Cybertraps Podcast

In this panel discussion from the Inch 360 Conference, cybersecurity experts explore the intersection of compliance, insurance, and risk management. Moderated by Maria Braun (Baker Tilly), the panel features Casey Wheeler (Marsh McLennan Agency), Dan Brown (CISA), and Deb Wells (BECU).

Key Topics Covered:

The Compliance vs. Security Myth
  • Why having SOC 2, ISO 27001, or PCI-DSS doesn't automatically mean you're secure
  • How to move beyond "check-the-box" compliance to holistic risk management
  • The importance of building security in, not bolting it on
Cyber Insurance Essentials
  • Top 5 controls insurers look for: MFA, comprehensive backups, email filtering, security awareness training, and wire transfer verification
  • How insurance underwriting works and what carriers assess
  • Why you should contact your carrier FIRST during an incident
  • Common policy pitfalls: waiting periods, coverage triggers, and business interruption terms
Effective Risk Management
  • How to run meaningful tabletop exercises (not just compliance theater)
  • Why you need to include the right people: IT, legal, HR, facilities, and your insurance carrier
  • The importance of making cybersecurity a daily habit, not a one-time event
  • How to quantify risks and prioritize using heat maps and business impact
Third-Party Risk

  • Why outsourcing doesn't transfer all responsibility
  • The growing importance of vendor risk management
  • How downstream attacks can impact your operations

We’re thrilled to be sponsored by IXL. 

IXL’s comprehensive teaching and learning platform for math, language arts, science, and social studies is accelerating achievement in 95 of the top 100 U.S. school districts. Loved by teachers and backed by independent research from Johns Hopkins University, IXL can help you do the following and more:
  • Simplify and streamline technology
  • Save teachers’ time
  • Reliably meet Tier 1 standards
  • Improve student performance on state assessments
🚀 Ready to see why leading districts trust IXL for their educational needs? Visit IXL.com/BE today to learn more about how IXL can elevate your school or district.

What is Cybertraps Podcast?

We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!

Welcome to the Cyber Traps podcast.

This is Jethro Jones.

I am on location for this episode at the Inch 360 Conference and these are panels from that conference, uh, that I think are just really interesting and I hope you enjoy them.

For more information about this organization, go to inch360.org.

Speaker 3: Maria Braun is going to be our moderator.

So, Maria has worked in public accounting since 2011, including managing compliance for a Fortune 500 cloud technology company.

Currently, she is a principal with the Baker Tilly cybersecurity consulting team, providing compliance and consulting engagements for clients with SOC examinations, ISO, PCI, and HITRUST.

She's one of the few people that I know that is deep into compliance and regulation and still has a smile on her face.

She runs a big team, is extremely knowledgeable, and I will let her introduce the other people on the panel.

Maria Braun: Excellent.

Well, thank you very much, and I think we're missing Debra, who's on her way.

Perfect.

Yep.

I think we'll go ahead and get started.

That was a fantastic keynote by Kane.

I think it leads quite well into our panel.

I would love for maybe Casey to get you introduced and then we'll round robin.

Perfect.

Casey Wheeler: Hi everyone.

My name is Casey Wheeler.

I'm with Marsh McLennan Agency, so specifically focused on the cyber insurance side of things.

I'm from Boise, so, just a little bit of a flight over, but pretty close to here.

So excited to talk to you today about the cyber insurance side of things and how that relates to the audit side.

Dan Brown: My name is Dan Brown.

I work for the Cybersecurity and Infrastructure Security Agency.

Our mission is to reduce risk and improve resilience for critical infrastructure, which includes both public and private partners.

We're federally funded and offer free services, so if you have any questions, lemme know.

Deb Wells: Hi, Deb Wells again from BECU.

I'm a director of the cybersecurity projects team and also an adjunct professor at Central Washington University in the cybersecurity and digital forensics area.

And a fun fact.

Did we all do fun facts or no?

No, go for it.

Oh, fun fact.

That was the most important thing in the panel I thought.

I'm just joking.

So for me, I have a ranch in Montana.

It's not the Dutton Ranch, but it is the brain donkey and it takes most of my time when I'm not working.

Dan Brown: Fun fact, I am a Spokane native.

I was born at Sacred Heart, have lived here my entire life and haven't left, and I'm proud to still live here.

Casey Wheeler: I guess a fun fact for me is I really enjoy drawing and art when I'm not doing the cybersecurity side of things.

So very creative, I guess in that aspect.

Maria Braun: This is great.

I think in all of my career, I don't know if I've ever met creative cybersecurity folks, so I think that's fantastic.

Well, I think Kane has really done a great job setting the stage with his keynote.

What we are seeing as an industry is definitely an uptick in cybersecurity activity, a heightened lens on how we are evaluating our cybersecurity posture and what we're doing, between CrowdStrike issues, Change Healthcare issues.

You know, in all of the recent events in the last few years, our understanding and appreciation of cybersecurity risks I think is changing.

