
So, quick show of hands, really quick: who has a finance background in this room? Excellent, we do have some folks with a finance background. Awesome. Who has a threat intelligence background? Just threat intel? Awesome, very, very cool. So when I was thinking about this presentation, putting it together, I was thinking about this concept of a fire tower. The idea of a fire tower is that you're standing up above the forest and you've got a 360 view, and your job really is to look for early warning signals in the form of smoke signals, right? Because you know that when there is smoke there is fire, and it's really a way to make sure that you don't
have an out-of-control forest fire. And so we started thinking about this concept, and applying it to some regulations and some other things, it seemed to kind of fit. And so just quick ground rules here: this is interactive. I'm going to have some time for questions at the end, but you feel free to interrupt; we can go as deep as you'd like. But you know, for those that have been following the news, just feel free to blurt out: how much did the United Healthcare breach cost? Wild guess. A lot. Give me a number next to a lot. Anyone? 40 million. 40 million, any other guesses? 100 million. You factor all the business's office provider, huge numbers,
Pati, absolutely. So, big numbers. Any other guesses in terms of numbers? 200 million. Excellent. What about the SolarWinds breach, how much did that cost? Billions. Billions of dollars, okay. Any other guesses? What about the MGM breach, how much did that cost? Oh, the C, exactly, $5 million, $15 million, PA, and they paid, right? Not the only cost, right? There's other costs. Million, $100 million in lost business. Any other guesses? Awesome. So we're engaged, we know a little bit about this. So, a little bit about me in the background here. I'm a recovering CISO, so I've been in the financial services space for the last few years, uh, the security and the strategy and the
execution of the security program. Done over 37 mergers and acquisitions, but I've also spent my time securing banks and tech as well. And so on my journey in all these mergers and acquisitions, if you've ever done enough of these, you start to inherit certain things, you start to see certain patterns, right? And if you're working with private equity firms or venture capital firms, you notice that they have a different game they're playing. They're looking at financial statements, but the cyber element is, uh, always in question, right? Especially when you start to inherit and bring another company into your environment, or if you're divesting. And so as I was going through this journey and started looking at what business
looked like, pursuing executive education, looking at business and then ultimately going into finance, I learned, hey, financial analysts play a different game. They look at numbers and they're looking for patterns. They're able to go through and see things over the course of time, especially as they're comparing it, expressed to these financial statements, especially for publicly traded companies. So, partnered with Dr Jun NE, could not be here today unfortunately because he's in the process of moving. Uh, he's a big-brain analytics person, a savant when it comes to taking data, visualizing it. And so together we're forming a team and a project to go through and analyze and look for smoke signals. I'm going to take
you a little bit on this journey. So right now cyber due diligence looks a certain way; we think it should look potentially another way. With the financial analysis, we think that there's some patterns and things that are of interest that we want to share with you. Regulatory changes are requiring disclosures, and we think that's a wealth of information, especially when you know what to look for and you start to look at these patterns. And when we think about a little bit of common ways of doing threat intelligence, we think there's a novel way of building a new model, so we'll start to share that. So we started off with this, but you know, you've all
seen these headlines: United Healthcare, MGM, SolarWinds, right? Not to pick on any one particular company, but you see all these headlines. We see numbers, and so these are some of the estimates as quoted from these headlines, right? Big numbers, and they vary, right? They vary based on the estimate at the time; these are mostly year to date. But while we take a look at these headlines, we start to pick what happened. These are publicly traded companies that are otherwise healthy in posting these financial statements. So let's start to look at what is inside of a Security and Exchange committee, Security Exchange Commission, an SEC required filing. There's two filings. There's a 10-K, that's an annual
disclosure. It's kind of like posting a selfie, right? You go through and you have your financials, you have what risk factors, what your business is doing, you've got the management that's disclosing things that are important for a potential or existing investor to know, and then you've got the numbers, then you've got some other supplementary disclosures. So that happens annually, depending on a fiscal year, and it's important. It's important, it's a requirement to go through and say this is everything you should invest and this is what's interesting to you, potential or existing investor. Then if you experience an event, right, an event can come in any form: a merger, an acquisition, a divestiture, something that is
