
Risk, Cyber Security and the limits of Cyber Insurance - Mark Fidel

BSides Albuquerque · 48:03 · 3 views · Published 2025-08

Sure.

It's a screen.

Maybe it'll keep somebody's interest.

Oh my god.

Good morning, everyone.
>> Good morning, everyone.
>> How was day number one?
>> Great.
>> I'm sorry, I didn't hear anybody. How was day number one?
>> Did anybody miss yesterday? Was everyone here yesterday? I thought people missed it. Um, I think yesterday was pretty spectacular, in my opinion. We had the morning start off by talking about community and kind of bringing people together. And I was reflecting on this last night. This is what I do, is just constantly think about these things. And it was all about people. That's what yesterday's theme was about: ethics, philosophy, community. How do we come together and have a safer environment for children and the elderly? Yesterday was all about people. So, I'm really curious to see what today is about.

All right. So, uh, without further ado, we have Mark Fidel, who is going to provide us with some mind-blowing insights. I've known Mark for a number of years. Uh, he and I go way back in terms of, you know, doing cyber security stuff here in New Mexico. So without further ado, I'll turn it over to Mark.

Thank you, Chris, very much. Thank you, BSides, and all the people who are involved in putting this together. Uh, 400 registered attendees and somewhat less this morning. So there you go. One of the things I asked a couple weeks ago: hey, do you want my slides in advance? They said, "No, just bring your laptop." That was their first mistake. And really, I don't think that there's been another mistake, but that was the first mistake.

Um, so who's in front of you? Um, I am a native New Mexican, uh, first and foremost. Been in the state much more than I've been out of the state, but traveled some. Uh, my current gig is my own consulting business. I work with technology clients, both on the established side of the world, uh, making money doing good things for their customers, and then I have startups who want to be established, right? And so I work with a variety of technology entities, if you will. Interestingly enough, on the startup side it's almost entirely AI, and so I always have to do a conflicts check to say, all right, in this part of AI, am I conflicted with working with them because of these three other things that I'm working on with these other people? So, um, my background related to cyber security is I was a co-founder of a company called RiskSense. We were around from 2006 to 2021.

In 2021 we were acquired by a company called Ivanti, which is a private equity-backed software cyber security firm, and they grew through acquisition. In the year we were acquired, we were one of three acquisitions. If any of you have been through a merger and/or acquisition, one is fun. Three makes it fascinating. And their goal was to, you know, we were a particular puzzle piece in their larger picture, right? And, uh, to my knowledge, they're still using our software product with clients. So that's something, right? I worked with them for about two years, uh, after the acquisition, and it wasn't because I was nice. It was because there was an employee retention bonus at the end of the two years. Right. So, let's get real here. Right. Ryan, is that one of the... Okay, thank you, Ryan. I see that. All right.

Um, I serve on the boards of four organizations, uh, nonprofits here in the Albuquerque area. They're listed on the screen, and I've chosen these because they have things that are interesting to me and they do things that are interesting to me or near and dear to my heart. Um, the first one is the Civil Legal Services Commission, and we provide funding to nonprofit providers of legal services on the civil side. So this isn't public defender work. This is, uh, so, landlord-tenant issues, right? And to qualify for their services, you have to be below a certain percentage of the federal poverty limit. There's a lot of work that these folks are doing, and we help manage the flow of money, about 8 and a half to 10 million a year, to these nonprofit providers. For some of the providers, such as New Mexico Legal Aid, we are a percentage of their overall budget. For others, we are their entire budget, right? We comprise that.

CNM Ingenuity, if you're familiar with CNM, CNM Ingenuity is the research park corporation of CNM. Much like Arrowhead Research Park for NMSU, much like Rainforest, now not Science and Technology Center, but Rainforest for UNM. It's a statutorily created entity that allows CNM to own it, but then it allows Ingenuity to have an ownership interest in a variety of entities. Presbyterian Healthcare Foundation, uh, exists solely to support Presbyterian Healthcare System. Reason that's important to me is Presbyterian Healthcare Services and system touches about 50 to 52% of the population of New Mexico in any given year. So, big impact to New Mexicans. Uh, Bosque School, our child went there, right? So I served on the board. I'm rolling off the board in October. My education: New Mexico State University. Go Aggies. Anybody? Yeah. Spirit.
>> All right. University of New Mexico. Go
>> Lobos.
>> All right. There we go. I figured, right? Proximity.
>> And University of Denver. Go Pioneers.