So my first question to the panel is: how do you anticipate our cybersecurity tolerance and posture are changing for organizations, or how do you think they will change going forward?

Dan, would you like to start off.

Dan Brown: Sure.

I'll go ahead and talk about cybersecurity insurance briefly.

I think that it is going to encourage us to do the right thing and do at least best practices, and where you didn't have buy-in previously,

I think it's going to move that forward.

I also think that the requirements and the dynamics of cybersecurity are going to change dramatically, both with AI for good and for bad.

So that's my comment.

What about for you, Deb?

Deb Wells: So I'm thinking that for like cyber insurance and all these, the risk that's not just a cyber risk or an IT risk is gonna involve more communications with the business side.

It's gonna almost force it.

Because before you were siloed, maybe in the basement.

No pun intended.

And you're doing your you're blocking us.

We can't do our work.

We can't do our work, but it's going to prompt us and force us to go out and say to the business, let's tell a story and let's share with you what these cyber controls are really doing for the business.

And I loved Kane's speech about that and the misconceptions that it's a cyber risk.

It's a cyber risk.

No, it's a business risk and we can't just buy insurance.

To take care of it.

We have to really buy into it and make it part of our life.

'cause they always say cybersecurity is everybody's business.

Maria Braun: Yeah.

Oh yeah.

I think, Casey, with you being in the cybersecurity insurance business, in addition to what Dan and Deb are speaking to, from an insurance lens, how do you think the landscape is changing?

In my 15 years when I started, nobody had cybersecurity insurance.

That was just not a concept.

I think E&O, general liability insurance, that was certainly something that companies had.

Nobody had cybersecurity insurance and now everybody's trying to make sure that they have cybersecurity insurance.

So from your industry perspective, how are things changing and how would they continue to change?

Yeah.

Casey Wheeler: Yeah, I've definitely seen things I mean change a lot on the cyber insurance piece of things.

And I think with just the different events that we talked about that we're seeing, I think organizations are really taking a closer look at what their insurance actually entails and understanding really how that incorporates with their overall cyber risk management strategy.

I think there's really a large disconnect right now between the business people that, that we talked about and the cybersecurity side of things.

And in my opinion, the insurance is kind of bringing those two parties together. Typically in insurance we're really talking to business leaders and people on that side of the house.

But we're really having to bring in the IT, the cyber professionals, to really talk to, hey, what are you doing around your security controls?

What Kane's talk really talked about is, hey, it's not just really the technical side, it's the business side and really how both those work together.

So I'm really seeing that as a bridge.

And then really people reassessing what their insurance looks like in relation to their overall cyber risk management programs, seeing a lot of people look at, hey, what limits should we have for our insurance?

Where before it was kind of, Hey, we know we need this, but we don't really know kind of how much we should have or what we should have, what that really looks like.

So there's just a bigger microscope on that.

Maria Braun: Let's talk about a common myth.

Compliant equals secure.

I am a company, I have a SOC 2, I have an ISO 27001.

I may do PCI DSS.

Does it mean that I am secure from an insurance perspective?

Casey Wheeler: Yeah, I think that, I mean, I was really excited to be on this panel today and kind of talk about the crossover between the audit and the insurance since I think there's more of a crossover than people might think or realize.

A lot of what we're doing on the cyber insurance side, as we're helping organizations complete applications, really what that is, it's a risk assessment, is all it is.

With that, I work specifically on the brokerage side as far as the insurance side of things.

So what I do is help organizations convey what they're doing around their cyber risk management practices to the carriers that we work with on the insurance side.

So really those kinds of things like audits and being able to say, hey, we have X, Y, and Z compliance.

That really gives me the materials that I need to go over to our carriers and best advocate on the organization's behalf of, hey, here's what they're doing on their security and here's why we could look for better terms, better pricing.

As far as when we look for the transfer piece of things and how that relates to the comprehensive risk management piece.

Maria Braun: Dan and Deb, what about from the cybersecurity point of view?

Deb Wells: So, that was a great question and a great answer, because I was 21 years in the Air Force and I was an inspector general for a portion of that.

So I understand audits, I understand inspections.

I understand that they're necessary.

Could you pencil whip it maybe, and tell you how to breach.

You don't want to pencil whip it.

So if you have insurance and you have internal audit and you're working basically off the same sheet of music, you're trusting, but you're verifying, right?

Let's trust and make sure these controls.

Maybe it's not a pen test, but let's go through it.

Does everybody in cyber know?

That's the other thing.

Have you communicated to everybody else in cyber that these are our controls, this is what we follow.

We don't cut corners and we want our insurance to maybe go down.

And this was a question I was thinking of, Casey: is it almost like health insurance, right?

Everybody in here probably has health insurance.

Maybe your policy is if you work out, you eat good, you have low cholesterol, you don't smoke, it's gonna be lower.

