A fall reunion at Airlie House, Warrenton, VA.
An Old Tale, Updated for Credit Unions
Down On The Farm…?
(by Jim Blaine)
George Orwell masterfully described the erosion of values and the rise of exploitation in his classic novel Animal Farm. The book written in 1945 is a satire of the decline in the Russian Revolution from idealism to the overlord State of Stalinism. To Orwell, what the Revolution had become in post-WWII Russia bore little resemblance to the high hopes of 1917.
In case you’ve forgotten the plot; in Animal Farm the slothful, tyrannical human proprietor of Manor Farm is overthrown by his much abused and neglected farm animals. The revolutionary animals quickly come to realize that when united in cooperative effort, they are quite capable of sensibly managing the farm and their own affairs.
Each animal, by nature and design, has different capabilities and unique qualities. Separately they are weak. But, cooperatively, working together; the united effort becomes far greater than the sum of the individual parts. Each animal contributes in full measure, in its own special way, to the overall success of the enterprise.
The cows and chickens provide milk and eggs for food. The sheep provide wool for cloth; the dogs provide protection; and the horses provide strength for plowing. The pigs, who seem to be the brightest, provide direction and management (surprise, surprise!).
Every civilized society, every social movement, every cooperative effort needs and creates a set of guiding principles – a social compact, a credo, a charter which explains shared beliefs and values. The animals of Animal Farm were no different. They carefully crafted rules for their new social order and painted them on the side of a barn for all to see.
ORIGINAL PRINCIPLES:
1. Whatever goes upon two legs is an enemy.
2. Whatever goes upon four legs, or has wings, is a friend.
3. No animal shall wear clothes.
4. No animal shall sleep in a bed.
5. No animal shall drink alcohol.
6. No animal shall kill any other animal.
7. All animals are equal.
Over time, several incidents occurred which seemed to be out of keeping with those original purposes. The pigs were found sleeping in the former owner’s bed; alcohol reappeared at social gatherings of the pigs; an animal who complained about the changing values was killed; and the pigs seemed to be working less and consuming more than their fair share.
When the animals returned to the barn to review their original principles; they found, much to their surprise, that those principles somehow had evolved into something a bit different!
“EVOLVING” PRINCIPLES:
1. Whatever goes upon two legs is an enemy.
2. Whatever goes upon four legs, or has wings, is a friend.
3. No animal shall wear clothes.
4. No animal shall sleep in a bed with sheets.
5. No animal shall drink alcohol to excess.
6. No animal shall kill any other animal without cause.
7. All animals are equal, but some animals are more equal than others.
The pigs, however, were always there to explain away questions, concerns and objections. Bad became worse at Animal Farm! Eventually, when the animals returned to the barn, they found a whitewashed wall with just one remaining principle.
“CURRENT” PRINCIPLES?
“All members are equal, but some members are more equal than others.”
“Isn’t that what we originally revolted against?,” some quietly asked.
So, what’s the point? In the beginning, there were several essential ideas which formed the core values of the credit union movement: one member, one vote; cooperative; non-profit; equal service to each member; consumer advocacy; volunteer leadership; unstandard answers; shared concerns; us not me.
Have you checked the barn lately?
When did we abandon the average man and woman – the working class; change our focus to the primacy of the bottom line; lower ourselves to worshipping before the false altar of market share; begin acting in the best interest of “the credit union” – not the members !?!; and start offering excuses rather than solutions?
Hey really, what happened…
Who let the pigs in?
A CEO’s Outlook at mid-October
On a recent trip I talked with a CEO to find out how the credit union was responding to four events: Covid, interest rate hikes, liquidity and the regulatory environment. Here are my notes.
On Covid
CU still on hybrid work model. Employer sponsor went all remote, but is now back in person, with little remote. The community around the head office, especially retail shops, became a ghost town. Kept all branches open, but back office staff is still mostly remote.
Expect hybrid work to continue. Commute for head office is a minimum of 30-60 minutes. Labor market extremely tight especially for retail.
Have re-evaluated every customer facing position including salaries, variable incentives, paid lunches and increased job tiers.
