
BankBosun Podcast | Banking Risk Management | Banking Executive Podcast

BankBosun is a biweekly syndicated audio program that provides the multi-tasking bank C-suite officers ideas and solutions from key executives from all types of businesses operating in the banking ecosystem. BankBosun provides relevant ideas and solutions clearly, concisely and credibly to better enable them to navigate risk and discover reward. Kelly Coughlin is a CPA and CEO of BankBosun, a management consulting firm helping bank C Level Officers navigate risk and discover reward. He is the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch. On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C suite officers, risk management, technology, and investment ideas and solutions to help them navigate risks and discover rewards. Kelly earned his undergraduate degree (BA) from Gonzaga University and a master’s degree in business administration (MBA) from Olin Graduate School of Business at Babson College in Wellesley, MA. Kelly lives in Edina, MN.
Now displaying: November, 2016
Nov 17, 2016

Hello, this is Kelly Coughlin, CEO and Program of BankBosun. Oysters open completely when the moon is full and when the crab sees one, it throws a piece of stone or seaweed into it and the oyster cannot close again so that it serves the crab for meat. Such is the fate of him, who opens his mouth too much and thereby puts himself at the mercy of the listener.

 

Announcer:

Kelly Coughlin is CEO of BankBosun, a management consulting firm helping bank C-level officers navigate risks and discover reward. He’s the host of the syndicated audio podcast bankbosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyd’s Bank, and Merrill Lynch. On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover reward. And now your host, Kelly Coughlin.

 

Kelly Coughlin:

This podcast is a continuation of a series of interviews of key executives from community and regional banks throughout the US. Community banks play a key and critical role in ensuring that a community has a healthy social and economic ecosystem. This podcast series is being produced to help celebrate and encourage community banking throughout the US.

 

I grew up in the great state of Kansas. My great-grandfather ran a coal mine in Osage, Kansas and was one of the first employers of former slaves who moved to Kansas after emancipation. So, even though I spent most of my adult years out of Kansas, I raised my four daughters in Minnesota, I have a fondness for the state of Kansas.

 

In addition to Business, County and Finance, I studied the classics in college; Greek and Roman history and the language the Romans spoke, Latin. I always had an affinity for Latin, even in high school. And, I think it might have something to do with coming from Kansas. No, we didn’t speak Latin in Kansas, but our state motto is a great Latin phrase that in my mind captures the real spirit of the Midwest and perhaps all of us living in America. Facing adversity, challenge and the opportunity that doesn’t come easy, but through hard work. The motto is: Ad astra per aspera – To the stars with adversity.

 

I remember hearing this motto as a very young kid. This motto has always stuck with me and in many ways, has defined me. So, what does this have to do with this podcast? Well, my guest today is the CEO of a bank located in the heart of Kansas, actually about two hours from the dead center of the Country, with a Latin name that comes from the state motto. I’m talking to Kyle Campbell, CEO of Astra Bank in Abilene, Kansas. Kyle, did I get all of that right?

 

Kyle Campbell:

You did, and thanks for having me.

 

Kelly Coughlin:

So, let’s talk about the bank name. Does it come from the State motto, or was that just coincidental?

 

Kyle Campbell:

Well, it does from the state motto and you’re exactly correct in the background on that. Where that came from is where our charter is located, we’re actually about ten miles south of the Kansas/Nebraska border. And, while there are a lot of similarities that mid-western residents share, they’re also intensely loyal to the state in which they reside. So, we knew any sort of name that was blatantly attributable to the state of Kansas may not be well-received if we ever had an expansion opportunity in Nebraska. So, we looked at the state motto, which you talked about, and thought that Astra Bank would be a great nod to being a Kansas chartered bank. But also, would not preclude us from having opportunity to go into the state of Nebraska, which turned out to be a great move because we actually had an opportunity to move into the state of Nebraska and we do have a location there.

 

Kelly Coughlin:

Excellent. Tell me a little bit more about the founders, early history, etc.

 

Kyle Campbell:

Well, the interesting part about Astra Bank is that we actually started in a community that we no longer serve. It started as Peoples State Bank in Courtland, Kansas, in north central Kansas. And the integration of my family into that, was my grandfather went to work for Peoples State Bank which was chartered in 1911. He went to work for them shortly after that and he started work in May of 1929. As a student of history, you know he picked a great time to enter banking. As he puts it, he made it in time just for the big bank holiday that happened later in 1929. That really influenced a lot of his early views on banking. What came out of that was, throughout Kansas and a lot of the country there were a lot of bank failures that happened in 1929, and one of the neighboring communities was left without a bank. But the two banks that were in Courtland, Kansas both survived the great depression and what happened in 1929.

 

So, the city father of Scandia, Kansas, which was a community just seven miles to the east of Courtland, Kansas came over and made a pitch to both banks trying to get one of the two of them to move over to Scandia. Well, Peoples State Bank decided they would move and they moved in 1939 to Scandia and renamed them Scandia State Bank. We’ve grown from there, through that point in time. My grandfather, over the course of the 50s, 60s and early 70s, gradually came to acquire ownership of the Scandia State Bank. My father, my grandfather’s son-in-law went to work in the bank in the 1970s and started there and is still active in our bank today.

And then, we’ve grown by acquisition, we acquired a bank in Belleville, Kansas which was ten miles to the east of Scandia. And then we’ve grown by acquisitions since then and we now have locations from central Kansas, north central Kansas, all the way up into south central Nebraska and now have eight locations overall.

 

Kelly Coughlin:

And you are running the show?

 

Kyle Campbell:

I am running the show.

 

Kelly Coughlin:

So, your grandfather passed and your father is still involved?

 

Kyle Campbell:

My father is still involved and still comes in on a regular basis. One of the things that he enjoys working with, is he enjoys managing a securities portfolio, which in this rate environment, trying to find somebody who enjoys that is a challenge. So, if I’ve got somebody who’s got an interest in it and enjoys doing that, it’s a good fit for us.

 

Kelly Coughlin:

Let’s talk about your background. You grew up in the Midwest where you’re raising your family?

 

Kyle Campbell:

I was raised in Scandia, Kansas. So, I spent most of my life actually living in a house in Scandia right next to the bank, so it was a really short commute for my dad. He just essentially walked next door and was at work. I grew up and had what I call a delayed childhood rebellion. In college, I decided I was going to major in Engineering and made the statement that I was never going to work in the family bank. You can see how well that proclamation worked for me.

 

Kelly Coughlin:

You went to school in Kansas? Did you say K State, is that where you went?

 

Kyle Campbell:

Yes, I went to school at Kansas State and majored in Chemical Engineering. After K State, then I went to Kansas City and I worked for Procter and Gamble and their manufacturing plant there for five and a half years as a Process and Project Engineer for them. And then, at that point in time, had some opportunities that came available to me in the company, took advantage of those and used it to get my MBA through Rockhurst University in Kansas City. Then came back into banking in 2002 and I’ve been working in the bank and in banking ever since.

 

 

 

Kelly Coughlin:

Right. That’s terrific. Let’s talk about your early customer market and the current customer market that the bank has. In the early years, what was the primary market for the bank during the first 50 years of operation?

 

Kyle Campbell:

Well, I think that in the first 50 years of operation, really the customer base was not a whole lot different than it was today. We have always been in a very agricultural oriented area in the state of Kansas. Our focus has been very much oriented towards agriculture, since our founding and also serving our community needs, which meant that in our case, our commercial credits looked like providing credit to Main Street merchants in our communities. Which, very often for us, were very small mom and pop shops that the types of services and stores that were needed in small communities to keep them growing and thriving.

 

Kelly Coughlin:

That has been pretty consistent throughout your entire operating history, correct?

 

Kyle Campbell:

That has been very consistent throughout our entire operation. In fact, if you look at the information that’s available on us today, you’ll still find that about 50 - 55% of our loan portfolio is still in either ag production or ag real estate credit.

 

Kelly Coughlin:

I read a book a while back, about five years ago, it was called The Worst Hard Time. It was the story of those who survived the American Dust Bowl. Was your bank around during that period?

 

Kyle Campbell:

Well, the bank started in 1911 and really our family history started with it in 1929.

 

Kelly Coughlin:

I think this was in ’35 though, so it would have been around during the Dust Bowl period then.

 

Kyle Campbell:

Right, right. So, I think realistically it was a very challenging time back then. As I mentioned earlier, a lot of that type of situation really was what influenced my grandfather’s view on banking and it’s still something that we keep very much mind with our DNA as to who we are at Astra Bank in that he wanted to run a bank that never went broke. He saw far too many go broke and he saw the impact that it had on the bank’s customers and on the communities that the bank served and he never wanted to subject his customers or his communities to that.

