Increasing Complexity and Frequency of Cyber Events: Trends, Costs, and Risk Mitigation Strategies

BSides Las Vegas · 47:48 · 6 views · Published 2025-12
About this talk
Identifier: 8KYQ3Q

Description:
- “Increasing Complexity and Frequency of Cyber Events: Trends, Costs, and Risk Mitigation Strategies”
- Examines rising frequency and complexity of cyber events.
- Discusses third-party risk, privacy regulations, and cost factors.
- Provides strategies for navigating evolving risk environments.

Location & Metadata:
- Location: Ground Truth, Siena
- Date/Time: Tuesday, 14:00–14:45
- Speaker: Wendy Hou-Neely

Hi, good afternoon everybody. Um, welcome to BSides Las Vegas. Um, this talk is given by Wendy Hou-Neely. Um, a few announcements before we begin. Um, we'd like to thank our sponsors eventually. Yeah. Yeah. Uh, these these talks are being streamed live. Um, and as a courtesy to our speakers and audience, we ask you to check and make sure your cell phones are set to silence. Um, and yeah, enjoy the talk. Thank you.

>> Can you hear me on the back? Okay, good. I wasn't sure. Uh, so thank you. It's uh for the opportunity. It's really a privilege for me to be here and thank you Gabriel for follow up on me and say you know something and uh anyway so um I

wanted to this is my third year kind of giving this talk but each year I have an area of focus. So um general is trend and cost and risk mitigations. So this year I'm going to the agenda will be um same thing introductions just get an idea and then talk about some of the trends and statistics that we are uh seeing in terms of privacies in terms of business interruptions in terms of ransomware as well as I added this year a little bit of the fraudulent fund transfers and then um since we collect a lot of the uh insurance applications uh every year thousands and we use those type of data to actually uh figure out what are

the things that we should recommend to our customers. So based on their self-assessments we connect that with claims and events and then we do correlation studies and then in the end we actually give you a statistic number to say if you increase this by this many percent you'll reduce your breach uh probability by certain percent as well. So those kind of stuff. So I sort of got into this slide already. So the data that we have it's some of those are subscribed data uh those are the public data that we subscribe from vendors uh including uh uh Zywave and uh Flashpoint or public report financial 10-Ks and press release and so forth and

um we also have our own proprietary data source. So we get claims annually we get multiple claims from uh our clients. Uh we claims from the different region of the world as well. And then the other the next one we did starting to leverage more of it's customer self-assessment data. So this is a long list of hundreds of questions that when they come to us to apply for cyber insurance, we want them to fill out a form and then to say how are you doing in terms of this area, you know, multifactor authentications and so on. And then also we have insurance portfolio data. So uh since we have uh we also do the uh reins insure

the reinsurer we also get the portfolio insurance portfolio data. So um it's kind of unique on that. So um go to some trends and statistics and um the risk environment this year um data encryption business interrupt data and uh business interruption still to be one of the most impactful um of of losses and uh one of the things I do want to focus on this year to talk a little bit more about is privacy regulations and compliance. Uh, this is becoming a uh pretty big things from year to year. This is starting to get more and more uh uh bigger risk apply to more of the datas. So in terms of data would be like how do you use the data?

How are you transparent on how you going to use it in terms of use collections how long you keeping the data uh in terms of data brokers we're all doing AIS uh the data broker sometime you get data from your data brokers and what what kind of law do they follow so those are kind of things that that's continue to be a challenge um the good news is uh that we also see let's see we have increased frequency and sophistication of attack. So uh this year we definitely see more event uh however uh the good news is that extortion uh event percentage wise compared to all of the cyber event business interruption uh privacy breach

uh the ransomware event actually have gone down in terms of percentage wise of the events. Um also uh another thing was that uh decrease in company paying ransom demands. So last year we did it was 23 some percents and this year it went down to 18%. So it's good news. So that what that's also saying is is a lot of our customers getting better at managing the control, managing their environment, doing backups and doing exercise so that they can they don't have to pay the ransom. So that's a nice thing to see. Uh wire fraud, we see that growing. Uh so um this was from uh BakerHostetler on that one. Um we do see 200%