Interest Rates
The 30-year fixed rate mortgage is now at 7.5%. Member interest has evaporated and don’t see it coming back until late 2023. Increase in second mortgage demand.
Member spending is still strong and credit card volume has surpassed pre-pandemic levels. Will recession hurt consumer spending? Labor market great for employee, but creates inequities with current staff.
Biggest concern is inflation’s impact on costs and operating expense structure. Large increases in vendor contracts which have the ability to pass through costs based on a CPI index. In some cases this will be 8.5% to as high as 15%. Fortunately, we have caps in our contracts but many credit unions do not.
We are a unionized shop with approximately 70% of employees covered under a labor contract. Sponsor negotiates contract and we will have to see what happens to those costs.
Liquidity
Have difficulty selling to secondary market. Rates are extremely volatile day to day. Our mortgage pipeline is down 60%. Refinancing has all but stopped.
In ’20 and ’21 had share growth of 20% and 13%. Money stayed with us. This year members feel it’s time to spend. Grown only 2% in shares so far, but may end up flat at the end of the year.
Even though originations are lower, loans are staying on the balance sheet because there is no refinancing.
Paying up for CD’s: 11 month at 3.25% and 15 month at 3.5% with a minimum of $5,000.
Actively monitoring our wholesale funding sources. FHLB is about 100 basis points more expensive than CD’s. Also have brokered CD’s with SimpliCD.
So far this year ROA is at 80 basis points down from 92 bps in 2021. But for our 28 state peers over $500 million, the average is closer to 50 basis points.
Our top operational priority will be managing expenses.
Regulatory Environment
State chartered. All exams remote. The beginning of the year I was really concerned about the NEV test that would put us in the extreme risk category. But they have backed off with just a “high” rating.
Definitely a different level of NEV risk now and more pressure on liquidity.
Looking past current events there are two items. Should we move beyond our sponsor’s brand and FOM to open up markets for further growth? We have several special loan programs, credit card and provide financial literacy events. Sponsor brand is ours as well. So not a simple issue.
Secondly, we have always been a state charter; would a federal charter be an option for the future?
However our biggest challenge going forward is to control operating costs.
A 60-Year High School Reunion
The first question in many gatherings is, where are you from?
I answer Springfield, Illinois which is where I finished high school 60 years ago. The class gathered again this past week, the first time since the 50th reunion.
The experience is truly a re-union. I was able to interact with the city, the school and classmates. The event reconnected past recollections and the present. The impressions may even continue to shape the future for some or all.
Michael De Sapio has written about the importance one’s local community:
We spend much of our time concerning ourselves with places and people far removed from us. The things closest to us, by contrast, often become negligible and disposable. If you make an effort to reconnect with your neighborhood, town, and community, you may come to see your home in a new light—hallowed by time and … and history, and perhaps even imbued with heroism or romance.
Reunions remind attendees of the influence of the place we once, or maybe still, call home. It made a difference in who we are today.
The State Capital and Land of Lincoln
Abraham Lincoln defines Springfield’s soul. On February 11, 1861 he delivered a farewell address to his fellow residents. He would never return. His parting words are remembered for their emotional honesty. They illustrate his debt to a place that helped shape who he was.
My friends, no one, not in my situation, can appreciate my feeling of sadness at this parting. To this place, and the kindness of these people, I owe everything. Here I have lived a quarter of a century, and have passed from a young to an old man. Here my children have been born, and one is buried. I now leave, not knowing when, or whether ever, I may return. . .
Springfield is flat, except for the meandering of Lake Springfield at the outer edge. The sky and corn or wheat/hay fields on the way seem to stretch to an endless horizon.
The city’s topography is a geometric with one-way streets to facilitate traffic. But there are few cars, even in rush hour. Downtown is dominated by buildings whose former lives are now lost in their current role as state office buildings. Vacant lots are paved over for parking; but we never saw a lot filled.
(Capital spire and former State Armory)
The city is so level that sounds travel great distance. Amtrak and freight trains still run through the center of town along 4th Street, day and night. The doppler effect of train whistles’ signals this constant coming and going.
