Adam Parks (00:07)
Hello everybody, Adam Parks here with another episode of Receivables Podcast. Today we're kicking off our event series so that we can talk about all the great things that are happening in person around the debt collection industry each year. Today for the first one, we're gonna be talking about the ACA Cybersecurity event that's coming up here in just a few weeks. And to talk about it, I've got Mr. Tim Collins.
resident tech master guru around the deck collection industry. And Jennifer Whipple, who is on the ACA board and helping to bring all of this great discussion together. How you guys doing today?
Jennifer Whipple (00:43)
Really good. Thanks, Adam. Good to see you.
Adam Parks (00:45)
You as well. really appreciate you guys coming on having a chat with me. You know, from the TransUnion Debt Collection Industry Report in 2024, we saw that the number one concern across the entire industry, all debt collection companies is cybersecurity, whether you're large, small, mid sized, it doesn't really matter. think cybersecurity is a threat that we all share these days. And it's becoming more significant issue as we've seen over the last couple of years. So talk to me a little bit about what you guys have
Tim Collins (00:45)
Yeah.
Adam Parks (01:14)
planned for this event in Austin.
Jennifer Whipple (01:16)
Yeah, thanks Adam. We really find that cybersecurity levels the playing field. Doesn't matter what size, doesn't matter who you are or where you are, if you're the owner, if you're managing a company yourself or you are in IT. We all need to know about it. So we are meeting March 31st through April 2nd in Austin, Texas. We're excited to stay at the Hyatt Regency. And of course, ACA always gets us really great room rates. So we're excited to...
to have a nice room rate as well.
Adam Parks (01:45)
Well, not a bad city to be hanging out in either. Austin can be a lot of fun, nice tech hub capital, especially for the South here. So Tim, what's got you excited talking about cybersecurity and bringing more of these very relevant topics to the industry?
Tim Collins (01:59)
And I think Adam, your original point about, that this is what keeps people up at night. And it's even the playing field as Jennifer talked about it. like this impacts everybody. doesn't matter what size it is. doesn't matter if you have a lot of IT people, a lot of information security people or penetration testing, you know, vulnerability testing, all of that stuff. it impacts everybody. And one of the reasons, the ACA leadership decided to do this conference is because of that need.
Tim Collins (02:25)
They saw the need and said, Hey, let's build this conference for the membership and for the industry itself, or that's, you know, this is across the board and other, trade associations are involved with this. Now that that piece is really exciting for me, but it's in Austin. And, while I would love to talk about information security, I'd be making up most of what I said. They actually brought in the experts that are in that space. So that is everything from the people that will help you, you know,
Make sure you have solid systems in place and you're doing the trainings and all that other stuff. But all the way down to the forensics, the investigations, claim adjusters, everything that relates to the insurance piece and how that works all the way through, you know, anything that's super, super technical. So it's a wide range that covers. So if you've got a bunch of, you know, your tech people and they want to understand how they can, you know, make their systems more secure, we've got that.
Tim Collins (03:16)
If you're a business owner and like, is this going to impact my business when this happens? Not if, when this happens, right? Then you've got those people that you could talk to. if you've got the people at the very, very top that are like, how do I get the most value out of the money I'm going to have to spend? We've got those people there too. So it's this whole range. We've got it set up that you can actually talk to them. They'll be doing presentations and I'll be moderating a few of those panels, but they will...
Tim Collins (03:44)
be there to actually answer your specific questions and can look at policies and things that you've got built and SOC 2s and ISOs and all that kind of stuff. And that's hands-on, that's, think really where the value comes from is like, you know, I think I've got it squared away, but do I really?
Adam Parks (04:02)
You know, even
if your technology is squared away, are you really squared away? I think as we look at some of the biggest hacks that we've seen in the last five to 10 years, Sony being one that I like to use as an example quite frequently. A weak password at a CEO almost took down a multi-billion dollar corporation. And so
Adam Parks (04:17)
If you look at really how are people getting in, it's very rarely a digital penetration at this point, nobody's overcoming your encrypted servers or your encrypted firewalls. It's now become more of a situation of how am I watching for these watching for these emails, I had one recently that I caught from a trade association outside of that collection space. And there was a Cyrillic a in, in the name in the email. And that's the only thing that kind of triggered me to go, hey, this doesn't look
Tim Collins (04:40)
you
Adam Parks (04:45)
real. Everything else looked pretty real to me. But that was clearly somebody had been hacked. And now I think social engineering is such a strong thing. And for anyone who has not read it and wants to kind of prepare themselves for this, I would look at The Art of Deception by Kevin Mitnick is one of the best books that I've ever read on that subject. And you will never look at cybersecurity the same way. You will never really sit there and think about cybersecurity as a firewall anymore. You start thinking about the people as the greatest weakness.