increase more than 200%. Uh the industry sector that we see more event this years on communication media and technology healthcare and wholesale uh retail and wholesale those are the top three industry that we saw in the last in terms of our clients. So just some background we in we usually have the largest uh companies that we broker for. Uh Marsh is a bigger uh the biggest insurance broker in the world. So um in terms of global trends we see a lot of the zero-day vulnerabilities being exploited. Uh we see more of the cloud event as well. Um so uh one of everybody have seen that one CrowdStrike event and that's uh anywhere depending on who you ask it's

1.5 to 5 billion and depends on you know how many that's a lot it's a big number uh Delta Airlines is we lost they lost $500 million for that one event for five days that was it $500 million loss in that five days and then Change Healthcare that was another big on uh that's also in the billions. Um and then we also see a lot of the uh supply chain silk python and uh as well as Scattered Spider. We see uh Scattered Spider everywhere. We saw last year a lot in a lot of the Caesars Entertainments, MGMs also a lot of European retail as well. And so this is becoming a pretty big it's starting to connect to also

Snowflake uh the AI storage company and then of course the uh Microsoft we also seen that as well. Uh so you see a lot more of the event that would impact uh multiple companies quite widespread type of events. Um before I say anything about on this one, this is by country. This is the top 10 country and it doesn't it's always there's data bias on this one definitely. So there there's definitely more event in the US. Uh it depends on the requirements of the reporting requirements and um so you can see US ranked pretty much number one and then Canada uh Great Britain and so on and so forth. But some of those uh it's also

due to language barriers. So maybe India it's uh have lot more event but because our data source may not get translated. So we do see the English-speaking country has more event than the non-English-speaking and also the alphabet English alphabet type of country we see more of those kind of reporting as well. Um so if you drill down to 2023 uh uh drill down to uh US this is what you see more of uh 2024 is still not complete set of data because takes about 30 some days to find them and then to report them to to actually uh report out and then the data delays and so forth. So I picked the data up to some of it's

January of 2025, end of January and so the the data report wise it's uh not complete. So 2025 we didn't do that good but that's just because that's a partial data set. It's not full data set. We're not done with 2025 yet. So in general we do see probably six month to nine months of data delays. Um in terms of cyber incidents you can see uh finance and insurance goes and public admin and professional services being the top three but you can see in general finance starting to from a lot more to slowing down and then the bandwidth on this one the next one is a public admin also at first it's all about them on 2013 2016 go on and then

that's also narrowing down and then the third one's a healthcare. Healthcare continue to be a uh pretty focused target to the to the uh uh bad actors. Um so we seen some pretty big events in healthcare this year as well. Um in terms of ransomware, it's a little different uh in terms of like highest one being manufacturer. You can see the manufacturer bandwidth starting to actually quite increase quite a lot. The next one is professional services. So that's this this bandwidth right here and you can see that the band is widening and then the next one is healthcare while the frequency of it look like it's decreasing but the severity we see it's pretty uh severe in

terms of healthcare events. So the different industry does experience different type of cyber events and if you look at incident response time um you can detection now have gotten a lot better. So different company companies are using different tools to try to figure out. So on the average they improved by 10 days uh which is from 36 to 26 and uh um that that's for the network intrusions all average all incidents from 42 to 31. So that's quite a lot of improvement and uh containment's about the same didn't change a whole lot. uh analysis to completion that also has improved some and notifications uh maybe not that much of a change a little bit longer. So

Cost components. So I did this one two different ways. I the first one I ran this num the number here and I was like wow the one in 100 is huge because I have some really large breach response done. And so I said okay let me just take those guys out given that that's not typical. And so then the second graph it's I took out the outliers and uh it it went down a lot but still you can see the averages has gone from it's still like 86 8.6 million versus uh uh 14.8 eight. I would say that probably for most company would I I do wonder to to to see there could be pretty huge uh

numbers for breach response litigations and by the way the breach response we had about more than almost 500 data points on on those that's how I ran those numbers and then on litigation I have we also have about 400 something data points as well. So you can see that on the average the data average is about 2.4 million but the one in 100 is about $35 million. So it's pretty expensive in terms of uh uh cost components and then uh recovery uh data average is about 2 million and the one 100 is about 16 million and some of those clients actually took a long time. We have in terms of durations of data recovery, we

have clients that has some still recovering data that's a year long or more. So that that's a pretty expensive uh number. Yeah.

