AGENDA Executive Committee

June 25, 2015 The Davenport Grand ~ Spokane

8:00 am

MEMBER REPRESENTATIVE MEETINGS (find your Member Rep for meeting location)

9:00 am

GUEST PRESENTATION

1. Collision Avoidance/Active Safety Study Presentation by Ben Englander, VP Operations, Rosco, Inc.

Page #

*WP

11:00 am

CALL TO ORDER – President Nick Covey

1. Roll Call of Members and Introduction of Guests 2. Changes in Agenda/Motion to Accept Agenda

Sign-in sheet

CONSENT AGENDA

1. Minutes – May 28, 2015 2. May 2015 Administrative Vouchers/Checks – Total voucher approval of

$334,040.34 including staff payroll and internet/credit card payments. 3. May 2015 Claims Vouchers/Checks – Total voucher approval of

$1,203,192.41.

Page #

002 007

016

*WP #

ACTION ITEMS

1. Governance Policy: Budget Development 2. Governance Policy: Strategic Target Financial Ratios 3. Proposed Bylaw Changes

021 025 031

23 23

DISCUSSION ITEMS

1. Executive Committee 2015 Work Plan - Covey 2. Staff Salary Survey Update – Hatten 3. Driver Record Monitoring System: Purchase Update – Christianson 4. Network Security Consulting Services: Purchase Update – Christianson 5. Eligibility for Executive Committee Election - Franz 6. Staff Evaluations: Executive Director and General Counsel – Covey 7. Proposed amendment to the WSTIP Coverage Agreement to allow limited

non-monetary claims defense coverage - Hatten

050

053 054

075

3 8 9

SUBCOMMITTEE REPORTS

1. Governance Policy Committee – Verbal Report 2. Legislative Committee – No Report 3. Underwriting Committee Report – No Report 4. Nominations and Elections Committee – No Report 5. Board Development Committee – Verbal Report 6. Emerging Risks & Opportunities Committee –Verbal Report

23

21 22

2:00 pm RECAP and ADJOURN – President Nick Covey *WP = Work Plan Item #

Lunch @ 12:00 pm Work Session @ 1:15 pm Dinner @ 6:00 pm

Minutes of the Executive Committee Meeting

May 28, 2015 WSTIP Office, Olympia

Executive Committee Members Present: Staff Present: Wendy Clark-Getzin, Clallam Transit (Medium Member Rep) Nick Covey, Link Transit (President) Sara Crouch, Jefferson Transit (Small Member Rep) Emmett Heath, Community Transit (Vice President) Tom Hingson, Everett Transit (At-Large Member Rep) Ken Mehin, Grays Harbor Transit (Past-President) Diane O’Regan, C-Tran (Large Member Rep)

Anna Broadhead, Member Services Assistant Tracey Christianson, Member Services Manager Marisa Espinoza, Finance Specialist Ron Franz, General Counsel Al Hatten, Executive Director Jerry Spears, Deputy Director

Board Member Present: Guests Present: Ben Foreman, Intercity Transit Rob Huyck, Pierce Transit

Judy Clark, HR Answers (10:30 am – 11:30 am) Steve Higgins, PricewaterhouseCoopers (left @ 10:00) Kevin Wick, PricewaterhouseCoopers (left @ 10:00)

Call to Order President Covey called the meeting to order at 9:04 am. A sign in sheet was passed around the room. A quorum was determined to be present as Covey called for changes to the agenda. Clark-Getzin moved to accept the agenda. O’Regan seconded the motion and it passed. Guest Presentation Capital Funding Study Wick presented the Capital Funding Study to the Executive Committee and answered questions. Wick is scheduled to present the Capital Funding Study to the Board at the June Work Session. The study will help guide the Board as the 2016 budget is developed. Consent Agenda Minutes – April 16, 2015, April 2015 Administrative Checks and Vouchersi, April 2015 Claims Checks and Vouchersii Crouch moved to approve the consent agenda. Mehin seconded the motion and the motion passed. Action Items Jeffrey S. Ristau Scholarship Hatten talked about his spreadsheet with four applicants for the Jeffrey S. Ristau scholarship in the amount of $3,370 with the award for Sonya McKibbon being held until we receive confirmation of acceptance in the course. The Board approved $20,000 in the 2015 budget for this scholarship fund to be awarded with maximum amount of $1,000. Mehin moved to approve the expenditure of $3,370 from the scholarship fund. O’Regan seconded the motion and it passed.

AGRiP Advisory Standards Recognition Application Christianson explained how Shinners had come to the office to review the AGRiP Advisory Standards Recognition application and his methodology for reviewing the application and asked if anyone had questions. Hatten asked who had plans to attend AGRiP conference in Chicago. Covey, Clark-Getzin, and Foreman all said they plan to attend. Hatten asked if Covey would please accept the award on our behalf and he said he would. If you would like to attend the AGRiP Conference in Chicago, please let Broadhead know. Mehin moved to approve the AGRiP Advisory Standards Recognition application. Crouch seconded the motion and the motion passed. Quick break at 10:22 am and back into session at 10:32 am. Judy Clark, from HR Answers joined the meeting via conference call. Executive Session Staff Salary Survey Update The Executive Committee went into Executive Session at 10:33 am pursuant to RCW 42.30.110 for 27 minutes; they came out of session at 11:00 am and extended the session for an additional 30 minutes. The Executive Committee came out of Executive Session at 11:30 am. The Executive Committee may hold a special Executive Committee meeting before the June Executive Committee meeting to discuss information gathered by HR Answers. Discussion Items Executive Committee 2015 Work Plan The committee reviewed items on the work plan noting that the projects all appear to be on target. The Executive Committee broke for lunch at 11:35 am and resumed their meeting at 12:01 pm. Staff Salary Survey Update Discussed previously in Executive Session. Driver Record Monitoring System: Purchase Update Christianson said she had nothing significant to report since the last meeting we are moving forward putting together a new contract with Data Driven Safety for Driver Record Monitoring Services we had a meeting scheduled for May 22 but it was cancelled and rescheduled for June 4 due to an illness. We have hired outside legal counsel to help us negotiate the contract (the same counsel helped us negotiate the contract with Origami). Covey asked Christianson to talk about the driver abstract issue that was in the May 27 edition of TransACTION. Christianson explained that in January of 2014 commercial drivers’ license (CDL) holders had to self-certify whether they “interstate, intrastate or non-excepted interstate.” If the CDL holder failed to self-certify, their CDL became invalid on January 30, 2014. We notified all members that the Department of Licensing was not pushing abstracts when this happened and consequently our driver record monitoring system was not catching these situations. Christianson said she advised the Envision administrators that each driver had to be tracked individually, by hand, to ensure they self-certified. In the situation described in TransACTION, the CDL holder failed to self-certify and it wasn’t caught until the CDL tried to renew his CDL. The individual had been driving for a year without a CDL. This particular driver is now re-taking the CDL training, and will have to retest to get their CDL license back. Since that situation arose, WSTIP has sent your administrators a list of employees with Class D (personal) licenses, and asked you to verify that none of those employees are in fact supposed to be CDL holders. If you have further questions regarding this topic, please contact Christianson.

Network Security Consulting Services: Purchase Update Christianson said they had started contract negotiations with the highest scored proposal, asked them to submit a final proposal, which they did. But bottom line, their pricing was very high. We have a meeting scheduled with vendor number two, and if that doesn’t go well we will go back out with our Request for Proposal (RFP). Proposed Bylaw Changes Franz said he had revised the Bylaws based on discussion at the prior Executive Committee meeting. Hingson felt Franz had captured the essence of the conversation very well. After a brief discussion the committee asked Franz to remove bullet B from Section 16 and change bullet A to say any officer position shall be filled by the past president. This topic will be an action item for the next Executive Committee Meeting and if approved the Board meeting. Best Practice for Mobility Device Securement *DRAFT* Christianson said this Best Practice is being presented in draft form as it is strongly worded and encouraged feedback from committee members. She explained the process of developing this Best Practice, reminding them that this Best Practice is part of the Strategic Plan, and at some point may become a mandatory Best Practice should the Board choose to do so. Hingson questioned the need for cycling the lift during the pre-trip inspection as that really doesn’t tell you if the lift is going to fail while in service. Christianson explained that both California and Ohio have had losses due to lift malfunction. Hingson is concerned that cycling the lift adds time to the pre-trip inspection which affects costs. O’Regan questioned the jargon being used on number 14. Christianson explained that during procurement you need to ensure that your securement straps are able to withstand 2500 pounds of force. Christianson will work on the language of number four. Collision Avoidance/Active Safety Study Spears updated attendees on the collision avoidance/active safety study. He had attended a statewide summit with WSDOT, King County Metro, and Pierce (Mike Burress from Community wasn’t available), two vendors attended and gave presentations on their products. King County Metro completed a pilot with talking buses. Spears talked about funding for our study and the grant application the Pool had submitted to Transportation Research Board (TRB) IDEA grant to double our money to $200,000. This project is the first research and development project for transit in the United States. Currently WSTIP plans to put technology on five busses at five members (Community, Pierce, C-Tran, Intercity and Spokane). King County Metro is also raised some money and is planning to run a pilot as well. Heath asked if there were a way to collaborate with King County Metro and said he would be happy to facilitate meetings with King County Metro. There will be presentation at the June Board Meeting from Rosco. If you have questions regarding this project, please contact Spears. Electronic Signatures and DocuSign Hatten said staff plan to implement electronic signatures very soon for Board documents. Spears said he enjoyed calling Heath and Covey asking them to electronically sign the IDEA grant for TRB. Christianson said we asked Franz what we had to do to make electronic signatures work, Franz said we are covered under the authentication act. However, legislature has tinkered with this piece of legislation and it is not clear what we can and cannot do, so we are going to look at this one more time before we implement. Succession Planning Hatten said this is on the work plan with respects to his pending retirement (December 2017) and would

like the Board to begin the discussions about the process of finding a new Executive Director. He explained the process that Government Entities Mutual, Inc. (GEM) was going through in their effort to hire a new Chief Executive Officer (CEO). Heath said if there are competent qualified people internally within staff or on the Board, and if there are promote from within, if there aren’t then go down the nationwide search path. There will be more discussions regarding this topic. Staff Reports Executive Staff Report Hatten reported that we have received 22 of the 25 members Interlocal Agreements (ILA); we are still waiting on Pierce, Pullman and Spokane who all have the ILA on their agendas. He reported that after having conversations with the Pool’s certified public accountant (CPA) regarding the taxability of scholarship awards, and as long as recipient is attending an accredited college the scholarship is not taxable and any amount above $600 at a non-accredited college is taxable, so staff suggest not awarding more than $500 for anyone not attending an accredited college. Staff will send out new posters for you to post at your agencies. He spoke briefly on upcoming travel, meetings, and board development opportunities. Christianson said there are several member activities going on, Risk Profiles are underway as well as the Annual Report which will be delivered at the June Quarterly Meeting. Spears said he would be submitting a report to the state risk managers’ office, implementation of the new database system is going well, and Denise is hosting her 18th Annual Claims Coordinators conference next week. We’ve received the 2014 miles and employee counts; mileage is flat and employee counts and exposures remained static. Sub-Committee Reports Governance Policy Committee No report. Meeting scheduled immediately following this meeting. Legislative Committee Hatten updated the committee on the current proposed changes regarding removing non-profits from the public entity forum of pooling. Underwriting Committee No report. Nominations and Elections Committee No report. Board Development Committee No report. Scheduled to meet immediately following Executive Committee meeting. Emerging Risks and Opportunities Committee The Committee’s charter was included for review. A meeting is scheduled June 2 at 10:30 am at the WSTIP office in Olympia. Executive Session The Executive Committee went into Executive Session to discuss open claims to RCW 48.62.101 at 1:32 pm for not to exceed 25 minutes. The Executive Committee came out of Executive Session at 1:55 pm giving staff specific settlement authority.

Recap/Review Covey recapped the meeting stating what had been accomplished and what was coming up in June. The Executive Committee is expecting more information from HR Answers and may hold a special Executive Committee meeting prior to the June meeting, Franz will bring the Bylaws back, Best Practice for Mobility Device Securement will come back, Collision Avoidance will be presented, Capital Funding Study comes back, and more to come on electronic signatures. Adjournment Covey adjourned the meeting at 2:00 pm. Submitted this 25 day of June 2015. Approved: ________________________________ Paul Shinners, Secretary

i Check numbers 25431 through 25492 in the amount of $263,875.18. Internet transfers of $49,152.50 for the 04/15/15 payroll, $45,344.19 for the 04/30/15 payroll and $7,787.31 for Staff Benefits for 04/2015 from the WSTIP Administration Account to the WSTIP Payroll Account at US Bank. Internet and ACH payments for staff credit cards, travel/expense reimbursements and professional/misc. services total $34,903.70. Total voucher approval, including April 2015 staff payroll and Internet and ACH payments is $401,062.88. ii Check numbers 7110 through 7207 in the amount of $342,033.27. Total voucher approval is $342,033.27.

May 2015 Administration Voucher Approval May 1st to May 31st 2015 vouchers audited and certified by the auditing officer as required by RCW 42.24.080, and those expense reimbursement claims certified as required by RCW 42.24.090, have been recorded on a listing which has been e-mailed to the Executive Committee members on June 18, 2015. ACTION: I, __________________________, as of this date, ________________________, 2015 Move that the following checks be approved for payment: Vouchers: Check Numbers 25493 through 25549 in the amount of $206,035.44. Internet transfers of $44,281.99 for the 05/15/15 payroll, $44,330.01 for the 05/31/15 payroll and $7,785.59 for Staff Benefits for 05/2015 from the WSTIP Administration Account to the WSTIP Payroll Account at US Bank. Internet and ACH payments for staff credit cards, travel/expense reimbursements and professional/misc. services total $31,607.31. Total voucher approval requested, including May 2015 staff payroll and Internet and ACH payments is $334,040.34. The motion was seconded by _________________________________and approved by a unanimous vote. I, the undersigned, PRESIDENT/VICE PRESIDENT OF THE WASHINGTON STATE TRANSIT INSURANCE POOL (WSTIP) of the state of Washington, do hereby certify that the merchandise or services, herein specified have been received and the following checks are approved for payment. ___________________________________ PRESIDENT/VICE-PRESIDENT ___________________________________ DATE

Washington State Transit Insurance PoolMay 2015 Administration VouchersUS Bank Administration Account

Date Num Payee Description Account Amount

05/01/2015 25493 CenturyLink Telephone Services 300 · Accounts payable 713.3405/01/2015 25494 Clallam Travel Reimbursement - W. Clark-Getzin 300 · Accounts payable 532.6505/01/2015 25495 Columbia County Public Trans 2015 Risk Management Grant 300 · Accounts payable 2,500.0005/01/2015 25496 Comcast Comcast Business Services 300 · Accounts payable 288.0605/01/2015 25497 DianeO'Regan Travel Reimbursement 300 · Accounts payable 124.2005/01/2015 25498 FedEx FedEx Services 300 · Accounts payable 55.1905/01/2015 25499 Hermanson Company, LLP HVAC Services 300 · Accounts payable 1,005.4805/01/2015 25500 K&L Gates LLP Software Subscription Agreeement 300 · Accounts payable 5,000.0005/01/2015 25501 Kevin Futrell Travel Reimbursement 300 · Accounts payable 288.4705/01/2015 25502 MCS HVAC IT System Check 300 · Accounts payable 334.0205/01/2015 25503 Olympic View Group Inc. Mason Transit Community Center 300 · Accounts payable 1,500.0005/01/2015 25504 RICOH USA, Inc (Pasadena) Additional Images 300 · Accounts payable 196.5705/01/2015 25505 Wendy Clark-Getzin Travel Reimbursement 300 · Accounts payable 9.0005/04/2015 25506 Joanne Kerrigan Travel Reimbursement 300 · Accounts payable 816.6805/07/2015 ACH Anna Broadhead Travel Reimbursement 300 · Accounts payable 865.4505/07/2015 25507 Alliant Insurance - Newport Beach 2015-2018 Pollution Liability Renewal 300 · Accounts payable 130,139.7205/07/2015 25508 Carlson, McMahon & Sealby, PLLC Columbia County 300 · Accounts payable 280.0005/07/2015 25509 Crystal & Sierra Springs Bottled Water 300 · Accounts payable 50.4005/07/2015 25510 PRICEWATERHOUSE COOPERS 2015 Capital Modeling Study 300 · Accounts payable 15,000.0005/07/2015 25511 Seraphim Consulting & Training Solutions Dispatcher Training Train-the-Trainer 300 · Accounts payable 4,561.0005/07/2015 25512 Summit Law Group Prelitigation - Multiple 300 · Accounts payable 2,621.0005/11/2015 25513 Enterprise Rent A Car - Los Angeles Rental Car Exp - K. Thornton 300 · Accounts payable 30.3205/11/2015 25514 Tracey Christianson Travel Reimbursement 300 · Accounts payable 565.9305/13/2015 ACH Christian DeVoll Travel Reimbursement 300 · Accounts payable 1,702.8505/14/2015 ACH Geneva Financial Services, Inc. Professional Services - Multiple 300 · Accounts payable 6,616.2505/14/2015 25515 American Driving Records Driver Abstracts - Reports 300 · Accounts payable 75.7505/14/2015 25516 Consolidated Technology Services Technology Services 300 · Accounts payable 583.7205/14/2015 25517 Grant Transit Authority WSTTC EPA 608 Reimbursement 300 · Accounts payable 50.0005/14/2015 25518 Hermanson Company, LLP HVAC Services 300 · Accounts payable 733.7305/14/2015 25519 ISO Services, Inc. Maintenance Fee 300 · Accounts payable 25.0005/14/2015 25520 Kiehl Northwest LLC WSTTC Registration App 300 · Accounts payable 260.0005/14/2015 25521 KitsapTransit Guest Rider - Yakima Transit 300 · Accounts payable 1,077.5405/14/2015 25522 Lemay - Pacific Disposal Recycling Services - April 300 · Accounts payable 93.0305/14/2015 25523 McSwain and Company, PS Accounting Services 300 · Accounts payable 702.0005/14/2015 25524 National Maintenance Contractors Janitorial Services - May 300 · Accounts payable 200.9705/14/2015 25525 Network Computing Architects, Inc. Cisco Firewall & Traffic Filter Licenses 300 · Accounts payable 1,519.0505/14/2015 25526 Office Depot Office Supplies 300 · Accounts payable 417.6005/14/2015 25527 Puget Sound Energy Electric Utilities 300 · Accounts payable 513.4605/14/2015 25528 RICOH USA, Inc Copier Lease 300 · Accounts payable 481.6905/14/2015 25529 Verizon Wireless Staff Wireless Services 300 · Accounts payable 378.2205/14/2015 25530 WA State Dept of Revenue Leashold Tax Assessment 2012-2014 300 · Accounts payable 2,689.0005/19/2015 ACH Data Driven Safety, Inc. Driver Record Monitoring 300 · Accounts payable 22,044.0005/19/2015 25531 Radisson Gateway Hotel 2015 Trainers Showcase - Lodging/Banquet Fees 300 · Accounts payable 2,940.9305/22/2015 25532 AGRiP 2015 Advisory Standards Recognition App 300 · Accounts payable 600.00