Adam Parks (05:12)
of any organization? And are you using things like a known before and doing internal phishing hacks. Are you you actually training your people to identify these things? Because it's, it's the little things that count in this situation.
Tim Collins (05:25)
Yeah. And I think it's getting so much better, Adam, to your point. I just had it happen to me personally in the fact that I met InDebted and they're a startup and they give us options to buy equity and all that other stuff. And so somebody sent me an email and it was perfect. were no, nothing I could see that was different. And the email address looked somewhat legitimate. And they said, Hey, Tim, you have to sign your letter.
Tim Collins (05:51)
because you've been there for four years now, you're fully vested, and we just need you to log into your Google account to do it, right? And so I'm just like, this must be something I to, I've never had equity before, so what do I know? And so, but if you think about that, somebody had to know, indebted, that they were backed by a VC and that they probably were giving options to their employees. You had to know that I'd been there for four years.
Tim Collins (06:14)
and you had to find my email address. So there was all these variables that they had to find and then they pulled it all together. Didn't have, you know, the wrong alphabet or any of other stuff that's in there was it was like picture perfect, know, logos and everything everywhere. And all you have to do is push this one button and I pushed it, right? And then it's like, then you start to get that, you know, the hair on the back of the neck and you're like, I'm starting to think and then it's notifying, you know, immediately.
Tim Collins (06:41)
You gotta come clean and say, look at, got this issue. I clicked on this button and the IT guys step in and say, hey, here's what's happening. Here's what we need to do. And then they brush in and start to do what they need to do. But a lot of times people push that button and they have no idea, you know, what, what, try to hide it. Yeah. Because it's, it's embarrassing. Yeah. Yeah.
Adam Parks (06:55)
they try to hide it. I think you brought up a really good point that like as soon as right as soon as it happens, you have to
bring it to the forefront, you have to have that discussion because if you don't, you're making the situation so much worse.
Tim Collins (07:06)
Yeah, absolutely. People look like Tim, you're like a tech guru and you should know this and you just sleep and breathe tech and I'm like, yeah, I pushed the button. And yeah, and so at least I had the courage because there's a lot of courage is to go, hey, I gotta go right to it right away and tell them because then this just starts and now what I've seen because I click that button, I'm a target. And so all of these phishing attempts are coming in now and you just see them a lot and it's like I've gone into the high risk list.
Tim Collins (07:31)
you know, because I'm an executive at InDebted and it's all that kind of stuff. you know, it's out there. It's out there and it's happening. And so again, that's why I think this conference is so important just for people to realize that it's not King of Nigeria kind of stuff that we saw, you know, when the internet first came out and we got email and all that other stuff, the level of sophistication has gone up dramatically. And there's things that every agency of every size can do. Cause I know Jennifer, you guys are, you know,
Adam Parks (07:36)
100%.
Tim Collins (07:59)
smaller agency and it's like how do I compete and be safe you know so
Jennifer Whipple (08:02)
Right.
Yeah. Yeah. I think that is important. If you're not SOC 2, if you don't have those certifications, what can you do? And going to this conference to help you determine, do I have the right insurance? So when this happens to me, am I covered? Do I have to close my business doors because it's going to be so expensive, especially if somebody gets your data?
Jennifer Whipple (08:22)
What kind of insurance do I need? I know that there's different kinds. Do I need internet liability? Do I need cyber insurance? Are they different? Are they the same? So I'm really excited to learn those things at the conference.
Adam Parks (08:34)
And I think you get the right people coming in. I'm sure QBE is going to be there talking about how the new programs have come into play. And I've had the opportunity to talk with some of the team about the debt buyer insurance programs. And that's probably why you're seeing ACA and NCBA and RMAI coming together for such an important topic and seeing everybody really gel.
over something that's so mission critical. And some of this stuff is really simple. It's password managers and creating separate logins and all of those little things that any organization or any individual can do. But I think it's something that executives really need to pay attention to and participate in. It doesn't really matter who you are in the organization or how important you are. As matter of fact, the more important you are, the more likely you are to have an issue, the more access that you have.
the more likely you are to be targeted. And as we were kind of prepping for this time, we talked a little bit about how AI has started to come into play here as well, because the probability that somebody actually sat there and put all of the Tim Collins pieces together manually is probably pretty low. But when you start doing this on scale, when you're able to start connecting the dots on scale and sending out those very targeted messages at scale, I think it changes the playing field quite significantly.