>> Examples of what what I guess examples of what how how you came up with that number. So like are you are you calculating like people's salaries and

>> No, no, no. We just based on this is a conditional uh severity. So given there's an event given that they told us what their number is here's what the lognormal distribution look like. That's what that is. Yeah. So you can you can do the different you know on average they're here the median's here and then the one 50 is this thing and one 100 is

that thing. So yeah. So this has when we actually do the severity analysis when we build the model we would associate the revenues and employee count those are pretty um standard parameters that we use to actually do the severity for a particular client. Uh but for the number uh for illustration wise this just saying that given all the event that we have numbers on here's what the average look like. Okay.

>> Yeah. Sure. Um good news cyber market conditions great uh look at the numbers. So one of the things that we are seeing is a lot of our clients are this year spend uh last year and this year spend more time actually transferring the risk. So

increase the limits and decrease the deductible retentions. So uh we see a lot of client because given this environments evolving so they wanted to so this is the you look at the total program and the primary layer it's pretty consistent the price have gone down a lot so this is good news for our clients privacy risk so I'm going to go through some risk and trend um it's still one of the most impactful uh risk and then uh of all the cyber perils um we things have challenging to the um our customers where is the data where do you store it is it in the public cloud is in the private cloud is it on prem is it

with a partner do you have you know data coming from the from the data broker does it uh is your SDK in integrated with your environment that consumes that embedded in the application that consumes data does the SDK collect data if it collects data you know there's where's the data come from right and who's has access you know is it employees uh business partners business partner being one of the big one that we wanted to call out for uh sometime you know um you have a company you have thousands of business partners that you work with how much of the data your data do they have and we've seen companies that uh got breached by the business

partner. The business partner went out of business, the company actually end up having to cover for those kind of losses because that is their data. And then how do you provide now is all this transparencies and user controls and stuff like that. Can you keep up with all of those kind of things? And then uh if there's record consent and certain consent that you have to have and where is it needed how do you get those and uh how's the data being used and so if you're doing machine learning doing advertising target advertising is it can you do that is do you have the right to those do they provide consent for those kind of things. So that's kind

of a um questions that we see challenges to a lot of the companies um your data assets. So we've been talking for a long time PII PCI and PHI. So now this year this is starting to get more complicated. So I mentioned about SDKs and and application data collections. Uh do they collect unnecessary datas and who's receiving those datas? Um APIs API API that works with SDKs may allow other party to obtain data unintentionally. Uh what about data brokers? Uh smart connections, wearable device. Uh a lot of the California CCPAs and privacy what's it say? CIPA, California Invasion of Privacy Act. Uh there are sweepstakes, there's contests, surveys, uh any social reward program, biometrics. So those kind of

thing like Texas just sue Facebook for biometric data violation. It end up to be hundreds of millions of dollars. So I think it's billions, 1 point something billions. So regulatory in this area has gotten to be a little crazy uh from a state level. The BIPA, the CCPA, the CIPA, the California is kind of leading on this one. Uh the federal government's now enforcements on you know used to be the the the technology surveillance technology now being repurposed to reinforce the pixels and session replays and those kind of stuff requiring compliance and in terms of a global point of view there's about GDPRs um there's about 144 plus country participates in that and then the UK's

and the France and Australia being the top three gotten a lot more aggressive about it collecting those kind of thing. Um there's 140 privacy regulation global and they're changing. So this is a tough one to actually manage and there other tools that there's a uh 98% of the company fail uh the cookie audits per regular requirements and then uh that's a study done by prey and then uh for Alons Alon had a report last year saying that the average privacy litigation cost for data violations and now is at 30 million per incident. So this is a pretty big risk that you know requires some attention and if you look at the number of claims that we see this is