material, you disclose it in the form of an 8-K, and it's a special event, right? And as of December of 2023 there's now a requirement, if you experience a cyber event, to disclose this type of information. And so it provides a new form of information, a new body of knowledge for us to see, hey, what took place. So when we think about our threat intelligence today... What, when he said 8-K is3, what's the threshold for that c? Yeah, so the question is, what is the threshold for disclosing an 8-K, right? And it's at the determination, it's really up to the company, when materiality has been met. Materiality is a very fancy, expensive word that lawyers get to sort
out, but effectively requires a company to go through with the right general counsel, CFO, legal, outside legal, and disclose that something has taken place. And it's still in question, it's still relatively new. The answer... another question in the back? I'm sorry, you have to speak a little bit
more. Does it require the updates after the breach, interim updates? Interim updates. So yes, there are interim updates. And so at the point in which you... the question was, are there other, uh, incremental updates that are required? Absolutely. So the idea is to inform an existing or potential investor and the regulator that something has taken place: a service outage, something that could affect the overall financial outcome of an existing or potential investor. Great questions. So we dig a little bit deeper on this and we think about today's threat intelligence, right? It's really a life cycle, right? So there's different forms, there's different activities that take place, but in effect you have a direction, right? You set out to go
and discover some information. You go and you collect data from available sources to you, public, private, otherwise, right? You process the data, you analyze it with subject matter experts, and you disseminate it to the world to make an action on, right? And then you follow that life cycle. That's our traditional threat intelligence at a very high level, and there's different forms, right? There's strategic, where you're gathering public pieces of information. There's things that you're probably more commonly thinking of, your TTPs, right, the tools, techniques of what adversaries are doing. The operational aspects, or even the technical, the things that you're able to discover internally if you're really looking at the types of, uh, technical types of things that are out there. And
so the idea is that it's not really a life cycle, it's really the flow of information and gathering of information, right? You're following a cycle. And so let's take a look at this, right? Our common threat intelligence today yields this type of activities, right? So here's an example, right: Mandiant, well-known company, right? And this is what took place for SolarWinds, this is sunsee, right? This is an example of what took place: threat actors, indicators of compromise, and what our conventional threat intelligence yields today. But where is the $40 million in this, right? How does the financial analyst understand this? How does a potential investor understand that, in the form of an 8-K per se? But this is what we think
about, an example of technical threat intelligence. Another example, great company, LevelBlue Labs, right? This is what MGM looks like when we perform threat intelligence: again, indicators of compromise, right, some of the operations, what took place at the time when the bad actor impersonated the help desk and did what they did, created a week-long service outage. Another example, of our strategic threat intelligence: this is Huntress, another excellent company, right, gathering information publicly available to really disclose what took place. Somebody had impersonated the help desk, went through the access broker, things were purchased, had access, and led to effectively a week-long outage. But where's the number, right? Where's the $100 million in this? And so when we think
about this, we think about pointing not just at the publicly available pieces of information, but pointing it at the publicly disclosed financial information. Using some financial analysis, there's some interesting things, right? Because the purpose of financial analysis, or the purpose of managing your financial risk, is to prevent the loss of money, right, preventing a bad investment. And so when we start to compare and contrast cyber threat intelligence with financial analysis, there's really some commonality, right? Both set out to combine and create, as part of a comprehensive risk strategy, known unknowns if you will, right? Identify financial risks, identify threat actors, identify adversaries that are targeting you. You have a goal to minimize your risk, and you're using those similar
techniques, putting in front of the right information the right users to make an informed decision at that time. So when we start to connect the dots, we start to think about, let's use this database of publicly disclosed information, EDGAR, which is what it's called. So there's this Security Exchange Commission database that's out there, it's publicly available, and when you go and you pull it from anything that says 8-K in cyber from December of 2023 to, let's just say, July, we've got 2,200 8-K filings mentioning cyber. Now, not all of these are related to an incident, and I'll talk through that. You've got, just like anything, you have to distill signal to noise, but with the requirements there's some