 

Kelly Coughlin:

Right. Does that mean that he was very, very cautious and careful about the loans that he did or patient about collection on the loans?

 

Kyle Campbell:

It meant both of those. He was very cautious about that because he didn’t want to, if he could avoid it, getting into collection situations. At the same point in time, what he also wanted to do, was to make sure that if he got into a situation where collection was needed, it meant that he had exhausted all opportunities and avenues to provide the customer a way to work through that difficult challenge.

 

Kelly Coughlin:

Yeah, because those were terrible times and I would imagine being a banker at that time, where you were close and integral to the community, it would have been very tough to kind of start squeezing people, squeezing your friends and people you go to church with, during those times.

 

Kyle Campbell:

Yes, and it’s one of those things that Mark Twain, I believe it was said, that history doesn’t repeat itself, but it very often rhymes. My dad was faced with a similar situation in the 1980s when agriculture faced another challenging set of years. I think it was a lot of the example that my grandfather set in place, that my father followed which was really prudent and conservative lending into that, that helped them avoid some really serious credit challenges. Also, looking at the example of patience and allowing the customers all of the opportunities that we could afford them to work through the challenges that the economic times presented.

 

Kelly Coughlin:

Yeah, right great. All right. Looking forward and what you’re faced with today as the third generation managing the bank, what do you see the biggest opportunities and then, consistent with that, would be what are the biggest threats that your bank faces or community or regional banking in Kansas is facing?

 

Kyle Campbell:

Well, I think the biggest opportunity that really faces a bank like Astra Bank and really banks that operate in some less densely populated areas of this country, is there is going to be a drive for consolidation, because of the scope and scale of services that banking customers expect today. That drives a certain inherent level of cost structure with it, which does require some scale.

 

So, I think that is an opportunity that is presented to banks like Astra Bank. Now, that situation may be a challenge for some banks that have found themselves in a position where they don’t know if they have the capacity to actually grow through that, but I think there are some interesting opportunities that I hear bankers looking at in terms of being cooperative with other banks that are facing similar situations. So, I think consolidation is a big opportunity that's out there. It may appear to be a threat to some.

 

Kelly Coughlin:

Well, are you guys on the acquiring side?

 

Kyle Campbell:

Yes. That's one of our strategies because we can see, as we look forward, there is the potential that we need to continue to grow the scale of our bank, just to continue to be able to serve the communities that we serve in an economical manner.

 

Kelly Coughlin:

Give me a brief profile of, what are you looking for?

 

Kyle Campbell:

There's some geographical constraints, because obviously, one of the things we know very well is, we know rural communities well. So, generally, we're looking in smaller communities. Not that there's anything wrong with larger communities, but generally, there's a different style of banking that’s present there. We've seen far too many banks that have thought that there isn't really any significant difference between banking in a rural area and banking in an urban area, and they've gone to urban areas and basically had it handed to them by banks that were already in those markets. Really, what we've come to realize is that the ag concentration that we talked about earlier, we certainly have that concentration, but part of what we feel like we know is, we know how to manage that risk that comes along with that concentration. There are other types of businesses that may be presented within less rural markets that we may not be as well positioned to handle. We're comfortable with who we are, and so that's where we look to as we look to expand. Then, we're also looking to make sure that we're in communities that are significant in the areas that we're targeting, and also making sure that we've got acquisition targets that are of a certain size because really, when you go to acquire an institution, there's a certain base level of work that's required regardless of the size of the institution.

 

Kelly Coughlin:

Yes. Along with that opportunity goes the need to have adequate professional staff to help run the bank, whether it be the finance, operation side, executive management. That is a problem that plagues community banks in general, but when you're in the middle of western Kansas, it could be an even more significant challenge. How have you been able to deal with that? How do you get that done?

 

Kyle Campbell:

That is one of the areas that I have always kept an eye open for is, we're always looking for good quality staff. And if we find good quality people, we're looking for ways that we can integrate them into the team here at Astra Bank. We as bankers spend a lot of time looking at things that we can easily see on a piece of paper in terms of looking at an institution’s deposit portfolio or looking at its loan portfolio, securities portfolio, etc. But I have spent a significant amount of time in each of the acquisitions that we've done looking at the people portfolio that comes along with it, and we've had some very excellent people who are in key positions of leadership with Astra Bank, who have come to us through the acquisition process.

 

 

Kelly Coughlin:

I would imagine, in this environment, where living in big cities comes with an element of risk that it really didn't have 15 years ago, living in a nice, quiet community in Kansas may appeal to many families just to get to a safer, quieter area. Have you observed that at all?

 

Kyle Campbell:

We have observed that, and we see that there is more of an interest, especially, I think technology is helping rural areas because there are a lot of career opportunities where you had to locate in a major metropolitan area to be physically present to do the job. Whereas today, with the advances of technology, it doesn't matter where you are as long as you can get access through the Internet to your employer and whatever source of work it is that they have for you. You can do your job from almost anywhere in the world. So, we have quite a few people in the communities that we serve, even though they live in rural parts of Kansas and Nebraska. They're actually working for employers in some of the country’s most major metropolitan areas.

 

Kelly Coughlin:

Well, for those of you who have never been to Abilene, Kansas, where Kyle is, I'm here to tell you, it's a very cool city. Kyle, why don’t you describe a little bit what you've got going on in Abilene from historical, cultural perspective?

 

Kyle Campbell:

Well, I would be obviously remiss if we were talking about the historical and cultural part of Abilene, if we didn't start with the most famous person to come from Abilene, Kansas. And that would be the 34th President of the United States, Dwight David Eisenhower. We are very fortunate here in that we have one of the Presidential libraries and boyhood homes of a United States President. So, that is a very big draw to what we have here, and it's very neat to have something from that scope and scale of a historical significance in our country here in the community of Abilene.

 

Kelly Coughlin:

Yeah, and I've been to that library. It's very cool. So, any of you listeners, I would encourage you to pay a visit to Abilene. Kyle, I'm curious, did your father or grandfather ever meet Eisenhower, or was he born and raised there and exited?

 

 

 

Kyle Campbell:

He was born and raised here, and then exited. There are a lot of people here still in Abilene that knew Eisenhower when he was alive, but I was from more of the north central part of the state. So, where I grew up is about an hour and 15 minutes away now. So, we were more out of the area, and even though my grandfather fought in WWII, he was under a different general, because he was over in the Pacific instead of being in the European theater.

 

Kelly Coughlin:

All right, that's terrific. Kyle, it sounds like you like what you're doing. You enjoy it?

 

Kyle Campbell:

It's great. I really enjoy it. In fact, I tell folks all the time that I think banking is about one of the best careers you could have, because where else do you get the opportunity to work with people on an individual basis and help them achieve their dreams?

 

Kelly Coughlin:

Yeah, and you guys are doing a terrific job there. I know that. Well, that's all I have, but I wanted to finish with one of your favorite quotes. Or the other option would be to tell us one of the stupidest things you've ever said or done in your career, but I'll give you the choice on that.

 

Kyle Campbell:

Well, I think I could actually share a brief story on both. As I tell folks since I have the opportunity to teach a couple of classes in banking from time to time and telling the students that I'm teaching there is no such thing as a dumb question. I remember my first bank meeting that I went to, and I sat down in the room with a bunch of people who were obviously much more experienced in banking than I was at the time. I was looking down through the agenda and there was an item later in the agenda that caught my attention, and actually, I was kind of excited to see what was going to happen there. I was really in for a big surprise, when we got to that part of the meeting, and I learned for the first time that in banking, OREO does not refer to a sandwich cookie. So, I was very disappointed to learn that we were talking about real estate that the bank had taken back on the liquidation because I thought we were getting close to a break time where we were going to have treats that were brought in. So, I thought we were going to have Oreos for snacks and really, we were talking about other real estate owned. So, that was kind of my first indoctrination. So, I always tell folks, don’t feel foolish if there's ever anything that you ask, because I've probably done maybe even worse assumptions.

 

Kelly Coughlin:

Yeah. Different sweet spot, right?

 

Kyle Campbell:

Yeah. I was going to say, I thought we were going to have a sweet spot and then we were talking about something that wasn’t nearly pleasant at all for anybody. One of the quotes that I often use in talking with folks, and I think it also works for banking, because part of what we need to do in our roles as bankers is really keeping a level head in how we assess situations and making sure that we're doing the best for our customers. When I was at Kansas State, I had the opportunity to be in a presentation that was made by the person, who at that point in time was the athletics director at the university, and his name was Max Urick. He made a statement that has stuck with me still to this day. His statement was, “Things are neither as bad as they seem nor as good as they seem. The truth is usually somewhere in between.” I found that statement to be very applicable in life, because there is times within the human emotions that we can get too high on the highs and too low on the lows, and realistically, we need to step back and take a very balanced view of the situations we're in. And I think that's one of the tremendous services that we can offer our customers as community bankers.