Tim Collins (09:46)
Yeah, it does. mean, it's the, the phishing attempts are increasing because it's so easy to do. You could use a ChatGPT You can have a perplexity do all the research on, you know, give me all the companies that just had a serious C like indebted did in the United States. And then you can get that list and then you can just do the prompting. Give me a list of all the executives at those organizations and then export it into a Excel spreadsheet.
And then you start layering on all the other research that you can do, and it's just asking you continual questions. The next thing you know, you've got this whole profile of who this person is. And now you can start to say, okay, we're going to use this one and this one and this one. And in the future, AI will pick which fish it's going to use, what the bait's going to be to get the fish. And it'll do it at such a level and at such a scale. It'll be like nothing we've seen before.
It is becoming more and more of a problem, such the fact that I love people after the safeguards rule came out from the FTC. They're like, well, we've got an MFA. And you're like, those letters can be used in so many ways. But this is more than just an MFA thing. Because to your point, Adam, they are not forcing their way in. They're walking in. And they're walking in because an employee opened the door for them and said, come on in. Come on in here. We've got this.
Adam Parks (10:48)
I'm sorry.
You
Tim Collins (11:06)
So, and not intentionally, they just don't even know. It's completely clueless. So that's why it's important to come talk to the experts about what's coming and we can stay, we're always gonna be kind of in this reactive place because of AI, especially. They're going to, we're gonna counter something that they're gonna keep up with and we're gonna use AI to kind of combat AI. And so there's those tools, but if you don't know they're out there because you're not in this every single day and.
Tim Collins (11:32)
I'm not, that's not my area of expertise, but you have to be to be in a business. then it's even when it does happen, because it's going to happen. We just always talk about when we never talk about if. And it's like, okay, when this happens, what do we have to do? And how do we train for that? Who's my insurance? And, you know, when you talk about QB and the insurance groups that are there, the things that you can do is Jennifer mentioned about the right policy with the right writer. And now we're starting to see, you know, $5 million is
Adam Parks (11:43)
Yup.
Tim Collins (12:00)
not a lot of money when it comes to a cyber breach. But now you can start to stack policies and umbrellas and there's some unique things that you can do to kind of keep some of those costs down. But that's why really the business folks need to be there. But you also need the tech people. This is not just a tech conference, it's a business thing to able to say, how can we make sure that we've got the coverages that we need for when this happens?
Jennifer Whipple (12:21)
Yeah.
Well, and think the other part too, Adam, talking about all of the associations coming together, RMAI, NCBA, ACA, it's so important because when something happens and it's not handled appropriately, it affects all of us. It doesn't matter if you're a debt buyer, a third party debt collector, or a first party biller. It gets in the news and it affects all of us. And so making sure that when these things happen, we're handling it.
Jennifer Whipple (12:46)
to the best that we can and reacting the best that we can is important no matter which association we connect with.
Adam Parks (12:48)
Yeah, I agree with that wholeheartedly. I mean, we've seen too many really great organizations over the last couple of years that just aren't here anymore. And it's sad to watch knowing that, you know, it was probably a social engineering attack like most attacks are because the physical systems are SOC 2 type 2 certified, they're re-evaluating all the technical aspects and all of that.
But we are seeing an increase in attacks. mean, in just in the last three weeks, I've had more than three denial of service attacks against collection agencies, because we manage hundreds of websites across the industry. And so we see a lot of that. And we've had to put certain tools in place. And thank God for Cloudflare and other ways of kind of mitigating that type of traffic flow so that you're not degrading service. But if you haven't thought through those things in advance, you can't put that in place on the fly.
That kind of material, that type of technical protection needs to be in place. And how often do you run your incident response plan? We run it every six months. No matter what incident or no incident, we are running an incident response every six months just to make sure that everybody knows where they need to be and when and why. If we have to rapidly respond to a scenario, we wanna make sure that it's not, we're not learning as we go. We've got a defined plan.
Tim Collins (13:53)
That's it.
Adam Parks (14:09)
And that's something that goes all the way from my top executives all the way down to those that are on coding. Our administrative team has their role in that, but pretty much everybody in the organization gets deployed immediately when we have an incident response, regardless of whether or not there's actual penetration to the systems. Just the attempt of somebody penetrating the system requires us to respond. And I think that it's not that hard, right? You just have to put the plans in place.
Tim Collins (14:34)
now.
Jennifer Whipple (14:35)
Right.