really interesting information out there, right? You have described cyber security processes, who you're working with, effectively what took place, financial information. And so it's a wealth of information, and it's going to be continuing to evolve, right? This is relatively new. And so when we think about it, we start to actually dissect and distill what these 8-Ks are. There's a question, yes? Yeah, so cling information, um, are finding at all that
companies... The question is, do we find that companies are disclosing contingency losses as a result of their events? And it depends. Depends on where they're at with the event, it depends on where they're at with the whole litany of financials that adjusts. And if you hold that thought, I'm going to go a little bit more into kind of where that information comes in, but it's a great question, thank you. So this might actually help with that. So when we start to distill the 8-Ks and the information that's out there, not all the data is useful, right? So the top example is an example of an 8-K related to a cyber incident, so it hit the criteria, right,
cyber, 8-K, and the threshold. But you can start to see the changes in revenue, right, the changes in expenses, net losses. And again, distilling it, depending on the ratios you use and the industry and how they carry their assets, you could start to distill some of that information. So this is an example of something that's useful, right, again calling your attention to something that you want to inspect a little bit further based on some numbers and some words. The other is an example of an 8-K, but it just so happened that the company had the word cyber in its name, right? Cyber Apps World was merging. So it's an
example of something that we would not want to pay attention to per se, right? The idea again is that not all of it's useful, but there's a lot of information, especially when we point it out at a larger level. And so when we think about financial analysis in its most basic form, you've got money coming in in the form of income, money going out with expenses, and trained and seasoned financial analysts look at things a little bit differently, right? Assets and liabilities, ratios, and they're looking at things to determine, again, that they're going to make the right investment, make the right bet. There's different things that indicate the health of a company, and just like with threat
intelligence, just like anything, you want to call attention to things that are of interest to you, and you could trigger off of this. And so, an example of that, right: understanding what is inside of the 8-K related to cyber, right? Of course you're looking for if a company's going through some sort of financial distress, as an example. Uh, is there an acquisition or divestiture or a lot of movement over the last course of years? If you've ever worked in a security program, you've gone through many mergers and acquisitions, many times there's a lot of change and there's a lot of freeze, and you've got potentially legacy things that you're dealing with, and you could start to see that in some of the
operations. You know, any relation to the obligation to not pay down the debt, right, or if you're taking on additional debt. Again, triggers that allow us to analyze and look at things a little bit deeper. And so when we start to look at this thing, take a look at the cash flows and the debt, everything else, again there's some triggers, there's some interesting information that's there. So let's start to see this in practice. And so what better company to take a look at than MGM, right? And so again, we're in this beautiful city of Las Vegas, and so just to kind of level set here, about a year
ago MGM experienced a cyber event that caused a week-long service outage, to the tune of about $100 million. And so what's interesting about this is that it predated the requirement for the disclosure of an 8-K, but it's one of the first of its kind. It provided all the transparency that we would want to see, so it provides a comparison for other companies in industry or other comparable industries, and there's some really interesting things. So we asked the question, again performing an analysis of what took place, looking at the numbers. And so when we think about this, again taking a look at between 2020 and 2023, leading up to the event, taking a look at the financials, doing some
trend analysis. Well, at a high level, the trends indicate that there's some challenges related to cost utilization, which could affect long-term financial stability. Well, tell me more. Moving over to number two, taking a look at the liabilities and looking at some of the ratios that a financial analyst would look at, uh, there has been a significant increase in liabilities from 2020 to 2022. In other words, if you start to look, there were some acquisitions, opening and closing of things, right, bringing on other assets, bringing on identity programs, bringing the assets together, as an example. Taking a look at what happened between 2021 going up to 2024, at the end of the event, well, the data