something 2023 sort of exploded and 2024 it went down some uh the CIPA being the one that's uprising the California uh Invasion of Privacy Act and uh the blue one the light blue VPPA and the website tracking. So it looked like the website tracking had gone down a bit but you can see that those are getting more and more sub more from 2020 2021 and 2022 it's gotten to be a lot higher. So here are some of the losses. Um this is a chart that I've updated yearly oh actually regularly for our rep and uh at this conference and you can see one of the uh the healthcare is 2.3 to 2.87 in terms of damages in billions and so

there's some number here that's pretty uh subst it's substantial compared the bottom on this thing that fits on this page 101 million on the privacy. So, uh, in terms of fines and penalties, uh, it's also in the billions. Uh, the the second one was the Facebook ones is 1.4 billion. Uh, state of Texas sue Facebook and got a settlement of 1.4 billion out of that one. So, those are kind of like large uh fines and penalties that companies should uh pay attention to. So didn't mean to throw out all those bad numbers and not tell you what to do about it. So um in terms of data data minimization on the new data you can actually tag a

lot of your data. So there is u privacy called privacy enhancement technologies. So those are things that things like that you can do because with AIS and stuff you can do federated learning that's one of them. Uh you can uh basically you train the machine on uh decentralized data without directly sharing the data. Um there's also differential privacy so add random noises to your data so that the statistic doesn't change but it kind of obscure individual records and stuff. Um there's anonymization and pseudonymization. Those are some of the uh uh PETs that you can use uh for the old data. I know this is something that I'm always guilty of. Oh, I want to keep it.

Maybe I can use it for something later. And uh so it's not necessarily a bad thing, but you should prioritize. Say by keeping it, what kind of risk do you incur is make that conscious decision about it? Um notice and consent. Uh you need to keep all of those kind of collection and understand how your data is being used and of course any sorts of disclosure requirements keep track of it. If the regulator ask you we need the all the uh records of requests for uh documentations how do you provide those and then there's a lot of actually have a process and there are tools there's privacy program tools there is basically for privacy setup not necessarily risk

monitoring but notices consents and and DSR implementations all of those kind there's tools for those and there's also data discovery and bulk tools. Um I don't want to name vendors here but if you want I it's actually in the notes of uh my uh uh presentation. Uh of course too uh map your internal datas and there are some of those uh insurers um their risk management uh offering actually provides those two given that for free and it's included I shouldn't say for free it's included in the risk management option that they have so if your premium is above certain points some of those thing you could just get and that's all this monitoring then automating those and

testing out and see what are you failing what are the things that you got to do so that there are actually have a process and tools in place you can do all this stuff so that you don't have to keep up with the 140 plus regulations and stuff that worldwide it's impossible. Next I want to talk about is business interruption uh so one of the big one this year last year was the CrowdStrike one. Uh again that was depends on who you ask that was 400 million to 1.5 but the CyberCube is about 5.4 but Delta was saying that we lost 500 million according to their CEO they lost 500 million in 5 days so due

to cancellations and stuff like that. So, um, the United Healthcare had the, uh $2 billion worth of losses. Uh, 2.87 was the high-end. The business interruption there, it's about $800 some million dollar business interruption loss in that one. So, um, again, this is actually a pretty big bucket. And I know I talked about this one before and I wanted to just give the heads up of talk about the different type of business interruption that people should be aware of. One everybody know about the uh malicious hacking type of business interruption and DDoS and so those kind of stuff. So that's the first type that's network interruption and interrupt your security failures type of interruption. But second type of in

business interruption would be the uh system failure even the software you use I mean that's where MOVEit right that's another one of those you use somebody else's software and they have a bug in it and then the the Microsoft SharePoint there's something that's also uh vulnerabilities those kind of has also could cause business interruptions and that's not always called out in the insurance policy so make sure if that's something that you guys that the company is concerned that's something that you would want to make sure that's included in the policy and then the third one would be this contingent business interruption so caused by a third party which could be IT provider or non-IT