>> All right. There. Thank you. Appreciate that.
>> So, undergrad in finance, and finance people were accounting majors who couldn't count. Accounting majors, however, were finance people without social lives. And it was a two-drink minimum to get into the marketing department. So, um, went to the executive MBA program at UNM because, uh, I get to say executive MBA program. It took half as long, but cost twice as much. So, there was that trade-off. And, uh, I have a law degree. I'm a licensed attorney. I do not practice much or any, so I don't have malpractice coverage. Dell, where's Damo?
>> Did he leave? All right. Dell, are you right there?
>> I don't have malpractice coverage. That was not legal advice I gave you earlier.
>> Oh, okay.
>> Sorry. All right, check.

We're going to talk today about something called risk. We're not going to talk about mice beyond this slide, but there's an interesting parasite called toxoplasmosis. Women who may be of childbearing years are warned to stay away from cats and/or cat litter because they may contract the parasite toxoplasmosis. Toxoplasmosis is fascinating, and I will tie that to risk here in a minute. I promise you I will. Mice get access to it, it inhabits their bodies, if the mouse eats infected something, right? Grain, whatever. Okay. However, in order for toxoplasmosis to propagate and continue to survive in its ecosystem, it affects a mouse's risk behaviors, and it can make them less sensitive and less risk averse to, uh, to predators such as cats. All right? So, if you have a swashbuckling mouse who doesn't give a damn, right? They're more than likely going to be eaten by a predator. Toxoplasmosis then gets transferred to another host, right? And then can propagate that way. Eventually, it can happen, especially for cats that are in the wild, toxoplasmosis gets back into the mouse ecosystem, and toxoplasmosis therefore continues to propagate. Right? Secondarily, it can also infect humans, right? There haven't been a lot of studies, but some of the ones that have been done show that it lowers the risk profiles, meaning the risk aversion, of humans as well. So, one study that I think would be fascinating is people who compete in X Games, right? Do they have a toxoplasmosis volume in their body, right? And it affects, uh, centers in the brain that are responsible for "that's bad, this is good." Right?

So, I bring this up because when we're talking about risk, you can't ever get rid of risk. We're going to talk today about risk and cyber security. Beyond this one last time, I won't say toxoplasmosis again. Understanding risk and cyber threats is crucial for us understanding our computer infrastructure and real-world safety. Right? Is there anybody not aware that computing weaknesses can affect real-world events, right? We're all okay, especially with this audience, right? Absolutely. Water systems can come down, right? Industrial control systems. Um, anybody, this has been a while now, the Target breach, who had to have a debit or credit card replaced because your credit card number and all of the credit card information on that swipe was stolen, right? Okay. So, real-world implications, very much so. Um, Mondelez, the international confectionery maker, right? Uh, the WannaCry, uh, ransomware. Well, the WannaCry ransomware attack, because there was nobody on the other side waiting for ransom. It just locked up systems, right?

Um, so proactive security systems and measures go beyond just purchasing insurance. If you're in an entity that has cyber insurance and the decision makers, the powers that be, believe that we're good, have them take a look at this, or have them call, quite honestly, right? It's one piece of the larger security puzzle. Okay? Risk impacts personal, professional, and online activities. We know that. And so implementing effective security steps can reduce cyber threats. Essentially, what a good insurance policy gives you is it'll help you determine how good is the mop and bucket that you're using to clean up the mess that happened, right? Clean up on aisle five, we have a problem. So, insurance tends to be largely reactive. An event happened, how do we recover from it? Right? As security professionals here, we should be much more on the proactive side versus the reactive side. Now, that's not to say you shouldn't have good incident response by any means. You should have the tools available to understand what happened, right? But it should beg the question of: we've had an incident. Do you really want to pay for attribution analysis and end up with the answer being it was North Korea, and then what do you do? Gosh, I just paid $74,000 to learn it was North Korea, and then what do you do? Okay, great. So awareness of risk leads to smarter decision making for both professional and personal environments. Okay, I am going to say risk a lot here, but I won't say that other word anymore.

So, today we're going to talk about... going to go right back to my presentation without my notes getting in my way. We're going to understand risk. We're going to illustrate why risk is inherent in all aspects of life. Just you coming here this morning, right, brings that. And I don't have video. Why not? Chris, what did I do wrong? Sorry. Hang on a second.

Perfect. Thank you. So, there's a risk that equipment or software will fail, right? Case in point right here. We're going to talk about why risk is inherent in all aspects of what we're doing. Okay? You don't get rid of it. It's how you deal with it. And in some instances, how you don't do it, right? And sometimes those decisions you make, and other times those decisions are made for you, and other times there's just no decision made and what happens happens.