would suggest that there is an operational shift. There was streamlining that was taking place, right, there was improving, creating operational efficiencies. And now, it's not unusual for companies to expand and contract, right? What's interesting is that while looking at the numbers and automating some of the analysis, we're able to start to see some patterns. And so in 2023, leading right up to the event, the data would suggest that there was a strategic shift towards consolidation, right? It was to really pay down, manage the debt, and that comes in the form of cost cutting or potentially divesting. And so when we start to think about this as a potential pattern, it's something to compare other
companies going through it. It's interesting, something to again trigger off of. And when we look at the operating cash flow, again, was there money there to go through and fund and operate? We have that data. So again we have a comparison, because when you look at companies in industry, whether in gaming, whether in the health care, financial, banks, tech, they all carry their assets differently, and you can start to look for those patterns just like a financial analyst does. So those are what some of the numbers suggest. There's a question in the back. How
the question is how
many... Yeah, so compared to other countries, I guess the way that I look at it, the way that I think about it, there's generally accepted accounting principles, right, that really govern the ratios that are here in the United States. Some are accepted internationally, but they actually have different principles. The purpose of really finding some commonality is, again, looking at the finances, looking at what... go
ahead yes
Gotcha, got it, yes. So the question is, again, if you're looking at this and you see signs of danger or something that is of interest, could someone or something from the outside look at this? Yes, which is part of why we're calling this, uh, why we're calling this of interest. Thank you. The other question? Guidelines for revenue recogn of St... I'm sorry? Are the PCA guidelines for the revenue recognition of SaaS companies... that's right. Are there any PC guidin L are upcome that determines how accounts have to be Del for cyber losses? The question is, the PCAOB has specific guidance for SaaS companies; is there any guidance that's out there that's... I'm actually trying to do a
patter here, because one is about how you recognize, because basically the idea is how do you form these different accounts, right, and how do you account for them in the books. And that used to be a big problem with SaaS companies, and that was because of how technology companies carried their assets. Completely different problem, but right now we have a bigger problem here with cyber security. Cy security creatures losses, are there any guidelines on how to handle this from... Are there any guidelines? I don't know that I can answer that one directly right now, but let me table that one and see if I can come back to it, right? The focus is really on the body of
knowledge, but that is a great question, let me come back to that one. Yes? I want to back on you did not... Yeah, so this, maybe we're looking at insurance comp SCU, insurance companies, portfolio companies, venture capital companies, investors might have an interest in this information. We think that it absolutely has another way of looking at a risk profile, which is why that's of interest. Because again, if you've ever gone through mergers, acquisitions, divest and you're comparing your programs, again the finances are effectively reviewed, but there's no line item for cyber, there's no line item for technology per se, but some operational costs that, again, certain companies of like industries carry. They look at those ratios, and as a
trained financial analyst you look for that, right? You're looking for efficiencies, and to increase profitability you're driving efficiencies. So again, that's some of the early warning signals and things that we're doing. Excellent questions, and I'm glad you guys are picking up what we're putting down here, right? Because again, this is just based on what the numbers suggest with trend analysis, using some of the ratios that are generally accepted accounting principles, governed by the PCAOB, right? So the idea is we've got some triggers, right, and as we start to go through and continue to distill the words, again, we can automate what the words say. And so if we go through and we take a look at the 10-K
and what was said in comparison to an 8-K, and we just say, all right, anytime you see the word cyber security or anything of interest, right, regulation, incident, whatever it may be, take the paragraph before, take the paragraph after, and let's do some analysis. And, um, there's some interesting things that are there, again because there are requirements to disclose information to make sure that we protect that financial investment, right? So you could see, you know, there was no incident reported during a particular period of time, but once the 8-K was filed, as an example, there was an adjustment in EBITDA, right, there was a mention of, uh, adjusted bookings, right, there was a decrease in profitability,