And every day running a business, are, you know, trying to figure out how do I bring on more clients? How do I make sure my employees still work here? So that can become something that's lower level. That can become something that we say, IT's got that, or I hired this third party company, they managed that for me. They have that taken care of. When in reality, that's not necessarily the case. So I think what I'm most excited to go see is to learn what I don't know.
what I'm not paying attention to, and the things that I need to be asking the third party that I've hired to do the work, to do the penetration testing and scanning. What do I need to be asking them? What do I need to be looking at when I'm reading these reports? There was 3,000 attempts and zero got through. Is that all I need to know? Is there more that I need to be asking?
Tim Collins (15:03)
Right.
Adam Parks (15:23)
There's definitely more
but it sounds like the workshops would be a great place to ask those questions to the you know, to the professionals right then and there because I don't think that I hate to say it this way, but like debt collection companies are roughly 15 % unique, right? And so we're all facing a lot of the same challenges and problems from a technical perspective or from a self management perspective. And how are we going to address those? I think bringing together all of these groups because whether you're a debt buyer, a law firm or an agency, you've got the same
challenges when it comes to data security, when it comes to data transfer. Data at rest, data in transit, we've all heard the terminology, but what does it really mean and how can I start to build that into the plans that protect my organization?
Jennifer Whipple (16:02)
And I love being in a room where we have those kind of group sessions so that I can listen to what other people are asking and learn and sometimes be brave and vulnerable and be the one asking the question myself.
Tim Collins (16:15)
Yeah, absolutely. I know. And sometimes the answer is so simple. Like I was talking to a security expert the other day and he says, do you have it in paper? And I'm like, paper? We're digital. We don't do paper. It's like, what happens when your whole system's locked out and you're locked out? I'm like, I like paper. I'm going to get a binder, put it in there. Then you can flip through. Here's the alternative. Here's the, you know, that you have some of that stuff and you're not, your systems aren't completely locked out. It's like something that simple.
Adam Parks (16:15)
Sometimes the problem is you don't know the problem.
Tim Collins (16:41)
is that
that's the kind of stuff that you get and go, I'm going to take that away. got to take away. I to have a binder. We have this piece. The Jennifer's point, it needs to be a conversation that, you know, in smaller companies or big companies at all levels, as you talked about Adam, it needs to be a conversation with people like, okay, what happens when this happens and what do we do? And we just, we talked through it and you can do, you know, tabletop exercises once a year and you can do all that other stuff. And, you know, you're still trying to run your business, but this is, this is something that is impacting.
every industry, our clients especially, if you're in the medical space, I know that there's been a lot of ransomware against hospitals, clinics and all of that other stuff. And so having your clients come to this event is something that people should be thinking about also, because they can then hear what we're doing as an industry, get a little bit more comfortable that we've got what we need in a row and then have some takeaways themselves to be able to protect them because not only could your business be put on a business,
if you get shut down, if your clients get shut down and they're your major client, you're out of business now because they're not going be able to push any accounts out. They're not going to be able to do anything. They're not going be able to take payments. They're going be able to pay invoices or any of those things. And so this is a whole chain, you know, customers being hacked from the very beginning all the way through the backend where we're doing debt collection.
Tim Collins (17:58)
all that stuff. And so that's why I think it's so important, not just that that trade association is there. And it's, think, Adam, you made a great point. This is the first time in a long time since COVID that we've all worked together to say, Hey, look at, we need a unified front on how we're going to fix this and what we're going to focus on. And so they've all gotten together and said, okay, this event's happening. You should be there in Austin, get to Austin. And so that we can all learn, but it also needs to happen on that client front. I still think, I still think we're missing a little bit of that.
Some more on the fintech side feel more comfortable as we move over to the medical and it's more mom and pop and that kind of stuff. It's like we're seeing every single day, know, businesses being put on business by these ransomwares. They don't have a million bucks to pay to get their data accessed again. They can't get to it. They can't decrypt it because the encryption is so strong.
Jennifer Whipple (18:44)
Well, just looking at your own financials as a business owner myself, what would it look like to my company if my biggest medical client didn't list any accounts for 90 days? The financial impact and the trickle down effect to my company, my employees, that's pretty significant. So to your point, Tim, making sure that our clients are not putting themselves at risk, that's important too.
Tim Collins (18:54)
Right.
Adam Parks (18:56)
And making sure that they understand the insurance. Like that everything comes back to this insurance because the cost of a data breach is so high, the cost for notifying each one of the consumers that was affected, the cost of actually re accessing your data and go in the cost of all of the professionals that have to come in from a forensic standpoint to basically work backwards into what happened. It the expenses start to add up very, very fast. I mean, even a small hack can run you in the
Tim Collins (19:06)
And this conference for them too. Yeah.