Page 1 of 2

Washington State Transit Insurance PoolMay 2015 Administration VouchersUS Bank Administration Account

Date Num Payee Description Account Amount

05/22/2015 25533 AP Design Works LLC New Board Member Newsletter Masthead 300 · Accounts payable 332.5005/22/2015 25534 City of Pullman - Pullman Transit Guest Rider - RiverCities 300 · Accounts payable 1,244.6705/22/2015 25535 CityofYakima Reimbursement for WSTTC Registration 300 · Accounts payable 50.0005/22/2015 25536 Enduris Washington Bazzell Training 300 · Accounts payable 861.8405/22/2015 25537 Everett Transit 2015 Risk Management Grant 300 · Accounts payable 2,500.0005/22/2015 25538 Hewlett-Packard Company - IL HP Desktop 300 · Accounts payable 836.9205/22/2015 25539 HR Answers, Inc. 2015 Salary Survey 300 · Accounts payable 2,012.6705/22/2015 25540 Law Lyman Daniel Kamerrer & Bogdanovich Mason Transit / RMIS RFP 300 · Accounts payable 719.5505/22/2015 25541 M. Jerry Spears Travel Reimbursement 300 · Accounts payable 212.7505/22/2015 25542 Washington State Transit Association 2015 WA State Roadeo 300 · Accounts payable 9,500.0005/27/2015 Internet American Express Costco (Jerry) Credit Card Exps - Jerry Spears 300 · Accounts payable 378.7605/29/2015 25543 Allen Hatten Travel Reimbursement 300 · Accounts payable 845.8305/29/2015 25544 CenturyLink Telephone Services 300 · Accounts payable 715.2005/29/2015 25545 Comcast Comcast Business Services 300 · Accounts payable 288.0605/29/2015 25546 Crisis Reality Training, Inc. Verbal S.W.A.T. Training Course 300 · Accounts payable 2,622.4305/29/2015 25547 FedEx FedEx Services 300 · Accounts payable 83.0105/29/2015 25548 Hermanson Company, LLP HVAC Services 300 · Accounts payable 1,184.2905/29/2015 25549 Summit Law Group Asotin/Columbia/Clallam 300 · Accounts payable 2,072.00

237,642.75

05/07/2015 5835 Health Care Authority Staff Benefits - Inv Month: 05/2015 300 · Accounts payable 7,785.5905/15/2015 Wire Trans WSTIP Payroll Account 05/15/2015 Payroll & Taxes 300 · Accounts payable 44,281.9905/31/2015 Wire Trans WSTIP Payroll Account 05/31/2015 Payroll & Taxes 300 · Accounts payable 44,330.01

Total 334,040.34

Page 2 of 2

May 2015 Claims Voucher Approval May 1st to May 31st 2015 vouchers audited and certified by the auditing officer as required by RCW 42.24.080, and those expense reimbursement claims certified as required by RCW 42.24.090, have been recorded on a listing which has been e-mailed to the Executive Committee members on June 18, 2015. ACTION: I, __________________________, as of this date, ________________________, 2015 Move that the following checks be approved for payment: Vouchers: Check Numbers 7208 through 7348 in the amount of $1,203,169.91. ACH payment(s) for expert/professional services total $22.50.Total voucher approval requested is $1,203,192.41. The motion was seconded by _________________________________and approved by a unanimous vote. I, the undersigned, PRESIDENT/VICE PRESIDENT OF THE WASHINGTON STATE TRANSIT INSURANCE POOL (WSTIP) of the state of Washington, do hereby certify that the merchandise or services, herein specified have been received and the following checks are approved for payment. ___________________________________ PRESIDENT/VICE-PRESIDENT ___________________________________ DATE

Washington State Transit Insurance PoolMay 2015 Claims VouchersUS Bank Claims Account

Date Num Payee Description Account Amount

05/01/2015 7208 Affordable Injury Attorneys, LLC 2012 Denise Moore BI Settlement - ET 301 · Claims Payments 19,250.0005/01/2015 7209 Autumn Keck 2014 Keck BI Settlement - ET 301 · Claims Payments 4,357.0005/01/2015 7210 Barry M. Woodard 2013 Ruben Vasquez BI Settlement - YT 301 · Claims Payments 6,000.0005/01/2015 7211 C-TRAN - Vancouver 2015 Subro PD Pmt 301 · Claims Payments 3,114.7105/01/2015 7212 Case Forensics 2014 Expert Witness - C-TRAN 301 · Claims Payments 1,082.5005/01/2015 7213 CCC Information Services, Inc. Appraisal Fees - Multiple 301 · Claims Payments 190.9505/01/2015 7214 COMMUNITY Transit 2015 Subro PD & LoU Pmt 301 · Claims Payments 785.2005/01/2015 7215 Craig Swapp & Associates 2013 Kimberly & Brian McCann BI Settlement- STA301 · Claims Payments 10,000.0005/01/2015 7216 Discovery Health Partners 2014 Ferrari Med Lien - ST 301 · Claims Payments 433.3805/01/2015 7217 Eastside Subaru 2015 Coleman Rental Car Exp - CT 301 · Claims Payments 295.6505/01/2015 7218 Exponent, Inc. 2011 Expert Witness - PuT 301 · Claims Payments 20,639.0005/01/2015 7219 Frank McDaniel 2015 McDaniel PD Landscaping Exps - CT 301 · Claims Payments 662.4605/01/2015 7220 Gettie Paulus 2014 Paulus Diminished Value - KT 301 · Claims Payments 2,000.0005/01/2015 7221 Intercity Transit 2010 Subro PD Pmt 301 · Claims Payments 1,170.0005/01/2015 7222 James, Sanderson & Lowers 2012 Fierro Med Records - PiT 301 · Claims Payments 130.0705/01/2015 7223 Jerry's Auto Rebuild 2015 Hanson PD Repairs - KT 301 · Claims Payments 1,755.5105/01/2015 7224 JG McDonald and Associates Adjusting Fees - Multiple 301 · Claims Payments 2,706.4005/01/2015 7225 Larry Scott 2014 Scott BI Settlement - KT 301 · Claims Payments 700.0005/01/2015 7226 Law Office of James M. Kristof 2011 Jean Boone PD Settlement - MTA 301 · Claims Payments 1,970.9605/01/2015 7227 Minor & James Medical PLLC 2011 Fassel Med Review - PiT 301 · Claims Payments 1,875.0005/01/2015 7228 Nicholas Eggen 2014 Eggen BI Settlement - ET 301 · Claims Payments 5,000.0005/01/2015 7229 Paine Hamblen LLP Legal Fees - Multiple 301 · Claims Payments 38,640.7305/01/2015 7230 Partners Claim Services Adjusting Fees - Multiple 301 · Claims Payments 5,266.2005/01/2015 7231 Pedro Garcia, Jr. 2014 Garcia, Jr. BI Settlement - STA 301 · Claims Payments 3,000.0005/01/2015 7232 Pierce Transit 2015 1st Qtr TPA Adjusting Fees 301 · Claims Payments 4,942.5005/01/2015 7233 Progressive Direct Insurance Co 2015 Melanie Cochran PD Settlement - CT 301 · Claims Payments 6,752.4605/01/2015 7234 Property & Casualty Ins Co of Hartford 2015 Opel Rental/PD Settlement - CT 301 · Claims Payments 3,147.4405/01/2015 7235 Puget Sound Orthopaedics 2011 Boone Records Review - MTA 301 · Claims Payments 5,750.0005/01/2015 7236 Reinig Barber & Henry 2014 Ileana Torres BI Settlement - BFT 301 · Claims Payments 750.0005/01/2015 7237 Rivera Law Offices, PLLC 2011 Jean Boone BI Settlement - MTA 301 · Claims Payments 15,000.0005/01/2015 7238 Robert Brongil 2015 Brongil Roof/Gutter Repairs - ET 301 · Claims Payments 328.5005/01/2015 7239 Rose City Adjusters LLC 2014 Adjusting Fees - BFT 301 · Claims Payments 352.5005/01/2015 7240 Sound Vision Video Production 2012 Video Deposition Fees - C-TRAN 301 · Claims Payments 82.1305/01/2015 7241 Vander Stoep, Remund, Blinks & Jones 2011 Mediation Fees - MTA 301 · Claims Payments 437.5005/01/2015 7242 Zaremba Claims Service - Yakima 2012 Adjusting Fees - BFT 301 · Claims Payments 1,219.7505/04/2015 7243 Anthem Blue Cross and Blue Shield 2011 Robert Fassel BI Settlement - PiT 301 · Claims Payments 150,000.0005/07/2015 7244 Alexis Temko 2015 Temko PD Settlement - PiT 301 · Claims Payments 2,437.5505/07/2015 7245 Barbara Jessen, MD, PS 2008 Gilmore Med Review - JT 301 · Claims Payments 2,500.0005/07/2015 7246 Becker Rovang, PLLC Legal Fees - Multiple 301 · Claims Payments 37,024.1605/07/2015 7247 Carlson, McMahon & Sealby, PLLC Legal Fees - Multiple 301 · Claims Payments 10,158.4605/07/2015 7248 CC Reporting & Videoconferencing 2010 Deposition Fees - STA 301 · Claims Payments 1,533.3505/07/2015 7249 Charles Lapresta 2015 Lapresta PD Settlement - CT 301 · Claims Payments 1,166.6505/07/2015 7250 City of Portland 2015 COP Electrical PD Repairs - C-TRAN 301 · Claims Payments 1,088.9005/07/2015 7251 COMMUNITY Transit 2015 Subro PD & LoU Pmt 301 · Claims Payments 92.10

Page 1 of 4

Washington State Transit Insurance PoolMay 2015 Claims VouchersUS Bank Claims Account

Date Num Payee Description Account Amount

05/07/2015 7252 Daniel K. Nuner 2012 Expert Witness - C-TRAN 301 · Claims Payments 1,423.6505/07/2015 7253 Darla Greene 2014 Greene BI Settlement - STA 301 · Claims Payments 1,000.0005/07/2015 7254 Evan D. Hull 2012 Ferguson Guardian Ad Litem Fees - C-TRAN301 · Claims Payments 1,500.0005/07/2015 7255 Investigative Training Service, LLC Expert Witness - Multiple 301 · Claims Payments 3,487.5005/07/2015 7256 Island Transit 2015 Subro PD Pmt 301 · Claims Payments 2,823.7505/07/2015 7257 Kassa Insurance Services, Inc. Adjusting Fees - Multiple 301 · Claims Payments 1,525.7005/07/2015 7258 Kim Pistole 2015 Pistole PD Settlement - CT 301 · Claims Payments 783.6505/07/2015 7259 Lacamas Legal 2012 For the Benefit of Summer Ferguson - C-TRA301 · Claims Payments 3,089.5605/07/2015 7260 Marta Costa 2015 Costa PD Repairs - KT 301 · Claims Payments 429.3705/07/2015 7261 Mason General Hospital 2015 Kerns Med Records - MTA 301 · Claims Payments 18.9505/07/2015 7262 Northwest Medical Experts 2012 Fierro Med Review - PiT 301 · Claims Payments 2,250.0005/07/2015 7263 Progressive Direct Insurance Co 2015 Rodriguez Rental & PD Pmt - STA 301 · Claims Payments 518.6505/07/2015 7264 Putnam Lieb Potvin 2012 Tyler Scott BI Settlement - IT 301 · Claims Payments 85,000.0005/07/2015 7265 Rose City Adjusters LLC 2015 Adjusting Fees - C-TRAN 301 · Claims Payments 438.5205/07/2015 7266 State Farm Insurance Co. - IL 2014 Petersen PD Pmt - YT 301 · Claims Payments 1,595.4005/07/2015 7267 Summit Law Group 2012 Legal Fees - PiT 301 · Claims Payments 1,440.8505/07/2015 7268 Zaremba Claims Service - Yakima Adjusting Fees - Multiple 301 · Claims Payments 3,645.4705/07/2015 7269 VOID: OrigamiRisk Check Printing Setup 301 · Claims Payments 0.0005/11/2015 7270 Aronberg Goldgehn Davis & Garmisa 2015 Battelle Memorial/Xie Med Pmt - BFT 301 · Claims Payments 324.1305/11/2015 7271 Carlson, McMahon & Sealby, PLLC 2012 Legal Fees - BFT 301 · Claims Payments 11,495.6105/11/2015 7272 COMMUNITY Transit Claims Pmts - Multiple 301 · Claims Payments 703.3205/11/2015 7273 Exponent, Inc. 2011 Expert Witness - STA 301 · Claims Payments 2,790.0005/11/2015 7274 Investigative Training Service, LLC 2010 Expert Witness - STA 301 · Claims Payments 2,025.0005/11/2015 7275 Lacey Collision Center Inc. 2015 Dela Cruz PD Repairs - IT 301 · Claims Payments 2,284.3405/11/2015 7276 Law Lyman Daniel Kamerrer & Bogdanovich Legal Fees - Multiple 301 · Claims Payments 11,003.7205/11/2015 7277 LINK 2015 Subro PD & LoU Pmt 301 · Claims Payments 1,242.5005/11/2015 7278 Rose City Adjusters LLC 2015 Adjusting Fees - BFT 301 · Claims Payments 1,007.5005/11/2015 7279 SAFECO Insurance Company - MO 2014 Yu PD Settlement - PiT 301 · Claims Payments 3,425.8305/11/2015 7280 Thad Jacobsen 2015 Jacobsen Wheel/PD Settlement - WTA 301 · Claims Payments 5,648.7205/11/2015 7281 Vital Chiropractic 2015 Wallace BI Settlement - ST 301 · Claims Payments 4,754.0005/11/2015 7282 Whidbey General Hospital 2014 Wallace Med Specials - ST 301 · Claims Payments 2,514.0005/14/2015 ACH Geneva Financial Services, Inc. 2014 Expert Witness - JT 301 · Claims Payments 22.5005/14/2015 7283 Maxey Law Office PLLC 2010 Gary Gonwick BI Settlement - STA 301 · Claims Payments 75,000.0005/14/2015 7284 Becker Rovang, PLLC Legal Fees - Multiple 301 · Claims Payments 15,637.4205/14/2015 7285 CCC Information Services, Inc. Appraisal Fees - Multiple 301 · Claims Payments 191.4905/14/2015 7286 Christie Law Group, PLLC 2011 Legal Fees - KT 301 · Claims Payments 58.5005/14/2015 7287 COMMUNITY Transit Claims Pmts - Multiple 301 · Claims Payments 819.8405/14/2015 7288 Graham Lundberg Peschel (Spokane) 2012 Mark Cuillier BI Settlement - BFT 301 · Claims Payments 55,000.0005/14/2015 7289 JG McDonald and Associates 2010 Adjusting Fees - STA 301 · Claims Payments 2,349.7905/14/2015 7290 Jolee Rogelstad 2015 Rogelstad PD Settlement - WTA 301 · Claims Payments 800.0005/14/2015 7291 Juan Olivera 2012 Olivera BI Settlement - BFT 301 · Claims Payments 250.0005/14/2015 7292 Likkel & Associates 2014 Deposition Fees - IsT 301 · Claims Payments 962.0005/14/2015 7293 Paine Hamblen LLP 2011 Legal Fees - STA 301 · Claims Payments 137.7005/14/2015 7294 Partners Claim Services Adjusting Fees - Multiple 301 · Claims Payments 3,264.0005/14/2015 7295 Rose City Adjusters LLC 2015 Adjusting Fees - BFT 301 · Claims Payments 472.5005/14/2015 7296 Spokane Transit Authority 2015 Subro LoU Pmt 301 · Claims Payments 150.00