 

Kelly Coughlin:

Yeah, that's a great quote. I've heard derivations of that, but that's succinctly phrased. I like that. Thank you for sharing that. I appreciate that. Well, that's all I have. Anything else you wanted to add? Or should we sign off right now? I really appreciate your time.

 

Kyle Campbell:

Well, I want to thank you for inviting me as a guest. I've really enjoyed our time talking.

 

Kelly Coughlin:

Thanks a lot.

 

Announcer:

We want to thank you for listening to the syndicated audio program, BankBosun.com. The audio content is produced and syndicated by Seth Greene, market domination with the help of Kevin Boyle. Video content is produced by the Guildmaster Studio, Keenan Bobson Boyle. Voice introduction is me, Karim Kronfli. The program is hosted by Kelly Coughlin. If you like this program, please tell us. If you don’t, please tell us how we can improve it. Now, some disclaimers. Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant. The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity, and do not in any way represent the views of any other agent, principal, employer, employee, vendor, or supplier.

Nov 7, 2016

Kelly Coughlin:

Greetings, this is Kelly Coughlin. The Blind Hen. A Hen who had lost her sight and was accustomed to scratching up the earth in search of food, although blind, still continued to scratch away most diligently.  Another sharp-sighted hen who spared her tender feet, never moved from her side and enjoyed, without scratching, the fruit of the other’s labor.  For as often as the blind hen scratched up a barley corn, her watchful companion devoured it. 

 

Announcer:

Kelly Coughlin, CEO of BankBosun, a management consulting firm helping bank C-level officers navigate risks and discover reward. He’s the host of the syndicated audio podcast bankbosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyd’s Bank, and Merrill Lynch. On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover reward. Now your host, Kelly Coughlin.

 

Kelly Coughlin:

Greetings.  This is part two of my interview with Kris St. Martin, a bank cyber security expert at CBIZ.  In part two, we will talk more about what drives premium costs and once a bank experiences a cyber intrusion, then what are the actual types of costs the bank can insure and how to make sure these costs are recoverable in an insurance claim.  I finished part one by asking Kris about how a bank should go about determining the maximum claim liability.  Is it based on records, revenues, business lines, and ultimately, what can a bank do to manage and reduce the premium costs with good internal cyber risk management controls implemented and utilized at the bank.  Here is what Kris had to say about that in part two.

 

Kris St. Martin:

Because of the number of records, you can fairly well quantify the physical costs to deal with a breach. Those types of costs, if you’re hit with a breach, time really is of the essence.  You want to be able to get as much good, accurate information as to what happened, did it trigger your state data breach law as quickly as possible because if you go back to Target again, one of the things that they learned in the litigation and heavily criticized for reputation.  In fact, my family, we all have debit cards at our local bank and we have a Target about three blocks away.  So I always remember these dates, because it affected us.  They really came out public and our bank had offered debit cards two days before this special breach happened and they identified it because in early November.  So they took well over a month to month-and-a-half, to actually notify the world that there was a breach.  Looking at the costs, the cost part of a breach is going to be the initial forensics, legal consultation, so if initial forensics say this was indeed a breach, then you go to your legal representation, did this breach trigger the state’s data breach laws?  Everybody’s a little bit different.  They’re all state driven, but more similar than different.

 

The second part is you go to your attorney and you say here’s our data, here’s what happened, did that trigger the breach? Well, these are expenses that are accumulating. Then, if it does, you need to notify in writing and send compliance letter for all the people involved. Then, you need to handle their calls and inquiries along the way. They’re going to call in from that letter and either you do it in house or you set up a data center for that, train the people in the data center for those phones or your own employees, and then you need to offer one year of credit monitoring, and there’s a cost for that. That’s kind of all your costs that are generally, somewhere, at least $30 per record and often times I’ve seen other studies saying going up to $100 per record. That’s fairly quantifiable, based on how many records you have. What’s much more tough on the limits is going to be, based on the data that’s been breached, who’s going to sue you and why, and what harm are they going to say you have caused. That becomes much more difficult to quantify. Along those lines we deal with banks all over the country and as we’ve been renewing cyber policies, this has now become a regulator/board-driven type of thing.

 

We’re routinely having banks come to us at renewal time and saying we want more liability just because of the unknowns out there. So, what’s a good number? It’s really hard to say. There’s peer numbers that different services put out including Travelers puts out peer numbers for cyber liability. We’ll throw our customers a couple of what their peers for the different pricings will be as a point of reference and then try to have a discussion on what type of information do you hold in the bank and how is it held, and start talking through kind of worst case scenarios, if they lost some of that information, and who would be harmed the most. You try to massage the peer numbers from there, but like I think anything in risk and insurance, you really—you can’t necessarily observe for the absolute worst scenario, but you try and pick a number that will largely cover most of the occurrences along the way on a probability basis.

 

Kelly Coughlin:

Kris, you mentioned earlier that theft of funds gets covered by another type of risk mitigation tool and then you also mentioned that business interruption for a bank isn’t very high, because it’s not like there’s a bunch of transactions that come in if there’s interruption of service. So what are the main cost drivers a bank can look at in determining how much coverage they need?

 

Kris St. Martin:

That’s a very good question and on the cyber side, certainly the number of records.  That’s going to be the biggest driver to look at on the cyber side.  We have banks that are also involved with card programs.  There can be other services that they provide very actively that involves the flow of personal information and vendor partner information.  That can provide another element of risk there versus the standard just checking and savings accounts and loans, and CDs type of business.  It could be a smaller bank that do very large wire transactions.  Another thing to look at is the size of transactions that you’re doing electronically.  There’s other banks that might be bigger that just do a series of very small transactions.  They may not need as big of a theft limit.  Those are things that underwriters as far as pricing a policy, are going to be looking at too; size of transactions, third-party vendors that you might be associated with, with special programs with the added element of risk of other people holding your data.

 

Kelly Coughlin:

When a bank experiences a breach, what are the costs that the bank has to absorb?  You mentioned the theft of funds, that’s covered by a bond.  There’s probably no business interruption costs or very minimal.  What costs normally accompany a cyber breach?

 

Kris St. Martin:

Well, in a cyber breach, let me kind of walk through what happens. Somebody in IT is going to come to a CFO or some C-level executive and say, “Hey, something happened, we’re not quite sure what it is, but we’re concerned and we need to dig into this thing.” The first thing you would do is try to go with an outside forensic partner who specializes in this type of thing and start digging it in with your IT group, and say, “Okay, exactly what was breached and is there a pretty high probability that all or some of our records are involved with that?” There’s a cost for that, for your forensics. Once you get through that, you would bring that information to an attorney and I would highly recommend somebody who specializes in data breach law. Say here’s the facts of what happened and how does that relate to our state’s data breach law, did it trigger that law, do we now have to go down the steps of notification and all the remedies that are built into that law. There’s legal fees there. Then, if the attorney says you did breach the law then you’re going to have to do a letter or a series of letters, emails, so on, out to your clients notifying them of a breach and then in there is going to be an offer of call us for more information. Many times, it’s a separate call center service used. There are those that specialize in data breach call centers and there’s an expense for that. Also, most states, if not all, are going to require, if you did trigger a data breach law, that all of the people affected are going to be offered credit monitoring for one year and there’s a cost to the credit monitoring.

 

This type of expense can be around $30 to $100 per record.  Banks may choose to do some sort of PR campaign, which often times happens with breaches in many industries.  There’s expenses of hey, we need to do some local newspaper advertisement.  We need to do some more letters to our clients.  We need to get on local TV or advertisements.  Basically, they put a message out there that this happened, we’re sorry, we’re on top of it, and we’re going to be better because of it.  Whatever your PR message is that you’re going to want to try and mitigate the damage under your brand.  Those are additional expenses that can come along the way before you even get to the liability side of who’s going to sue us. 

 

Kelly Coughlin:

Okay.  I’m going to list those again.  You’ve got: 1. A forensic partner; 2. Attorney costs; 3. Notification costs, notification of customers; 4. Maybe a call center; 5. Credit monitoring; 6. Reputation remediation. Are all of those insurable?

 

Kris St. Martin:

Yes and that’s part of making sure your insurance policy contains all that on the front side.  There’s really kind of a couple of ways that the breach expenses can be handled.  One that’s just more common is you’ve got a million dollar limit to handle A, B, C and D, and you’ve got to go out and find your partners, and you’re on your own, and we’ll reimburse you.  What we’re seeing is more and more of these insurance carriers providing some sort of data breach service as part of the policy and that’s been very well received in the banking world.  Now, you have to kind of wind through scenario again.  Instead of calling an outside forensics person, your first call under one of the policies that’s very common out there, is to call the insurance underwriter data breach manager and he assigns a case manager to it, and they start—that case manager stays with you through the whole time of the process.  They either have in-house services or they have third-party partners that they can immediately get you to.

