit union. In addition to her service, April was also instrumental in the formation of Alabama Credit Union’s national award-winning Secret Meals for Hungry Children program.
Director’s Roundtable
The SCUCE featured sessions exclusively for directors. The Director’s Roundtable was facilitated by Dr. Jerry Osteryoung, chairman of First Commerce CU. It provided directors an opportunity to talk about issues that mattered most to them.
John Scott, 121 Financial CU
Southeast Supervisory Committee Conference
The Southeast Supervisory Committee Conference, formerly the LSCU & Affiliates Supervisory Committee Conference, is right around the corner, Aug. 3 - Aug. 6, at the Grand Hotel Marriott Resort, Golf Club & Spa. Be sure to attend this conference designed especially for directors with sessions on credit union auditing, compliance, and fraud.
121 Financial CU Director John Scott won a round of golf for four at the Ritz Carlton Golf Course during the SCUCE in Orlando.
To receive the latest news from the LSCU, CUNA, and the NCUA, sign up for the League’s weekly newsletter, eSignal, at www.lscu.coop. To subscribe to the Director’s Resource Newsletter, email submissions@lscu.coop.