Page 2 of 4

Washington State Transit Insurance PoolMay 2015 Claims VouchersUS Bank Claims Account

Date Num Payee Description Account Amount

05/14/2015 7297 WA Physical Therapy & The Fitness Center 2012 Olivera Med Specials - BFT 301 · Claims Payments 1,458.0005/14/2015 7298 Zaremba Claims Service - Yakima Adjusting Fees - Multiple 301 · Claims Payments 1,891.9005/18/2015 7299 Gerber Collision & Glass 2015 Coble PD Repairs - IsT 301 · Claims Payments 2,739.6405/18/2015 7300 Glenn Wallace 2014 Wallace BI Settlement - ST 301 · Claims Payments 3,500.0005/18/2015 7301 Maxey Law Office PLLC 2013 For the Benefit of Ruth Nichols - STA 301 · Claims Payments 23,250.0005/19/2015 7302 Scheer & Zehnder, LLP 2011 Robert Fassel BI Settlement - PiT 301 · Claims Payments 350,000.0005/22/2015 7303 Bean, Gentry, Wheeler & Peternell PLLC 2012 Mediation Fees - IT 301 · Claims Payments 1,100.0005/22/2015 7304 Becker Rovang, PLLC 2012 Legal Fees - IT 301 · Claims Payments 2,273.1005/22/2015 7305 Bellingham Physical Therapy, LLC 2015 Asfour Med Records - WTA 301 · Claims Payments 38.1705/22/2015 7306 CCC Information Services, Inc. 2015 Appraisal Fees - BFT 301 · Claims Payments 54.9405/22/2015 7307 Charlene M. Beck, CCR, RPR 2012 Deposition Fees - CCPT 301 · Claims Payments 845.7505/22/2015 7308 Farmers Insurance Group 2015 Hok Rental Car - CT 301 · Claims Payments 2,669.2405/22/2015 7309 Group Health Cooperative - Spokane 2013 Geleynse Med Specials - WTA 301 · Claims Payments 1,175.2505/22/2015 7310 JG McDonald and Associates Adjusting Fees - Multiple 301 · Claims Payments 2,304.0005/22/2015 7311 Kassa Insurance Services, Inc. Adjusting Fees - Multiple 301 · Claims Payments 2,805.4005/22/2015 7312 Kemper Services Group 2015 Scott Supplemental PD Repairs - CT 301 · Claims Payments 177.2305/22/2015 7313 Law Lyman Daniel Kamerrer & Bogdanovich 2015 Legal Fees - IT 301 · Claims Payments 151.2505/22/2015 7314 Meridian Collision Center 2015 Knowlton PD Repairs - PiT 301 · Claims Payments 1,828.5705/22/2015 7315 Michael's Auto Body 2015 Lima PD Repairs - BFT 301 · Claims Payments 7,651.6405/22/2015 7316 Northwest Document Retrieval, LLC 2011 Engen Med Records - GTA 301 · Claims Payments 736.9905/22/2015 7317 O.M.A.C 2013 Dybbro Med Review - KT 301 · Claims Payments 367.5005/22/2015 7318 Paine Hamblen LLP Legal Fees - Multiple 301 · Claims Payments 18,717.1705/22/2015 7319 Paint Factory 2015 Finney PD Repairs - KT 301 · Claims Payments 1,500.2705/22/2015 7320 Partners Claim Services Adjusting Fees - Multiple 301 · Claims Payments 2,849.5005/22/2015 7321 Rose City Adjusters LLC 2013 Adjusting Fees - C-TRAN 301 · Claims Payments 1,881.9905/22/2015 7322 SAFECO Insurance Company - MO 2014 McLaughlin PD Settlement - PiT 301 · Claims Payments 1,458.4105/22/2015 7323 Sound Vision Video Production 2008 Deposition Fees - JT 301 · Claims Payments 542.1305/22/2015 7324 State Farm Insurance Co. - GA 2015 Poirier Subro PD Pmt - STA 301 · Claims Payments 4,965.7605/22/2015 7325 Trew Auto Body, Inc. 2015 Harlow PD Repairs - KT 301 · Claims Payments 791.8905/22/2015 7326 Williams, Kastner & Gibbs PLLC Legal Fees - Multiple 301 · Claims Payments 11,684.3705/22/2015 7327 Applied Cognitive Sciences, Inc. 2012 Expert Witness - CCPT 301 · Claims Payments 4,500.0005/22/2015 7328 Mary Kerns 2015 Kerns BI Settlement - MTA 301 · Claims Payments 788.0005/29/2015 7329 Allstate Payment Processing Center 2014 Blanchard PIP Pmts - C-TRAN 301 · Claims Payments 10,000.0005/29/2015 7330 Becker Rovang, PLLC 2014 Legal Fees - KT 301 · Claims Payments 5,348.6005/29/2015 7331 C-TRAN - Vancouver 2015 Subro PD & LoU Pmt 301 · Claims Payments 6,022.0305/29/2015 7332 Hendricks-Bennett, PLLC Legal Fees - Multiple 301 · Claims Payments 4,360.0005/29/2015 7333 Intercity Transit 2015 Subro PD Pmt 301 · Claims Payments 176.0005/29/2015 7334 Investigative Training Service, LLC Expert Witness Fees - Multiple 301 · Claims Payments 10,412.5005/29/2015 7335 Kassa Insurance Services, Inc. 2014 Adjusting Fees - STA 301 · Claims Payments 828.3105/29/2015 7336 Kirsti Charlton 2015 Charlton PD Settlement - WTA 301 · Claims Payments 614.9205/29/2015 7337 Mason General Hospital 2015 Kerns Med Specials - MTA 301 · Claims Payments 1,666.3205/29/2015 7338 Neil Tibbott 2015 Tibbott PD Settlement - CT 301 · Claims Payments 343.8305/29/2015 7339 Northwest Orthopaedic Specialists 2014 Durkin Med Specials - STA 301 · Claims Payments 145.0005/29/2015 7340 O.M.A.C 2012 Med Review - KT 301 · Claims Payments 1,102.5005/29/2015 7341 Paine Hamblen LLP Legal Fees - Multiple 301 · Claims Payments 735.6005/29/2015 7342 Partners Claim Services 2015 Adjusting Fees - MTA 301 · Claims Payments 382.50

Page 3 of 4

Washington State Transit Insurance PoolMay 2015 Claims VouchersUS Bank Claims Account

Date Num Payee Description Account Amount

05/29/2015 7343 Paukert & Troppmann, PLLC 2010 Legal Fees - STA 301 · Claims Payments 625.0005/29/2015 7344 Spokane Transit Authority 2015 Subro PD & LoU Pmt 301 · Claims Payments 922.4905/29/2015 7345 Summit Law Group 2012 Legal Fees - PiT 301 · Claims Payments 1,839.9005/29/2015 7346 Valley Transit - WA 2015 Employment Settlement - VT 301 · Claims Payments 9,154.0005/29/2015 7347 Yakima Transit-City of Yakima 2014 Subro PD Pmt 301 · Claims Payments 498.7505/29/2015 7348 Zaremba Claims Service - Yakima 2014 Adjusting Fees - BFT 301 · Claims Payments 221.00

Total 1,203,192.41

Page 4 of 4

WSTIP Policy Manual Document

Name: Budget Development Policy Date Adopted: 03/26/2010

Category: Finance Revision Date: 6/26/20146/25/2015

Page: 1 of 2

Budget Development Policy

Purpose

1. To provide the framework for the orderly development of the Pool’s annual budget; 2. To coordinate the work and inputs from management, the Executive Committee, and the

Board in the development and eventual adoption of the budget; and 3. To evaluate compliance with the Strategic Financial Ratios Policy; and 3.4. To achieve consistency with the Strategic Plan..

Authority

1. Interlocal Agreement, Sections 4f (“adopt an annual budget”) and 1 3b (“contributions and assessments shall be established . . . in [the] annual budget”); and

2. Bylaws, Section 4b (“the Board. . . [shall adopt the] annual budget”). Policy Statement 1. Budget overview. The budget is:

a. The primary tool for planning and controlling operations; and b. The manifestation through which the Pool secures stable and predictable member

contributions and reduced reliance upon commercial insurance.

2. Budget components. The budget shall provide for: a. Self insurance funding; b. Excess and/or reinsurance funding; c. Contribution to surplus; d. Risk management funding; e. Operating costs; and f. Driver record monitoring.

3. Collection of data. For use in the budget process the executive director shall collect the

following from the members in a timely fashion: a. Estimated total vehicle miles for all modes; b. Number of vehicles and their values; c. Property values; d. Number of employees; and e. Member UIM preferences.

4. Actuarial study. No later than September the executive director shall provide the Executive Committee

and the Board with an actuarial study. The study shall address; a. Outstanding claim reserves; b. Funding adequacy; c. Projected losses and loss rates;

Page 1 of 2

d. Deductible credits for first party coverage; e. Cash flow requirements; and f. The financial ratios described in the Strategic Financial Ratios Policy for a running six year period.

5. Directions from Executive Committee. At its July meeting the Executive Committee may provide directions

to the executive director regarding the draft budget. These directions may include a departure from the Assessment Allocation Policy.

6. Recommendation by Executive Committee. At its September meeting the Executive Committee shall

consider the budget and may recommend changes to : a. Contributions to equity; and b. Actuarial confidence levels.

7. Draft budget. The executive director shall present a draft budget to the Executive Committee and Board at

their September meetings.

8. Budget workshop. The President may schedule a budget workshop prior to the consideration of the draft budget by the Board. At the workshop the executive director shall present and explain the proposed budget as modified by the Executive Committee.

9. Adoption. The proposed budget shall be presented to the Board at its annual meeting. The Executive Committee shall make a recommendation to the Board on the proposed budget. The Board shall adopt a budget at this meeting.

Amendment The Pool’s Executive Committee may amend this policy.

Passed this 254th day of Junely , 20154 Executive Committee Washington State Transit Insurance Pool

Nick CoveyKen Mehin, President ATTEST: Paul ShinnersEmmett Heath, Secretary APPROVED AS TO FORM: Ronald A. Franz, General Counsel

Page 2 of 2

WSTIP Policy Manual Document

Name: Budget Development Policy Date Adopted: 03/26/2010

Category: Finance Revision Date: 6/25/2015

Page: 1 of 2

Budget Development Policy

Purpose

1. To provide the framework for the orderly development of the Pool’s annual budget; 2. To coordinate the work and inputs from management, the Executive Committee, and the

Board in the development and eventual adoption of the budget; 3. To evaluate compliance with the Strategic Financial Ratios Policy; and 4. To achieve consistency with the Strategic Plan.

Authority

1. Interlocal Agreement, Sections 4f (“adopt an annual budget”) and 1 3b (“contributions and assessments shall be established . . . in [the] annual budget”); and

2. Bylaws, Section 4b (“the Board. . . [shall adopt the] annual budget”). Policy Statement 1. Budget overview. The budget is:

a. The primary tool for planning and controlling operations; and b. The manifestation through which the Pool secures stable and predictable member

contributions and reduced reliance upon commercial insurance.

2. Budget components. The budget shall provide for: a. Self insurance funding; b. Excess and/or reinsurance funding; c. Contribution to surplus; d. Risk management funding; e. Operating costs; and f. Driver record monitoring.

3. Collection of data. For use in the budget process the executive director shall collect the

following from the members in a timely fashion: a. Estimated total vehicle miles for all modes; b. Number of vehicles and their values; c. Property values; d. Number of employees; and e. Member UIM preferences.

4. Actuarial study. No later than September the executive director shall provide the Executive Committee

and the Board with an actuarial study. The study shall address; a. Outstanding claim reserves; b. Funding adequacy; c. Projected losses and loss rates;

Page 1 of 2

d. Deductible credits for first party coverage; e. Cash flow requirements; and f. The financial ratios described in the Strategic Financial Ratios Policy for a running six year period.

5. Directions from Executive Committee. At its July meeting the Executive Committee may provide directions

to the executive director regarding the draft budget. These directions may include a departure from the Assessment Allocation Policy.

6. Recommendation by Executive Committee. At its September meeting the Executive Committee shall

consider the budget and may recommend changes to : a. Contributions to equity; and b. Actuarial confidence levels.

7. Draft budget. The executive director shall present a draft budget to the Executive Committee and Board at

their September meetings.

8. Budget workshop. The President may schedule a budget workshop prior to the consideration of the draft budget by the Board. At the workshop the executive director shall present and explain the proposed budget as modified by the Executive Committee.

9. Adoption. The proposed budget shall be presented to the Board at its annual meeting. The Executive Committee shall make a recommendation to the Board on the proposed budget. The Board shall adopt a budget at this meeting.

Amendment The Pool’s Executive Committee may amend this policy.

Passed this 25th day of June , 2015 Executive Committee Washington State Transit Insurance Pool

Nick Covey, President ATTEST: Paul Shinners, Secretary APPROVED AS TO FORM: Ronald A. Franz, General Counsel

Page 2 of 2

WSTIP Policy Manual Document Name: Strategic Target Financial Ratios

Policy Date Adopted: 6/26/2009

Category: Finance Revision Date: 6-27-1406/26/2015

Page: 1 of 2

Strategic Target Financial Ratios Policy

Purpose In order to insure that the Pool remains financially strong it is necessary to annually evaluate and compare financial performance for the past five years with current financial performance. This policy adopts target financial ratios and provides for an annual comparative study of these ratios. Authority

1. Interlocal Agreement, Sections 3 (“all things necessary and proper for the establishment of self insurance programs) and 4 (“adopt an annual budget”); and

2. Bylaws, Section 4b (“adoption of annual budget”).

Policy Statement 1. Financial ratios. The Pool shall strive to maintain the following financial ratios:

a. Expected losses to equity—less than 1; b. Net reserves to equity—not more than 1.5; c. Annual reduction in members’ equity—less than 10%; d. Annual increase in prior year loss reserves—less than 25%; e.a. Expense ratio (expenses to annual budget)—less than 20% ; f.b. Loss ratio (losses to annual budget)—less than 65%; and g.c. Combined expense and loss ratio—less than 90%.

2. Annual report. By September of each year and for use in the annual budget development process, the Pool’s executive director shall provide the Board with a report of the financial ratios set forth above for a running six year period. The six year period shall be for the current year and for five years prior to the current year.

3. Collection of information. In order to calculate the ratios the executive director shall collect from all Pool members and Pool members shall provide for each year in the ratio analysis actual or estimated: a. Vehicle miles for all modes; b. Number of vehicles and their values; c. Property values; and d. Number of employees.

4. Variance from ratios. In the event any of the actual values are at variance from target values set forth in 1a-fc, the executive director shall provide the Executive Committee with an action plan which, if implemented, will bring the ratio within the target value. The action plan shall include a timetable for implementation. The Executive Committee shall consider the executive director’s action plan and, after making whatever changes it deems appropriate, shall forward it to the Board for consideration.

5. The Pool shall engage an actuary to assist in the computation of the ratios in 1a-cf.

Page 1 of 2

Amendment The Pool’s Board may amend this policy. Policy History The groundwork for this policy was developed as part of the Pool’s 2008 six year strategic plan.