We were stopped at a railway crossing for a freight train consisting of only flatbeds carrying one or two shipping containers. I counted a freight car passing every second. The gates were down for over five minutes. And there was even a second engine in the middle of the train for more power. The train extended for at least three miles.
There is a church bell in the center of town that sounds every 15 minutes and strikes the hour. This passing of time is heard throughout the downtown.
The capital building dominates the skyline. Empty lots, some still grass but most paved over, were meant to accommodate people driving to work. But the legislature is out of session. The elected representatives and lobbyists have gone. Offices are quiet and often closed. The town seems empty even on a work day. Is this the mirror side of working from home?
Sixty years ago Springfield was a manufacturing and business center, as well as the state capital. Allis Chalmers and Sangamo Electric had manufacturing plants. Franklin Life and Horace Mann had their corporate insurance headquarters near the city center. Frank Lloyd Wright designed a prairie style home in the same area.
Today state government and the service sectors dominate. A modern downtown brick constructed Methodist church is now the office of the Springfield Chamber of Commerce, complete with steeple. The state capital is across the street.
Tourists trace Lincoln’s legacy beginning with the two blocks reconstructed as they existed in 1860 around his home. The Old State Capital and new Presidential museum and library are major draws.
Health care and new community and college campuses are additions to the city’s evolving economy.
The density and intensity that is characteristic of larger cities is absent in Springfield.
The pace feels more akin to farming than to the modern workday culture. Saturday’s farmer’s market in downtown was the most crowds we experienced. Lots of younger people were here as well, both shopping and making a living. Every stall is carefully ordered in its presentation, except for water color paintings.
Amongst these every day events, there is a feeling of something more consequential about the town. Lincoln’s heritage is central. The spirit of the place which formed him still animates today. Patient and timeless lessons seem to grow in this center of flatland farms of corn and endless, open sky.
The Springfield poet Vachel Lindsay referenced this spirit in his 1914 poem Abraham Lincoln Walks at Midnight. Both the sense of place and Lincoln’s profound insights seem timeless, especially relevant to today’s events.
It is portentous, and a thing of state
That here at midnight, in our little town
A mourning figure walks, and will not rest,
Near the old court-house pacing up and down. . .
A bronzed, lank man! His suit of ancient black,
A famous high top-hat and plain worn shawl
Make him the quaint great figure that men love,
The prairie-lawyer, master of us all. . .
His head is bowed. He thinks on men and kings.
Yea, when the sick world cries, how can he sleep?
Too many peasants fight, they know not why,
Too many homesteads in black terror weep. . .
He cannot rest until a spirit-dawn
Shall come;—the shining hope of Europe free;
The league of sober folk, the Workers’ Earth,
Bringing long peace to Cornland, Alp and Sea.
This reunion reconnected us with a momentary phase of our lives. Springfield’s special history sits amidst an ever evolving generation of new enterprises. Revisiting our one-time home sparked new insights. A place alive with past and present activities busily weaving a new future.
In later blogs I will share how my high school has changed, yet still remains the same, and impressions from former classmates.
What Large Credit Unions Might Learn from Elephants
The largest, most powerful land animal is the elephant. In many of their traditional habitats in Asia and Africa, their numbers are falling due to the loss of their traditional habitat and poachers.
The Elephant Whisperer is the story of a person who lived with elephants on a game preserve to try to preserve a “rogue” herd.
The author Lawrence Anthony devoted his life to animal conservation protecting the world’s endangered species. He was asked to accept a wild elephant herd on his Thula Thula game reserve in Zululand. His common sense told him to refuse, but he was the herd’s last chance of survival: they would be killed if he wouldn’t take them.
To win the herd’s trust, he had to convince the Matriarch of the herd. The eldest female is the leader, until she relinquishes it. He slept in his Land Rover near them until they accepted him.
In the years that followed he became a part of their family. In creating a bond with the elephants, he came to realize that they had a great deal to teach him about life, loyalty, and freedom.
He learned elephants mourn their dead , and recall the time lapse of a year to the day of death to assemble round the remains. When Lawrence Anthony died in 2012 , they gathered to mourn him.