provider your supplier your critical supplier uh you don't have batteries that you can put into electric cars that could be another type of you can't produce cars you don't can't have car that you can't sell so that happened during the pandemic for example. Um I also wanted to go through some of the risk areas of business interruption. So uh third party risk that was the one I want to focus on a bit. It's um 60% of the organization work with more than a thousand partners. So you can imagine you have partners, partners have consultants, consultants have contractors and blah blah blah. There's so long list of the chain of that and um 73% that's more than

two-thirds have experienced significant significant disruption by a third party that's a pretty big one and then 27% about a third of incident it's involving a vendor so and then of course the supply chains and stuff so this is an area that um that I you should focus on have some awareness and understanding and make sure you understand what kind of interruption you could experience. And then of course the AI stuff uh the access the plug-in the design the data uh that could be poison data uh that could be the train your model who knows uh in in the those kind of thing that could cause interruption as well. And here's some of the large business

interruption event uh CrowdStrike with sears about 400 million to 500 1.5 but not including lawsuits. And so this is not done yet. So this will still be working. It's involving over a hundred some companies now in terms of we're seeing um one of the things that I want to spend a little bit of time because a lot of one of the trouble with this business interruption claim is that we we don't always see the data and part of it because it's so hard to make a claim. So I want to spend a little bit time just to give you what's acceptable and uh also the length of a claim and adjustment process like 12 to

18 months on average. We see a lot of those and then the proof of loss is somewhat complicated as well as uh everybody's arguing about their forensic accounting. I have mine, you have yours. How do we manage that? And then also what's covered, what's not. So if you have a environment that's breached and you upgrade your computer, you upgrade your software, how much of that is count as betterment that does not it's not replacement, it's betterment. So how much of that should be covered? So on the left it's uh coverage for um best practice and that is widely accepted by the by the um by the market. So proof of loss, you want to do make sure your

whatever proof of loss you put together, it is a cover item. And then of course um get ahead get agreement ahead of time to get the forensic accounting. So you can have your own forensic accounting and uh also the insurer would have their own. they sometimes just agree to uh compare notes and uh so often time one of the things we seen and it's that the the the insured the companies um gets forensic accounting the first submission and there's a nope our for uh forensic accounting doesn't agree with that. So, if you have your broker that actually could help you shepherd you through the way to say, "Hey, this broker is it's approved or this FA is approved ahead of

time," then they'll save you a lot of time for those. And then also, it's okay for you to ask them to say, you know what, if I submit this, I want a response within 30 days. And then whatever it's agreed to, pay me now. Don't wait till all the way in the end. So, this is all standard, okay? Accepted by the market. The second area which is make things could make things faster. It's simultaneous review. Uh it's on the on the other side right side. Um my I'm on the left. So anyway um you could have your own forensic accounting and they have their own and each one of them given the same data set. Let's calculate

it and compare notes in the end. Or you can also have um get a joint umpire to say we agree to have um so and so as the umpire to to reconcile this. So do this upfront so it'll make things a lot faster a lot quicker to um to uh for the claimant. So you could reduce your 12 to 18 months that way. Uh ransomware um ransomware I'll start with the losses um this one the healthcare showed up in both places as well as retail it's also uh some of the big one that come up in 2024. Uh so if you look at the event count by year 2024 it's from 2022 to 2023 it's

still a lot I mean number-wise it's increased quite a lot um by year and uh if you look at quarter over quarter it's still uh 2023 Q2 that was jumped right up um that that's also uh you can see ransomware is still out there compared to other perils, it is less percentage-wise and some of the total loss year-over-year total loss it's anywhere. So from you can see um from 20 2022 is 1.1 and 2023 it doubled that almost and 2024 is 50% more than what 2023 was. So that's jumping. 2024 has a big uh ransomware um uh client uh losses. Um in terms of percentage of people that pay ransom, I get a lot of company ask