 

The value of that versus a limit, one of the things, going back to the regulators, the regulators are all over the concept of what’s your—they’ve always been good on disaster recovery, the regulators, or at least asking what your disaster overall recovery plan for the bank. Now they’re getting all over where is your disaster recovery plan in the event of a data breach.  Again, you want to make quick access decisions and mitigate the reputational risks that you sat on this information, and get through it quickly and well-organized.  The regulators really like if you just do all those services under your limit then you better show them who your contracted third-party providers are going to be for those services, they’re lined up, they’re ready to go, they can work quickly, and you’ve thought through that whole process of who’s going to do that for you.  There are other policies that you call them and they start walking you through that, and provide a forensic person, they provide an attorney, they can help with the PR, all of that kind of built into the policy itself. 

 

Kelly Coughlin:

What advice would you give policy holders when completing their applications for cyber insurance?  Any unique tips, any special tips you’d give them?

 

Kris St. Martin:

Yeah, one very important is to be accurate.  Sometimes these things are onerous and they’re many pages long, but take the time to be very accurate, because if you put a number down, if they’re asking for a number or you answer something that you think, where that could come back to haunt you is at claim time.  They can pull up that application and say you answered it this way, we may not have even given you a policy.  What they’re going to do at claim time, they’re going to look and see if there’s anything, any speedbumps, that would take you out of getting the claim paid.  I’d also say be aware of warranty statements.  This is true, very true for cyber policies as well as all policies.  You need to be aware, often times in the applications themselves, they will say some statement like is there anybody in your organization aware of any circumstances that could lead to a claim under our coverage? If you have 500 employees, there’s no way you can say yes to that with any assurances and again, it could come back and haunt you at the claim investigation time.  So pay attention to warranty statements.  There are ways to modify those statements or eliminate them.  Then again, I mentioned this before, but pay attention to the thought behind the question on the application.  There are good reasons for asking for them and use that as maybe an excuse to go back and review your own procedures.

 

Kelly Coughlin:

Okay. I know you’ve been in this business a long time and you have a terrific reputation, so congratulations on that.  Is it fair to say that your objective is to help your bank clients get the coverage and not trying to help the insurance carrier avoid a claim?

 

Kris St. Martin:

Right.  Right.  What I always tell my clients is we’re going to sell the best, but accurate story to the insurance underwriter.  We’re not going to hide anything.  We’re going to give them accurate information and then they make their decision whether to insure or not.  From that point, when it comes to claim time, there’s two parts on the claim.  One is on the front end of it, when we give all the information to the insurance underwriter, they’re going to come back and say here’s our offer.  A good insurance agent, a producer out there, and there’s lots of great ones, you’re going to dive into that.  For example, we’ve developed a 40-point checklist with cyber over years of working with this.  We start, you know, producers should check a number of things in the offer so that when you do come to claim time, you don’t have these speedbumps.  Then there’s just a number of things that you can modify in the wording with the negotiation with the underwriter.  When it comes to claim time, whoever you’re working with for an agency, can be a great advocate for you on claim time.  You’re going to initially put the claim in as a customer copy or agent, but the agent should be in the loop the whole time, and aware of any objections that the claims adjuster is going to have, when it comes to the client. The agent has a really usual business dual role. They have a legal obligation both to the carrier and to the client, but they’re different obligations to each.  Claims is one where we really work with the client just to make sure they’re well advised on whether or not that’s a reasonable denial, if it’s a denial, or it might be something that they should talk to their attorney about and do a little bit more legal research on.

 

Kelly Coughlin:

Let’s talk about pricing a bit.  How flexible and negotiable are the terms of a cyber policy?

 

Kris St. Martin:

Like any policy, there are certain things that are just absolutely industry things.  But there are a number of things that are different and negotiable in a cyber contract.  Just a couple of quick examples, data breach on loss of information in one policy can be defined, for example, as electronic information loss.  What you want in the contract is paper information or electronic.  These things are negotiable with the carrier, often times.  A number of fine-print type of things.  Another example is some policies will pay on a ransom letter, for example, and then the definition will say we’ll pay out in US dollars.  Most ransom letters are requesting bitcoins.  Another dot that’s on our checklist is going to be make sure that the wording says US dollars or bitcoins that they can be paid out in.  Most of these types of things, the carriers are fairly flexible, but some cases, they’re not going to proactively do that.  They give you often times, the standard type of contract form and approval.  There’s room to be negotiating a premium.  We’re talking maybe 10% latitude, if it’s a good agent can build a case for the risk.  There’s some room in premiums, but a lot of room in the terms and conditions. 

 

Kelly Coughlin:

Back to that internal control continuum of one being nothing, five being great internal controls, is there negotiable room if the bank can build the case saying hey, look, our internal controls are four and five, you shouldn’t be pricing this at a three. Is that an area that’s negotiable?

 

Kris St. Martin:

Absolutely.  Absolutely.  It’s all claims related.  Example is like worker’s comp insurance, there’s a lot of loss prevention that carriers very proactively get involved with, with certain industries if there’s a lot of injuries.  If there’s a lot of claims in the cyber area, you can count on the carrier getting much more proactive in not only just asking the questions, but it might dig a whole lot deeper.

 

Kelly Coughlin:

One final question I have is, any tips, tricks, or traps when making a claim that we should be aware of?

 

Kris St. Martin:

Well, I’d say first when you’re looking at how claims are going to be handled, you want to do as much work as you can before you have a claim. We’re big proponents of things we’ve talked about here with procedures and all the preventive types of things.  In the insurance world, the preventive type of thing is one, make sure you pick a carrier that has a great reputation in the area of insurance that you’re talking about. That’s important because they’ve been there for a while and have a good claims paying history, and just a general reputation.  Secondarily in the prevention on the insurance side is make sure your policy is looked at by somebody who writes a lot of cyber insurance in this particular case, and knows the speedbumps that you’ve got to address, that are going to give you a problem at claims history.  Some of the wording, the definition, those types of things.  Lastly, you want to make sure that you have your agents intimately involved with that, because they’re going to be a strong advocate of you when it does come to claims time.

 

Kelly Coughlin:

Great.  That’s perfect. I will say, this podcast isn’t designed to be an infomercial for you or for CBIZ, but I am going to put a plug in, because I have some experience with you guys and some of your carriers, and I’ve been so impressed with how you are working with the community banking and regional banking market that I think the service is terrific.  I’m totally committed to helping banks manage this cyber risk because as I started it out, I think it’s a problem.  Community banks are in the crosshairs of these bad-guy cyber pirates and they need all the help they can get in preventing attacks and breaches. I applaud you for your great work.  I think I’ve finished the questions that I had, Kris.  Is there anything else you wanted to add that we didn’t get?

 

Kris St. Martin:

You know, only that another big topic out there is this third-party vendor. That’s probably a subject for a whole different thing that the regulators and just good business practice is really pushing hard down the road of okay, so your data processor is Fiserv, what do you really know about them?  Or your IT guy is XYZ, what do you really know about them, their procedures, their insurance?  It’s a whole other kind of layer to this that’s opening up as a third-party vendor that you as a business or bank are using.  Besides that, no, I just wanted to thank you a lot for the opportunity.  It was fun to do and really honored that you thought enough of us to pull us into one of your podcasts.

 

Kelly Coughlin:

Well, yeah, I appreciate it.  I would like to follow up with another podcast on third-party vendors and the due diligence required.  Let’s put that on the calendar.  Kris, I really enjoyed it.  I wish you the best.  Keep up the good work.  Enjoyed talking to you.

 

Kris St. Martin:

Thanks, Kelly.  Thanks so much.  Talk to you soon.

 

Announcer:

We want to thank you for listening to the syndicated audio program bankbosun.com.  The audio content is produced and syndicated by Seth Green, market domination with the help of Kevin Boyle.  Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle.  Voice introduction is me, Karim Kronfil. The program is hosted by Kelly Coughlin.  If you like this program, please tell us. If you don’t, please tell us how we can improve it.  Now, some disclaimers.  Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant.  The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way, represent the views of any other agent, principal, employer, employee, lender, or supplier.

Nov 7, 2016

Kelly Coughlin:

Greetings, this is Kelly Coughlin. A pack of wolves lurked near the sheep at pasture, but the dogs kept them all at a respectful distance and the sheep grazed in perfect safety. But now, the wolves thought of a plan to trick the sheep.  “Why is there always this hostility between us,” they said.  “If it were not for those dogs who are always stirring up trouble, I’m sure we should get along beautifully.  Send them away and you will see what good friends we shall become.”  The sheep were easily fooled.  They persuaded the dogs to go away and that very evening, the wolves had the grandest feast of their lives. 