The Instincts of the Herd
Elephants care for newborns together. When one is unable to stand up to nurse, they surround to help lift her up to the mother. Sometimes realizing the infant needed more nutrition, they would seek out Lawrence and his team.
The elephants thrive very much together, protecting and playing with each other but ferocious if threatened. They will accept help from humans they trust.
An iconic picture of this group effort is when the herd will lie down to sleep for several hours each day. As shown below the matriarch is at the top, the smaller, younger elephants protected by the older ones. Most importantly, the picture shows how each member stays touched by another as they sleep.
Is there a lesson for cooperatives from this natural behavior of the world’s largest land animals?
What is the “New Normal” Interest Rate Curve?
The recent Federal Reserve increase in short term rates to fight inflation, is seen by some to be a “temporary” increase. At some point when relevant price indices have fallen into an acceptable range, the Fed will settle back to some lower initial reference point such as 1%. Interest rates will then revert to the pattern of the decade of the 2010-2020 pre-covid era.
But what if that assumption is wrong? What if the Fed’s definition of normal, a 2% real rate of interest on top of an assumed 2% long term growth rate, means the overnight baseline is closer to 4%?
Today the overnight rate is 3%. The Fed is promising at least two, maybe three, more rate hikes this year? How would a “new” 4% normal affect the rest of the curve? What pricing and investment assumptions from the most recent decade would have to be rethought?
What If Recent Past Rates Are Abnormal?
A commentator on MSNBC observed this past week, that interest rates have not been “market determined” since at least 2008. He commented that the Fed policy of low overnight rates and quantitative easing created an artificially low interest rate curve to respond to economic crisis and to get the economy growing. Some would move the starting point back to the post 9/11 era of lowered rates to avoid a recession following the attack on the World Trade Center.
Two analysis can help address this question of what the “normal” post Covid, inflation fighting yield curve might be like.
One is a May 4, 2022 article by Tony Yiu, which asked Why was there Basically No Inflation in the 2010’s? Here is part of his analysis.
Why did inflation not arrive earlier during say 2014? Or 2017? After all the Fed had been stimulating the economy and markets using easy monetary policy and QE since 2008. So why did inflation not spike until a few months ago?
So back to the question of where was all this inflation in the 2010s? My theory is that during most of the past decade, the stock market (both private and public), the real estate market, and new markets like crypto acted like a massive sponge that soaked up all the money that could have otherwise gone towards pushing up the prices of goods and services.
This created a positive feedback loop where:
- Stock prices and home prices go up incentivizing people to put more money in the stock and real estate markets.
- Money going into asset markets instead of chasing goods and services keeps inflation low (home prices are ironically not a part of CPI).
- Low inflation allows the Fed to keep interest rates low, which stimulates credit growth (along with rising collateral values).
- Credit growth causes even more stock and home price appreciation as significant amounts of the newly borrowed money gets plowed back into asset markets. And back to step 1 to repeat the cycle all over again.
Notice two things about this. First, this feedback loop results in the financial economy getting increasingly bigger than the real economy as money keeps getting sucked into well-performing assets like stocks and real estate.
And second, it’s not just low inflation and low interest rates that cause asset prices to go up. But because of feedback, there’s a causal effect in the other direction as well where increasing asset prices help soak up money keeping inflation low.
This positive loop obviously can’t go on forever. At some point, like the players in the casino, people will start to realize that there’s just not enough real stuff to go around (and not enough future earnings to justify the valuations). People seem to be finally realizing this based on the massive declines of stocks like Zoom and Netflix.
This realization kicks off a rush for the exits and a decline in asset prices. And because rising asset prices helped keep inflation low, the reversal into a negative feedback loop forces all that soaked up money to pour back into the real economy to chase goods and services, thus higher inflation (and higher interest rates).
Finally, a unique aspect of this current selloff is that where Treasury bonds are usually a place that investors can escape to during a market downturn, they’re part of the problem this time. Near zero nominal yields (and extremely negative real yields) mixed with high inflation makes Treasury bonds all risk and no reward (I first wrote about this here).
Long-Term Mortgage Market Rates
The decade of 2010 also saw the lowest 30-year mortgage rates ever, fueling a housing boom with double digit price appreciation.