We're going to understand, then focus on, cyber risk. We're going to identify various threats and vulnerabilities that exist in the digital landscape. And I'm going to talk about the importance of securing our digital assets. We're going to talk about machine and software failures, right? Those things that just happen. Okay, if you've ever been in a server room with a water pipe going over the top of it, wow, there's a lot of knowing laughs there, right? That's no fun. Or a server room that was never intended to be a server room, but gosh, that's where we put the big Dell machine. Okay. Right. Uh, please don't hit the off switch with a mop handle. Right. Always a nice note. Versus malicious behaviors. And when we get into this section, I'm going to talk a little bit about why I'm not quite sold that cyber insurance actually works as a concept when you're talking about the concept of insurance. Okay. So I'll briefly differentiate between innocent mistakes in technology and those intentional malicious acts. Okay.

We're going to talk about cyber insurance coverage and limitations. This is the part in the presentation, if not before, where you should fall asleep if you're so prone to fall asleep. Right? If you're with somebody, make sure it's okay that you fall asleep gently onto them. Right? If you're not with somebody, please make sure you're not going to do a header into a solid surface. The whole liability thing, we bring a whole other level of insurance. But insurance can be absolutely mind-numbingly boring. And I'm really going to try to prevent that from happening. And then we're going to talk about why it's not enough, okay? From both a practitioner's perspective and a decision maker's perspective. Sometimes a practitioner is also the decision maker, but if you look in the technology realm, it's often the technology folks are the influencers, but not always the ultimate decision maker. It depends on the environment, right? I get that. And then we'll have some time for questions and hopefully answers. Okay, Dell, you're the one with the answers and others will have the questions.

>> Well, here's a name that I can easily come up with quick. That's why: primer on risk. We're going to understand the likelihood and impact because I pick on Chris Perkins. He's gonna pull the plug. So, I can't do that. Risk is simply a combination of how likely an event... Notice I didn't qualify event: good, bad, or indifferent. Just an event. How likely an event is to happen, and then the potential impact it could have if it does occur. All right. Understanding this concept is crucial before you can go on to the concept of risk management and certainly cyber insurance. Fair enough. Um, think about the two terms, possible and probable. There's a lot of things in the world that are possible that could happen right now to this building, right? But the realm of things that are probable is a smaller subset of that, hopefully, right? Because the things that are possible are pretty... I'm going with asteroids. I'm going with earthquakes. I'm going with, uh, a monsoon flood maybe this afternoon. Right? Those are possible, but they're not probable today. Fair enough. So, understanding that difference can also help you understand what it takes to manage those probable risks versus the entire universe of possible risks.

So, everyday risks, right? We make decisions every day that involve an element of risk. Coming here today. Anybody here in a completely, uh, electric vehicle? Raise your hand if you will. All right. So, we have a couple, right? What's the risk, Josh? What's the risk of the electric vehicle? What's the inherent risk that I should be thinking about if I'm driving an electric vehicle? Running out of charging.
>> Running out of charging, right? But the same really is similar with gas, right? With internal combustion engines, right? I'm going to run out of fuel. Either way, you're going to run out of the thing that propels you, right? Lithium fires are not common, but they happen with cars, right? Especially after impacts, if the battery casing is damaged. For those of us who have internal combustion engines and, quite frankly, for children. Josh, because now follow me here. I buy gasoline here in New Mexico. Gasoline is produced by oil and gas providers, some of whom do a lot of business here in New Mexico. And they pay excise taxes to the state of New Mexico that ultimately go into the education system. So, I have a low mileage, low mile-per-gallon vehicle because I like to support education. How's that for... You like that? All right, there we go. But I'm driving a damn time bomb, right? I'm driving something full of gasoline. Okay, there's a risk there. I've accepted the risk that the likelihood is small, unless I'm in an accident, that it's just going to spontaneously combust. Fair enough.

Um, some of the other instances is, do you really want to eat gas station sushi? It's available, but do you want to go there, right? We were on a slight road trip to Oakland, California recently. Two-day road trip. First stop, Las Vegas, Nevada. Second stop, Oakland, California. And damned if there wasn't in, uh, Bakersfield, California, a gas station that had gas station sushi. Did not try it. We wanted to get on to Oakland, California. Right. Um, trusting your teenager to close the garage door after they've left the house in the car that they're driving, which is an inherently different level of risk, which shows up in your auto insurance premiums, mind you. And you can't just say, "No, the teenager is isolated to this car." Because that doesn't make sense, right? So all the cars get rated with all of the drivers, and those premiums you're paying show some semblance of an idea of the risk involved, based on a lot of historical information about your driving habits, the age of the person driving, etc. And so therefore you pay a premium. Now remember that the premium is designed to cover the relative risk that that insurance is covering. And remember that when we're talking about cyber insurance here in a few minutes.