 

Announcer:

Kelly Coughlin, CEO of BankBosun, a management consulting firm helping bank C-level officers navigate risks and discover reward. He’s the host of the syndicated audio podcast bankbosun.com.  Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch.  On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover reward.  Now your host, Kelly Coughlin.

 

Kelly Coughlin:

Hello everybody, this is Kelly Coughlin, CEO of BankBosun, helping C-suite bank executives navigate risks and discover reward.  Today is the first in a series of five podcasts on the subject of cyber security and banking.  Cyber hackers today rob banks much more sophisticated than the days of say Jesse James.  And certainly, they’re much more intelligent than Isaac Davis who committed the very first bank robbery in the US in the year 1798.  Davis robbed the Bank of Pennsylvania at Carpenters Hall in Philadelphia, PA.  He was apparently so stupid that he robbed the bank of over $162,000 and then deposited the funds in his own account at the same bank.  Not very smart. He got busted. 

 

Today’s cyber pirates aren’t that stupid.  They attack the bank’s web application.  They shut down their site for ransom with denial of service attacks. They skim credit and debit cards. They engage in privilege misuse, crimeware, just to name a few.  It’s a huge threat to banks. And the reason I’m putting so much attention and focus to it at BankBosun is the expectation is that more bad guy resources will be directed to community and regional banks in the future for two primary reasons.  Number one, the Willie Sutton factor.  When he was asked by the FBI, “Hey Willie, why do you rob banks?”  He replied, “Because that’s where the money is.”  Then, a second reason, insufficient resources to prevent and detect.  If lower net interest margins and higher regulatory burden weren’t enough, then the additional expense required for cyber security risk management is enough to put you over the top.

 

So that leads me to my guest for today.  His name is Kris St. Martin.  He’s vice president bank services program direction for CBIZ with over 100 offices and 4,000 associates in most of the major metropolitan and suburban areas throughout the US.  CBIZ delivers financial and employee business services to many organizations of all sizes as well as individual clients by providing national expertise combined with highly personalized services.  CBIZ is a leader in cyber risk including cyber insurance, IT audit, penetration testing, mobile application assessment, digital forensics, cyber risk management, and Kris is a cyber insurance expert, and is a member of the CBIZ national cyber risk management team.  He has more than 23 years of direct bank experience and he’s held many positions in banking.  He’s been providing risk mitigation services since 2009.  So, with that introduction, Kris, are you on the line there?

 

Kris St. Martin:

I am.  Thank you very much for that introduction, Kelly. 

 

Kelly Coughlin:

Did I cover all the relevant points in your bio, Kris?

 

Kris St. Martin:

You were very, very thorough.

 

Kelly Coughlin:

Excellent, I like being thorough.  Now, I didn’t include any personal background in there.  Do you want to start off with telling us who you are, family, where you live, that sort of thing?

 

Kris St. Martin:

Sure, absolutely.  As you mentioned, I was in banking for over 20 years.  I live in Plymouth, Minnesota, a suburb just west of Minneapolis.  In my banking days, I was involved in community banking in Plymouth for 20 plus years.  I worked First Bank Systems, which later became US Bank.  I was very familiar with a regional bank becoming a large national bank.  Went to a very small community bank, worked there for four years in my hometown, opened up a branch for them for a couple of years, and then became part of the de novo bank experience in 1999.  We opened up the bank in 2000.  Lived in the same community, Plymouth, for 20 plus years.  Wife of almost 26 years.  Three kids, one is a wildland firefighter; one’s a senior at the University of Minnesota going on to the law school next year; and my daughter has graduated with a marketing degree recently, and works for a hotel chain in the Twin Cities.

 

Kelly Coughlin:

That’s terrific.  Let’s dig right into it, Kris.  Subject today is cyber risk, cyber risk management in the banking ecosystem.  Let me just start out with a very general question here.  From your perspective, what are the cyber risks facing banks today?  What are the key risks that you see they face today?

 

Kris St. Martin:

Well, Kelly, you mentioned a number of them in your introduction and they include probably the largest frequency risk today is the ransomware by cyber extortion.  For the last few years, that was not as prevalent in the financial institution world, because financial institutions were deemed as a little better at backup than other industries such as retail and medical.  The very nature of those are locking up your information and if you haven’t backed up for a few days, that could be very, very costly. So they paused on the banking world for a couple of years, and now it’s getting hit very, very hard.  The other industries have tightened up on their backup procedures.  They tend to be smaller amounts; anywhere from $500 to $50,000.  They can be larger.  They tend to be quick hits, lock up your system.  Data breach is obviously a big one in the banking world, because obviously banks hold a great deal of data. Theft of money is always a big one. 

 

We’ve seen several cases recently where there was some type of hack leading up to obtaining passwords and wiring money out.  In addition to the types of things that are happening, banks are having to deal with, as you mentioned, the regulatory aspect of that.  The regulators are all over this topic and have great expectations when they’re coming in for exams.  Cyber insurance is part of that, where they really didn’t look at that too much in the last couple of years before that.  Now, they’re wanting to know what type of cyber coverage and all your cyber procedures are so it’s put a great deal of burden on them.  The reputation risk for having your information active is enormous to both your reputation, your brand, and litigation from a number of sources if you could have your data breached can be from clients who’ve had their data breached and it could be as more of like a class action if you had 50,000 records breached.  They could all band together and sue, but it could also be if you’ve lost one really critical piece of data.

 

Let’s say it was a critical business plan of one of your clients that you obtained in conjunction with a loan request.  Who knows what kind of harm that could cause, if that got in the hand of a competitor?  There’s also some litigation based on what is showing on social media.  Banks often encourage their employees to be on LinkedIn and other social medias to increase the bank’s presence.  There are other things that bankers are on that are not necessarily done with bank approval like Facebook.  So, somebody could be on Facebook and note on there, they’re an employee of XYZ bank and put something disparaging about one of the competitors on there.  It wasn’t necessarily a bank approved type of a thing, but they can be pulled into the litigation because of the reference to the bank.  So there’s a wide variety of cyber risk and financial risk for banks out there right now.

 

Kelly Coughlin:

Now that social media example, that isn’t part of cyber security risk. That’s more reputational risk, other financial risk, but a bank’s employee participating in Facebook for instance, that doesn’t open up risks for cyber-attack, correct?

 

Kris St. Martin:

Not from a cyber-attack, but it can be part of your cyber risk management program.  There’s great expectations from regulators that you are training your employees because there’s a financial risk that can come back to the bank.  So it’s part of your cyber risk management program at the bank not necessarily directly from a hacker.

Kelly Coughlin:

Okay.  You guys are in the business of helping banks insure the risk.  In the event of a cyber-attack, they buy an insurance policy that covers their financial risk in the event of some sort of cyber-attack, correct?

 

Kris St. Martin:

Yeah. 

 

Kelly Coughlin:

Now, is it fair to say that four years ago cyber risk management was more or less a footnote of a P&C policy or an E&O, D&O type policy?

 

Kris St. Martin:

Right and there’s just only a few remnants of that.  So, for example, in your general liability policy there were many areas in there that could have provided coverage 10 years ago under what’s happening in today’s environment.  Over the years, the carriers have been excluding on your D&O policies, directors and officers liability policies, your professional services policies as well as your general liability policies, anything that’s related to cyber risk.  So today, most directors and officers policies and general liabilities policies exclude anything related to cyber risk.  They push everything towards a cyber policy with only a few exceptions.  The exception to that is in their directors and officers policy, if you look at what happened to Target, the Target breach about three or four years ago, after the smoke cleared the directors and officers were sued for lack of oversight of the cyber risk management program.  That’s where kind of a cyber-related type of thing can still be pulled into a D&O policy, but specifically if officers and directors are named based on decisions made by those directors and officers.  The D&O policy is not going to pay for anything that’s related to your expenses associated with the breach.  In the case of theft of money through hackers, where there is a theft of money, that’s treated under a crime bond policy. So the other exception is if you had a hacker come in, obtain codes to malware or whatever they use, eventually wire money out that’s not retrievable, that actual cash loss, whether it’s the bank or your client, is treated and handled under the bond.  So those are kind of the two remaining policies where there is some related coverage. 

 

Kelly Coughlin:

Okay, but business interruption, for instance, let’s say it’s denial of service, which is business interruption, would that be specifically excluded from the other P&C policy that would cover interruption from fire or water, that sort of thing?  Is that specifically excluded? 