So maybe if you can prove to the insurance companies that we use these mitigating controls, we use defense in depth, we do all these things.

Maybe we could get a lower cost premium or something like that.

Dan Brown: Dan.

So, to your point, compliance does not equal security, right?

And the problem with compliance is there's a specific focus, and whether it's HIPAA or PCI or GLBA or whichever one, there's a specific focus for that compliance.

And it doesn't take a holistic approach of the entire organization.

You know, that's where it can be useful to use a framework, whether it be NIST or CIS or something and just try and look at everything.

And don't do check-the-box security; do, you know, best practices and consider that.

Maria Braun: I like that you mentioned check the box security.

I think a lot of organizations fall into let's do check the box compliance.

Let's get through this audit.

Let's look at this very narrow scope, but we're not considering holistic, overarching risks that really the industry they may operate in or any external factors present.

How do we as leaders move away from check-the-box compliance and start looking at cybersecurity posture, resiliency, continued operations?

Dan Brown: I think it's important to just consider building security into all facets of your organization.

You know, from the purchasing side to you know, day-to-day operations.

Just make sure and consider it with everything you do and embed it in your practices.

Deb Wells: Just real quick on that, it's great because we have a mantra at BECU, we want cyber built in and not bolted on.

And so that was the whole impetus behind the new team that I have the honor of leading: we get to be out front with those big projects and things like that that the credit union is putting into place for our members, and we're making sure that we're not bolting it on.

I always use the analogy of buying a car, right?

Well, we can put the remote start on later, or we can put Bluetooth in later, but it might work, it might not.

It's a little clunky, but if you can get it when it's original from the factory, it's built in and it seems to be smoother.

So that's kind of our mantra.

Maria Braun: Casey, what about from the insurance lens?

Casey Wheeler: Yeah, I think that there definitely is from the insurance standpoint, also a check the box mentality.

I mean, we talk about a lot of regulation and how are you meeting your compliance as part of the underwriting process.

But a lot of it too is, hey, what are those controls that you have in place for your organization?

And these applications essentially kind of have a list of, Hey, are you doing X, Y, and Z?

And a lot of times when I talk with organizations, it's, hey, you don't need to be meeting every single one of these if there's an actual business case for why you're not meeting this; maybe you have some other compensating controls for what you're doing instead.

I think the insurance side especially can be very check the box when we kind of give these applications.

But I think it honestly goes back to, I mean, what we were talking about in the keynote today, just around a comprehensive risk management strategy of, Hey, how are you incorporating your business requirements into your cybersecurity strategy?

You know, you could have the best controls on something that's not really going to matter to your organization, and that's not really gonna be the best use of your budget, your time, and really help protect your actual organization.

So to me it really goes back to, to what we talked about in that keynote.

Maria Braun: For those of us in the room who are not familiar with cybersecurity insurance underwriting, tell us briefly about the process, as well as some of the internal controls that you look for as they relate to security and cybersecurity, to be able to underwrite a company.

Yeah.

Casey Wheeler: So yeah, really what the underwriting process is, and for those of you who aren't as familiar with the insurance terminology, essentially that's when these different carriers that we work with are really assessing an organization's cybersecurity to determine what kind of premium they're going to offer, or what the pricing looks like, and what terms they're willing to offer on the insurance side of things.

So really what that process looks like is, it's gonna be very similar to a lot of the different frameworks that we look at and different regulatory compliance that we look at as well.

There's a lot of overlap between those things.

Typically we see questions around MFA for remote logins, for critical applications, anywhere that sensitive data is being stored, things like that.

There's a lot of questions around your backups of, hey, how are you actually going to restore from backup if you had some kind of cyber incident?

They're wanting to know, hey, if you experience a cyber incident, what exactly is that payout going to look like? So they're going to ask some questions like that around the security controls.

They're also going to ask, you know, what's your organizational revenue, to get a better idea of what that looks like, the industry that you're in, to better understand what potential losses you might face.

And then also really just how much sensitive data that you're holding since it's gonna be a different risk for a healthcare organization with a hundred patients versus someone that has a million patients.

So those are kind of really the big things that they look at on the underwriting side.

Maria Braun: This is great.

Dan and Deb, a question for you.

How do organizations manage the uptick in demand when it comes to going through the various audits, going through the insurance underwriting process, managing the risks internally? What are some of the tips and tricks that you've seen in your careers to be able to do that effectively?

And for the better of the company?

Dan Brown: I would say preparation and preventative measures.

You know, do tabletop exercises; do you exercise the plans that you have?

So don't just wait until it's time to do the audit or whatever compliance requirements there are.

You know, make sure you're constantly reviewing what you have and you know, simulating breaches, whatever it might be.

So

Deb Wells: Another thing that I've learned through my years, you know, in the Air Force and at BECU, is you make it a daily habit, right?

You make it your hygiene, kind of like you get up, you take a shower, you brush your teeth, all those kinds of things.

You make it hygiene and you try to gain efficiency where you can.