there was services outages, right? Because again these are all smoke signals, right, because we're looking for the fire, right? When we continue on with the analysis, you know, was it mentioned, right, is a company operating, looking at this from a risk perspective? And again, there's differing, uh, views of this, and they all go through a legal review, but we're looking for the patterns, right? We're looking for pattern analysis, because again these are smoke signals; where's the fire, right? And in the eyes of the Security Exchange Commission, here's your fire, right: the drop in stock price, right? And so when we go through and we take a look and marry those smoke signals with the fire, we start to see pretty
interesting information. So right as the event was being experienced, the stock price was trading at $43.75, and then upon the, uh, filing of the 8-K, with other things that were going on, right, we saw a 4% dip. That's interesting, that's interesting, right? Because as we go through and we start to see and ride that dip all the way down to its lowest point, 34.49 represents a 22% drop. There's some real interesting information, because the available stock, $340 million, of that experienced about a 20% drop, or $68 million, right? That's what this is for. The disclosures of the 8-Ks are to prevent the financial losses in this form, but we've not looked at it this way,
again looking for the signals and also reviewing what is the after effect, right? And so this is one company, right, this is one company that we profile. There are many companies inside of U that are publicly traded, about 3,400. And so when we start to point at the entire database, again looking at specific information, you have to do something with all of that information to start to profile and run your experiments, especially if you're modeling. And so you start to introduce your lag plots, right, and that is basically the distribution of the information, the ratios and the things that are of interest over time. And then you need to go through and distribute your model, right? So on the right hand
side, or the, yeah, the right hand side here, you're starting to see again some information that's being distilled, and we're looking for some patterns, again based on the ratios, based on the information, based on some other things that we think are of interest. And then on the other side, again, there's not a specific cost of security as a line item, but there are some estimates, there are some guesses, based on how companies carry their assets, that we can distill. And so there's some form of a productivity, there's some form of a company that has gone through and done certain things and not experienced an event against others, again looking for early warning signals. And so you go through,
you pick your model, or in our case you make your own, and you're looking for something, right, the assumption of what the cost of the cyber security looks like. And so there's some form of risk mitigation, there's some sort of productivity, there's some sort of absence of an 8-K disclosure because an incident was not solved for, and then again you've developed, or are beginning to develop, a profile of interest, again pointing at the entire database within your date ranges. And so when you start to think about this, it's kind of like, again, being on that fire tower with binoculars, the left and the right lens, and you start to distill some information, and then you've got a
standard deviation, right, and you're starting to go through and have the ability to run the experiments to then compare the MGMs, the United Healthcares, the SolarWinds, the Clorox, the AT&Ts against all the other things. And as time goes on we'll start to see more and more of this, because again this requirement is novel, and it is allowing us to develop early warning signals or things that are of interest. And so we start to think of this, again, this is the two lenses of the, uh, binoculars here, and bringing it all together, what does it mean, right? Well, what it means is that you get the opportunity to draw a box. If I could
leave you with just one thing, it's this: all of this information is to be able to draw a box. And so the little dots represent particular companies of interest that have certain patterns that we've thought to be of interest, and the whole purpose of this is to decide on whether or not you invest on what's inside of the box or bet on what's outside of the box. And so with all of that, again, just to conclude here, what we've talked about is the regulatory requirements that are requiring us to post a lot of information, information that could be of interest, information that we believe could be an early warning signal,
and when you start to use the financial insights from the 8-Ks and the 10-Ks, you marry with the cyber threat intelligence techniques that are out there, you can then start to go and overall see what the company is doing and what the outputs are, and develop some early warning signals. And so with that, I thank you for the opportunity to share this information with you in its current nascent form. I'm Brandon at Firetower ai.com, and I'd be glad to open up the floor to any questions that you may
have. If you don't mind going up to the mic, I think they can hear you, but thank you for the questions.

So it seems like the purpose of the 8-K filings is to prevent financial losses, correct? But from the graph you showed, and we don't, I don't, you know, there's not, uh, a big data set, seems like when they announce the 8-K that there's a momentary dip in the stock price. So you could kind of use that to predict that, with these filings, that there could affect the stock price, and bet on that loss, is that correct?