Jim Duplessis of Credit Union Times published a September 26 article which examined the outlook as current mortgage rates hit a 20-year high. His analysis with the relevant data link follows:
Rates in the 7% neighborhood might feel high for those who started buying houses in the last 10 years but they are on the low side for the past 50 years, based on Freddie Mac data published by the St. Louis Fed.
For more than half of the 2,687 weeks from April 1971 through Sept. 22, the rate was at least 7.4%. The median was 9.1% from 1971 to 1999 and 4.8% from 2000 to the present.
Rates peaked at 18.63% for the week ending Oct. 9, 1981 when the Fed under Chair Paul Volcker was battling inflation that had started during the Vietnam war. Volker’s aggressive rate hikes sent the nation into a recession, but knocked back inflation.
The lowest rates from 1971 to 1999 were 6.49% for the week ending Oct. 9, 1998, when the nation was in an economic boom. The lowest over the past 51 years was 2.65% for the week ending Jan. 7, 2021 at the peak of the refinance boom that vanished as rates rose this year to tame inflation.
A “New Normal”
Both analyses suggest the most recent two economic decades are an aberration in terms of a significantly lowered interest rate yield curve.
The efforts to reduce inflation will be a central part of where current rates end up. But then what?
History suggests that the yield curve will shift to a higher level versus what many consumers, businesses and investors grew accustomed to since 2008.
There are other factors as well. There is increasing evidence that lower rates while seemingly consumer friendly, do distort the allocation of economic gains disproportionately to higher income individuals while incentivizing multiple forms of financially driven wealth (speculative) strategies.
Anyone can predict the future. No one knows it. But believing that recent experience is the best or only guide to future rates, would appear a much too narrow perspective.
Karl Hoyle and His Powerful Cooperative Talent
Last week Karl Hoyle (1943-2021), a credit union advocate, was interred in Arlington Cemetery.
There are 450,000 other graves, an honor earned, not bought.
The ceremony starts with a brief service in the Old Post Chapel. The Honor Guard brings in the urn. The Chaplain reads the 23rd Psalm; the attendees say the Lord’s Prayer. The organ plays America the Beautiful and On the Wings of Eagles.
Following the service the congregation goes with the honor guard to the gravesite. The American flag is meticulously folded in a triangle.
There is the seven gun salute, the bugle playing taps and the sacred moment when the flag is presented to Kathy Hoyle, Karl’s wife, by an officer on bended knee.
Afterwards, roses are placed on the grave next to the urn where the only identifier on the wooden box is Karl’s military medals.
The Air Medal and Purple Heart
I learned during the reception that Karl had been awarded the Air Medal. This Medal recognizes military and civilian personnel for single acts of heroism while participating in aerial flight in actual combat. It is the equivalent of the bronze star.
Karl was deployed to Vietnam as part of the 9th Infantry Division. At the support base, a call came for helicopters to medivac the wounded from a platoon still in the midst of battle. He volunteered, got on the chopper and went straight into the firefight to evacuate his fellow soldiers.
As his military colleague stated: “Karl was the guy you wanted on your team.”
His life subsequently expanded to be much more than that moment of choice marked by courage and duty.
Joining the Cooperative Team
Jim Barr and Karl were the top lobbyists in CUNA’s Washington Office when Ed Callahan, Bucky Sebastian and I arrived at NCUA at the end of 1981. Both had worked together in the late 70’s at the newly organized NAFCU.
Karl would sometimes remark that his profession’s reputation was not always the highest. His favorite line was, “If you run into my mother, tell her I am just the piano player in a whorehouse.”
However when mentoring many others on the Hill, he counseled that : “To be a professional with integrity, know that everything you say will be remembered.”
Three Personal Contacts
Of the many occasions Karl and I spoke, three stand out.
- Karl learned that I had moved to Bethesda, MD in 1982 to be near NIH because my wife was being treated for breast cancer. We hoped to get accepted in one of their special cancer studies, but had no idea how to begin. Karl offered to call and see what might be possible. Shortly he informed us that because Mary Ann had already been on several chemo therapies, she was not eligible for their new protocols. The studies were limited to patients with no previous treatments.