Passed this 26th day of SeptemberJune , 20142015

Board of Directors Washington State Transit Insurance Pool

Ken MehinNick Covey, President ATTEST: Emmett HeathPaul Shinners, Secretary APPROVED AS TO FORM: Ronald A. Franz, General Counsel

Page 2 of 2

WSTIP Policy Manual Document Name: Strategic Target Financial Ratios

Policy Date Adopted: 6/26/2009

Category: Finance Revision Date: 06/26/2015

Page: 1 of 2

Strategic Target Financial Ratios Policy

Purpose In order to insure that the Pool remains financially strong it is necessary to annually evaluate and compare financial performance for the past five years with current financial performance. This policy adopts target financial ratios and provides for an annual comparative study of these ratios. Authority

1. Interlocal Agreement, Sections 3 (“all things necessary and proper for the establishment of self insurance programs) and 4 (“adopt an annual budget”); and

2. Bylaws, Section 4b (“adoption of annual budget”).

Policy Statement 1. Financial ratios. The Pool shall strive to maintain the following financial ratios:

a. Expense ratio (expenses to annual budget)—less than 20% ; b. Loss ratio (losses to annual budget)—less than 65%; and c. Combined expense and loss ratio—less than 90%.

2. Annual report. By September of each year and for use in the annual budget development process, the Pool’s executive director shall provide the Board with a report of the financial ratios set forth above for a running six year period. The six year period shall be for the current year and for five years prior to the current year.

3. Collection of information. In order to calculate the ratios the executive director shall collect from all Pool members and Pool members shall provide for each year in the ratio analysis actual or estimated: a. Vehicle miles for all modes; b. Number of vehicles and their values; c. Property values; and d. Number of employees.

4. Variance from ratios. In the event any of the actual values are at variance from target values set forth in 1a-c, the executive director shall provide the Executive Committee with an action plan which, if implemented, will bring the ratio within the target value. The action plan shall include a timetable for implementation. The Executive Committee shall consider the executive director’s action plan and, after making whatever changes it deems appropriate, shall forward it to the Board for consideration.

5. The Pool shall engage an actuary to assist in the computation of the ratios in 1a-c. Amendment The Pool’s Board may amend this policy.

Page 1 of 2

Policy History The groundwork for this policy was developed as part of the Pool’s 2008 six year strategic plan.

Passed this 26th day of June , 2015 Board of Directors Washington State Transit Insurance Pool

Nick Covey, President ATTEST: Paul Shinners, Secretary APPROVED AS TO FORM: Ronald A. Franz, General Counsel

Page 2 of 2

0

5,000,000

10,000,000

15,000,000

20,000,000

25,000,000

30,000,000

35,000,000

40,000,000

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

WSTIP 2004 to 2014Assets, Liabilities & Net Position

Total Assets

Total Liabilities

Net Position

Washington State Transit Insurance Pool Washington State Transit Insurance PoolAs of 12/31/2014 As of 12/31/2014

FYE FYE FYE FYE FYE2010 2011 2012 2013 2014

2010 2011 2012 2013 2014 2015Expected Losses to Equity Ratio: 0.42 0.35 0.34 0.33 0.33

(1) Member Contributions $10,214,682 $10,899,471 $10,662,805 $11,225,365 $11,570,191 $12,212,971 Net Reserves to Equity Ratio: 0.61 0.57 0.61 0.74 0.81 (2) Investment Earnings 570,642 424,570 430,029 213,399 396,819 350,000 Annual Reduction in Member's Equity: 5.23% 16.13% 6.57% 1.16% -0.53% (3) Misc. Income 132,387 115,044 131,426 160,222 213,502 108,000 Expense Ratio: 20.67% 20.84% 20.85% 21.67% 21.60%

Loss Ratio: 59.01% 40.36% 51.78% 57.32% 62.46% (4) Total Revenues $10,917,711 $11,439,085 $11,224,260 $11,598,986 $12,180,512 $12,670,971 Combined Ratio: 79.67% 61.21% 72.63% 79.00% 84.06% [(1)+(2)+(3)]

(5) Paid Loss 6,403,868 7,004,046 6,293,512 6,563,252 6,535,847 6,647,885 (6) Chg in Prior Year Claims Reserve (376,608) (2,604,562) (772,646) (128,413) 690,961 - (6) Operating Expense 1,661,484 1,691,837 1,825,394 1,980,812 1,973,911 (7) ULAE 316,526 340,782 330,677 331,812 356,641 501,436 (8) Excess Insurance 1,650,603 1,792,669 1,903,835 2,166,030 2,206,372 2,026,849 (9) Depreciation Expense 12,463 10,135 11,291 12,347 20,560 20,560 (10) Insurance Services Expenses 437,121 569,912 386,384 439,657 505,170

Operating Expenses 2,111,068 2,271,884 2,223,069 2,432,816 2,499,641 2,462,400

(11) Total Expenditures 10,105,457 8,804,819 9,978,447 11,365,497 12,289,462 11,659,130 [Sum of (5) through (10)]

(12) Change in Net Assets 812,254 $2,634,266 1,245,813 233,489 (108,950) 1,011,841

(13) Beginning Net Assets 15,518,442 16,330,696 18,964,962 20,210,775 20,444,264 20,335,314 (14) Ending Net Assets 16,330,696 18,964,962 20,210,775 20,444,264 20,335,314 21,347,155

(15) Total Losses [(5)+(6)] 6,027,260 4,399,484 5,520,866 6,434,839 7,226,808 6,647,885 (16) Total Expenses [(11)-(15)] 4,078,197 4,405,335 4,457,581 4,930,658 5,062,654 5,011,245

(17) Projected Loss 6,829,688 6,569,903 6,926,756 6,731,986 6,772,356 7,149,321(18) Net Outstanding Reserves 9,942,442 10,894,803 12,282,298 15,164,828 16,555,981 17,245,154

(19) Budgeted Expenses 10,660,786 11,575,860 10,690,499 11,299,848 11,549,642 11,722,843

MEMORAMDUM

To: Board of Directors From: Ronald A. Franz, general counsel Subject: Proposed bylaws amendment Date: June 18, 2015 This memorandum explains the proposed changes to the bylaws. In a nutshell, the amendments are an adjustment in the way the Pool addresses vacancies in its officer positions and the elected executive committee positions. Presently vacancies in the Executive Committee are filled by the Board. For officer vacancies, the president may appoint a member of the Executive Committee to fill the vacancy on an interim basis until the Board acts to fill the vacancy. If these proposed amendments are passed:

1. An officer vacancy is filled by the immediate past president until the Board fills the vacancy at the next annual meeting.

2. As a backup course of action if the immediate past president has already been appointed to fill a vacancy or if he/she declines the position, the Board fills the vacancy as soon as it can.

3. Vacancies on the Executive Committee are to be filled by the Board. 4. Vacancies in the small/medium/large Executive Committee positions must be filled by

someone from the appropriate size member. 5. A vacancy in the immediate past president Executive Committee position is not filled.

WSTIP Policy Manual Document Name: Bylaws Date Adopted: 10/01/08

Category: Organizational Planning Revision Date: 5-29-1508/11/11

Page: 1 of 9

WASHINGTON STATE TRANSIT INSURANCE POOL

Bylaws

ARTICLE I: DEFINITIONS Section 1. Definitions. The terms set forth below are defined as follows:

a. Board -- The governing body of the Pool is composed of one representative from each Member.

b. Executive Committee – The committee which governs and controls the Pool except as set forth in Section 4.

c. Member -- A local governmental public transit entity which participates in the Pool’s self-funded insurance program.

d. Pool -- The Washington State Transit Insurance Pool. Defined terms are in bold throughout these bylaws.

ARTICLE II: OFFICES Section 2. Principal office. The principal office of the Pool shall be located in Olympia, Washington. Section 3. Other offices. The Executive Committee may, in its discretion, establish other offices for the Pool. ARTICLE III: GOVERNING BOARD Section 4. Governance. With respect to the following, the Pool shall be governed and controlled by the Board: a. Adoption and amendment of bylaws; b. Adoption of annual budget;

Page 1 of 9

c. Assessment of annual and special Member allocations and contributions; d. Admission and termination of Members; e. Selection of executive director and terms and conditions of employment; f. Purchase, lease, sale, and disposal of real property; g. Changes to the terms and conditions of coverages to be offered by the Pool to its Members; and h. New coverages or programs to be offered by the Pool to its Members; Provided, at least ninety days prior to voting upon whether or not to offer any new coverage or program, the Pool shall provide notice thereof to the governing bodies of the Members, which notice shall include a description of the proposed new coverage or program; and i. The definition and parameters of the Governance Documentation Procedure and WSTIP Policy Manual as set forth in Article XIII. Section 5. Composition. The Board shall be composed of one representative appointed by each Member. Section 6. Voting Rights. Each Member shall have one vote on each matter submitted to the Board. Unless a supermajority vote is required on some particular matter, a majority vote is sufficient to pass a matter. Voting by proxy is not permitted. Section 7. Quorum. A majority of Members representatives is sufficient to constitute a quorum. Section 8. Member representatives.

a. Each Member shall appoint a primary representative, and one or more alternative representatives. A Member’s representative is, authorized to exercise the Member's voting rights in the Pool and to act on behalf of the Member with respect to all matters pertaining to the Pool.

b. If a primary representative is unable to serve or participate in proceedings for any reason an

alternative representative shall represent the Member.

c. Members shall designate representatives in writing and may change designations at any time,. Members shall promptly notify the Pool of any changes.

d. Representatives must be officers or employees of Member. e. Alternative representatives may serve on committees or as officers only if appointed or

elected to the committee or office.

Page 2 of 9

Section 9. Board meetings. a. The annual meeting shall be held in November or December; Provided, if extraordinary circumstances require the cancellation of the annual meeting, the president may reschedule the annual meeting for some other time as a special meeting. The Board shall elect the secretary and new members of the Executive Committee and adopt its annual budget and Member allocations at the annual meeting. b. In addition to the annual meeting, the Board shall meet quarterly. The annual meeting shall be the meeting for the fourth quarter. Section 10. Membership not transferable. Membership in the Pool is not transferable or assignable. ARTICLE IV: OFFICERS Section 11. Designation. The officers of the Pool shall consist of a president, vice-president, and secretary. All officers shall be primary or alternative Member representatives. Section 12. President. The president shall chair the Board and the Executive Committee. Section 13. Vice-president. The vice-president shall perform the duties of the president in the temporary absence or disability of the president. Section 14. Secretary. The secretary shall certify Pool policy manual documentsdecisions as described in Article XIII, and minutes of the Board and Executive Committee. Section 15. Election and Progression of Officers.

a. The Board shall elect a secretary and fill vacancies in offices that had become vacant since

the last electionevery year at its annual meeting.

b. The secretary shall progress to vice-president and the vice-president shall progress to president.

b. Section 16. Vacancies in offices.

a. Vacancy in the office of the president, vice president, or secretary shall be filled by the immediate past president until the annual election.

b. If the immediate past president has already been appointed to fill a vacancy or if he or she

declines to fill a vacancy, the Board shall fill the vacancy at a regular or special meeting as soon as practicable.

Section 16. Section 17. Terms. The terms of office shall be one year and shall commence immediately following election of the secretary. y.

Page 3 of 9

ARTICLE V: EXECUTIVE COMMITTEE Section 187. Powers. The Pool shall be governed and controlled by the Executive Committee in all respects except for those matters reserved to the Board by Article III, Section 4. The Executive Committee shall make recommendations to the Board with respect to the annual budget, assessment of Member allocations and contributions, the purchase, lease, sale, and disposal of real property, and all other matters that may come before the Board . Section 198. Composition.

a. The Executive Committee shall consist of the president, immediate past president, vice-president, secretary, and four additional members elected by the Board at every annual meeting.

b. All members of the Executive Committee shall be primary or alternative Member

representatives. c. Of the four members elected annually, one shall be from a small transit system, one shall be

from a medium transit system, and one shall be from a large transit system, and one shall be “at large”; Provided, if no eligible member from a small, medium, or large system is willing to serve, that position shall be open to any other Member representative . The criteria for small, medium, and large shall be established by the Executive Committee.

Section 2019. Meetings. The Executive Committee shall meet every month. The president may cancel any monthly meeting. A majority of members of the Executive Committee shall be sufficient to constitute a quorum. Section 210. Claims Review. The Executive Committee shall review and, if appropriate, approve proposed settlements for any claim or lawsuit against any Member which is proposed for settlement in an amount greater than the standing settlement authority of the executive director. Section 221. Committees. The Executive Committee may, in its discretion, establish committees, either ad hoc or standing.

ARTICLE VI: VACANCIES, REMOVALS, AND RESIGNATIONS Section 232. Vacancies.

a. Vacancies in the Executive Committee shall be filled by the Board at aits next regular meeting as soon as practicable. The person appointed to fill the vacancy shall complete the term of his or her predecessor.

b. Vacancies in Member representative positions shall be filled only by a Member representative from a Member that meets the size criterial for the vacant position.The president may appoint a member of the Executive Committee as an interim officer prior to action by the Board to fill the vacancy.

a.c. A vacancy in the immediate past president position shall not be filled.

Page 4 of 9

b.d. If an Executive Committee member ceases to be an officer or employee of Member, the position shall be considered vacant.

Section 243. Removal. An Executive Committee member may be removed by a two-thirds vote of all Member representatives. Section 254. Resignation. An Executive Committee member may resign by providing written notice to the Board or president. Such resignation shall be effective upon receipt or at some other specified time. A resignation shall be effective without acceptance.

ARTICLE VII: MEETINGS

Section 265. Meeting time, date and place. The president shall establish the time, date and place of the Board's annual meeting and for regular and special meetings of the Board and Executive Committee. Section 276. Notice of meetings. a. Notice of all meetings shall be provided to all Member representatives. b. The notice shall specify the time, date, and place of each meeting and, in the case of a special meeting, the matters or topics which will be presented for consideration. Section 287. Executive sessions. The Board, Executive Committee, and any other duly established committee may adjourn to executive session to consider those matters authorized by RCW 42.30.110 and RCW 48.62.101.. Section 298. Special meetings. Special meetings of the Board or Executive Committee may be called as authorized by RCW 42.30.080. Section 3029. Conduct of meetings. Meetings shall be conducted pursuant to Robert's Rules of Order to the extent not inconsistent with statutes, these bylaws, or the interlocal agreement through which the Pool was established. ARTICLE VIII. APPOINTED POSITIONS Section 310. Treasurer.

a. The Board shall appoint a Treasurer pursuant to RCW 48.62.111 as now or hereafter amended. The Board may replace the Treasurer at any time.

b. The duties of the Treasurer shall be as specified by the Executive Committee. The

Treasurer must be a primary or alternative Member representative. If the Treasurer is not a member of the Executive Committee, he or she shall be an ex officio, non-voting member thereof.

Page 5 of 9

Section 321. Auditor. The Pool’s executive director shall serve as its Auditor. The duties of the Auditor shall be as specified by the Executive Committee. Section 332. Other positions. The Executive Committee may appoint such other positions as it deems appropriate and, if it does so, shall specify the duties of the position.

ARTICLE IX: EMPLOYEES Section 343. Executive Director. a. The Board shall engage an executive director upon mutually agreeable terms and conditions. The Executive Committee shall evaluate the performance of the executive director following input from the Board which may be through the small, medium,and large Executive Committee members. b. The executive director shall be the chief executive officer of the Pool and shall be responsible for its efficient operation and overall direction. c. The executive director shall execute the directives of the Board and the Executive Committee. Section 354. General Counsel. The Executive Committee may engage general counsel for the Pool upon terms and conditions it deems appropriate. The general counsel shall be the legal advisor to the Board, Executive Committee, and Pool staff. Section 365. Other Employees. The executive director shall employ such other individuals as may be authorized by the Executive Committee and consistent with the annual budget. ARTICLE X: OPERATIONS Section 376. Accounts. The Pool shall establish and maintain funds and accounts consistent with generally accepted accounting practices and as may be required by state laws and regulations. Section 387. Internal Controls.

a. The books and records of the Pool shall be audited annually. b. The Executive Committee shall establish policies with respect to internal controls, financial

reports, audits, and investment policies. Section 398 Annual report. The executive director shall submit an annual report to the Board as may be required by the Executive Committee. Section 4039. Inspection of records. All Pool records and files shall be available for inspection and copying by any authorized representative of any Member at any and all reasonable times.

Page 6 of 9

Section 410. Fidelity bond. The Pool shall obtain a fidelity bond of one million dollars or such greater amount as may be required by the Executive Committee to cover all losses of misfeasance and malfeasance by the Member representatives and employees. Section 421. Power to contract. The Pool's contractual powers are vested in the Executive Committee. The Executive Committee may delegate all or part of its contractual powers to the executive director or some other agent or employee. Section 432. No compensation. Member representatives shall not receive compensation for time or services provided to the Pool; Provided, Member representatives shall be reimbursed for necessary and reasonable expenses incurred for activities authorized by the Board or Executive Committee in accordance with rules set by the Executive Committee. Section 443. Indemnification. a. The Pool shall indemnify any Member representative or employee of the Pool for all costs and expenses incurred in connection with any legal action or proceeding arising as a consequence of activities on the Pool's behalf so long as the Member representative or employee acted in good faith and without intentional wrongdoing. b. Any determination whether a Member representative or employee is entitled to indemnification shall be made by the Executive Committee. Section 454. Reporting claims. Members shall report all claims and losses to the Pool irrespective of whether the Pool has any indemnification obligation. Section 465. Notice of proposed amendments to interlocal agreement. a. Whenever there is a proposed amendment to the Pool’s interlocal agreement, the Pool shall provide notice thereof to the Members’ governing bodies. b. The notice shall be directed to “Clerk [name of Member transit system]” to the address of the Member’s primary administrative offices. c. No proposed amendment shall become effective sooner than sixty days following notice as required herein.