So if you're having an audit and you can do a tabletop, you could take the results, maybe you could put that in your upcoming insurance policy and things like that.

So I really like to be efficient because I like to do so many things.

I don't have time to be this, and this.

So let's gain some efficiencies by putting things together where we can.

I love the tabletop exercises.

I mean, I guess that's kind of in my DNA, but it's good to do that, to run through it.

So when a bad day happens, emphasis on the when, you're not scrambling: what do we do?

Where's this, where's that?

You've run through it enough where yes, there's gonna be chaos, there's gonna be the fog of war, but you are going to be able to get through it because you've exercised it.

You do that muscle memory every day that you're practicing your good cyber hygiene through the controls and things like that.

Maria Braun: Let me ask you, in your opinion, what makes a great tabletop exercise?

I've seen way too many tabletop exercises when it comes to disaster recovery and incident management in my career that are done to satisfy a compliance requirement.

They're not necessarily an effective scenario that has a what-if.

Talk to me in your opinion, what makes an effective and useful tabletop exercise?

Dan Brown: I would say an effective and useful tabletop exercise includes a scenario that's specific to your organization, and it's very important to make sure that the people that work through and design the tabletop exercise are not part of it directly, because it's like they know the answers to the test.

You know, it's like, well, yeah, we'll do this. And no, I've been in them many times, and you just try and include part of the IT organization in the design, but not the entire IT organization.

So they're involved and can off the cuff say, okay, we probably should do this, but they won't know the entire scenario.

Deb Wells: And then, I mean, the only thing I really could add to that is you don't wanna fairy dust it.

That's what we talked about in the military.

You don't wanna fairy dust it.

You wanna try to be as authentic as you can of a real attack, because you can assume that we're gonna simulate this.

We're gonna simulate that you have the capability and the capacity and the personnel to do it.

Don't fairy dust a breach.

Don't fairy dust.

Somebody clicking on a link and starting it out.

And you go through your processes.

Your playbooks play by play.

You know, in the Air Force, the pilots always have a dash nine on their knee.

It's their checklist.

They probably know it by heart, and probably our SOC at BECU.

I know they know it by heart, but by golly they'll take their checklist out and go line item by line item.

So you don't miss things.

Don't, in a tabletop, think, oh, we don't need to do that.

Go through it.

Everybody together says, yep, we can.

We don't need to do that in this case.

But you have that.

Once again, that muscle memory.

Dan Brown: I'm gonna make one more quick comment.

Please do.

And it's important to include the right people.

I mean, depending upon the scenario, if it's physical, cyber, cyber-physical convergence, include facilities, maintenance, maybe your legal team, HR, finance, whatever's appropriate.

Make sure you have all the right people in the room.

Casey Wheeler: Yeah.

With the tabletop exercises as well.

Something I'll say that I think organizations are starting to do, but not enough are doing, is really incorporating their insurance into that as well.

So really understanding, hey, who are you contacting on the insurance side and how does your response play into the claims process on the insurance side? It's something that I talk to a lot of organizations about when helping put these insurance solutions in place: hey, I'm not just giving you a piece of paper, but let's actually make sure you know how to use this when the time comes and how that relates to the other processes that you've put in place.

So something that I tell a lot of organizations is, hey, contact your carrier first.

There could be a lot of just kind of miscommunications between organizations and their insurance carrier, and that can help with clearing things up and making sure that things are covered when that does happen, as well as making sure that you know what resources you might have available to you.

On the cyber insurance side, a lot of people might not really realize there's a part to cyber insurance that's financial indemnification, but a lot of it is helping you with the resources that you need to respond to an incident.

So being able to actually know what that looks like and incorporating it into your incident response plan is something I'm very passionate about.

Maria Braun: From the insurance lens.

When you're underwriting a company, what are the top five controls, internal controls that you're looking for?

Casey Wheeler: I would say MFA is a really big one.

And not just for email: remote logins, all that kind of stuff. That's still something where if we don't see organizations have that in place, it can be really difficult to find them coverage, or just find them good coverage.

I'd also say just comprehensive backups is a very big thing as well.

Not just having backups, but making sure that you're actually testing those backups in your tabletop exercises, your incident response planning, making sure that you're actually able to recover from those, that they're segmented from the rest of your network.

All those good things.

Email filtering is also a big thing that, that we look at.

Just, Hey, are you actually filtering out potential phishing emails?

Things like that.

What's your security awareness training?

That's another big thing.

As far as, hey, how are you actually educating your staff around the different cybersecurity risks that you're seeing?

And then, I think that's about four things.

So probably really the fifth thing I would say is, yeah, passwords are a big thing too.

I mean, there's a lot of different things I could go into.

But really a big thing would be like wire transfer practices and really what those procedures look like.

Do you have some callback verification, actually calling to make sure who you're sending funds to is the person you intend to send funds to?

That's a really big thing.