- In 1984 NCUA and the entire credit union system endeavored to find a Congressional bill in which to insert wording to redesign the NCUSIF in the Federal Credit Union Act. Democrat Bill Bradley was a key player on the Senate Banking Committee. Karl was aware that Bill and I had played basketball together.
He brought me up to the Hill and sent a messenger into a banking hearing saying Chip Filson wanted to talk to the Senator. Bill came out, motioned me into an elevator with him. Lobbying Congress was not something I did for a living. I don’t remember what was said, although I suspect Karl gave me the points to make.
Later that year Congress passed the Deficit Reduction Act, with bipartisan support, creating the NCUSIF’s new cooperative financial structure based on credit union’s 1% deposit perpetual underwriting.
- In May 1985, Ed, Bucky and I left NCUA to set up Callahan & Associates with a first office in the Triangle Towers building in Bethesda. Initial capital, $1,000. The location allowed me to be close to home, since I was a single parent with two teenage girls.
Shortly after, Karl called and asked if we needed any furniture. CUNA was moving offices and had several old desks and chairs which we could have if we moved them ourselves. We did.
He also asked if we needed any staff. All three of us had worked in state or federal government for the past decade and were used to having support. We said yes. He said his wife Kathy, a superb office manager, was looking for a new opportunity. She became Callahan’s first hire.
Karl’s Essential Cooperative Skill-Connecting
Karl’s special talent was facilitating the power that results from connecting people for common purpose. Connections are what tie us together in community or when confronting personal circumstances.
Bucky said Karl’s success was the result of his building relationships with the staff in Congressional offices.
A former hill staffer at the reception knew Karl. Her husband had been killed in the Air Florida crash in the winter of 1982 when the Potomac had frozen over. She said Karl’s way of helping was: “Don’t call. Just show up.”
Tawana James, Karl’s deputy when he was Executive Director at NCUA, said “he cared about people.”
Credit unions’ competitive advantage is at its strongest when leaders collaborate. Karl’s talent for connection came naturally, it was not an artifice.
Staying Connected
Two examples of his talent are in the pictures below. One was a note to Bucky when Karl was in Madison at CUNA’s headquarters. The second, a photo with the coach of the credit union team at the time, on which Karl was such a vital player.
Kathy like Karl has filled many roles within the credit union system. This year she will retire after working more than a decade at InFirst Federal Credit Union.
Kathy and Karl: A relationship bound by common purpose and service.
People Say the Darndest Things
With an important agenda of public meetings including the Federal Reserve, I think it is helpful to start the week with a little humor.
Quotes from a court reporter’s favorite testimonies.
ATTORNEY: She had three children , right?
WITNESS: Yes.
ATTORNEY: How many were boys?
WITNESS: None.
ATTORNEY: Were there any girls?
WITNESS: Your Honor, I think I need a different attorney. Can I get a new attorney?
************************
ATTORNEY: Is your appearance here this morning pursuant to a deposition notice which I sent to your attorney?
WITNESS: No, this is how I dress when I go to work.
***********************
ATTORNEY: ALL your responses MUST be oral, OK? What school did you go to?
WITNESS: Oral…
***********************
ATTORNEY: Now doctor, isn’t it true that when a person dies in his sleep, he doesn’t know about it until the next morning?
WITNESS: Did you actually pass the bar exam?
***************************
ATTORNEY: What is your date of birth?
WITNESS: July 18th.
ATTORNEY: What year?
WITNESS: Every year.
******************************
ATTORNEY: The youngest son, the 20-year-old, how old is he?
WITNESS: He’s 20, much like your IQ.
******************************
A Valuable Case Study of a Ransomware Attack on a Credit Union
This morning’s news started with the report of a ransomware attack on the country’s second largest school system in Los Angeles.
The warnings or reports of cyber security threats occur daily. However, until reading the article below I had not seen an actual account of responding when this happens in a credit union.
The case study appeared in CUSO Magazine. It was written by Matt Sawtell, VP of Managed Technology Sales at CU*Answers who had first-hand experience with the event.
Facts are given and lessons learned. I would urge anyone in this area of responsibility to read this account.