ARTICLE XI: NEW MEMBERS

Section 476. Application. A local governmental public transit system situated in Washington

desiring to become a Member of the Pool may apply for membership by submitting an application to the executive director. The application shall contain the information requested by the executive director. The application shall be accompanied by a fee in an amount determined by the executive director to cover the cost of analyzing the applicant's loss data, risk profile, and other information. The executive director shall

Page 7 of 9

forward the application first to the Executive Committee and then to the Board along with his or her recommendation. Section 487. Consideration by Board. An applicant is approved for membership with the affirmative vote of at least three-fourths of all Member representatives. Section 498. Consummation of membership. An applicant for membership as a Member shall become a Member following its subscription of the Pool’s interlocal agreement.

ARTICLE XII: COVERAGE DETERMINATION Section 5049. Tender. Following receipt of a claim or complaint seeking monetary damages, a Member or other person who believes the Pool may have an obligation for such claim or complaint, may tender the claim or complaint to the executive director for a determination of coverage. The tender shall include a copy of the claim or complaint together with such other information as the Member or other person believes supports coverage. Section 510. Decision by executive director. a. Following receipt of a tender the executive director shall promptly review the materials submitted and do whatever additional investigation is necessary to make a coverage determination. b. Following review of the materials and investigation, the executive director shall: (1) Accept the tender, thereby acknowledging a defense and indemnity obligation; (2) Accept the tender but with a reservation of rights, thereby acknowledging a defense obligation but reserving to the future the right to dispute an indemnity obligation; or (3) Deny the tender, thereby denying a defense and indemnity obligation. c. If the executive director accepts a tender but under a reservation of the rights or denies a tender, he or she shall notify the Member or other person thereof in writing. The notice shall specify the reasons for the decision. Section 521. Appeal to Executive Committee a. A Member or other person feeling aggrieved by the decision of the executive director regarding a tender decision, may appeal that decision to the Executive Committee by filing notice thereof with the president and executive director. The notice shall specify the identity of the appellant, the decision from which the appeal is taken, and the reasons why the appellant believes the decision of the executive director was wrong. Such notice must be filed within thirty days following such decision. b. The appeal shall be set for consideration at the next regular meeting of the Executive Committee or, in the discretion of the president, at the regular meeting following the next regular meeting.

Page 8 of 9

c. Any Executive Committee member employed by the Member taking the appeal shall recuse herself or himself from the proceedings. d. At the hearing before the Executive Committee, the appellant shall first present facts and argument followed by the executive director.

e. Following the hearing or any continuation thereof, the Executive Committee shall issue a written determination on the appeal.

ARTICLE XIII; GOVERNANCE DOCUMENTATION PROCEDURE

Section 532. Governance memorialization procedure. The Board and its Executive Committee may memorialize governance decisions by additions, amendments, or deletions to the “WSTIP Policy Manual,” as described in section 554.

Section 543. Procedural requirements. In order for a section of the policy manual to have binding force, the section must be approved by a majority vote of the Board or Executive Committee unless a supermajority is required. The approval of a section shall be memorialized by the signatures of the Pool’s president and secretary. The section may also be approved as to form by the Pool’s counsel but such approval as to form is not necessary for the section to have binding force.

Section 554. WSTIP Policy Manual. The WSTIP Policy Manual shall be known as such. It shall be consistent with the Pool’s interlocal agreement and bylaws. It shall include a section describing the purpose of the policy, the authority for the policy, a policy statement section which is the substantive portion of the policy, a section describing the historical background for the policy, and other sections as deemed appropriate by the Board or Executive Committee.

ARTICLE XIV: REPEALER Section 56.5 Repealer. Bylaws previously adopted and all amendments thereto are hereby repealed.

Adopted this 9th day of December , 20151 Board of Directors Washington State Transit Insurance Pool

Nick CoveyMark Carlin, President ATTEST: Paul ShinnersBen Foreman, Secretary APPROVED AS TO FORM: Ronald A. Franz, General Counsel

Page 9 of 9

WSTIP Policy Manual Document Name: Bylaws Date Adopted: 10/01/08

Category: Organizational Planning Revision Date: 5-29-15

Page: 1 of 9

WASHINGTON STATE TRANSIT INSURANCE POOL

Bylaws

ARTICLE I: DEFINITIONS Section 1. Definitions. The terms set forth below are defined as follows:

a. Board -- The governing body of the Pool is composed of one representative from each Member.

b. Executive Committee – The committee which governs and controls the Pool except as set forth in Section 4.

c. Member -- A local governmental public transit entity which participates in the Pool’s self-funded insurance program.

d. Pool -- The Washington State Transit Insurance Pool. Defined terms are in bold throughout these bylaws.

ARTICLE II: OFFICES Section 2. Principal office. The principal office of the Pool shall be located in Olympia, Washington. Section 3. Other offices. The Executive Committee may, in its discretion, establish other offices for the Pool. ARTICLE III: GOVERNING BOARD Section 4. Governance. With respect to the following, the Pool shall be governed and controlled by the Board: a. Adoption and amendment of bylaws; b. Adoption of annual budget; c. Assessment of annual and special Member allocations and contributions;

Page 1 of 9

d. Admission and termination of Members; e. Selection of executive director and terms and conditions of employment; f. Purchase, lease, sale, and disposal of real property; g. Changes to the terms and conditions of coverages to be offered by the Pool to its Members; and h. New coverages or programs to be offered by the Pool to its Members; Provided, at least ninety days prior to voting upon whether or not to offer any new coverage or program, the Pool shall provide notice thereof to the governing bodies of the Members, which notice shall include a description of the proposed new coverage or program; and i. The definition and parameters of the Governance Documentation Procedure and WSTIP Policy Manual as set forth in Article XIII. Section 5. Composition. The Board shall be composed of one representative appointed by each Member. Section 6. Voting Rights. Each Member shall have one vote on each matter submitted to the Board. Unless a supermajority vote is required on some particular matter, a majority vote is sufficient to pass a matter. Voting by proxy is not permitted. Section 7. Quorum. A majority of Members representatives is sufficient to constitute a quorum. Section 8. Member representatives.

a. Each Member shall appoint a primary representative, and one or more alternative representatives. A Member’s representative is, authorized to exercise the Member's voting rights in the Pool and to act on behalf of the Member with respect to all matters pertaining to the Pool.

b. If a primary representative is unable to serve or participate in proceedings for any reason an

alternative representative shall represent the Member.

c. Members shall designate representatives in writing and may change designations at any time,. Members shall promptly notify the Pool of any changes.

d. Representatives must be officers or employees of Member. e. Alternative representatives may serve on committees or as officers only if appointed or

elected to the committee or office.

Page 2 of 9

Section 9. Board meetings. a. The annual meeting shall be held in November or December; Provided, if extraordinary circumstances require the cancellation of the annual meeting, the president may reschedule the annual meeting for some other time as a special meeting. The Board shall elect the secretary and new members of the Executive Committee and adopt its annual budget and Member allocations at the annual meeting. b. In addition to the annual meeting, the Board shall meet quarterly. The annual meeting shall be the meeting for the fourth quarter. Section 10. Membership not transferable. Membership in the Pool is not transferable or assignable. ARTICLE IV: OFFICERS Section 11. Designation. The officers of the Pool shall consist of a president, vice-president, and secretary. All officers shall be primary or alternative Member representatives. Section 12. President. The president shall chair the Board and the Executive Committee. Section 13. Vice-president. The vice-president shall perform the duties of the president in the temporary absence or disability of the president. Section 14. Secretary. The secretary shall certify Pool policy manual documents and minutes of the Board and Executive Committee. Section 15. Election and Progression of Officers.

a. The Board shall elect a secretary and fill vacancies in offices that had become vacant since

the last election at its annual meeting.

b. The secretary shall progress to vice-president and the vice-president shall progress to president.

Section 16. Vacancies in offices.

a. Vacancy in the office of the president, vice president, or secretary shall be filled by the immediate past president until the annual election.

b. If the immediate past president has already been appointed to fill a vacancy or if he or she

declines to fill a vacancy, the Board shall fill the vacancy at a regular or special meeting as soon as practicable.

Section 17. Terms. The terms of office shall be one year and shall commence immediately following election of the secretary.

Page 3 of 9

ARTICLE V: EXECUTIVE COMMITTEE Section 18. Powers. The Pool shall be governed and controlled by the Executive Committee in all respects except for those matters reserved to the Board by Article III, Section 4. The Executive Committee shall make recommendations to the Board with respect to the annual budget, assessment of Member allocations and contributions, the purchase, lease, sale, and disposal of real property, and all other matters that may come before the Board Section 19. Composition.

a. The Executive Committee shall consist of the president, immediate past president, vice-president, secretary, and four additional members elected by the Board at every annual meeting.

b. All members of the Executive Committee shall be primary or alternative Member

representatives. c. Of the four members elected annually, one shall be from a small transit system, one shall be

from a medium transit system, and one shall be from a large transit system, and one shall be “at large”; Provided, if no eligible member from a small, medium, or large system is willing to serve, that position shall be open to any other Member representative . The criteria for small, medium, and large shall be established by the Executive Committee.

Section 20. Meetings. The Executive Committee shall meet every month. The president may cancel any monthly meeting. A majority of members of the Executive Committee shall be sufficient to constitute a quorum. Section 21. Claims Review. The Executive Committee shall review and, if appropriate, approve proposed settlements for any claim or lawsuit against any Member which is proposed for settlement in an amount greater than the standing settlement authority of the executive director. Section 22. Committees. The Executive Committee may, in its discretion, establish committees, either ad hoc or standing.

ARTICLE VI: VACANCIES, REMOVALS, AND RESIGNATIONS Section 23. Vacancies.

a. Vacancies in the Executive Committee shall be filled by the Board at a regular meeting as soon as practicable. The person appointed to fill the vacancy shall complete the term of his or her predecessor.

b. Vacancies in Member representative positions shall be filled only by a Member representative from a Member that meets the size criterial for the vacant position.

c. A vacancy in the immediate past president position shall not be filled.

Page 4 of 9

d. If an Executive Committee member ceases to be an officer or employee of Member, the position shall be considered vacant.

Section 24. Removal. An Executive Committee member may be removed by a two-thirds vote of all Member representatives. Section 25. Resignation. An Executive Committee member may resign by providing written notice to the Board or president. Such resignation shall be effective upon receipt or at some other specified time. A resignation shall be effective without acceptance.

ARTICLE VII: MEETINGS

Section 26. Meeting time, date and place. The president shall establish the time, date and place of the Board's annual meeting and for regular and special meetings of the Board and Executive Committee. Section 27. Notice of meetings. a. Notice of all meetings shall be provided to all Member representatives. b. The notice shall specify the time, date, and place of each meeting and, in the case of a special meeting, the matters or topics which will be presented for consideration. Section 28. Executive sessions. The Board, Executive Committee, and any other duly established committee may adjourn to executive session to consider those matters authorized by RCW 42.30.110 and RCW 48.62.101.. Section 29. Special meetings. Special meetings of the Board or Executive Committee may be called as authorized by RCW 42.30.080. Section 30. Conduct of meetings. Meetings shall be conducted pursuant to Robert's Rules of Order to the extent not inconsistent with statutes, these bylaws, or the interlocal agreement through which the Pool was established. ARTICLE VIII. APPOINTED POSITIONS Section 31. Treasurer.

a. The Board shall appoint a Treasurer pursuant to RCW 48.62.111 as now or hereafter amended. The Board may replace the Treasurer at any time.

b. The duties of the Treasurer shall be as specified by the Executive Committee. The

Treasurer must be a primary or alternative Member representative. If the Treasurer is not a member of the Executive Committee, he or she shall be an ex officio, non-voting member thereof.

Page 5 of 9

Section 32. Auditor. The Pool’s executive director shall serve as its Auditor. The duties of the Auditor shall be as specified by the Executive Committee. Section 33. Other positions. The Executive Committee may appoint such other positions as it deems appropriate and, if it does so, shall specify the duties of the position.

ARTICLE IX: EMPLOYEES Section 34. Executive Director. a. The Board shall engage an executive director upon mutually agreeable terms and conditions. The Executive Committee shall evaluate the performance of the executive director following input from the Board which may be through the small, medium,and large Executive Committee members. b. The executive director shall be the chief executive officer of the Pool and shall be responsible for its efficient operation and overall direction. c. The executive director shall execute the directives of the Board and the Executive Committee. Section 35. General Counsel. The Executive Committee may engage general counsel for the Pool upon terms and conditions it deems appropriate. The general counsel shall be the legal advisor to the Board, Executive Committee, and Pool staff. Section 36. Other Employees. The executive director shall employ such other individuals as may be authorized by the Executive Committee and consistent with the annual budget. ARTICLE X: OPERATIONS Section 37. Accounts. The Pool shall establish and maintain funds and accounts consistent with generally accepted accounting practices and as may be required by state laws and regulations. Section 38. Internal Controls.

a. The books and records of the Pool shall be audited annually. b. The Executive Committee shall establish policies with respect to internal controls, financial

reports, audits, and investment policies. Section 39 Annual report. The executive director shall submit an annual report to the Board as may be required by the Executive Committee. Section 40. Inspection of records. All Pool records and files shall be available for inspection and copying by any authorized representative of any Member at any and all reasonable times.

Page 6 of 9

Section 41. Fidelity bond. The Pool shall obtain a fidelity bond of one million dollars or such greater amount as may be required by the Executive Committee to cover all losses of misfeasance and malfeasance by the Member representatives and employees. Section 42. Power to contract. The Pool's contractual powers are vested in the Executive Committee. The Executive Committee may delegate all or part of its contractual powers to the executive director or some other agent or employee. Section 43. No compensation. Member representatives shall not receive compensation for time or services provided to the Pool; Provided, Member representatives shall be reimbursed for necessary and reasonable expenses incurred for activities authorized by the Board or Executive Committee in accordance with rules set by the Executive Committee. Section 44. Indemnification. a. The Pool shall indemnify any Member representative or employee of the Pool for all costs and expenses incurred in connection with any legal action or proceeding arising as a consequence of activities on the Pool's behalf so long as the Member representative or employee acted in good faith and without intentional wrongdoing. b. Any determination whether a Member representative or employee is entitled to indemnification shall be made by the Executive Committee. Section 45. Reporting claims. Members shall report all claims and losses to the Pool irrespective of whether the Pool has any indemnification obligation. Section 46. Notice of proposed amendments to interlocal agreement. a. Whenever there is a proposed amendment to the Pool’s interlocal agreement, the Pool shall provide notice thereof to the Members’ governing bodies. b. The notice shall be directed to “Clerk [name of Member transit system]” to the address of the Member’s primary administrative offices. c. No proposed amendment shall become effective sooner than sixty days following notice as required herein.

ARTICLE XI: NEW MEMBERS

Section 47. Application. A local governmental public transit system situated in Washington

desiring to become a Member of the Pool may apply for membership by submitting an application to the executive director. The application shall contain the information requested by the executive director. The application shall be accompanied by a fee in an amount determined by the executive director to cover the cost of analyzing the applicant's loss data, risk profile, and other information. The executive director shall

Page 7 of 9

forward the application first to the Executive Committee and then to the Board along with his or her recommendation. Section 48. Consideration by Board. An applicant is approved for membership with the affirmative vote of at least three-fourths of all Member representatives. Section 49. Consummation of membership. An applicant for membership as a Member shall become a Member following its subscription of the Pool’s interlocal agreement.

ARTICLE XII: COVERAGE DETERMINATION Section 50. Tender. Following receipt of a claim or complaint seeking monetary damages, a Member or other person who believes the Pool may have an obligation for such claim or complaint, may tender the claim or complaint to the executive director for a determination of coverage. The tender shall include a copy of the claim or complaint together with such other information as the Member or other person believes supports coverage. Section 51. Decision by executive director. a. Following receipt of a tender the executive director shall promptly review the materials submitted and do whatever additional investigation is necessary to make a coverage determination. b. Following review of the materials and investigation, the executive director shall: (1) Accept the tender, thereby acknowledging a defense and indemnity obligation; (2) Accept the tender but with a reservation of rights, thereby acknowledging a defense obligation but reserving to the future the right to dispute an indemnity obligation; or (3) Deny the tender, thereby denying a defense and indemnity obligation. c. If the executive director accepts a tender but under a reservation of the rights or denies a tender, he or she shall notify the Member or other person thereof in writing. The notice shall specify the reasons for the decision. Section 52. Appeal to Executive Committee a. A Member or other person feeling aggrieved by the decision of the executive director regarding a tender decision, may appeal that decision to the Executive Committee by filing notice thereof with the president and executive director. The notice shall specify the identity of the appellant, the decision from which the appeal is taken, and the reasons why the appellant believes the decision of the executive director was wrong. Such notice must be filed within thirty days following such decision. b. The appeal shall be set for consideration at the next regular meeting of the Executive Committee or, in the discretion of the president, at the regular meeting following the next regular meeting.