 

Kris St. Martin:

Yes and with other causes of business interruption, that is included in your traditional package policies.  That has historically been part of those policies, but with a cyber interruption, again, those policies now exclude the business interruption reimbursement and pushed it back to the cyber policy.  If you’re a retailer selling products online and your website goes down for three weeks, it’s very easy to document the lost sales based on a history there.  In the banking world, your primary revenue is going to be your net interest margin, so your loan income is still coming in regardless if your system is down or not.  So the classic business interruption policy is going to pay for the lost income. It’s good to have it in your policy because you never know, but there’s not a lot of claims in there in the banking world because it’s difficult to demonstrate you actually lost income.

 

Kelly Coughlin:

Yeah, I suppose it’s mainly reputational damage, if people go to the site and they can’t access it, and the media gets wind of it, then that’s more harmful than loss of any sales on any given day, correct?

 

Kris St. Martin:

Yes, that is correct.

 

Kelly Coughlin:

So this is a whole new policy that banks now have to include in their portfolio of insurance policies.  That’s good for you in that it’s another policy that you can earn fees on.  Bad for them, it’s another policy that they have to pay fees on, but that’s the brave new world.  Is it fair to say that regulators today are looking for and demanding specific policies related to cyber insurance? 

 

Kris St. Martin:

Yeah, it’s interesting from the regulators.  They will come in and they will look at your insurance policies, but there’s very little that they absolutely require on insurance.  The way the regulations are written under there is you don’t necessarily have to have insurance, but you’ve got to convince us that you have a way of self-insuring, or what your plan is.  A bank that’s extremely well capitalized can go in without any insurance policies if they want and say we’re going to self-insure for those.  That’s not very common. So the regulators would come in, they don’t require it, but they will look through the insurance policies and it could be a critical comment, if you didn’t have insurance.  When the regulators come in and look at the cyber program and IT in general right now, the insurances went from low business access loss to a very important part of your cyber risk management and how your IT exam is going to come out.  Again, it’s not a requirement, but it’s going to fall into how you’re rated and the components of the rating for that whole area.  They know that if you do have a cyber breach and you’re making decisions, and you need to make fairly timely decisions, because the harm for not acting quickly exponentially get worse.  Not only financially and reputation wise, so it’s good to know that you would have an insurance available to help you make good, accurate, quick, timely decisions and not make bad decisions based on we don’t have a funding mechanism outside of our own capital.  It’s a very distinct part of that exam, but not required.

 

Kelly Coughlin:

Okay.  If I go back to my consulting days of internal controls, you’ve got three categories of controls; prevention, detection, and correction.  Insurance has been more or less in the correction category.  It’s a way to make people whole, make the company whole.  It really doesn’t prevent and detect things.  Those are internal controls that the company has to adopt and use insurance on the correction side.  As part of the insurance underwriting process, is there any sort of work or effort being done by insurance carriers that helps banks on the prevention and detection side in terms of adopting best practices among the industry?  Do they give discounts in premiums if they have best practices, or not?

 

Kris St. Martin:

I think it’s fairly early on in that world with carriers right now, but if you look at an application from a carrier and try to say okay, why are they asking that, a lot of it gets at the best practices that they’re asking.  They’re going down that path and by the way Kelly, the cyber policies today are not viably priced as of yet in the banking industry.  If you’re a community bank under let’s say a half billion, you can probably get a $3 million limit cyber policy.  Now, there’s going to be different bells and whistles there, but you can probably get something in that range for $8 to $12,000 in that range, for $3 million.  We’ve got small little banks that they’re buying them for million dollar coverage for $3,000.  They’re a pretty good robust policy.  Where underwriters are looking at pricing, they can fairly quantify, if a data breach happens based on a number of records, personal data records that you have, there’s different published amounts of somewhere around $30 per record is going to be what your cost is out of pocket.  They can fairly well quantify the costs to immediately get through the data breach part of it and the carriers are fairly comfortable with the pricing on that.  Where it really gets difficult, is more on the liability side; who’s going to end up suing you; what regulatory body is going to put a fine on you; and that is a really ever-evolving market. 

 

As an example, going back to the critical piece of data, if you lost somebody’s business plan, it gets into the wrong hands, that’s hard to quantify.  It all depends on the circumstances.  It could be a half-million dollar lawsuit, it can be a $10 million lawsuit.  So that’s evolving.  Getting back to kind of your question on the underwriting, the first two things that a cyber underwriter will look at in the big picture of things is number of records that you have.  Records are generally defined on the consumer side, if there’s a social security number associated with a name of loss, that’s automatically going to qualify as triggering a data breach for that particular record.  So you look at the number of records both personal and business, that you hold, and that will be on the application and that will be probably the biggest thing that will set the pricing.  A bank may have 100,000 accounts, either accounts that are closed or current ones, but they may have 25,000 individual individuals who opened all of those accounts.  So the number of records would be the individuals with their social security number and how many of those do you have at the bank.  Historically, if you are retaining that information in current accounts, that’s the primary driver with the cost of cyber insurance right now. 

 

They’re going to look at the annual revenue of the company just to give them a scope of the size and breadth of the company.  It’s not perfect, but it gives them an idea of obviously a bigger company versus a smaller organization, because it’s got more things going.  They have more contracts.  They have more data.  In general, more stuff going on that could potentially fall into the cyber world.  Then, you look at a typical application and look at some of the questions that they’re asking.  Some of them would be maybe a complete take out of hey, we don’t want to write this policy.  Some of them are going to be a little much less alarming, if you had answered no. But if you look at it, there’s a reason they’re asking those questions.  It’s the overall risk to the insurance company.  Same thing for the bank. 

 

For example, one question that’s on many applications and I’ll read one, “Does the applicant restrict employee access to personally identifiable information on a business need to know basis?”  That’s a pretty general question and most banks are going to say, yes, we make sure, we try to make sure that people can have access to different areas on the computer network based on what they need it for, kind of a need to know type.  That question, I think most banks are going to say yes to that.  Who wouldn’t say that?  But they always want you to kind of think that through and really go back and review that.  Hopefully, if I’m looking at that, not only am I going to say well yeah, but hopefully that causes you to go back and really review that because they’re asking that for a very good reason.  There’s claims history behind those questions.

 

Kelly Coughlin:

Back to my prevention, detection, correction internal control model. On the prevention and detection internal controls, what I think I hear you say, let’s say we have a continuum of one being no internal controls and five being terrific internal controls.  In the underwriting process, if the bank comes in at a one or a two, they’re going to get rejected.  If the bank comes in at a four or a five, they’ll get accepted, but they’re not going to get any discounts. They’re not going to get rewarded for their superior internal control structure, but they’ll get accepted.  So if they’re a 3, 4, 5, then they get lumped in terms of the same pricing, but they won’t get rejected.

 

Kris St. Martin:

Yeah, I think that’s a fair statement.  What will happen over time as there is more and more claims history with these carriers, they’re going to be able to get even more defined on that type of thought process.  If they know that, in my example that I talked about under being able to restrict your employees to only certain applications within your system. If that became more and more of a claim problem for carriers, they’re probably going to dig deeper into that and actually ask more and more questions beyond that and have you document that and also base the pricing on that more and more.  So yes, there is definitely some underwriting based on your current procedures in place.  I think just based on where claims are going, there’s going to be more and more of that.

 

Kelly Coughlin:

What’s your expectation in terms of likelihood on the pricing part?  Do you think they’re going to increase or decrease, or stay the same over the next 12 months and then even farther out from that?

 

Kris St. Martin:

Yeah, I think it’s going to be a little bit like the hurricane effect in general P&C insurance.  Whenever there’s a big hurricane, that’s going to affect everybody’s homeowner policy for a couple of years.  Everybody will see the cost of premiums will spread out a little bit.  I think you’re going to see that in cyber.  Right now, there are a number of claims out there, but it’s not to the point where I don’t think that the premiums the carriers are charging isn’t supporting it.  The carriers are a profit business like anybody else. They try not to pay out more than 50% of what they charge in premiums on claims, kind of a rule of thumb and then the other 50% is profit and paying for the rest of your operation. When you see that pay out starting to exceed that kind of industry percentage, that’s when you start seeing the premiums go up. That would just take enormous breaches or volume of community bank breaches, then it’s going to be all claims related. 

 

So, as of right now, based on what the pattern of claims are, it should be pretty steady, but with a caveat that it wouldn’t take much if there’s a couple of large financial institutions or a bunch of smaller ones, you’re starting to get into hundreds of millions of dollars of claims, that could push prices up in a hurry.  The other part to that is there’s also a future expectation of risk of what’s going on, they can push it up also.  Even if the claims haven’t quite hit yet, if there is a more and more devious way to harm banks than before and that comes out, and there’s a fear of that, you may see some underwriters starting to push the premiums up in anticipation of that.  They don’t have any reason to believe right now, based on what’s been happening, that we’re going to see premiums drastically increase in 12 months.