So, cyber threats. What are the active? We have both active and passive, right? The active is those intentional malicious actors. Be they state actors sponsored by Iran or Korea or whomever, right? Be they, uh, just random: I purchase 20 million email addresses, I'm going to attach a variety of ransomware to it and randomly send those emails out and see what I get back, right? See who opens them, right? But it's malicious at some level. It is intentional, okay? Versus the passive weaknesses, vulnerabilities in systems that remain unpatched, right? There's very few, and I'm going to bring ransomware into this a fair amount because that's really an insidious problem, right? There's very few, there are some, but there's very few ransomware variants that cannot do what they do unless there are vulnerabilities in the systems they're attacking. Pure and simple, right? They just become an ineffective piece of software if they are attached to systems that don't have the vulnerabilities they're designed to go after. So, why is ransomware so pervasive? Because there's a lot of unpatched systems in our environments. All right.

Common vulnerabilities: software bugs, right? The software not acting, behaving as intended. That's why we have security... Is it still security Tuesday? Microsoft security updates? I don't know. It's security 3:00 a.m., right? That's why we have updates. Let those updates happen. I don't have to tell this crowd, but tell your constituents within your organizations, let the updates happen, please. Now, if this were a Microsoft machine, the update would happen right about now, right? At the most inopportune time, I swear there's logic involved in that. And boy, he's just getting going, or at least he thinks he's getting going, and we're going to stop him cold with an update. Um, unpatched systems, poor security practices. Uh, our daughter works for a managed service provider here in town, and she's quickly realizing the weakest part of any computer system is us, right? People. Very quickly realizing that and understanding; she's on the help desk. So addressing these vulnerabilities is crucial to the overall strength, right? It's not a one-stop shop here. It's not a "we're going to do this and we're going to be okay." No, here's a variety of things we have to do, and then we think we'll largely be okay. And if any of the security professionals in the room, which should be all of you, disagree with me, please save those disagreements for questions and answers and we'll have that discussion.

So, innocent errors and intentional threats. Machine and software failures, right? Just a drive dying, right? Statistically, these things are going to happen. Uh, advances: SSDs tend to fail less often, but when they fail, it tends to be more catastrophic, right? On that level. Um, system crashes, uh, glitches, power fluctuations. Uh, we moved a couple years ago from one part of the area to another part of the area. And damned if we haven't had power outages in the new area. Um, and it's weird, right? And not just glitches, but some time in those power outages, which is making me rethink the whole solar battery, right? Or solar gas generator thing. Um, then there's of course the malware and intentional hacking, right? The person bringing the three boxes of donuts to your office can't open the front door because, right, pretends to be an employee. Can't open the front door because the badge isn't available because I got three boxes of donuts. Can you open the door for me? I got donuts. Why aren't you going to let me in? Right.

Uh, I was doing training for the New Mexico Department of Finance and Administration on a Monday morning in January a number of years ago. And I, you know, for those people who were either silly enough or had the bad luck to sign up for an 8 a.m. security training session at work, I brought donuts. I brought three boxes of donuts. And I didn't realize that the building I was going to had a time lock on the outside locks. They unlocked... I got there 7:30 to set up. It's January. I got donuts. I got a backpack. It's cold. And an employee walks up and says, "Hey, can I help you?" I said, "Yeah, I'm giving a presentation at 8 a.m." And I named the name of my host. And I said, "But I didn't realize the doors are locked." "I'll let you in. Do you know where you're going?" "Yes." She went her way. I went my way. She was in my class later, uh, that day, and I asked her permission to use her as an example before I did this. Uh, that garnered her two donuts. And so she didn't ask who I was. She didn't ask for credentials. She didn't escort me to where I thought I was going. Right? And I think maybe the thinking, and this is purely conjecture on my part, her thinking was, that's not my job. Right? I work here. But I'm not... the microphone. Sorry. But I am not the security person, right? I'm not the security person, right? So from that perspective, then, uh, luckily I wasn't a bad guy, or at least not in that moment, right? And it was a learning lesson. Don't open the gap. Don't open the door. Don't. Pure and simple. Okay.