Adam Parks (19:33)
millions, right? I've never heard of a cyber incident costing less than seven to eight figures.
Tim Collins (19:38)
Yeah, for sure. Because then get the, you know, not only now you get maybe the state attorney generals are involved, you get the FBI involved. So the only thing you're doing is talking to people about what happened and you're trying to figure it out and you don't have the same terminology. And that's why having the right experts there from the right insurance, the right investigators, claim adjusters, all of that kind of stuff is, so important. It's like a, it's a village. That's for sure. To be able to handle one of these situations.
Adam Parks (20:03)
Well, you guys are making me jealous that
I'm not going to be able to make it this year.
Tim Collins (20:06)
That's all right, we'll take really good notes. And we'll share that with
Adam Parks (20:08)
Take good note, I will be there
the next time around because this is a topic that I think is mission critical for the entire industry.
Tim Collins (20:15)
Agreed, agreed hands down, because to your point, Adam, it's only going to get worse with the AI. It's only going to get worse. So this level of sophistication we're already seeing is incredible. But let's just put all the hacks aside and all that other stuff. Every day mistakes happen because of humans, right? And so it's like somebody who can be printing off the letters to send out all the verification of debts, right, is off one letter.
Tim Collins (20:38)
And so now you've said to everybody's, so it's very, it's those kinds of situations too. It's like, okay, now what do I do and how do I respond? And understanding that there, every state now has their own and it's not just a 500 threshold. It's like, um, states like Rhode Island, you have one, there's all these notification requirements that have to happen. And thank goodness you don't have to tell the FTC or anybody else like that. But still you have all these things and understanding it whenever we have a incident, you know,
a security incident that there's things that have to happen and everybody needs to learn it because it's just too big. the ownership needs to learn it. The ops people need to learn it. Tech people need to learn it and they need to learn their part so they can all pull it together and have one big brain.
Adam Parks (21:19)
Well, I can't wait to hear more about what discussions have happened at this. I'm sure I'm going to be getting feedback. I'll be texting everybody that's there. I definitely got the FOMO for not being able to make it this year. But I'll definitely be there in the future because this is something that we all need to be looking at that we all need to be concentrating on and as insurance has changed pretty dramatically and the way in which that insurance is priced, I feel like this is a great opportunity.
for people to better understand the criteria that's being used to price those insurance policies and what they can put in place. It's almost like when you buy home insurance, if you've got an alarm system, I'm getting 15 % off. If I got this, I got this off, right? And I look at this in very much the same way through the conversations that I've been lucky enough to have with ACA mostly talking about how some of this insurance has come together and the types of programs that are being built by educating the underwriters.
Tim Collins (21:56)
Yes. Yeah.
Adam Parks (22:13)
But it's not just about educating the underwriters, it's about educating the people behind it as well, right? The people within our own organizations. And I'm gonna toss that book out there one more time because if you don't feel paranoid enough right now, read this one book, The Art of Deception by Kevin Mitnick, who was the most famous hacker in the world through the 90s and into the early 2000s. And it talks about some very specific...
Jennifer Whipple (22:35)
you
Adam Parks (22:36)
incidences that he was involved in through the years as a hacker or had pulled together as a cybersecurity consultant after he was out of jail and became one of the most well known cybersecurity professionals in the world. So I think if if you haven't, if you're not feeling paranoid enough, go take a look at that book. And I guarantee you, you're going to book a ticket to go to this event in Austin, Texas at the end of March, beginning of April.
But until then guys, thank you so much for coming on and sharing with me. I really do appreciate you informing me about what's going on at this event, because I think this is gonna be pretty fantastic and just so mission credit.
Jennifer Whipple (23:12)
Yeah, thanks Adam for having us. I'm really excited to see some other business owners, some other managers of agencies and have other people asking some of those lower level questions with me.
Tim Collins (23:21)
Yeah, thank you for doing this, Jennifer. It's always good to be with you on a presentation like this. We'll see you in Austin.
Adam Parks (23:27)
For those of you that are watching, you have additional questions you'd to ask Jennifer, Tim and myself, you can leave those in the comments on LinkedIn and YouTube and we'll be responding to those. Or if you have additional topics you'd like to see us discuss, you can leave those down in the comments below as well. And hopefully I can get these guys back at least one more time to help me continue to create great content for a great industry. But until next time, I really do appreciate all of your insights today. And thank you everybody for watching. We'll see you all again soon. Bye everybody.