Page 8 of 9

c. Any Executive Committee member employed by the Member taking the appeal shall recuse herself or himself from the proceedings. d. At the hearing before the Executive Committee, the appellant shall first present facts and argument followed by the executive director.

e. Following the hearing or any continuation thereof, the Executive Committee shall issue a written determination on the appeal.

ARTICLE XIII; GOVERNANCE DOCUMENTATION PROCEDURE

Section 53. Governance memorialization procedure. The Board and its Executive Committee may memorialize governance decisions by additions, amendments, or deletions to the “WSTIP Policy Manual,” as described in section 55.

Section 54. Procedural requirements. In order for a section of the policy manual to have binding force, the section must be approved by a majority vote of the Board or Executive Committee unless a supermajority is required. The approval of a section shall be memorialized by the signatures of the Pool’s president and secretary. The section may also be approved as to form by the Pool’s counsel but such approval as to form is not necessary for the section to have binding force.

Section 55. WSTIP Policy Manual. The WSTIP Policy Manual shall be known as such. It shall be consistent with the Pool’s interlocal agreement and bylaws. It shall include a section describing the purpose of the policy, the authority for the policy, a policy statement section which is the substantive portion of the policy, a section describing the historical background for the policy, and other sections as deemed appropriate by the Board or Executive Committee.

ARTICLE XIV: REPEALER Section 56. Repealer. Bylaws previously adopted and all amendments thereto are hereby repealed.

Adopted this day of , 2015 Board of Directors Washington State Transit Insurance Pool

Nick Covey, President ATTEST: Paul Shinners, Secretary APPROVED AS TO FORM: Ronald A. Franz, General Counsel

Page 9 of 9

2015 Executive Committee Work Plan

Page 1 of 3

Who Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec2016 Jan Feb Mar

1Review efficacy of Committees/Charter and Close Committees Executive Committee * *

2Get closure on Board Development roadmap Staff/EC *

3 Staff salary survey Executive Committee * * * * * * * * * *

4Member Rep Meeting Assessment (stop/start/continue) Executive Committee * *

5Quarterly Board meeting structure: review efficacy Executive Committee *

6 AGRIP accreditation/EC Rep Appointment EC / Tracey 7 Succession Planning EC/Board * 8 Eligibility for EC and Election Process Executive Committee * * * * * * 9 Ron's evaluation/Al's evaluation President/EC * * *

10 Training Coalition appointment EC / Tracey

20 Audit/Finance Executive Committee/Ben * * *

21 Board Development Tom, Sara, Wendi, Diane charter * * * * * * * * * *

22 Emerging Risks and OpportunitiesGreg, Staci, Ed, Ben, Rob H., Rob L., Ken, & Mike

charter * * * * * * * *

23 Governance Nick, Emmett & Paul * * * * * *24 Legislative Committee Nick, Tom, Wendy * * * * * * * * * * *25 Nominations Nick, Emmett & Paul * * * 26 Underwriting Committee Ben, Paul, Nick * * * * * * * * * *

Who Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec2016 Jan Feb Mar

30 Strategic Plan Staff * * * * * * * * * 31 Board Education (WSTIP 101) Staff * * * * * * * * * *

KEY: * = start and SUN SYMBOL = end

Subcommittees

Staff Projects

General Work Items

2015 Executive Committee Work Plan

Page 2 of 3

1 Strive for transparency about the role you are playing.2 Instead of driving an issue, the Executive Committee will work from its work plan to decide what to do.3 Operate under parliamentary procedures.4 Be recognized before speaking.5 Members will come prepared; read materials in advance and participate during the meeting.6 Try not to dominate the conversation; let someone else have a turn.7 Finish the meeting on time.8 No side conversations.9 Show respect by adhering to principles 4 and 8.

10 The President runs the meetings; not the Executive Director.11 The Executive Committee can agree to allocate more time to discuss a topic.12 The Executive Committee decides by majority rule, but strives for consensus. Consensus is defined as the

ability for every Executive Committee member to be able to live with the decision.13 The Executive Committee will flag "hot topics" for members to check in with members on.14 Proposals to the Board are forwarded with Executive Committee endorsement. Proposals that require Board

action, Executive Committee members can share their opinion if they disagree with the Executive Committee's recommendation.

15 The Executive Committee will review their work plan every month and identify what needs to be taken to members.

16 Make sure that communication to the Board is complete.

*Working Principles formed during 2007 Executive Committee Retreat, November 29 and 30, 2007; revised during 2009 Executive Committee Retreat, January 22 and 23, 2009. Reviewed at Executive Committee 2011 Retreat, January 20 and 21, 2011. Revised during the 2012 Retreat. Working priniciples were not changed in the 2014 retreat

Tribal Rules (from January 2012 Retreat)

1 Put the needs of WSTIP first.2 Serve as member representative before taking a leadership role.3 Provide a development track for members.4 Expect people to take a leadership role.5 Everyone who ran for Executive Committee office can come to the Executive Committee retreat.6 No side deals -- raise your concerns with the entire Executive Committee7 Everyone's views are heard. Once Board decision is made, support it.8 Respect the office -- respect the roles each person takes.

2015 Executive Committee Work Plan

Mental Models

Page 3 of 3

1 . WSTIP Board will meet four times per year.2 . WSTIP will offer $20,000,000 in policy limits for Auto/General Liability.3 . All Members will receive the same Loss Prevention Grant amount.4 . All members are assessed on the same rating methodology.5 . The Executive Director will be hired by the Board and evaluated annually.6 . All best practices will be agreed to on a voluntary basis (exception: driver record monitoring).7 . Membership is restricted to Washington State transits of a minimum size and experience history.8 . WSTIP primary purpose is insurance.9 . No rail or ferry coverage will be offered.

10 . General wage increases are subject to the action taken by Intercity Transit.11 . Auto liability rates are determined by mileage and experience.12 . General/Public Officials (E & O)/Property rates are all determined by the actuary with no experience rating.13 . Claims will be resolved in a "fair, equitable and responsible" manner.14 . Subrogation is a value added service and all recovery is returned to the members.15 . WSTIP offices will be located in Olympia.16 . WSTIP/WSTA relationship will be collaborative and mutual.

June 18, 2015 TO: WSTIP Executive Committee FROM: Tracey Christianson, Member Services Manager SUBJECT: Driver Record Monitoring System – Purchase Update Last year the staff recommended, and the Executive Committee concurred, that a formal Request for Proposal be done this year for our driver record monitoring system. The result of the RFP was a proposal from our current vendor, Data Driven Safety. At this point in time we are in contract negotiations mostly centered on pricing and service offerings. Our existing contract with Data Driven Safety has been extended through next year. Also, our contract with the Department of Licensing has been renewed. However, it is still our intention to have a new contract in place and pricing in place for 2016. Data Driven Safety have proposed a variety of prices and service levels and continue to be willing to negotiate. One of our primary goals is to have Data Driven Safety do the data exchange with Department of Licensing. Currently we do the data exchange and because we do, increased security on our network is necessary. We have had two negotiation meetings with Data Driven Safety. We had a meeting scheduled for Friday, May 22; however, at the urging of legal counsel Daniel Wadkins, Lee & Hayes, we cancelled that meeting and had a meeting with management staff, Daniel and Steve Clancy regarding contract issues. We are now ready to move forward with negotiations; however, we are having trouble finding meeting dates with so many parties. There will be a big push to get this done before the Executive Committee meeting in July. /tc

June 18, 2015 TO: WSTIP Executive Committee FROM: Tracey Christianson, Member Services Manager SUBJECT: Network Security Services – Purchase Update Background The goal of this procurement is to engage a partner to assist WSTIP and WSTIP members with the “to do items” identified in the Best Practices for the Technology Environment (see attached Best Practice). We conducted a procurement process and started negotiations with the highest ranked vendor. Unfortunately, the costs were too high (their proposal was excellent). However, we decided to dialog with the second highest ranked vendor. We met with this vendor’s team on May 29 to discuss their proposal and pricing. Update Steve Clancy, Chris Chidley, Jerry, Andrea and I met with their team. We were very impressed with their knowledge and expertise. It was a unanimous decision to ask them for a revised proposal in order to include additional services that we were not able to procure (vulnerability scanning and penetration testing). The secondary proposal is a very good proposal. It appears the overall project costs for the project are approximately $250,000 over three or four years; which is what we expected. Additionally there are many “extras” that the member can decide to utilize and self-pay, such a PCI compliance audits, vulnerability testing, penetration testing, network consulting, and on-site employee training. This vendor brings a broad range of experience and has already established arrangements for certain services (such as vulnerability testing). Deliverable 1 - $33,750 paid out over 3 years – Process, paperwork, training, and individual assistance Deliverable 2 - $33,750 paid out over 3 years – Process, paperwork, training, ongoing assistance Deliverable 3 - $22,500* over 3 years – Employee training Deliverable 4 - $25,000 paid in year 1 – Sample IT policies Deliverable 5 - $7500 paid in year 1 – Sample technology contract Deliverable 6 - $8500 paid in year 1 – Sample Interlocal Agreement Total = $131,000 plus travel expenses The vendor also recommended adding incident response planning as a critical element to success under this best practice. This additional cost of the incident response planning was $62,500, which brings the total cost to $193,500 plus travel expenses. As we continue to work out the details of the scope and timeline it appears the overall cost of this agreement is likely to be in the $250,000 range over three or four years. Staff expect to ask for the Executive Committee to give the Executive Director authority to sign a contract next month at which time we will present more details on the timeline and scope. /tc

Page 1 of 3

Best Practices for the Technology Environment (Computers, Networks, Desktops) and Related Issues

The goals of this Best Practice are the following:

Reduce the likelihood of a network security breach that would result in a loss of private information (identity) and/or loss of money by identifying achievable controls for the technology environment.

Increase the understanding of non-IT managers regarding the technology environment and their role in utilizing, financially supporting, and managing the environment and employees.

Increase the education of all employees regarding their role in properly utilizing technology resources.

Ensure IT is prioritized with other core business functions as a strategic agency goal. Implement an upgrade and maintenance schedule to ensure network infrastructure is kept in a

state of good repair.

Senior leaders and IT managers of transit agencies should have current knowledge of security breach requirements including legal obligations, reporting requirements, and coverage. Transit agencies should follow the SANS Top 20 Critical Controls (http://www.sans.org/critical-security-controls/) to the best of their ability and applicability. However, agencies of all sizes should closely adhere to the following “dirty dozen:”

1) Ensure that all systems have a current anti-virus and anti-malware suite installed and programs are regularly updated, and ensure that virus definitions are kept current.

2) Backups are checked each business day and moved off site. Backup restoration is tested at least every other year. (See sample IT policy regarding backups.)

3) Establish a process to update security patches promptly. 4) User passwords are changed every three months, and password complexity requirements

are enforced. 5) Screen savers are implemented for users when they leave their system, and auto locking is

used. 6) Deploy a firewall configured to protect the network from unauthorized access.

Firewall rules and logs are reviewed at least twice a year and obsolete rules turned off. 7) All networks should have a web filter that logs activity, filters out undesirable content, and

also filters out known spam sites. Consider filtering out .RU and .CN domains. 8) All email systems must have an email spam filter. 9) Instruct users to delete temporary transaction files (such as those that are sent to banks)

once transmitted. 10) No open wireless networks directly connected to production systems. 11) Run desktops with limited or no administrator privileges whenever possible. Employees with

administrative privileges shall be recognized, trained, and utilize their equipment for work (no de minimus use) only.

12) Segment the network and use group policies to limit access to data/information that is sensitive and critical in nature.

Page 2 of 3

Agencies should focus on aligning IT resources with business needs. (For example, utilizing a leadership group or using standing items at management meetings.) Agencies should identify critical systems (both hardware and software) and ensure support and maintenance contracts with the vendor are kept current. This ensures expert support, or hardware replacement, is quickly available if a critical system fails.  The member should conduct annual vulnerability security scans and establish a process to review their technical environment based on those scans and these Best Practices. The member should then provide documentation of critical controls met, goals for improvement and exceptions. This documentation should be signed by the network security administrator and reviewed/signed by the senior level manager responsible for IT at the organization. This documentation will be the basis of an every other year review utilizing a third party contractor. Transit agencies should provide education and training to their users on network security awareness. Transit agencies doing online banking (deposits and transfer) and/or those agencies processing credit or debit cards should closely adhere to best practices for banking and/or PCI compliance (whichever is most applicable (see Best Practice for Online Banking). Transit agencies should adopt policies and procedures to provide a framework on how the technology resources will be managed (for IT) and expectations for interaction with the resources (for the users). Transit agencies should hold employees accountable to the policies and procedures. Transit agencies may find adopting key performance indicators for the network infrastructure to be helpful in evaluating the performance of IT managers and IT staff. IT Staffing Needs Transit agencies contracting for full IT services with an outside firm should utilize WSTIP’s contract for IT services, utilize state resources when available, and/or use WSTIP provided contract language. Transit agencies with single employee IT department should utilize an outside consulting firm or enter into interagency cooperative agreements to provide those agencies with support in the event that professional services become necessary. Transit agencies must budget for their IT employees to attend ongoing professional development courses and encourage their participation in WSTA’s IT Committee.

Page 3 of 3

WSTIP TO DO ITEMS: WSTIP to provide checklist and certification documentation, training, and possibly training on how to think through and document exceptions for this Best Practice: Network security administrators should self-certify every other year their compliance with the “dirty dozen” and SANS Top 20 Critical Controls, including providing a Plan of Action and/or explanation for exceptions. This certification should be reviewed and signed by their supervisor and general manager. WSTIP to procure contractor to help develop individual improvement plans/plans of action for this Best Practice: The member should establish a process to review their technical environment based on these Best Practices and establish goals for improvement. Audit and modify plan on an annual basis utilizing a third party. Plans should be reviewed and signed at the supervisor and general manager levels. WSTIP to procure contractor/cost retained by transit agency for this Best Practice: The member should conduct no less than every other year vulnerability security scans. More frequent scans may be needed if launching new technology products. WSTIP to provide a resource. Transit agencies must self-administer their groups for this Best Practice: Transit agencies should provide education and training to their users on network security awareness. WSTIP to provide sample policies for this Best Practice: Transit agencies should adopt policies and procedures to provide a framework on how the technology resources will be managed (for IT) and expectations for interaction with the resources (for the users). Transit agencies should hold employees accountable to the policies and procedures. WSTIP to provide catalog of key performance indicators for this Best Practice: Transit agencies may find adopting key performance indicators for the network infrastructure to be helpful in evaluating the performance of IT managers and IT staff. WSTIP to develop sample contract for this Best Practice: Transit agencies contracting for full IT services with an outside firm should utilize WSTIP’s contract for IT services, utilize state resources when available, and/or use WSTIP provided contract language. Contractor must meet or exceed WSTIP’s Best Practices. WSTIP to also provide a sample contract for on-call IT services. WSTIP to develop sample agreement for this Best Practice: Transit agencies with single employee IT department should utilize an outside consulting firm or enter into interagency cooperative agreements to provide those agencies with support in the event that professional services become necessary.