There is an opportunity to potentially short a company, right. Um, that there, you do allow for that. Um, I think one of the
points, and I'm glad that you brought that up, is that on average a company will go through and rebound from a cyber incident in about 90 days. But that initial, but that initial dip, so if you were, if you were, uh, going through the EDGAR, because this is filed, this is in EDGAR, right? That's right. And you notice new filings, you could use that as data for what you think the price is going to do, at least momentarily? It again helps understand what a profile could look like, either in industry, recovery or otherwise, right? Because again the purpose of the 8-K is saying we've experienced an outage, financials are going to be adjusted, if you made an
investment you might lose on that investment, so here's everything we know, to be transparent about the particular event. And so on average, again, and this is one of the interesting conversations about this, you experience a cyber event, but you could see around December, you know, you've actually made more money, right? Why is that? There's many, many variables that affect the financial statement. But again, there's $100 million here, or there's $68 million in overall drop if you take the bottom point, right? That's interesting information when you look at the numbers, you start to combine it with triggers, right? Thank you for the question.

So as a recovering CISO, then, would you say you can also look at this
from the internal perspective and use this as, uh, actually, if you go back two slides, um, to the, it's going to be the cost to investment, yeah, so, yeah, so using this then to help justify expenditures and spending on security, right, showing it from an internal perspective, right? You're competing with your CF, not competing, but you're trying to convince your CFO, you're trying to convince other people to invest in some of these things. Do you see this as a way to help in explaining that in terms that they can understand?

Um, I, yes, the short answer to that is yes. So when you think about, uh, diligence, especially if you're a portfolio company, you've got company A, company B, company C,
right, and you've gone through and the financials look good. You may be wanting to do a private equity play, right? You're looking to provide leverage and, you know, do certain things to acquire, to make it more attractive. You might be acquiring a company to sell off certain parts, or to, you know, invest money and invest resource to put it back out into the world. Depends on what you're looking for. So one of the measures of diligence is being able to look at how do you compare against your peers in industry or your other like scenarios, and what we're looking for is particular patterns and profiles to then compare and say, hey, again, in the case of MGM, expansion,
contraction, movement over time, and we experience an outage and we experience an event, there might be some other comparisons that are out there. So absolutely, that's an applicable use case that we contemplate. Okay, thank you. Thank you for that question.

Along those lines, I noticed that right now it looks like you are focusing on areas around, you know, the word cyber security, for lack of a better term. Have you looked at other aspects, particularly filings that aren't necessarily explicitly cyber security related, things like layoffs, labor relations, all that sort of stuff, that are other indicators of an organization under stress that don't necessarily immediately translate to a change in revenue?

So the answer to that is yes,
and the reason for that is, you can appreciate, right, a lot of the operating expenses, like people, don't have a specific line item, right? And so when we're looking for financially distressed companies, just like in other cases, you know, you're looking for those indicators. The words vary, right? For the sake of this presentation we just keyed off of cyber security, but again the analysis is looking for indicators of distress, which then trigger an analysis, which then helps us form a profile. Thank you.

Um, kind of a two-part question. Firstly, how laggy is the data in the filings? How much time do you get before you can perform the analysis in a way that's statistically relevant? And
then secondly, what's the predictive value of this information? Like, have you been able to test the false positive rates on these signals that you're picking up on?