what's other people doing? Are they paying or they not paying? I want to know who's paying, how many of them is paying. So there's the graph of who's paying, who's not paying. So you can see from you know 88% in what 2021 they pay uh by 2024 it's only 18%. So it is getting better in terms of paying uh companies are not paying because their control is getting better. Um this is a demand versus payments and um you can see that the demand amount have gone up a lot on 2024 uh pay also gone up. So this the first graph so first side it's a demand second one's a pay for the year. So you can see

in the beginning in 2019 they just wild. They're just like demand whatever it is. But now they have gotten more precise toward the end there. The gap of the differences between the ransom demand and pay has decre it's still pretty big but it's not as big as it was before. Um in terms of pay I took the 95th percentile. So I won't uh show what their losses are. Um so fraudulent fund transfer this just a mention I starting to say okay since this is a category that's up and coming um we do see jumps in this one and it's often occur through business email compromise. We see more of that causing fraudulent funds. And here are some of

the large fraudulent fund transfer. The big one being about 600 some million on top and uh that's from 2022 2023 2023 it look the numbers seem to be smaller and uh so but uh still we see more of you can see a lot of those 100 million 120 some million uh 100 million in 2023 and 2024. So here's the fun one. uh how do you improve your odds using what we have done? So we collect on the annual basis we collect about thousands or couple th few thousands of uh uh insurance applications and self assessments. So this thing is still the same. Uh the for 2025 we still recommend the 12 uh cyber security control. Um there's a paper

that's coming out uh in a couple weeks that actually drill down to say what kind of multifactor authentication should you do and then in employee data protection how much is good enough uh by by implementations. So like for example some of the I I'll go through the more details on this one a little bit. Uh asset management uh asset management matters. Um you can see that um you need to understand where you where the data is where your assets are. Is it on the cloud? Is it on you know public cloud? How do they transfer? What are the data transfer restrictions? What are the law that the data you got from is complied to? Um those kind of things in terms of

asset if there's any way to identify uh rogue act assets and stuff. uh in terms of identity management uh control privilege access being number one in return on investment but not just on Windows but also in the clouds in software software service applications various other applications um so those are kind of thing uh also too uh process coverage and uh cloudware pen testing just not not just your on-prem stuff but as well as things that happen in the cloud a validation of uh during help desk of passwords and those kind of things. Uh I want to talk a little bit about MFA. MFA was that of the client that we surveyed about 90 to 100% that's a pretty good

number have MFA. So what kind of MFA does it pay off? So one of the things that we did study is the phishing-resistant MFA and then the other one it's about 3x better if you actually have that implemented and also there's a biometric and endpoint certificates also has the highest value it's also another three points 3% better so how much of a MFA you should um uh implement also makes a huge different of course uh EDR um so 25% increase in EDR correlates to 2 to 3% decrease in breach likelihood. So if you done your EDRs and then about 75% was kind of where we see the uh saturation point is. So um how you how the the degree you

implement certain things it makes a different and then of course the um have a plan you know that the um usually it's a 2.2 2 million less in breach respon if you actually have a br deploy the security AI and automations across your SOCs and uh plan for zero-day softwares uh educate your staff uh integrate your insurance into your incident response have a conversation ahead of time um in in our website we actually have a list of of vendors that's been vetted through by us to say that they are vendor that's approved that would reduce your risk. So you can go to our website and look through those things and who are the one that the

insurance uh broker does uh uh endorse them. So um also to secure AIS and uh given have a very clear roles and responsibilities uh and know the where the data is how it's used we spend a lot of time talking about it the average breach cost for data is 4.88 million. So, and also confirm your process and of course tabletop exercise. Um, optimize your resource. Uh, so delete your unnecessary data, the value of the data versus the risk of the d keeping that data. You should make a conscious decisions. Um, you have you want to assess the impact based on you have a very uh well-defined rules. um ahead of time to decide what this impact