And that's something I'm helping organizations with, around just processes for how you're actually sending funds and how you're verifying that who you're sending them to is who they say they are.

Maria Braun: This is great.

Dan, what about from your standpoint?

Dan Brown: Well, I will just say, when you talk about clawback, it's important to remember you have to be very timely.

I mean, if it's within a defined amount of time, sometimes you can get your money back.

We've had some ACH fraud that's occurred, and you know, if it's within 48 hours, a lot of times they can claw back.

From my side, a lot of what you named: you know, password policies, asset inventory. Do you know everything that's on your network, every device that has an IP? That's important so you know what to, but yeah, our list of the top four or five is pretty similar to what you described.

Maria Braun: Deb, what about for you?

Sure.

Quick.

Casey Wheeler: And I think that's just a good thing to point out: hey, there's a lot of alignment.

What we're requiring on the insurance side is really just best practices, and something that I think a lot of people see as, hey, this could be a barrier to getting insurance, but there's really a lot of resources, like CISA, to help organizations really put those things in place and have a good strategy around cyber.

So, just wanted to add that.

Deb Wells: I, you know, agree with the other panelists, basically, on the top five controls: the MFA, the password protections, looking at network segmentation, the policy of least privilege.

I don't need administrator accounts for anything.

Why does everybody have it?

So those are the top three I can think of off the top of my head.

And then you talk about, once again, the communication and the education piece, and also with the education piece we found, and this kind of goes, Heather, in your lane with Drip7 and things, is you try to make it fun, 'cause cyber isn't fun.

Although I love it.

But it can't, for other people, they're just, once again, blocker, blocker, blocker.

But you give it some teeth if they keep messing up, or maybe not teeth, like you're in trouble.

But you give them education on whatever they did wrong: they clicked on a link and it was a phishing link, and it comes up and says, you did this and this, and here's what you need to look for.

So you have that constant education piece, and correction when they do mess up and click something.

Maria Braun: I'm glad you brought it up, Deb.

That was actually where I was going to head to.

Especially with the use of AI, the attacks are becoming fairly sophisticated and quite creative.

So I think the education of the end users, even though we have all of these robust internal security controls in place, is still critical to make sure that our environments are secure.

Whenever organizations go through the insurance requirements, the various compliance-related activities, from either external parties or internal audits, or even federal agencies, depending on the industry that they're in, it can certainly be a daunting task and it can be overwhelming.

How do you think organizations could or should manage the rigorous demands from the auditors, insurers, any other outside parties to make sure that they're prioritizing the cybersecurity needs?

Dan Brown: So I would say make sure to include the appropriate people in the organization.

You know, I've seen it in many organizations where the IT folks, we kind of alluded to this earlier, the IT folks don't necessarily know everything about the cyber policy, because that's a business side of the house thing.

But you know, cyber risk is business risk.

So you just need to make sure that you talk to whatever area is involved in that.

Make sure the cyber folks know what benchmark they're trying to hit.

You know, make sure and ask if what you are considering compliant with the insurance requirements actually is.

It's like if someone says, okay, we're doing this as a compensating control and it really is secure, run that by your insurance folks and make sure that it's acceptable.

Deb Wells: Once again, great question.

Sometimes hard to do, because with so many things going on, the business side is like, well, we gotta do this, we gotta do this, we gotta do this.

We don't have time for you.

You know, the nice thing about our CIO and our organization is we have a stop button.

If somebody's trying to run with scissors, we always say they're running with scissors.

And we say we do have the capacity to hit stop.

And then we try to get the steps to us, right?

How do we get you there securely?

You may say, well, or they may say, that's in the lower environments, that's a test environment.

Nobody cares about that.

Yeah, tell that to SolarWinds, right?

But you do need to look at it from a holistic perspective, communicate, and then be able to say no, or let's get you the steps to yes, unless it's illegal, immoral, unethical, or not secure.

So that's kind of one way to do it, because there's so much coming at us from every single angle.

We have the AI, we have the insiders, we have the outsiders, we have all these threats, that we have got to keep our head on a swivel and be looking for them all the time, and be creative and, once again, be efficient.

Casey Wheeler: I mean, totally agree, and just love all the different perspectives that we have as a panel too.

But yeah, I guess prior to coming into the insurance side I used to work at a SOC, and so really bringing that into the insurance side, I would say it's been really interesting working with insurance people, because they really understand risk and they understand risk management, and they understand how to do that on a wide variety of different risks.

But as soon as we talk about cyber risk, it's, oh, hey, that's super technical.

Like, I don't know anything about that.

You know, why are we responsible for insurance around that?

But I think that in insurance they really understand the risk management piece.

And that's really where we need to go back to, just around these competing priorities and understanding, okay, what are we trying to protect?

You know, what tools, resources do we have to protect that?

You know, going back to the keynote today I feel like that just really teed things up really well, just around comprehensive risk management of, Hey, you need to actually know what devices you have in your organization, what sensitive data that you have.