From that perspective, let's talk about cyber insurance and, uh, just coverage and limitations, and then throughout here why it may make sense and why it doesn't. And I used to sell commercial insurance. So I'm not unaware of how insurance coverages work, how it's underwritten, things like that. And this is why cyber insurance as a class of insurance to this very day... So cyber insurance provides financial protection against costs associated with data breaches. Data breach can be anything from somebody bad got in data to I lost my laptop with data. That's a breach, including expenses related to notifying the affected individuals. Breach notification laws. New Mexico has a breach notification law. Which entities are excluded from breach notification laws in New Mexico? State government. Anyway, rules for thee but not for me. Right. Okay. And so if the Department of Health has a breach that doesn't affect something that is, uh, related to a federal statute, there's no requirement that the Department of Health notify those individuals whose data was breached. Now, is it a good idea to do so anyway? Of course it is. Any state government employees here? Okay. Did you happen to work for the state in 2012? Roughly. Okay.

There was a breach from the Public Employee Retirement Association. The breach was a lost laptop, a contract vendor who was doing audits on the financials. The employee drove to Santa Fe to pick up the data. The data was transferred on a thumb drive, uh, in the offices of PERA to a laptop. The thumb drive was given back. The employee left, and the next stop was in Clovis, New Mexico. Um, that night, uh, two laptops and two laptop bags were stolen from the vehicle of this employee of this vendor. Right. Recovered in two days at a pawn shop were one laptop and two laptop bags. The one laptop that was not recovered had your data. Okay. It was also determined that that laptop was not password protected. So you could open the lid and no username required, right? Nor was the file encrypted. Both violating the company's own procedures. That person was relieved of their employment as a result. Right. They did not have to notify the 36,000 current employees and retirees of this problem, but they chose to. The reason I know that is that I largely wrote the letter for them, and I worked with their lawyers because they had retirees all over the US. So, we had to make the letter comply with the most restrictive of the data notification laws at the time, right?

And so that letter got sent out. My dad, who was a member of PERA at the time, got one letter I helped write. Um, and so this cost $863,000, of which we got paid $1,300 for the time that we spent. Thank you. Appreciate it. And so we know all this in the background, and what happened was that the company, the accounting firm in question, their errors and omissions insurance covered the entire $863,000. No taxpayer money was lost, if you will, from this breach. Okay. Not a great outcome, but there's never been any evidence that the data is in the wild. But you don't know that, because it came out of the care, custody, and control of a trusted individual, right?

So insurance covers the cost associated with managing a breach, a data breach. Um, providing credit monitoring services, uh, hosting an 800 number so that people can call in if they have questions, right? And any legal liabilities that may result from the breach, because often a breach involves somebody else's data that you or your company may be managing. And there's very much... when we got calls to help out, we did some incident response work, when we got calls to help out, depending on who I was talking to, the questions I would ask were: have you contacted your counsel, either in-house or outside counsel, and have you called your insurance company? The reason for those two things happening is, talk to your attorney because there may be subsequent litigation as a result of this problem, right? And you want any of the recovery work to be covered under attorney-client privilege. Quite honestly, talk to your insurance company because if you have coverage that helps with a recovery here, there's probably a notification clause that says, upon understanding that there's a covered event, you have X number of hours, days, usually it's days, to contact us and let us know. Otherwise, you don't get coverage. Right? So, I paid all these premiums. I don't call in time, and I don't get coverage because that's in the contract. All right? So now we have...

We cover business interruption, right? Have you ever been involved in an incident where it shut things down? Right.
>> Jim, any broad details you could share with me?
>> And if not, no problem.
>> Oh, yes.
>> Go ahead.
>> I work with
>> Okay. Albuquerque Public Schools. Okay.

>> So, systems were down or unavailable because of the ransomware, >> right? People couldn't do their work, things couldn't get done, right? Um, so it happens. Uh business interruption helps mitigate, not get rid of, not fully compensate, but mitigate losses due to downtime, allowing businesses in some instances to recover quickly and resume operations. But you can't really recover time, right? Not yet. Covers legal liability, can provide you defense attorneys in the event your entity is sued because of that breach. >> Right. Um, it protects businesses from lawsuits related to privacy breaches. Uh, ensuring that legal costs are covered in case of claims from affected parties. Does not cover preventive services because by definition you can't