The Anatomy of a Ransomware Incident (And What We Learned)
Following a trend that has been developing over the last ten years, cybersecurity is a topic that is no longer reserved for the dimly lit, garden-level, IT-dwelling teams to consider. It is a topic that is on the minds of those in the boardroom.
As events have garnered ever more concerning headlines, from the Colonial Pipeline incident, which was settled for around $5M in Bitcoin, to the various Microsoft incidents, to the cypto.com hack which saw thieves lift approximately $33M from over 500 user wallets back in January, it’s hard to imagine that no credit union has been affected by an incident in the last few years.
The target that financial institutions have on them is especially large. The attackers believe FIs have the dollars to pay and they possess sensitive member information, which has its own value and adds leverage to a potential payout.
In the last year, we have had the experience of participating in the response to one of these attacks on a credit union. The experience reaffirmed the importance of solid cybersecurity plans and operations as essential, and we gathered some takeaways for others as we worked through the event.
The event unfolds
Friday afternoon, nearly the close of business, our support team received a call from a credit union asking some questions about why their access to data on the network wasn’t working. We followed our normal troubleshooting and escalation protocols. Shortly after digging into this troubleshooting, the bad actor reached out to the credit union to say they had exfiltrated member information out of the credit union and communicated the ransom. Our team escalated this to management, who then advised the credit union to shut down systems and to contact their cybersecurity insurer to begin assisting with the incident.
Cybersecurity insurance is crucial
You have cybersecurity insurance, right? Believe it or not, we have run into organizations recently that do not. We view this as very important coverage, not just because of the financial aspects but also the incident response and forensic and legal resources these insurers can bring to bear in order to minimize the impact of an incident like this.
In this instance the response was swift—a forensic team and case manager were assigned from a firm that specializes in that work. They would quarterback the incident from here through the end. The lead had extensive experience working for a federal agency responding to just these kinds of incidents.
Be diligent, there is a pattern of timing with these events. If you look at the recent rash of events, it seems like the news often breaks on a Friday afternoon, weekend overnight, or before a major holiday. The bad guys know they may have a better go of it when we may have relaxed our guard a bit.
The mitigation work begins
From the initial contact Friday, the case manager was working with multiple parties and coordinating that work on daily (sometimes multiple) calls with all involved. The groups included the forensic team, legal team, negotiator, cybersecurity firm, our CUSO, and the credit union.
We were tasked with a few things at the start, such as determining if we had good backup copies offsite and getting the credit union an alternative way to do some of the daily processing and member work that was needed while the network was shut down. Thankfully, the online and mobile banking systems and audio response were unaffected by this outage so members could still do many of the transactions they needed.
The forensic team was digging in and looking for indicators of compromise (IOCs) as well as any information that might point to a known group of bad actors that pulled off the attack. They used tools, requested hard drives be pulled out of equipment and sent for inspection, and on a daily basis made progress in unraveling the who, when, and how details.
The negotiator was busy interacting with the bad actor and working to negotiate down the initial $5M ransom request. This if nothing else would buy time to decide what the options were over the coming days. The updates from this individual made the whole event seem like a spy movie as much as a cyber incident.
The cybersecurity company utilized tools to start monitoring behavior on the network, process and traffic analysis, and ingress and egress.
The credit union had closed itself to the membership for over a week following the start that Friday. They were present for every call and update, and ultimately made decisions on how all parties would proceed with the work they were doing. In the meantime, they also needed to figure out how to communicate with their members, regulators, law enforcement, and other stakeholders.
Do not overlook a communication strategy
Communication is key. When you have an incident, it is a stressful time. We have all witnessed companies that do a good job of communication and manage the incident well and we have also seen those who… leave room for improvement.
Take for instance the Colonial Pipeline incident. If you lived in the DC/Maryland/Virginia area during this incident, you witnessed panic fuel buying almost overnight. Communication between the pipeline company and the government was not forthcoming where it could have been to calm and inform the public.
On the other side of that are incidents like the Kaseya zero-day from 2021, where the CEO was out in front with regular updates, clients were informed and given IOCs before they were in the news, and the credit union provided transparency and clarity about what to do next.