Going back to that and really being strategic with your business priorities, your cyber priorities, and really aligning that and having a good strategy moving forward can help you best align those different competing regulation and insurance requirements that you're really trying to comply with.

Maria Braun: That's actually a great point because in the world of competing priorities that we live in, there's a common debate as to whether organizations should invest more into preventative controls or into cybersecurity insurance policies.

So, in your different opinions, how do the organizations strike the right balance?

Dan Brown: I think it's important to try and wherever possible quantify it.

And if you can quantify it, then it's easier to prioritize.

So if you can quantify the risk using calculations, you know, impact times probability, and see if it's gonna happen or is likely to happen, then I would allocate your resources there, to those high risk areas that would have the most impact on your organization.

Yeah.

Deb Wells: I agree with you, Dan, on that, because you have to look at a heat map, although, Casey, he had his heat map.

I love heat maps, because especially if you can kind of figure out, okay, the impact is going to be very high, the probability is very high, and you can show that with more than just a blip on the screen.

But you can have some numbers, you can have some other data points that you can share with the business to say this is what we don't want.

We don't want this to happen.

We can mitigate some with insurance, but let's not rest our laurels on insurance, just because, as we heard from the guest speaker, it might not pay for all those other things.

Plus it won't pay for your reputation.

How many of you remember the Target breach?

Right?

I still kind of like cash at Target.

I kid you not, or TJ Maxx or those, because that sticks, right?

The reputation is a cost that, like the old Visa commercials, it's priceless.

That's priceless because it's trust.

And one of the things at BECU, our main thing, is our trust.

Our members trust us.

And so if you lose that, not good, so don't rest your laurels on insurance.

But yeah, maybe have a balance between the two.

Casey Wheeler: Yeah, I fully agree, just around the balance perspective.

Insurance is a great tool, but it's not really a substitute for having comprehensive cybersecurity controls.

It's really about taking a balanced approach, and like you talked about with reputational impact, it's something that the resources and financial help that insurance provides can help respond to, and help with, like, reputational impact, but it's not going to completely save you from that reputational impact that you have.

So really having a balanced approach to what we talked about, the three ways you can manage risk: mitigation, transferring of risk, and accepting that risk.

It really comes down to having that comprehensive strategy that we've been talking about for your organization, and really understanding the different threats that you might be facing in your industry for your organization, and making informed decisions on what's the best fit.

Dan Brown: And another thing we talked about when we met the other day was you could consider like an incident response retainer.

So that's an insurance, or that's something that assists you if you actually do have a breach.

If you know that you have someone that will contact you or assist you within four hours to try and mitigate whatever incident you have.

That's another thing that you can kind of quantify and compare with the cost of insurance.

So do you have more insurance to cover that, or do you keep your insurance at the same level and then add an incident response retainer?

Just something to consider.

Deb Wells: One other thing on that, and that we haven't touched on, which is very popular these days: our third parties, the vendors, the SaaS solutions that a lot of people do because they don't want to, they can't do it in house, or somebody is doing it better.

Why not?

What are their mitigating controls?

What are their insurance, do we just, oh, do we transfer that risk to another one?

I teach a risk management class, and that's one of 'em.

The students are like, well, just transfer it over to a SaaS solution or to an insurance one.

It's like, you don't just transfer the risk even though, you know, an insurance company's name's on it, or a third party's name's on it, you just can't transfer it.

So don't forget those third parties.

Casey Wheeler: I'd like to add something.

Please do. Fast, about the third party, since that's something that I hear a lot too, around,

Oh, well, we don't need to worry about this.

We have a bunch of third parties, like they'll take care of this on our behalf.

Like, this isn't something that's going to fall back on us.

So it's definitely a common misconception a lot of people have of, hey, I outsource some of these things, so I really don't have responsibility if something happens to that data, if something happens with that service.

And I think really comprehensive third party risk management is super, super important, especially with the different attacks.

Kind of going back to some of the things that we've seen, you know, with different attacks really having a downstream impact on organizations: understanding, hey, how are your vendors actually supporting your operations, and what does that look like when a key one of those goes down?

How are you going to continue your operations?

Do you have alternate vendors that you're really going to?

What does that look like?

That's super important as well.

Maria Braun: And before we transition to the Q&A, we would love to get a couple of questions from the audience.

What I would like for the three of you to quickly touch on is, in the next five years, how do you think cybersecurity risk management will change?

Casey Wheeler: I guess I could start.

I really just see, from the insurance perspective and how that plays a role in cyber risk management, just more knowledge and emphasis and education around the insurance piece of things.

And I just see it really becoming more of a conversation that we're having, and how it fits into comprehensive cyber risk management, and not just a, hey, this is something that the business side of people focus on, but really, how does this relate to our overall cybersecurity strategy?

I also just see a lot more conversations, I mean, just about, like, third party risk management too.

That's something that we're having a lot of conversations on in the insurance space specifically, too.

