LOST PINES, Texas–Credit union leaders often discuss what keeps them up at night, and few executives have more reasons for sleepless nights than CIOs and CTOs.
So, not surprisingly, when Bruce Fox, CEO of Catalyst Corporate, asked Diana Hennel, SVP/CTO with the corporate, during the company’s Strategic Summit what causes her to have insomnia, Hennel had plenty to share.
But she also related how steps are being taken and investments made to make for (at least a little) more peaceful nights.
Hennel’s comments came just a day after the outage at Amazon Web Services (AWS) that caused problems for a wide range of industries, which she said made clear how important “resilience” is.
What happened at AWS, she said, is an illustration of just how interconnected credit unions and corporates are with vendors.
‘It Gets a Little Scary’
“A lot of us have moved to cloud-based backups, and it seems like a great thing; we don’t have to do tapes anymore, we don’t have to have Iron Mountain coming every day picking up a bucket of tapes and taking them off-site. It just automatically, magically gets backed up to the cloud every night,” Hennel said. “But if you start thinking about what that really means from a cyber-event perspective, then it gets a little scary, because if all that data was on-site and you had that tape machine sitting right there next to your mainframe, recovery was pretty quick. But these cloud-based backups have the downside that if you need to recover a large part of your environment from a ransomware event, it takes a tremendous amount of time.”
Hennel noted that, just like credit unions themselves, Catalyst Corporate can’t afford to be down—especially for any extended period—and said Fox has challenged the technology team to build out and support resiliency so that if there were a ransomware event, it could recover within 48 hours.
14-Step Program
“We identified 14 different steps to improve the resiliency of the data,” she said. “We have focused a lot on locking the environment down to only what is known traffic in the environment. We do a lot of tabletop exercises. We did one last year with just senior management on how we would respond to a ransomware incident, and we came up with about 25 action items—just things that we needed to go figure out in the event of a breach or ransomware. About 30% of cyber-events today are either data breaches or due to third-party providers.”
That’s the reason examiners have placed more scrutiny on third-party risk management, Hennel said, even though those can be difficult to control.
She added that Catalyst is planning a live event with one of its vendors in 2026 to measure recovery time.
Insomnia 2.0
Also keeping her awake at night, Hennel said, is how AI is playing into cybersecurity-related threats, although it is also a tool for fighting cybercrime. AI has made phishing attempts much more believable, she noted, and, as a result, much more difficult to detect.
“Unfortunately, the people in our value chain are still the weakest link from a security perspective,” she said. “The other piece of AI is that the fraudsters are able to ramp up and analyze vulnerabilities much more quickly, which leads to attacks happening much more rapidly, which is both a positive and a negative. The negative, obviously, is attacks are happening much more frequently. The positive is that things like ransomware aren’t living in your environment as long. The tools are getting better at looking for pieces of ransomware that are sitting in your environment and being able to detect them.”
Another AI-related issue Hennel said she often thinks about is FOMO—the fear of missing out on AI technologies that other organizations are deploying.
Seeking a Co-Pilot
“There must be some great use cases out there, and it’s very much a balancing act, finding those use cases that show payback for your organization,” Hennel said. “Building an AI program in-house and hiring the staff and being able to effectively leverage that staff is both very difficult and expensive. The approach we have taken at Catalyst is really to look for those key partners that have AI built into their tools that naturally fit into the workflows.
“We have had a number of efforts this year. We rolled out (Microsoft) Co-Pilot to our employees who were interested in it, and we’ve seen great adoption; about 85% of our employees who signed up for a license at the beginning of the year are heavily utilizing that in their day-to-day job.”
Hennel said Catalyst Corporate is also working to implement a BSA platform with embedded AI to help it look for suspicious activity and has found use cases in the check processing environment.
“We’ll continue to look for those high-value places that bring almost immediate ROI,” Hennel said. “We’re not looking to leverage AI right now to reduce staff—it’s really to free up our staff to provide better services.”