 

Kelly Coughlin:

Well, that’s it for part one of my interview with Kris St. Martin, a bank cyber security expert at CBIZ.  In part two, we’ll talk more about what drives premium costs and once a bank experiences a cyber intrusion then what are the actual types of costs the bank can insure, and how to make sure that these costs are recoverable in an insurance claim. 

 

Announcer:

We want to thank you for listening to the syndicated audio program bankbosun.com.  The audio content is produced and syndicated by Seth Greene, Market Domination, with the help of Kevin Boyle.  Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle.  Voice introduction is me, Karim Kronfli. The program is hosted by Kelly Coughlin.  If you like this program, please tell us. If you don’t, please tell us how we can improve it.  Now, some disclaimers.  Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant.  The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way, represent the views of any other agent, principal, employer, employee, lender, or supplier. 

Nov 3, 2016

Kelly: My next guest worked with his brother, and was so fierce and mean in his first career that some journalists called him and his brother the “Bruise Brothers”. He wasn't in the mafia. He was an NFL safety for the Miami Dolphins.

Greetings! This is Kelly Coughlin.

Voiceover:     Kelly Coughlin is CEO of BankBosun, a management consulting firm helping bank C-Level Officers navigate risk and discover reward. He is the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch. On the podcast, Kelly interviews key executives in the banking ecosystem to provide bank C-Suite officers, risk management, technology, and investment ideas and solutions to help them navigate risks and discover rewards. And now, your host, Kelly Coughlin.

Kelly:             Hello! This is Kelly Coughlin. I am the CEO of BankBosun and program host. This is the first in a two-part interview series with a guest that I think is fascinating, interesting and frankly, he’s simply an enjoyable guy.

 

His name is Glenn Blackwood. And he is a Board Member and Principal of Equias Alliance, a bank-owned life insurance and nonqualified benefits consultant for regional and community banks.

 

What makes Glenn more fascinating and interesting than your average BOLI guy is Glenn is a former NFL athlete with the Miami Dolphins. And for all you bankers out there, who of you never reenacted the 5 seconds left, game on the line, opponent in the red zone, pass thrown your way, interception, game over, you win…

 

Well, this guy has been there, done that. And you all hear that not all games ended this way. You will win some and lose some, and learning to deal with that was part of being a professional athlete.

 

You know, in my mind, competition is the common denominator between sports and business. Certainly, professional sports are a business industry in and of themselves, but I am talking about the competition on the field of play in sports - the gridiron; and the competition on the field of play in business - the boardroom.

 

So what can be learned from professional sports about competing more effectively in business? And more specifically, what can our bank clients learn from professional sports and a professional athlete who knows business? That’s the purpose of this podcast.

 

Glenn has over 25 years of experience in the bank-owned life insurance and nonqualified benefit plans consulting and has worked with hundreds of banks in the design and construction of cost-effective solutions, to help banks compete and retain good talent. But before that, he was with the Miami Dolphins for about 10 years and I think he played middle linebacker for the Dolphins. Glenn, did I get that one right?

 

Glenn:            You got everything right except position. If I had played middle linebacker, I’d have gotten killed.

 

Kelly:             Oh that’s right, you played safety.

Glenn:            Yes, I played safety.

 

Kelly:             All right. Great. Glenn, welcome! How are you doing?

 

Glenn:            Thank you. I am doing fine. Glad to be visiting with you.

 

Kelly:             Great! Thanks for coming on board. Glenn, I don't want to try to summarize your background, because you know yourself better than I know you. Just give us a summary of education, business background, family, where you living, how many kids?

 

Glenn:            My wife and I have been married for 34 years and we have 4 children and 4 grandchildren. I grew up in Texas and I grew up in a football family. My dad played running back at Baylor in the late ‘40s. And then, I had two brothers and one sister.

 

My sister was a very good athlete as well. She played tennis and actually was one of the top tennis players in the city of San Antonio where we grew up.

I’m the youngest of the four and my oldest brother Lyle played at TCU and went on and played in the NFL with a variety of teams, and actually ended up playing with me down in Miami for his last 5 years, which was really a kick.

 

Then I have another brother Mike, who was probably the best athlete of all of us, but he was just smaller than Lyle and I were. He was a tremendous baseball player, basketball player, golfer, football player, and he played at TCU and then primarily due to size restraint, he wasn’t able to play in the NFL.

 

I did really well academically in high school so back then there wasn’t as much educational counseling it’s kind of like, well, if you did really good in grades you went into med, you became a doctor.

 

And then I ended up going to the University of Texas out of my high school. Darrell Royal was kind enough to offer me a scholarship and there is a long story there, which I won’t bore you with. I was not his early on pick, because I was kind of small as well. And they ended up taking a chance on me and I think it worked out for them and certainly worked out for me.

 

I ended up starting three years there at the University of Texas. I was captain the last year of my playing there.

 

So I was in pre-med at the University of Texas. Actually, had completed those or was right in the process of completing, when the Dolphins drafted me. And the dean at one of the, I think it was the University of Texas Dental School, said "Look, you can come back and go to school anytime, but how many people get a chance to play in the NFL?"

 

So I really appreciated him having the candor because a lot of academic guys don’t really value the sports side. He was really a balanced guy and he said, “Go try the NFL. And you can always come back and go to school.”

 

And I was drafted by the Miami Dolphins in the 8th round and I ended up.

So after 10 years in NFL, I wasn’t going to go back and try to redo that, and ended up playing 10 years for the Dolphins. And started my career there and ended my career there. I actually had nine seasons. I played in my last year but I was on injured reserve with a knee injury, which ultimately ended my career. So it was a good run.

 

Kelly:             Those were Don Shula years, I’m thinking, right?

 

Glenn:            That would be correct. That was 1979. I was drafted and I retired in April of 1989. I had all my years with coach Shula and that was a great experience from a standpoint of playing for a coach who had a grasp of the game and all phases of the game, as well as how to manage a football team. The head coach has to do a lot of stuff and Shula was probably as good at it as anybody I've ever seen.

 

Kelly:             And let’s see, Bob Griese would have been the quarterback in those years?

 

Glenn:            Actually, Griese was there the first two years I came to the Dolphins and then after that, we had a little stub period and then we drafted this kid out of Pittsburgh named Dan Marino and that was the end of that.

 

Kelly:             And that was the end of that. So you had, what, four years with Marino at the helm?

 

Glenn:            Danny came in at '83. So I actually had five years of playing with Danny.

 

Kelly:             Five years, yeah.

 

Glenn:            There is a great story there. He came up to my brother was in the locker room and my brother had been playing at that time for like 12 years, kind of the seasoned veteran. And here is the rookie Marino at his first start and Danny tells the story during his Hall of Fame speech.

 

My brother walked up to him and said, "Danny, look just relax. You are a great football player. You’ve got a great arm. You are going to be great in this league. Don't be nervous. Don't go out there with any anxiety. But just remember our whole season is riding on your shoulders."

 

Marino said, “Thanks a lot!” And he properly went out threw for a 356 yard game and so began the career of Dan Marino and probably one of the most amazing releases I’ve ever seen by a quarterback. He was so quick release. People say, “Oh, what it’s like playing with Danny?” And I’d said, “Well, you know I watched him from the sidelines so I was glad I wasn’t playing against him. But I practiced against him every day. And he made me a better football player because his release was so quick that you had to get a jump. You couldn't play around with him. You couldn’t give him any space because he could get that ball going with accuracy and velocity quicker than anybody I’ve ever seen.”

 

Kelly:             I always have this incredible amount of respect for defensive players - safeties and cornerbacks - when they are in a situation where they know the game is on the line and then it’s the safety and the cornerback facing a really good quarterback and a really good receiver and there you are getting ready for the play. What’s that like? How do you get your mind in the game, where you’re not thinking "Oh my God! If I blow this, I’m done." Right? How do you get yourself prepared for that?

 

Glenn:            Well, I think part of it is that you realize that you are playing against professionals that are really good at what they do. So you’re going to get beaten some. And if you don't have a healthy understanding of that, then you’ll be a basket case in the NFL. There are those individual NFL players that are so talented…they relish that opportunity because they know they’re that good and they’re going to be able to rise to the occasion.

 

Most of the players in the NFL are really good athletes, but they are not of that ilk where they are just going to dominate every time. So it’s nerve racking and it is exhilarating when you rise to the occasion, and it’s a gut punch when you don’t. And I’ve been beat for touchdowns and I’ve intercepted passes as they were going in for touchdowns and I’ve stopped the play. And as they said in the Wide World of Sports, the thrill of victory and the agony of defeat. And it’s painful. But if you don't realize that that’s very much the way life is. You’re going to have some moments of exhilaration in life and you are going to have some pain parts in life as well. If you don't negotiate that well, then it can make for a tough time.