We're seeing a lot more organizations requiring third parties that they work with to carry a certain amount of cyber insurance.

And that's something that, you know, I don't see going away either.

So really, I see a lot of organizations pushing back of, well, how are you actually quantifying that we should be required to carry 5 million in limit for our insurance, or 10 million in limit?

So I think just more of those kind of conversations and really digging into what does our insurance cover?

How are we determining how much insurance we should have and how does that fit into our overall cyber strategy?

Maria Braun: That's great.

Dan, what about for you?

Dan Brown: I see the requirements likely becoming more well-defined and stringent.

I mean, it will be, I hate to say checklist, but there will be specifics that are required.

I think that cybersecurity insurance, even now, it's not optional.

But moving into the future, it will become much more prevalent.

The business side will be more involved, and especially as we see more and more smaller organizations get hit, I think it will be a lot more mainstream.

Deb Wells: I guess five years.

It's hard to look in a crystal ball and really see what's gonna happen, but we kind of see the writing on the wall, right?

With quantum computing.

Some of the bigger, I think, I can't remember who, which, and I'm sure one of these smart students out here knows, but is it Google that's causing their certs, the certs are gonna have to be, you have to renew them like every 22 days eventually, or something like that, the cert renewal.

You can't be complacent.

And that's the biggest thing, is don't be complacent, because the attackers aren't. They want what we have.

They want our data, they want the money, they want that.

And I think the other part of it is, I think as more and more people, hate to say it, get hit personally with identity theft or something, 'cause show of hands, how many of you have all had some sort of, you don't have to, but how many of you have been hit with some sort of a credit card or identity thing or something like that?

Quite a few of you have.

The more that happens, the more it resonates.

It's closer to home.

'cause it's your own stuff.

And so for cyber professionals, that's gonna mean a lot, because that means that you have more of a, it touches pretty close to home.

I'm going to not click on that, I'm gonna double check, I'm gonna do these things, because I know it happened to me.

Maria Braun: Thank you.

This is fantastic.

Do we have any questions from the audience for our panel?

I wanna work as a runner.

Dan Brown: Excuse me.

I'll just make another quick comment.

Make sure that everyone reads their policy and actually understands it, because a lot of people don't know what it says.

Casey Wheeler: Agreed.

Agreed.

Please actually understand what it says and really what's in there.

I think a lot of people just kind of take it at face value, or don't really know how that incorporates personal insurance.

Right?

Yeah.

Speaker 10: A question for Casey.

Do you work with any carriers that currently provide, as Dan mentioned earlier, incident response guidance or forensic analysis support?

Yeah.

Do they include that, or is it typically an add-on, an extra expense?

Casey Wheeler: Yeah, no, great question.

Really what we see on the cyber insurance side of things, the actual coverage piece, usually when I explain what cyber insurance covers to people, what I refer to as the bread and butter of the cyber coverage is really that breach response cost.

So, legal coverage, forensics, and, like, potential PR if that's needed.

That's really where we see a lot of costs, and really why it's more than just the financial indemnification, but really those resources; a lot of carriers will have different panel vendors that they work with.

Which is also a big reason I tell organizations to talk with their insurance carrier ahead of having an incident, and going through that process and talking through, I mean, a lot of them have different panels that they like to work with.

But it doesn't mean that you're stuck using that panel.

A lot of them are willing to work with you on who your preferred provider is for those kinds of things, if you just talk with them ahead of time, since they wanna make sure that they're actually qualified to do that work and stuff.

But yeah, it's pretty much always included. Yeah, that's really how the insurance works with that.

Maria Braun: Any other questions?

I think there's one in the back.

Christina Richmond: I'm curious how difficult it is to gain the proof you need as an insurer, Casey, that the controls you have asked your insured organizations to put in place have actually done what you've asked, that they've implemented MFA, or they've put in an MDR solution.

How hard is it today for insurers to get that proof and what is that process?

Casey Wheeler: So a lot of times we'll go through and have those applications that organizations will come back and provide.

We're seeing a lot of carriers do some outside-in kind of scanning as well that they use to also help really assess their underwriting piece of things.

So if you're familiar with, like, BitSight, SecurityScorecard, they'll do some things like that and really just see, hey, are there any kind of outward-facing vulnerabilities that an attacker might look at?

But we are seeing, there's an interesting company that I'm forgetting the name of now, but there are more carriers that are starting to look at really how do we continuously monitor, rather than looking at just that application kind of once a year.

But it's essentially like, if you're familiar with Progressive, like plugging in to your car and seeing how you're driving safely throughout the year.

It's essentially similar, saying, hey, we're going to be giving you extra looks into our organization and what we're doing around our cyber, just continuously and annually.

And hey, if you're doing some good things, then, you know, you could get some potential, you know, premium discounts, things like that.

So it's definitely starting to move, I think, towards that side of things.

There's also a program that Google Cloud just started, and they're really trying to help their clients with it.