could be and classify your in incidents by impact. So do if is it a escalation? Do I need do I need to you know notification? Do usually you want to involve legals and stuff and documentations and all of that stuff that those are kind of things that you should have if a code do I need to file AK. So last but not least back to again reduce your data data asset. So automate, delete and uh limit data provided to the suppliers. Um make sure they have a deletion kind of thing. Uh inventory of your asset and uh classify your data. So new data coming in, classify it. Uh apply the uh privacy enhancement technology to it. Uh set it

up right so that you will have mitigate your costs. Uh understand where your data is stored, whether it's in the land, in the cloud. It's a public cloud, private cloud, software service and then any source of s third party supplier both supplier as well as your third party consumer of your data be understanding what they're doing why they're doing it how they're doing it and uh what kind of law do you need to be compliant in order to supply those data to the uh to the uh partners. I got four minutes for questions. Yep.

>> Uh first, thank you. That was a great talk. Um maybe a round of applause real quick. >> Thanks. Thank you. >> And you mentioned a study coming out soon with some of the like the details about MFA. Where will that study come out? Where can we find it? Uh, it's Oh, wait wait wait. Let's see. There's a little scanny right right there. Um, you can scan it and uh I forgot about that one and that's coming out in a couple weeks and uh you'll see all the detail. I think that's a public we will publish that and but there are a lot of paper in there that uh talking about what we learn from our clients and then by doing

studies to correlating uh there's also a physical loss study is also coming out uh physical damages in terms of cyber it's also coming out in a few weeks as well. So um go there and then uh if you want a presentation you can also go there I'll send it to you as well. So >> and so maybe more practical question um it looked like ransomware went up around you know '19, '20, '21 big losses and it dropped back down >> y >> and now it kind of looks like very similar trend to that previous point with you know a doubling tripling quadrupling in losses but we haven't seen the insurance market respond with premiums because you showed

a a minus 3% rate. >> Um do you have any ideas why we're seeing those increases in losses but not the response of the um industry? >> Um I think part of it could be that um this is my speculation now. Uh the the the attacks become a lot more complicated. Uh our customer is also a lot better in terms of defending themselves and also to insurance company as well too. They have a lot more tools that they actually some of those they say like those privacy scanning stuff they would say you know this is the management risk option with that option given that your premium that you are you do get some of those tools and that

you don't have to pay it's part of your thing. So they are helping customer managing those risk and a lot more of integrating it within their their insurance within their environment. Now there's a lot more restrictions and I wouldn't say restrictions a lot more deep uh and wanting to know more about their environment when they apply for insurance. So if there's something that doesn't look right, fix it before you come again. Yeah. So that's why there's hundred some questions that uh 300 I want to say it was like 300 questions that they have to answer when they come apply for insurance and about your uh all the list that you saw the the 12 controls but

there's a whole bunch more of those we just say say that of those things that was the list of risk things that we see that that's basically required especially the top six if you don't have those in done that's why uh when we do MFA is 90 to 100% our customer have it. But to what degree that's a different story? Yeah. >> Yeah. >> Last question.

>> Thank you. Uh jumping back up to your trends and stats uh section of the presentation, >> you uh I noticed that you spoke a lot about the source of the incidents that you were perceiving there uh and like who perpetrated them kind of on the attribution side. Is that data that's critical to your loss evaluations or is that just something that's kind of like a nice to have that you you study? We haven't gotten to that part yet. So um and also too who attack your environment that changes all the time. So, it was hard to track that one. >> It seemed like a lot of the incident data that you were talking about as far

as the trends we were specifically attributing to various threat actors there. Am I perceiving that incorrectly? >> Um, I think they change they change quite a lot. The the threat actor would be there like the Scattered Spider that was one of them that was this year >> but before this year they weren't. Yeah. >> Gotcha. So, it's less important to the covered loss and more just something that you are tracking. Yeah, we're keeping the bad bad actors but oftentimes they would disintegrate and become a separate thing and call themselves something else. So it's harder for us to Yeah. >> How much asset management is enough? >> Repeat the question. >> Oh okay. How much asset management is

enough? Oh god. So I think you should go look at the uh paper that we have on that one. I'm sorry guys, we have to end the session. Um it is um past time. Um I'm sure she will be free to answer questions outside. Y Thank you.