 

Most guys who have a difficult time with that don't last as long in the game, because they can't handle the pressure. I really felt like I prepared extremely well for a game. I had knowledge of my opponents. I knew what they liked to do. I knew what they like to do in certain downs and distances. And so I could whittle it down.

 

I remember there was a play where we were playing with the Jets one time and they had a really good tight end, almost like a receiver guy a guy named Jerome Barkum, and I knew what pass route they were going to run. They ran it against me and Richard Todd threw the ball, completed it in the end zone for touchdown. I knew exactly what they were going to run. I was just playing against a really talented receiver and a quarterback who put the ball in a place where only he could catch it.

 

Kelly:             Do you get in situations or have you seen players in situations where the fear factor of getting burned it almost creates a paralysis and they get so consumed by failing that they are almost slow to react cause they are so consumed by that?

 

Glenn:            There is no doubt you see that. You see it all the time. And that’s happened to me. Everybody has those moments where you know you say, “I don't want to be the weak link in this defense or this offense.” So absolutely, that happens. And I think some guys can live through that and come out on the back side and learn from it, and they mature and they grow through things. And then others, they never get a handle on it. And I think it hinders their career.

 

Look, I watched a lot of guys that were much better athletes than me, come into training camp every year and for some reason you know I was able to keep my job for you know ten years. A large part of it was because I really prepared a lot for the games and I had a good knowledge of the game, and I could coordinate our defense really well. The other part of it was that you kind of grow into that knowing that you’ve got to realize that you are going to have times where you make the play and there’s going to be times where it doesn’t work out the way you wanted to.

 

And that’s the game of football. You are playing with really good players on the other side of the line and that their job is to make you look bad, to beat you. They are good athletes. So sometimes you win, sometimes you lose. Fortunately, down in Miami, we won a little bit more than we lost and that was good.

 

Kelly:             Ever been in that situation where there is just mismatch, you are making the wrong reads and then, they are picking on you?

 

Glenn:            Very seldom I saw myself in that position because I was not reading things right. It usually was just physical talent. I wasn’t the biggest, fastest guy out there. You are going to get in those situations – and sometimes the quarterbacks see it and sometimes they don't.

 

Kelly:             So after the NFL, you decided you wanted to get in to the bank-owned life insurance business. How did you end up picking this industry?

 

Glenn:            You know the reason I got into the business is that – it’s a long story but I will make it very short. I ran into a former adversary of mine in the NFL, a guy named Wally Hilgenberg. And Wally played linebacker for the Minnesota Vikings…and played sixteen years in the NFL. And he and a few other gentlemen had started this business and they called the company Bank Compensation Strategies. And that company placed the first BOLI product on a bank in Bloomington, Minnesota back in 1982. And it was kind of a quid pro quo. It was an insurance policy purchase to hedge a SERP or deferred compensation expense.

 

And that’s the way this whole business really got started. And Wally and I ran into each other at a fishing tournament..I’ve got a name for it but I won’t say it on this…but it’s basically the old guys fishing tournament..former retired guys from the NFL we were fishing down in Louisiana and I happened to sit next to Wally on a bus going to the fishing tournament. And he and I got to talking.

 

And I had prepared for after football by going to a university down in Miami and studying for a couple of years. I had worked in an investment banking firm because I knew they’d kick me out of football one day. And that’s probably the one thing if I could say for most athletes, especially professional athletes is you’ve got to prepare for the day they tell you you're not good enough anymore. Because it will happen. And when it does, the severing of that cord, of that tie is swift, and it’s brutal, and it’s fast and it’s painful.

 

If you are not economically prepared and educationally or vocationally prepared, it’s a very tough transition. Fortunately, I had done that and Wally and I got to talking and he said we’ve got this program where he had this BOLI asset and the benefit needs. And he explained it to me and what I saw in it, was I saw there were three real focused needs of expertise.

 

You had to have some sense mathematically. You had to have accounting grasp. You had to have a legal grasp, because there were agreements involved. And then, you had to understand the regulatory piece of it. And I loved the multitasking and juggling all those balls. That was very similar to what I did on the football field, because I ran our defense for most of the years I was playing down there in Miami.

 

And so, I had to know what the linebackers were doing. I didn’t play their position but I had to know what they were doing, what their challenges were, and our defensive line, our corners. And then I had to when the offense came up and showed us a different formation, I had to change our defense and put us in the right one. I love Bill Arnsparger, my defense coordinator, who was one of the greatest defense coordinators in the NFL and he sat me down on the bleachers one time and said before I was going into my first start, where I was running the defense, and he said, “Glenn. I can only guess right half of time. You have to put the right defense the other half.”

 

And first of all, Bill was understating his capabilities, because he didn’t guess, number 1. He was well prepared. And most of the time, he gave us the right defense. But he gave me that freedom, to move and change if I saw something I didn’t like.

 

And I loved that ability, the need to understand all the different pieces of how a defense works together. And it is the same way in this business. You got to understand the legal, the accounting, the regulatory. And I love being able to juggle those balls and being able to put everything together and explain to a bank and a bank board how this works, how we can put it in, how it works from an accounting perspective, and tax and balance sheet and income statement, and then what we do to take care of them to caretake for them on an ongoing basis. I looked at it and I thought this is a good fit for my skill set and Wally wanted somebody in Florida and I said I think I found the right guy for you, and that's me.

 

Kelly:             Did you ever have to play up in Metropolitan Stadium in the winter?

 

Glenn:            I played in the Met Stadium but not in the winter. And by the time I played up there in the winter, we had a dome. But I did play in the Packers in the teens and I played in New England and Chicago and New York.

 

Kelly:             How tough was it from Miami because half your games were down or more than half of your games were down in the southern climate, right? But how tough was that?

 

Glenn:            It was hard because you had to adjust to the cold weather really, it hardens everything and it makes it harder to catch the ball. One of things coach Shula used to say is don’t overdress and he’d be yelling in the locker room, don’t overdress. His point out of that was you can be warm, you can put on enough stuff to get you warm, but you can't function. You had to get that balance of layering that allowed you to maintain some form of body heat but also be able to move fluidly in your uniform, etc. I think, actually, while it was tough on us, I think it was much harder for the northern teams in November to come down to Miami and play in 80 degree weather and it’s humid. I’ve watched teams literally just melt right before us because they just couldn't handle it in the second half.

 

Kelly:             Really? What about the Mile High Stadium? Did you ever must have played there?

 

Glenn:            We did play at Mile High Stadium. That just really wasn't a lot of problem either for me. The lack of altitude was offset by the lack of humidity…and so you didn’t sweat a lot out there. It was invigorating…I loved playing in that. The worst place I ever played from a physical standpoint of trying to be able to breathe was when we played the Rams out in Anaheim one year and they had a stage four smog alert. It was a one o'clock game; they had to turn the lights on in the stadium. There was so much smog. My lungs burned for about 2 days after that game.

 

Kelly:             Let's finish with the dumbest thing you have ever done or said in your situation?

 

Glenn:            I remember one time I was so, we had a fourth and one the Buffalo Bills were going into our endzone. They had kind of a strong set towards me and I was a strong safety and I really wasn’t that big a guy, so my adrenaline was flowing and I thought this guy was going to try and kill me. And they’re going to try to run right over me. It was kind of what you talked earlier, where there’s a little bit of fear there and I didn't want to be the weak link in the defense. So I was geared up and as soon as the ball was snapped, I took off to run into that flanker, he just turned sideways and I whiffed on him and he was a tight end flanker, it was a real tight set. They ran a play action pass and you know when I whiffed on him, I basically stumbled and the guy I was supposed to be covering ran right into the end zone and they threw him a little pass for a touchdown.

 

Kelly:             Well, that finishes Part 1 of my interview with Glenn Blackwood. I started the podcast saying Glenn was fascinating, interesting and simply a good guy, and I think that came out in this interview. I personally just love hearing his war stories of the NFL.

 

In Part 2, we will talk more about his second career in business and focusing on his expertise in the bank-owned life insurance business. And true to his form, he is competing and winning in this business just like he did with the Miami Dolphins. Thanks.

 

Voiceover:     We want to thank you for listening to the syndicated audio program, BankBosun.com. The audio content is produced and syndicated by Seth Greene, Market Domination, with the help of Kevin Boyle.

 

Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle. The voice introduction is me, Karim Kronfli. The program is hosted by Kelly Coughlin.

 

If you like this program, please tell us. If you don’t, please tell us how we can improve it. And now, some disclaimers. Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant.  The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any other way represent the views of any other agent, principal, employer, employee, vendor or supplier.