Best Practices for Online Banking 1 August 16, 2014

Best Practices for Online Banking Computers, Networks, Desktops and Related Issues

Final 2014 Version Table of Contents ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 1 Introduction / Background .............................................................................................................................................................................................................................................................................................................................................................................................................................. 2

Purpose/Goal........................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 2 Formatting Note ........................................................................................................................................................................................................................................................................................................................................................................................................................................................... 2 Usage Notes............................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 2

Best Practices .......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... 3 Overview ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... 3 Internal Control Procedures ............................................................................................................................................................................................................................................................................................................................................................................................... 4

1) Separation of Duties ................................................................................................................................................................................................................................................................................................................................................................................................. 4 2) Banking Authorization ......................................................................................................................................................................................................................................................................................................................................................................................... 4 3) Financial System Management.......................................................................................................................................................................................................................................................................................................................................... 5

Legal and Reporting Procedures ..................................................................................................................................................................................................................................................................................................................................................................... 6 Breach Notification to WSTIP ................................................................................................................................................................................................................................................................................................................................................................. 6 Breach Notification to Affected Parties................................................................................................................................................................................................................................................................................................................... 6

Technical Procedures and Practices .................................................................................................................................................................................................................................................................................................................................................. 8 1) Zero-Day Exploits .............................................................................................................................................................................................................................................................................................................................................................................................................. 8 2) Anti-Malware........................................................................................................................................................................................................................................................................................................................................................................................................................................ 8 3) Security Patches .................................................................................................................................................................................................................................................................................................................................................................................................................... 9 4) Password Control ............................................................................................................................................................................................................................................................................................................................................................................................................... 9 5) Screensavers and System Lock............................................................................................................................................................................................................................................................................................................................... 10 6) Site Firewall ..................................................................................................................................................................................................................................................................................................................................................................................................................................... 11 7) Web Filtering ................................................................................................................................................................................................................................................................................................................................................................................................................................ 11 8) Spam Filtering ......................................................................................................................................................................................................................................................................................................................................................................................................................... 12 9) Tempfile Control ............................................................................................................................................................................................................................................................................................................................................................................................................... 12 10) Secure Wireless ......................................................................................................................................................................................................................................................................................................................................................................................................... 12 11) Least Privilege ................................................................................................................................................................................................................................................................................................................................................................................................................. 13 12) Network Segregation ................................................................................................................................................................................................................................................................................................................................................................................ 13 13) Isolated Banking System............................................................................................................................................................................................................................................................................................................................................................. 14

Best Practices for Online Banking 2 August 16, 2014

Introduction / Background

Purpose/Goal

Washington State Transit Insurance Pool (“WSTIP”) wishes to address the risk of money and/or identity theft, and business disruptions caused by and/or resulting from improper or non-secure online banking operations of its transit agency members. As part of its overarching Best Practice for the Technology Environment, WSTIP is writing a procedure resource document that details best practices for online banking security. This effort focuses on smaller agencies1 and assumes the audience members are not yet PCI-compliant. This effort will assume that the SANS Top 20 Critical Security Controls are the main framework for WSTIP IT security work (and that online banking is our critical first subset). As part of its continuous process improvement efforts, WSTIP will have a team of subject matter experts (“SME team”) review and update this information periodically.

Formatting Note WSTIP will format this document as it desires once the WSTIP SME team approves the content. For now, NIS has used an existing document as its starting point, so the font (Arial 10), margins, and WSTIP header, etc., should be OK. NIS has added a footer and a field-based, hierarchical table of contents to the document, however, to ‘assist’ WSTIP in its re-formatting effort. We have also done minor indenting within the content itself to partially match the table of contents organization.

Usage Notes Items in underlined blue are hyperlinks: to other sections of this document, and to Internet URLs. Hyperlinks improve navigation in the electronic/.PDF version of this document. In addition, because this report by its very nature uses technical language and networking acronyms—and because it also serves in a tutoring capacity for smaller transit agencies—we intend and hope that its hyperlinks help its audience fill in any knowledge gaps. Most hyperlinks link to topics within Wikipedia, The Free Encyclopedia. This document assumes that all WSTIP agencies use a current2, Microsoft-centric infrastructure. In specific, it assumes that client computers run Windows 7, Windows 8, or Windows 8.1, and that servers run Windows Server 2008 R2 or newer. This document focuses mostly on external threats, though some pieces (especially the section on segregation of duties) addresses internal threats, too. The team offers special thanks to Steve Clancy for his help with the defense in depth overview, to Chris Chidley for his help with the VDI-oriented ideas for online banking and for general service isolation, and to Brent Campbell for ideas regarding compensating controls when not using an isolated online banking computer.

1 In this context, “smaller” agencies mean those agencies with one FTE or fewer IT personnel. 2 Microsoft will of course continue to update its client and server operating system server, so versions classified as current (i.e., still supported by Microsoft) will change as time moves on. For example, Microsoft stopped supplying security and other patches for Windows XP on April 8, 2014, and it will do the same for Windows Server 2003 on July 14, 2015.

Best Practices for Online Banking 3 August 16, 2014

Best Practices Earlier WSTIP work identified twelve ‘quick win’ procedures and tasks that smaller agencies could accomplish to address most of the network security issues. Because many of the quick wins have online banking implications, this document follows that structure and builds additional detail onto the quick wins that are specifically relevant to online banking. This document additionally adds several online banking-specific best practices procedures. For easier reference, this project has created shorthand ‘names’ for the quick wins and newer online banking procedures. Overview

Securing the online banking environment requires a defense in depth approach. Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. In essence, each layer of perimeter defense provides different levels and types of perimeter security to help ensure that at least one countermeasure is effective in preventing information theft or destruction. Agencies must adopt this defense in depth mindset to effectively secure the online banking subsystems and the IT infrastructure in general.

The Technical layer focuses on the many defenses outlined in the quick wins as well as higher-level best practices control frameworks such as SANS Top 20 and PCI. This document adds some online banking-specific technical controls, too. The Human layer includes clear communication between IT staff and the financial personnel involved in online banking efforts. It also includes training programs such as SANS’ Securing the Human, which can greatly increase situational awareness for agency employees.

The Internal Control layer includes such standard business best practices such as checks and balances, separation of duties, and financial monitoring to ensure that personnel and systems can prevent breaches before they occur and/or detect and react to said breaches shortly after they occur. Finally, the Physical Access layer includes such things as locking the data center and ensuring the smallest possible subset of personnel can gain entry to critical systems and associated data. Note, too, that there are overlaps between the layers. For example, good internal controls will help ensure that only certain personnel have physical access to root-level, ‘keys to the kingdom’ passwords.

Human

InternalControl

PhysicalAccess

Technical

Best Practices for Online Banking 4 August 16, 2014

Best Practices (continued) Internal Control Procedures 1) SEPARATION OF DUTIES: Whenever possible, split the tasks and privileges required for a

specific banking process among multiple people. Doing so acts as an internal control to reduce the potential damage caused by the actions, accidental or malicious, of any one individual by restricting the amount of power and influence they hold over financial transactions. This also ensures that people don't have conflicting responsibilities, such as reporting on themselves or their superiors. The objective is to eliminate the possibility of a single user being in a position where one can carry out and conceal an illicit action. Change job descriptions such that one person cannot transfer funds and delete, edit, or copy data without being detected. Instead, separate the responsibility for online banking functions into at least two roles and assign the roles to different people. Breaking up the processes to achieve separation of duties involves ensuring that the steps required to complete that process can only be completed if each step is followed, and that no one person has the power to complete the process on their own. Thus, for example, the CFO can approve the transfer, the payroll / A/P / A/R clerk can perform the transfer, and the accounting supervisor can monitor the transfer. In this case, by separating the authorization, implementation and monitoring roles, it means three people and/or three compromised systems would have to work in collusion to successfully commit a fraud. In addition to separating some job responsibilities, agencies should also separate some reporting structure functions. Per the example above, the approval, performance, and monitor roles should report to different supervisors. In a small agency with a flatter organization chart, these roles could all report to the General Manager. This will help ensure that their ability to maintain security controls is not influenced by those individuals that are part of the process being controlled. In all cases, we want to ensure that a conflict of duties does not occur which might otherwise cloud the judgment of the involved parties.

2) BANKING AUTHORIZATION: Ensure that your bank has strong access and authorization controls in place. Agencies should work to ensure that their banks have strong access and authorization controls in place. For example, banks can enforce the same types of password control as in quick win #4. Many banks also have a crude form of computer authentication and thus require users to go through additional authorization steps when using a different computer than they usually use for their banking transactions. The bank should also require that all web-based communications are securely encrypted via the HTTPS, not HTTP, protocol. In addition to the components above, multi-factor authentication can help provide better security. For example, banks can issue security tokens that work in conjunction with the authorized user to provide another layer of assurance that the person making the bank transfers is in fact part of the group that is authorized to do so. More recent examples include banks sending SMS messages to an authorized mobile phone—at the appropriate point in the transaction, the user then enters the passcode information contained in the SMS message to further prove the that user’s identity.

Best Practices for Online Banking 5 August 16, 2014

Internal Control Procedures (continued)

Agencies should also consider meeting with their bank’s management team to see what security and incident response services the bank can offer. The bank itself might be willing to enforce complex passwords, etc., for its own agency-facing systems. Similarly, especially in smaller communities, it is not unheard of for a bank to assign personnel to monitor transactions for its larger customers. Such monitoring can help in achieving the separation of duties goal and has been known to catch inappropriate transactions before the money involved is lost. Finally, US Bank has a ‘Positive Pay’ system where it will not honor paper checks from certain accounts until confirming the transaction’s validity. Finally, agencies might be able to shift some of the risk of losing money from itself to the bank. If the agency sets up its payroll account so it does not have overdraft protection, the bank cannot legally pay on a large authorized check. If it does pay on such a check, the agency itself is not liable for any reimbursement.

3) FINANCIAL SYSTEM MANAGEMENT: The agency must ensure the confidentiality, availability, and integrity of its financial, accounting, and payroll systems and data. Confidentiality, availability, and integrity (“CAI”) are the three sides of the ISACA information security triangle. There are many issues involved in ensuring CAI within the agency. As described earlier, financial systems should have their own access and authorization schemes, too. Though an IT administrator probably has root access to the accounting servers and network equipment, he/she should not have access that allows him/her to sign-on to the payroll system and hand out pay raises. A common way for hackers to steal money is to infiltrate the payroll system and create false employees. An inattentive entity then pays these ‘employees’ via an online transfer which then lands in the hacker’s bank account. Accordingly, the accounting team that manages the payroll and/or other financial systems must be ever-vigilant to look for anomalies. Each quarter, the team should review the employee list within the system and ensure that there are no incorrect records. Related, certain systems such as MAS90 have access controls at the data field level. As part of this quarterly audit, the team should verify that authorized users have the least amount of privileges required to accomplish their jobs. The team should delete access levels that are not (or no longer) necessary. Finally, the system manager should enforce password complexity here, too. Note that full PCI-compliance requires that the agency not save credit card information within the financial management system. Given the complexities of securely collecting, handling, and managing third-party credit card payment information, WSTIP recommends that agencies use a third-party vendor to process credit card transactions.

Best Practices for Online Banking 6 August 16, 2014

Legal and Reporting Procedures Upon discovering a breach, the agency must notify WSTIP and follow the appropriate Washington State laws to notify affected parties. Be very familiar with these procedures so you can respond more capably if and when the time comes. Breach Notification to WSTIP The first thing the agency should do is contact WSTIP’s Deputy Director, Jerry Spears, at 360-786-1624 (or after business hours at 360-628-3111). Explain the situation to Jerry in as much detail as possible so he can help with the response and containment efforts. Breach Notification to Affected Parties Summary of Washington State Laws and Procedures (from Perkins Coie); comes from Wash. Rev. Code § 19.255.010 et seq. and S.B. 6043 (signed into law May 10, 2005, Chapter 368) Effective July 24, 2005: H.B. 1149 requires reimbursement from payment processors, businesses, and vendors to financial institutions for the cost of replacing credit and debit cards after a breach. Effective July 1, 2010

Application. Any state or local agency or any person or business which conducts business in WA (collectively, Entity) that owns or licenses computerized data that includes PI. Security Breach Definition. Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.

Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system when the PI is not used or subject to further unauthorized disclosure.

Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: o Social Security Number; o Driver license number or Washington identification card number; o Account number or credit card number or debit card number in combination with any required

security code, access code, or password that would permit access to an individual’s financial account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Notification Obligation. Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of WA whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

An Entity shall not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity.

Best Practices for Online Banking 7 August 16, 2014

Legal and Reporting Procedures (continued)

Third-Party Data Notification. Any Entity that maintains computerized data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Timing of Notification. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notice Required. Notice may be provided by written notice; or by electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act). Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following: o Email notice when the Entity has an email address for the subject persons; o Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and o Notification to major statewide media. Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this section is in compliance with the notification requirements of this section if the Entity notifies subject persons in accordance with its policies in the event of a breach of security.

Other Key Provisions: o Delay for Law Enforcement. Notification may be delayed if a law enforcement agency

determines that the notification will impede a criminal investigation. The required notification shall be made after the law enforcement agency determines that it will not compromise the investigation.

o Private Right of Action. Any customer injured by a violation of this section may institute a civil action to recover damages.

o Waiver Not Permitted. Reimbursement from Businesses to Financial Institutions. In the event of a breach where an entity held unencrypted account information or was not PCI DSS compliant, payment processors, businesses, and vendors can be liable to a financial institution for the cost of reissuing credit and debit cards in the event of a breach that results in the disclosure of the full, unencrypted account information contained on an identification device, or the full, unencrypted account number on a credit or debit card or identification device plus the cardholder’s name, expiration date, or service code.

Best Practices for Online Banking 8 August 16, 2014

Technical Procedures and Practices As mentioned above, this document attempts to reference the ‘quick wins’ from a related best practices document. This document uses created shorthand ‘names’ for the quick wins in italics, followed by a non-italicized broader discussion where required. 1) ZERO-DAY EXPLOITS: Patch for zero-day exploits as soon as possible.

By definition, zero-day exploits are vulnerabilities for which there is not yet an available remedy. For agencies, the most realistic option in combating such threats is to monitor cybersecurity forums for workarounds and, eventually, new patches. Monitoring the Computer Emergency Readiness Team (“CERT”) blog and/or subscribing to the CERT RSS feed are good places to start3.

2) ANTI-MALWARE: Ensure that all systems have a current anti-virus and anti-spyware suite installed and programs are regularly updated. Microsoft Security Essentials, which debuted in Windows 7, is a good threat manager for client computers that is free. It is also the basis of Windows Defender (which comes pre-loaded in Windows 8.1). For agencies that can afford to spend money and thus get better anti-malware solutions, PC Magazine continually assigns its Editor’s Choice ratings to Webroot (here and here) and Norton products (here and here ). Skagit Transit currently (2014Q2) uses VIPRE 2014 as its anti-virus solution on both clients and servers. Another popular choice is Malwarebytes, which now includes root kit removal.4 Regardless of the anti-malware software solution(s) involved, the agency must ensure that it:

updates the malware signatures frequently (i.e., at least monthly on servers and automatically on clients)

applies the solution(s) consistently across all systems platforms prevents end-users from disabling and/or uninstalling the protection (i.e., through GPOs

and/or least privilege logins)

3 This procedure was not one of the original quick wins. Instead, WSTIP added it once the Heartbleed vulnerability became widely known in April 2014. Though the Microsoft-centric infrastructure throughout the WSTIP agencies meant they were largely unaffected, there will be other zero-day exploits that might affect the agencies. Accordingly, acknowledging the issue and taking these reasonable precautions will make great sense. 4 WSTIP is in the process of developing wiki-based tools so agencies can share information, tips, and configuration decisions regarding their choices for tools and solutions (anti-malware, threat managers, firewall appliances, etc.) discussed in this document. This will help facilitate a longer-term goal where the SME team can provide inter-agency support and peer review.

Best Practices for Online Banking 9 August 16, 2014

Technical Procedures and Practices (continued) 3) SECURITY PATCHES: Security patches are updated at least four times a year.

Microsoft normally provides Windows and other software updates on the second Tuesday of the month at 10:00am PDT/PST5. For client computers, WSTIP recommends applying these automatically every Monday night at 11:00pm. In effect, then, this waits one week in case there are problems with the patches (which are almost always corrected in that intervening week). For servers, four times per year is too infrequent. However, be careful re automatically applying updates to servers, and be sure to track the status of each server’s patches. Rely on the judgment of the IT team to determine which servers can receive automatic updates. Auto-updates on Monday nights should work fine on file and print servers, but applying patches automatically to domain controllers and certain application servers is NOT advised. For example, anti-virus software causes problems for Trapeze servers. Thus, because the agency cannot realistically run anti-virus on the Trapeze server, it should apply compensating controls—e.g., run anti-virus only on active shares and/or do infrequent manual scans on the Trapeze servers during ‘safe’ periods.

4) PASSWORD CONTROL: Passwords are changed every three months, and password complexity requirements are enforced. Weak passwords provide attackers with easy access to your computers and network, while strong passwords are considerably harder to crack, even with the password-cracking software that is available today. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever. Password-cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password. However, strong passwords are much harder to crack than weak passwords. A secure computer has strong passwords for all user accounts. Per the definition from Microsoft’s Knowledge Base, a strong password:

Is at least six characters long and does not contain your user name, real name, company name, or a complete dictionary word

Is significantly different from previous passwords—passwords that increment (“Password1”, “Password2”, “Password3”, etc.) are not strong

Contains characters from at least three of these four categories: uppercase letters, lowercase letters, numerals (0-9), and symbols6

Note that there are at least two platforms involved here: the Windows operating system on the server and client computers, and the online banking platform. For the Windows environment, agencies should try to ensure that all users follow these complexity requirements—e.g., it can use GPOs to enforce these requirements. Regarding the banking platform, we have added a separate banking authorization section. Note, however, that these password strength concepts also apply to the banking (and accounting) software applications/systems.