Yep. So the first question, just to make sure I got it, um, the first question is how laggy is the data, right? So the requirement for the filing of an 8-K is relatively novel, right, uh, so again from December up until present day, so that's the corpus of information that we have at this time. Of course there are other 8-Ks and other disclosures and comparisons, right, but we're specifically looking at that and preparing for additional 8-K filings to then build those profiles. So there are regulatory
requirements that necessitate putting it out once you feel like you're going to affect shareholder value or an investor value, and that's kind of in question, because is it at the time at which you experience the event, or at the time in which you've declared it to be material, or the time in which you've notified, again, cat, rat, dog regulator as opposed to the SEC? So there's a lot of complexity, and it varies. If you're healthcare regulated versus tech, you're going to have a lot more regulatory hoops to go through, so it'll appear more laggy as compared to an industry that is not as heavily regulated but publicly traded. Does that answer your
question the second piece to that um question remind me again have you tested the false positive rate so what's in the box is in question for us right because again it's based on the data to date and so the predictive uh analysis component is uh something that uh we believe and we'll see so it's a function of time but we'll be able to answer that as time progresses and our models improve great questions thank you so I'm afraid this doesn't have much to do with fire tower per se but would it be possible or has it happened or do you think it's possible that somebody could like basically short a stock and then attack the company you could use data
for good you could use data for evil right at one point it was very popular for adversaries to go through and look at public uh 10-K filings and some companies in the spirit of providing transparency would post how much cyber insurance they had and that came back to bite them right because again there was no way of you know negotiating what the ransom would be it was actually there in the spirit of disclosure so again the idea is that there's information and you could use it for good you can use it for bad uh but it's all again in how you decide you want to use it okay thank you thank you great question uh so so my question
is really if you had a really hard-nosed uh CFO who was looking at this start and went well you know you said if we have a big cyber event the share price will be back to where it was in 90 days you know we'll commit to improving security we'll embark on a big program I don't need to embark on that cost now I'll wait till something happens and then if it does we'll bite the dip for 90 days we'll be back to where we need to be what would your argument be to someone who put forth uh that kind of um position yeah so the great question so the ultimate expression of risk in my opinion is if
you're publicly traded through these 10-Ks right budgets are approved ultimately by the CFO right through the CEO board but through the CFO rolling up and rolling down and so if you've gone through any type of changes um you know cost cutting uh holding things static potential divestitures or the company's in financial distress that's part of the conversation is having a more informed conversation with those financial folks the CFOs and so my aha moment didn't come to me until I actually sat down with the financial analysis for the analysts that are very skilled and I asked the question I said how many times do you talk to your operational teams they're like barely any right so love
your financial business partner love your CFO organization speak their language because they're looking at it differently if there's no company to protect because again you're so financially unhealthy well they're making those calls the idea is that there is a downstream effect to this and there are patterns that we can see especially if you're a portfolio company holding other companies thank you for that yes thanks so much for doing this briefing today and his question was the first part of my question yes it could be used for evil I do believe that as adversaries become more sophisticated and include other competencies there's no doubt that this could be used for that but if you put on your hat as a
risk practitioner now and think of not only as a recovering CISO but as a risk practitioner this data especially the MGM kind of six phases there are five phases informs a changing risk landscape where certain things could be more impactful to an organization do you think that that kind of analysis because most of this has been about financial analysis in the context of cyber threats but do you think it could be used in reverse to say we now have some financial conditions or strategic pivots or shifts that represent different kinds of risk that maybe we hadn't considered before so my question make sense it does yeah so basically we've been looking for the smoke signals but can it also shine
a light on what good looks like and the answer is potentially yes right because again the idea of posting a 10-K or an 8-K or is posting the best effort numbers of what you're doing at that time and the idea is to both combine the analysis the numbers right the math with the words there's no math behind the words but the idea is again to look for those patterns triggers and then provide the financial analysis view to quantify this that answer your question thank you yes yeah I feel like I have kind of a simple question sure are there high level indicators of uh I guess in a compromise situation where there's a loss of a revenue loss where there's no
impact at all in the stock price like are there certain that jump out to you were like yeah that's probably not going to impact the stock price whether vertical or you know it it's really um so the question is if is there a is there a scenario where a cyber event being disclosed does not trigger a uh a little blip is that correct yes and so in my experience and what we've seen so far we've not seen that right now and we've seen at least a a marginal dip but really it's too soon to tell right because you've seen service disruptions and then you've seen the question so what right well the transfer of risk
comes in the form of say cyber insurance so you're able to go through and reestablish but then what happens to the overall you know the reputation of the company and some of those intangible things and so whether there's a primary loss or a secondary is still part of what risk management looks at so there's the immediate but then there's the longer term and that's basically what we're doing is building those models building those patterns and building those profiles to compare that's super interesting thank you thank you excellent well this is how to interact with me so Brandon Firetower ai.com I'm on LinkedIn and I thank you all so very much for the time and the opportunity to
share this and uh happy to keep the dialogue going so I'll be here for a little bit and thank you all very much for your time