As a financial institution, one thing to consider is having your incident response strategy and even sample messaging ready to go in advance. Have it cleared through your legal team, management team, and board; keep them in the know on the details and approach. Most importantly, understand that in some cases sharing too little, too much, or speculating publicly can do more harm than good.
You can take this a step further even by conducting tabletop exercises where your team will role-play out various scenarios in order to prepare. Finding someone with experience is a great way to guide the conversation and get the most out of one of these exercises.
Backups and the ensuing recovery
The forensic team started to make headway with their analysis. IOCs were found and pointed back to a foreign group that specialized in gaining access to business networks in the west. They could not tell when that original compromise had happened, but the method they used was sophisticated and had been found at other companies that had similar intrusions.
One of the most interesting things they found was that the state-sponsored group had likely sold access to the credit union network to another, likely an organized crime group that specialized in ransomware. This approach we are told is more common these days as the groups then specialize in their respective areas.
In the meantime, we had validated that offsite backups were not contaminated and could be used to help rebuild the credit union network. The cybersecurity firm had a standard process to create a new, separate, air-gapped network and slowly move machines from the dirty network to the clean one after they had been sanitized. This was painstaking work and took many days to complete. We worked very closely with them and at their direction to ensure the details were followed for each system.
While this was happening, the negotiator continued to haggle with the bad actors over the dollar amount requested. The bad actors had also given proof that they were able to exfiltrate member information, including an AIRES file, from the credit union and were prepared to sell that information on the dark web if their demands were not met. This is a newer tactic to add leverage in the hope of getting a payout.
The credit union was closed for this week while all tech was sanitized. Given they had good backups, and there was no guarantee the bad actors would return the exfiltrated member data, they decided not to pay the ransom, which at this point had been negotiated down to approximately $2.5M. The members who wanted to do in-branch transactions were starting to get frustrated, so re-opening as soon as was safely possible was the highest priority.
A more common and costly occurrence
Ransomware events of several years ago were not nearly as sophisticated or as costly as they had become. Ransomware events were often slow to propagate the network, easy to detect if they had already been in the wild by traditional endpoint security software and the ransoms were in the tens of thousands, not millions of dollars.
The involvement of both states sponsored and organized criminal groups point to how effective a revenue generator this has become for groups that are sheltered in countries that either directly support or turn a blind eye to their activities. Think about the number of companies you have read about that publicly disclose this because they must…then think about the many multiples more that do not.
The end of an incident
Thankfully, this incident had as good an outcome as could be expected. The following week the credit union reopened its doors to members. The credit union retained most of their members, for whom they were providing credit monitoring for the next year. They opted to retain the cybersecurity firm to supplement their efforts after the incident concluded. The remediation and recovery was an effort that required over 1,000 hours of work from multiple teams. Our Network Security team had over 400 hours in the recovery alone.
What are the key takeaways for your institution?
- Have a solid plan. It is best to prepare in advance and avoid trying to come up with a response in the stress of the moment. Prepare communications, understand and have contact information for the key players on your incident response team, and make sure everyone knows their roles and responsibilities.
- Understand the technology and security you have. It is difficult to assess cybersecurity risks and gaps if you do not understand both what your team is doing, what your third parties and partners are doing, and what they are not doing. Make sure you have gone through a detailed assessment of this and that you are comfortable with the residual risk based on your approach.
- Align with the right partners. Consider seeking out specialized partners for things like 24×7 monitoring through a security operations center or a managed detection and response service. Make sure your insurance coverage is appropriate for your organization.
- Test, prepare, and practice. People are key in cybersecurity effectiveness and incident response. Make sure you’re training your team on the threats out there, how to use tech safely within the organization and to report suspected incidents as soon as possible. Conduct tabletop incident response scenarios to practice what an event might look like with your team.
Eye Trouble
Since August 1, I have been visually impaired in my reading eye. I have mono-vision so this means I cannot read, type or the normal close vision functions.
Had surgery last Wednesday which will take a couple of weeks to evaluate.
In meantime will produce limited, if any, posts.
Intend to get back in the saddle as soon as circumstances allow.