Risky Business with PaymentWorks: E9–The American Rescue Plan Act
John Wilkerson, General Counsel to Arkansas Municipal League, Discusses The American Rescue Plan Act
We first published on this topic back in October 2021. We’re updating it because many organizations are still struggling to automate vendor risk management in January 2024.
The pandemic impacted cities, companies and organizations in big ways. Enter ARPA, the American Rescue Plan Act. This funding is primarily geared towards fighting COVID, but there’s some leeway on using that money. Some have their sights on improving cybersecurity and are considering how to automate vendor risk management.
This podcast episode discusses how ARPA works, what it can be used for, and how it applies to cybersecurity. Whether your goal is to automate vendor risk management or just tighten up cybersecurity measures, this one’s worth a listen.
Key Takeaways on How to Automate Vendor Risk Management
#1. Get comfortable with ‘lost funds’
#2. Funnel money into cybersecurity
#3. It doesn’t have to be a ton of money…
#4. An ounce of prevention is worth a pound of cure
#5. Understanding your cybersecurity coverage is key
Must-Read Episode Quotes on How to Automate Vendor Risk Management
Welcome to Episode 9 of Risky Business with PaymentWorks!
John Wilkerson is so passionate about the American Rescue Plan Act that it feels like family.
“This has become my life’s work,” he says. “I will not have any more kids, I can’t imagine, but if I do, I will name him or her ARPA after the American Rescue Plan Act.”
If you think he’s kidding, guess again. Wilkerson has served the last 15 years as general counsel to the Arkansas Municipal League and takes great pride in helping 500 cities and towns across Arkansas develop and implement strategies to become stronger financially.
ARPA was passed by Congress in response to the COVID-19 pandemic, and while one big bucket of funding must go towards fighting COVID-19, there’s much more that can be done with the money that Congress has allocated.
Read the excerpt of the podcast below or listen in full here.
“(ARPA) is a once in a generation, perhaps once in a lifetime, direct federal funding stream to cities and towns and counties and states of America,” Wilkerson said.
“Every state is getting this sort of money, every city, every county, every town, every township, every borough. Whatever every other state calls their local government is getting this money. We haven’t seen the likes of it, I think, since the Johnson administration,” he continued.
Besides money allocated to fight COVID-19, ARPA also provides premium pay for employees on the front lines and funds for projects to support water, sewer and broadband infrastructure.
Cities, towns, counties and states can also use ARPA funds in situations where they have lost revenue due to the pandemic. Wilkerson says these “lost revenue” funds can be used in the event of a decrease in sales tax revenue as well as any other way the entity may have lost revenue, right down to concession stand sales at a Little League tournament.
And for these funds, there’s wide latitude in determining what you can spend it on.
In the episode, John discusses how to calculate lost revenue.
“Unless you’re buying a trip to Barbados for your family,” Wilkerson says, “you’re going to be able to use the lost revenue money for really anything.”
Among the many government services mentioned in a FAQ on the federal Treasury’s website is “modernization of cybersecurity, including hardware, software, and protection of critical infrastructure.”
Wilkerson is determined to make sure the cities to which he provides counsel take advantage of the unprecedented opportunity to pour money into cybersecurity.
“We’re very mindful of making sure that cybersecurity is emphasized around the cities and towns because we’ve seen how it could negatively impact you,” Wilkerson said. “So what we say is, an ounce of prevention is worth a pound of cure, probably a ton of cure, in the cybersecurity world. So we’re really pushing this a lot.”
Wilkerson doesn’t view devoting ARPA funds to cybersecurity as a luxury that lags far behind helping healthcare workers or visible infrastructure. Small towns that depend on broadband access for their citizens are just as susceptible to fraud as larger municipalities.
“It’s those sort of smaller towns that don’t think of themselves as risks that really become the risk,” he said. “Getting us over that hurdle of understanding and demystifying cybersecurity is probably the number one goal for us.”
Arkansas isn’t alone in pushing the use of ARPA funds to build up security infrastructure. The Vermont League of Cities and Towns recently published a brochure that provided four reasons why they should use ARPA money for cybersecurity improvements:
The bottom line is that the more cities realize ARPA funds are available to them, the more they can protect themselves from bad actors who don’t discriminate when choosing who their next victim will be.
“The way we look at it [cybersecurity] doesn’t have to cost your city or town a whole lot of money,” Wilkerson said. “It’s not a big investment to get started to really start the process of understanding how to better protect your city or town.”
John talked about a scam that hit Arkansas right before COVID involving a person stealing image signatures on checks and recreating the checks.
The scam ended up costing various cities and towns within the state roughly $1.8 million over the course of six to seven weeks.
It really put the focus on cybersecurity within Arkansas. This reminds us of another county that dealt with business payments fraud to the tune of $2.5 million before deciding to automate vendor risk management.
And let’s not forget the City of Vista, which, thanks to its pivot to automate vendor risk management, was able to stop an ARPA-related fraud from occurring on its watch.
The bottom line: once the impact is felt, no one ever wants to make that same mistake again. As John puts it, “An ounce of prevention is worth a pound of cure – probably a ton of cure, in the cybersecurity world.”
Part of the effort they’ve made is conducting training to show how to use the Rescue Plan money for cybersecurity. And to John’s surprise, they got a lot of questions about what cybersecurity is and what it really means.
Ultimately, John noted that starting with the basics – like moving to the cloud – can do a lot right from the start. Part of that is training teams and towns to demystify what the cloud is and how it can make things more secure.
“It’s trying to get people to understand the importance of it, which is not hard to do. But [also] understand that you don’t need to spend a million dollars to have some level of cyber security.”
John mentioned that insuring for cybersecurity is tough and many cities are unclear on how to insure against it. Not to mention, it can be extremely expensive and challenging to get if you don’t have your bases covered.
This gets even trickier when you look at the cascading impact of cybersecurity as it applies to your vendors. Sure, you might have cybersecurity for your organization or town ramped all the way up, but what about other organizations you do business with?
This is where understanding your insurance is highly advisable. You want to make sure it covers instances where the compromise happens on the vendor side of things.
Organizations that automate vendor risk management might be able to rest a bit easier knowing that they’re covered behind the scenes.
Additionally, many organizations that have the forethought to automate vendor risk management tend to have things in order when it comes to documenting procedures for vendor onboarding and change management, securing the vendor management process, and having a compliance plan. These are all very appealing qualities to a cybersecurity insurer who wants to know that there are no loose ends.
In sum, there’s a lot of room to make big improvements to security and risk mitigation. Whether you choose to automate vendor risk mitigation or round out other cybersecurity initiatives, you have until December 31, 2024, to obligate those funds.