5 i.e., Update Tuesday (also widely known as “Patch Tuesday”) 6 i.e.: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

Best Practices for Online Banking 10 August 16, 2014

Technical Procedures and Practices (continued) 5) SCREENSAVERS AND SYSTEM LOCK: Screensavers are implemented for users when they

leave their system. The term ‘screensaver’ is an anachronism—unlike their 1980’s monochrome predecessors, modern computer monitors are not susceptible to image burn in. Instead, screensavers now serve a different protective service—they can automatically lock a computer from prying hands and eyes when the valid user leaves his/her workspace. Microsoft Windows includes the screensaver settings as a Control Panel applet. However, in Windows 8 and beyond, it’s easier to get to the Start window and type ‘screen saver’ (and note the space after the “n”):

Once you have started the screensaver applet, set up the two crucial components: ensure that it takes effect quickly (in five minutes or less), and ensure that it does in fact automatically lock the system. The Windows 8.1 settings screen example at the right shows how to choose the 5-minute timeout (via the Wait control) and how to auto-lock the screen (via a checkmark in the On resume, display logon screen control).

Many screensavers have other settings (e.g., rotating amongst several different pictures at a user-definable speed), but the five-minute timeout and the automatic lock are the two critical settings to make.

Best Practices for Online Banking 11 August 16, 2014

Technical Procedures and Practices (continued)

Along the same lines as screen savers, all users—and especially those with online banking roles—should get in the habit of locking their computers whenever they leave their workspace. Users should do this even for quick trips (retrieving output from a nearby printer, getting a glass of water, etc.), because one never knows when he/she might get sidetracked or waylaid during that trip by a well-meaning co-worker with an important question or two. Locking a computer is easy—simply hold down the Windows key (<> (normally in the bottom row of the keyboard just to the left of the <Alt> key)) and press “L” for lock. The computer will lock immediately, waiting for your password when you return.

6) SITE FIREWALL: An adequate firewall should be used. Firewall rules and logs are reviewed at least twice a year and obsolete rules turned off. There are several good candidate firewall appliances on the market. However, configuring a firewall properly is a moderately difficult task. Accordingly, it might make sense for an agency to use a device that one or more WSTIP member agencies have experience with and could thus possibly offer peer support. Two excellent product families would include entry-level or mid-range FortiGate firewalls from FortiNet7 or entry-level or mid-range Adaptive Security Appliances from Cisco8. The FortiGate platform in particular is a good choice because of its unified threat management focus—i.e., one appliance performs several security functions9:

stateful packet filtering firewall intrusion detection / prevention application control anti-virus anti-spam anti-malware anti-spyware web content filtering multi-factor authentication VPN

7) WEB FILTERING: All networks should have a web filter to log activity, filter out undesirable

content, and also filter out known spam sites. Consider filtering out .RU and .CN domains. The FortiGate and other site firewalls can filter web traffic based on several criteria, including the country codes .RU (Russian Federation) and .CN (China). Another good choice would be a lower-end model from the Barracuda Networks web filter family.

7 Skagit Transit (2013Q2) uses a FortiNet appliance. 8 Whatcom Transportation Authority (2011) uses a Cisco ASA device. 9 As of 2014, most vendors are moving towards a unified threat manager focus. The higher-end devices have AD ties-ins that allow per-user control for application blocking, etc.

Best Practices for Online Banking 12 August 16, 2014

Technical Procedures and Practices (continued) 8) SPAM FILTERING: All email systems must have an email spam filter.

The FortiGate and other site firewalls can filter spam very well. However, to maximize email uptime and effectiveness in general, smaller agencies would probably benefit from moving email to the cloud. For example, Google Apps (which also provides additional cloud-based applications10) costs $50 per year per user and frees the agency from running a Microsoft Exchange or other mail server. Barracuda Networks also offers a powerful and easy-to-use spam firewall appliance.

9) TEMPFILE CONTROL: Instruct users to delete temporary files (such as those that are sent to banks) once they have been transmitted. A file that doesn’t exist anymore has infinitely better security. Unfortunately, this is a difficult policy to enforce. GPOs and other tools can easily delete the temporary files that Windows generates as it runs (i.e., those that reside in the %TEMP% and %TMP% locations), but users in sensitive positions that generate these payroll and other banking-oriented data files will need special training. For example, they need to understand how to ‘clean up’ after themselves when generating any supplemental data files—e.g., information regarding bonuses, overtime approvals, etc. Such users will need to be careful to properly dispose of these files. Note that because these temporary files are considered intermittent, working copies, they have no special retention requirements.

10) SECURE WIRELESS: No open wireless networks directly connected to production systems. We recommend taking this recommendation even a bit further—all wireless traffic needs to be segregated onto VLANs that must traverse some kind of firewall or other access control device before connecting with the internal, sensitive VLANs. In addition, the agency must treat wireless devices as untrusted devices. There are many, many variables and technologies involved in setting up secure wireless networking—certificates, pre-shared keys, 802.1x, captive portals, RF monitoring, BYOD concerns, and the like. For example, computers fully and securely controlled by the Active Directory domain, the agency can use WPA2 with certificates and/or pre-shared keys to provide good security11. For uncontrolled devices, the agency can treat them like any other Internet traffic—i.e., they need to go through the same firewall filtering that any other inbound Internet traffic would use. At a bare minimum, agencies should ensure that the wireless router and/or wireless access points have the most current firmware. It is also a good idea to turn off SSID broadcasting for the non-guest access points12. The bottom line, however, is this: agencies should weigh the business benefits versus the risks involved and proceed slowly in this area. Though in 2014 it is probably no longer realistic to totally quarantine wireless devices and shunt them to the Internet with no access to the internal systems, such shunting is probably a good place to start.

10 for example, cloud storage, document sharing, and rudimentary word processing and spreadsheet capabilities 11 Even then, however, it should rotate these keys periodically, perhaps once per year. 12 Hackers can still easily locate ‘hidden’ SSIDs, but ‘hiding’ the SSID this way will discourage casual, inexperienced snoopers.

Best Practices for Online Banking 13 August 16, 2014

Technical Procedures and Practices (continued) 11) LEAST PRIVILEGE: Run desktops with limited or no administrator privileges whenever possible.

Users should receive the least amount of privileges required to perform their tasks. The principle of least privilege should also apply to administrators: they can sign-on as ‘regular’ users during the probable majority of time that they are not performing higher-security tasks. For example, the monitor role in quick win #14 needs to be able to analyze bank transfer records server log files, so he/she will need read permission, but there is no need to grant him/her write permission to those same records. The principle of least privilege applies throughout an organization right up to board level. A person's authorization rights in the system should match their tasks, not their seniority within the organization. Employees with administrative privileges shall be recognized, trained, and utilize their equipment for work (no de minimis use) only.

12) NETWORK SEGREGATION: Segment the network and use group policies to limit access to data/information that is sensitive and critical in nature. Some of the same concepts in the secure wireless quick win apply here, too. The network VLANs should reflect a security ‘hierarchy’ in the sense that only those users that ‘need to know’ should have access to the critical subsystems. Payroll and related financial systems should exist on their own VLAN(s), and a firewall should control and protect access to these network segments. Financial systems should have their own access and authorization schemes, too—just because an IT administrator has root access to servers and network equipment does not mean he/she should be able to sign-on to the payroll system and hand out pay raises.

Best Practices for Online Banking 14 August 16, 2014

Technical Procedures and Practices (continued) 13) ISOLATED BANKING SYSTEM: Isolate the online banking systems from the rest of the network.

The general idea here is to minimize the possibility of malware creating havoc with the computer by bypassing/altering the hard drive’s operating system. There are two main ways to create this hardened OS: create a live CD/DVD with a read-only operating system image, or create a VDI instance that can access only online banking functions. Compensating Controls

Note that it is impractical in some instances for the banking system users to use an isolated system. In such cases, the agency should implement compensating controls to help minimize the potential for problems. Compensating controls could include the following: The accounting system should generate the payroll file onto a shared directory with

tightly controlled access. The payroll file is the only file that can generate electronic withdrawals—otherwise the agency can cut a manual check.

The agency sends the file to the bank via FTP or via the bank’s web site upload form.

Where FTP is the method involved, the firewall should not allow outbound FTP except from the payroll machine(s) to the bank.

The bank accepts FTP traffic only from the IP address of the sending workstation. This

would require a static public address for the sending work station (probably created via NAT).

The bank discusses the transaction with the payroll clerk. If the clerk cannot confirm the

total transfer and/or other amounts, the transaction is rejected. Once the transaction has finished, the payroll clerk should delete the direct deposit file.

Live CD/DVD

The quickest way to temporarily convert your Windows PC into a hardened banking-only system is to use a live CD. This involves burning a downloadable image file to a CD, inserting the disc into your computer, and rebooting.13

13 WSTIP will create a live CD for agencies that wish to go this route. Note that they will start with a boot media-independent file that they can convert to a USB drive, CD, or DVD as required. The instructions that follow on the next page pertain specifically to a Linux-based CD.

Best Practices for Online Banking 15 August 16, 2014

Technical Procedures and Practices (continued)

Create a live CD/DVD14 that contains a bootable Linux image15. Puppy Linux is an extremely lightweight and fast version of Linux, though there are dozens of alternative Linux distributions available for this purpose. Download a copy of the latest Puppy Linux ISO file here. If you don’t have software for burning bootable images to disc, download a free copy of Free ISO Burner software here. (Free ISO Burner runs on Windows XP, Windows 7, and Windows 8). Insert a blank CD or DVD, tell Free ISO Burner where to find the ISO file you just downloaded, and let the software write the file to the disc. The next step involves telling the computer BIOS to try to boot from the CD-ROM/DVD drive (hereafter called “optical drive”) before trying to boot from the hard drive. Leaving the optical disk in its drive, reboot the computer. Pay attention to the text that flashes on the screen during the initial boot process: look for something that says “Press [some key] to enter setup”. Usually, the key you want will be <F2>, <F10>, <F12>, <Delete>, or <Escape>; sometimes you might also need to press <Shift> or <Ctrl> at the same time. Once you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you’ll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu option named “Boot”. At this point, instructions might vary a bit between different computer makes and models, but in general, hit the <Right Arrow> key until you’ve reached that screen listing your bootable devices. What you want to do here is move the optical drive to the top of the list. Do this by selecting the down-arrow key until the optical drive option is highlighted, and the press the “+” key on your keyboard until the optical drive option is at the top. Then hit the <F10> key, and confirm “yes” when asked if you want to save changes and exit, and the computer should reboot. If you’d done this step correctly, the computer should detect the CD/DVD image you just burned as a bootable operating system16.

14 Much of the information regarding the Live CD/DVD comes from Krebs on Security. 15 Do not plan to use a Windows image, as most malware used in financial attacks is built to target Windows. Windows is overkill here and has a much larger attack surface. 16 Unless you know what you're doing here, it's important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit <F10>, and select the option "Exit without saving changes." The computer will reboot, and you can try this step again.

Best Practices for Online Banking 16 August 16, 2014

Technical Procedures and Practices (continued)

Note that some newer computers have a GUI for BIOS settings. For example, in this Toshiba laptop running Windows 8.1:

one would need to select “Boot” settings at the left, select “ODD” (for optical disk drive) in the middle, and press the “Up” button at right until “ODD” was at the top of the Boot Priority Options list. At that point, selecting “OK” or “Apply” would save the change. The computer will take 1-2 minutes to boot up into the Puppy desktop, at which point it will be ready to surf the web and initiate the banking transactions. When you’re done with the banking transactions, click the Puppy start menu, and select shut down or restart. To get back into Windows, simply eject the disc and reboot normally.

Best Practices for Online Banking 17 August 16, 2014

Technical Procedures and Practices (continued)

Online Banking VDI The other secure way to isolate the online banking system is to create a VDI instance that is strictly limited to banking functions. Because all of the WSTIP constituent agencies use Windows-based client operating systems, the VDI instance will run Windows, too. And though Windows has a larger attack surface than do Linux variants, familiarity with Windows GPOs, MMC and related tools compensate for that trade-off. This diagram shows the system that Skagit Transit is implementing in Q2/Q3 of 2014:

The general idea is that the authorized user(s) accesses the banking VDI instance only when transferring funds, performing reconciliations, and similar. These direct deposit and related functions thus occur on a virtual workstation that has no Internet access except for the bank site needed for the direct deposit. The network wide content filter blocks all social media and other unnecessary functions at the application level and web browser level. GPOs pare down the standard user interfaces, and the instance enables zero access to any extraneous applications. Any required data files (payroll manifest, etc.) reside on a secured Windows share, and the user deletes such files once they have served their purpose. Using the VDI workstation removes the need for USB drives and OS-image CDs. As with the live CD, however, the virtual machine reverts back to the vanilla default state when the user logs off. As of April 2014, Skagit Transit is almost fully converted to using VDI. Among other benefits, this means that the user must log into a virtual desktop that is assigned to his/her group before he/she can run his/her applications and documents. Thus, for example, accessing less secure functions such as social media requires a temporary login to the relevant virtual desktop. Like the payroll/banking desktop, the social media desktop is stripped down to the bare minimum functions it needs to accomplish its tasks. Note of course that IT must keep the anti-virus/anti-malware software on those dedicated VMs updated—just like on any other workstation.

MEMORANDUM

To: Executive Committee and Board of Directors From: Ronald A. Franz, General Counsel Subject: Coverage for non-monetary claims Date: June 12, 2015

Introduction

The Pool’s General Liability (GL) policy and Public Officials Liability (POL) policy cover claims for monetary compensation. They do not cover claims for non-monetary relief. Our Bylaws empower the Board to determine the coverage offered by the Pool. The Board has never debated whether the Pool should provide coverage for non-monetary claims and, if so, for what types of non-monetary claims. The absence of coverage for non-monetary claims is a legacy from the old commercial insurance policies that the Pool used for templates for its coverage decades ago. This memorandum discusses what the Pool presently covers and the varieties of non-monetary claims it does not cover. It discusses the considerable latitude in the Board in deciding the scope of coverage.

What we cover

The Pool covers claims for monetary compensation from, for example, bodily injury and property damage from a traffic accident or lost wages from a wrongful employment termination. Scores or Washington cases and other sources discuss “damages.” One such discussion is found in 16 Wash. Practice, Torts (3rd Ed.) at section 5.1:

The guiding principle of tort law is to make the injured party as whole as possible through pecuniary compensation. Washington courts apply the traditional rule in tort cases. Simply stated, a plaintiff is entitled to that sum of money that will place him is as good a position as he would have been but for the defendant’s tortious act. [Citations and footnotes omitted]

What we don’t cover We don’t cover any claims or suits other that those which seek monetary compensation. The GL policy covers damages from bodily injury or property damages. It has a specific exclusion for “fines, punitive damages, or exemplary damages.” The POL policy, in general terms, covers damages from errors or omissions. It has specific exclusions for:

(1) “cost, civil fine, penalty, or expense” imposed by a governmental enforcement agency; (2) condemnation or inverse condemnation; (3) “deliberate violation of any federal, state, or local statute, ordinance, rule, or regulation”; (4) “demands or actions seeking relief or redress in any form other than monetary damages . . . [or] any adverse judgment for declaratory relief or injunctive relief . . . or for punitive or exemplary damages. . . .” Here is a partial list of complaints or actions not covered by the Pool: 1. Public disclosure violations; 2. Open public meeting act violations; 3. Election law violations; 4. Declaratory judgments; 5. Injunctive relief; and 6. Statutory provisions that allow for damage multipliers, e.g. consumer protection act,

wage and hour law violations.

Legal considerations The Board has great latitude in the breadth of coverage it provides. However, at some point public policy considerations come into play. You could not, for example, insure payment of a fine in a criminal matter. To do so would undermine the intended punitive sting a fine is intended to impose. If you wanted to insure the payment of the “civil penalty” for a violation of the Open Public Meetings Act or the monetary award for a violation the Public Records Act, I would want to do additional legal research to be sure you are on solid legal footing. With respect to the reach of public policy and insurance our Supreme Court said in Boeing v. Aetna Cas. & Sur. Co., 113 Wn. 2d 869, 876, 744 P. 2d 507 (1990): “Washington courts rarely invoke public policy to override the express terms of an insurance policy.” Washington case law clearly allows insurance for punitive damages and for intentional torts.

Some thoughts You may want to do a lot, a little, or nothing. For those complaints or suits that provide for some sort of civil penalty like the Open Public Meetings Act, you could cover defense expenses but then require that the insured pay the civil penalty. If you wanted to leave coverage the way it is but thought on occasion our coverage is too inflexible, you could change the coverage appeal process in the Bylaws. Currently a denial of coverage by the executive director can be appealed to the Executive Committee. You could change the Bylaws so that the committee, in its discretion, could allow coverage if it concluded a strict application of policy language resulted in undue burden or unfairness to the member. No matter what you eventually do with this subject, I look forward to your debate.