Basically providing to insurance carriers what their environment looks like and how they're protecting that, and they've essentially done this thing like, you go into Google Cloud and you're able to pull this report and provide that.

So we're seeing a lot more, I think, partnership from vendors and other people in the cybersecurity space, and just continued collaboration and, hey, how are underwriters actually assessing these things, and what information can we really take to make that more comprehensive?

Maria Braun: Yeah.

Any other questions?

I think there's one right there in the back.

Don't worry about it. Mic. I've never been accused of needing one. Perfect, hear? Okay.

Okay.

I'm just curious, a lot of people in this room are responsible for making sure that their policy is good and that it'll pay out what it needs to pay out versus being declined.

So I'm just curious what the couple reasons are, insurance, so there's that. So just curious what the top couple things are that get missed or create a denial.

Casey Wheeler: Yeah. Yeah. I would say there's some things on the claim side that can happen that I've seen.

Just organizations not getting prior consent for some of the actions that they're carrying out.

You know, like organizations potentially going out, and I saw one purchase several different servers and workstations before they really came to us and reported the claim.

So I just see people getting into trouble sometimes around not having that open line of communication with the carrier.

And that's really where, like on the claim side, they can get into trouble.

And so that's really why I'm like, hey, establish that line of communication early on, and really talk with your carrier around what your process is looking like to respond to it.

They're willing to work with you, but they can't do a lot if they don't really know what's going on and you're going back retroactively and asking for that reimbursement.

When it comes to the actual coverage side, though, I do a lot of coverage audits, things like that, and help organizations look at their policies.

Something that can be tricky is waiting periods on policies.

So there's business interruption coverage to essentially, like, indemnify you for loss of income in a cyber event.

And we see some high waiting periods that are kind of like a deductible, in a period of time, for that business interruption.

So there could be a really long period of time, and we know that really the first couple hours of an incident could be the most costly.

So really trying to make that as low as possible.

And then also related to the business interruption, something I see pretty frequently is how long you actually have to receive business interruption coverage from an incident.

So I usually look for between, like, 180 days and a year of coverage for that, just depending on the policy and how quickly the organization thinks they can respond.

But that's a big thing, just kind of more in the language of the policy.

And then one of the bigger ones too, and this is the last thing I'll say, is with that breach response coverage, the bread and butter that I mentioned, I see policies have an actual trigger for that coverage, really just responding to personal data being affected.

That's something I see commonly, when, hey, we really wanna make sure that any kind of unauthorized access into your systems is going to trigger that business interruption coverage, that response on the forensic side, the legal side of things, all those kinds of things.

So there's definitely some nuances to the actual language of the policy that you can look out for.

Maria Braun: And we have a couple minutes if there's one.

I think there's one more.

Perfect.

Go ahead.

Speaker 11: Can you hear me?

Okay.

So, question for all of you.

I am wondering about insurance and auditing when it comes to, like, smaller businesses and organizations.

So I've recently worked at an internet service provider, and I was going through and doing some of my own audits, since I'm a student and interested in figuring out, like, what's going on.

But when I brought that information to my coworkers and my manager, they weren't really interested in hearing that.

What would be the process that I would use, or what would be the pointers that I would take, to make my manager a little bit more interested in hearing me out on the different problems that I'm seeing, and, like, recommending insurance or recommending different auditing things that we can do to make it more secure and lock things down to potential issues?

Dan Brown: I would consider, you know, trying to perform some self-assessments that are based on recognized frameworks, whether it's NIST, CAS, whatever; maybe try and, you know, put a report together and quantify what could happen if they're not properly, you know, mitigating issues, if they're not segmented, whatever it might be.

But I would, you know, just try and show the sense of urgency, and yeah, that's what I would do.

Deb Wells: That's definitely a put-it-together, put facts and data together.

Try not to put, well, I believe, or I feel, because those are great words, but in the case of this you wanna be more emphatic and say if this doesn't happen, or this happens, this could be the bottom line, and oh, by the way, could be your job.

And sometimes you put that back on them, like if you don't, it's like now that they know that, and something happened and it came back, they'd be liable as well.

So you try to have them, try to get them to buy in somehow.

And not with threats, but just facts and data, and try to keep emotion out of it, and just say, I always say, Andrew, he's one of my engineers, he's here.

And I always love to do the stick figures, 'cause I don't want a complete drawing of the network and all that to show, because it glosses over nine times outta 10.

But put the stick figures in there with the bad actor in their sweatshirt, with their hoodie down, and then go all the way through to say, this is what's going to happen.

Provide a threat model and the facts and data, and just try to be as emphatic as you can.

And if they don't listen and you have a real sense of this is right, go over their head.

Maria Braun: I think, maybe to quickly add to it, also understand your audience.

That's gonna be the most important one, I think.

With that, we're out of time.

Deb, Dan, Casey, really appreciate your expertise this morning.

Thank you.