invoke the insurance until something has happened. So how do you invoke preventive ser? Now, some insurance policies provide access to education, to resources to help shore up the environment, to help make the environment better, but largely you can't make an insurance claim before something's happened. Make sense? Okay. So, cyber insurance provides essential financial coverage after the fact. Doesn't often include those preventive measures. Doesn't often include full recovery from an incident, right? and certainly the psychological impact of feeling unsafe due to potential threats. So, I'm gonna ask this question that I've asked a lot to audiences, but I'm asking it in a way where there might be one or two hands raised. Who here does not have or has ever had

um credit monitoring because of a breach? Yeah. Right. No, nobody is in that class. We've all I have so many credit monitoring services, right, that that are paid for. Um, it's ridiculous. So, why cyber insurance alone is not enough? Let's talk about how insurance briefly covers risk. Who here has life insurance policies, right? Okay. Life insurance is it's simply it's a matter of money and time. That's all it is. The bet that the I know I shouldn't use bet because it's not again. The prospect that the insurance company is making is that with those premium dollars you're paying for the insurance that you won't die until a certain time. Therefore, they can invest that money and make

interest on that money. Maybe sharing some of it with you, maybe not, right? Depending on what the contract reads. And then when you die, they pay out a lump sum, but they've made money on that on that those premiums, right? So when you buy cyber insurance, what you're doing is you're buying insurance against the fact that something's not that something may happen, right? However, versus life insurance, for those of you have life insurance, did you have to go through a medical exam? Certainly filled out a questionnaire, >> right? Well, the questionnaire is compared to the medical exam. And if on the questionnaire you stated under the question how many alcoholic drinks do you have per week and you said

two right standard answer right the medical exams comes back with advanced cerosis of the liver those two things tend to be incompatible those two answers right so now the agent will come back to you and said hey you want to revise your answer to this question or maybe we do some more blood work or let's get you to a hospice system right something along those lines There's often not a similar quote unquote medical exam for your computer environment, right? Because it's not cost-effective. Is it cost effective to do a full pentest to lower your insurance premiums by $5,000? No, because a pentest might cost $40,000, right? So, there's a costbenefit analysis there. But cyber insurance

alone is not enough because it's not a pan it's not a it's not a catch all panacea, right? It's one of a number of things. So you have to have a comprehensive security approach. It's a combination of knowledgeable personnel, folks in this room, well-defined processes, and robust technology solutions working together to mitigate risk. Cyber insurance is that safety net. It's that net on the aircraft carrier in case the jet misses the hook. That's the that's where cyber insurance comes to play. Insurance is reactive. You have to have an event first for insurance to actually work. And there's benefits to cyber maturity. Organizations that invest in cyber maturity u can reduce the risk of breaches significantly and often benefit

from lower insurance premiums as a result. Right? All of these good behaviors can result in you paying less for it but still having the coverage when you need it. There's probably I don't know how many but there are lots of underfunded cyber insurance policies out there today. meaning they are not charging enough premium for the real risk identified for excuse me for the real risk present in what they're covering pure and simple and the amount of coverages can be limited as well for the premiums you're paying so we're going to wrap up here Chris is thinking oh thank god all right key takeaways so it's an inherent part of life right say a silent prayer when you start your

car right just do that right? Uh especially in the digital realm, insurance serves as a supplementary measure versus as a primary defense mechanism, right? Showing the bad guys your insurance policy isn't going to stop the bad guys from being bad guys. That's not going to work. Preventing them access to your environment or making their access to your environment much more difficult will certainly make them think for easier target. Think about easier targets. Building resilience through comprehensive cyber security strategies is crucial for minimizing risk and enhancing your overall security posture. So I need challenging questions. I don't want mundane questions. I need challenging questions related to risk and cyber security. Are there any? For those of you still awake, are there

any? Yes, sir. In the back, we have a microphone coming to you. >> Hello. My name is Daniel and since you're a lawyer in the field, I'm just wondering what your opinion is. Uh is there enough or not enough uh regulation laws in in the field to uh significantly protect all industries and fields of area where cyber and IT uh affect everyone? Thank you. >> Great question, Daniel. And I'm going to summarize this and make sure I got it right. Essentially, are there enough regulations? Anybody? It depends. The answer is it depends, Daniel. Right. Here's the problem with regulations. Just like the problem, and I'm not going to get into a pro or anti- debate here, but just like the problems

with gun laws, if I'm a law-abiding citizen, I'm going to pay attention to the gun laws. If I'm not a law-abiding citizen, I'm not going to pay attention to it. Right now, I might be influenced by the fact that there are penalties for what I'm about to do, and that might dissuade me, but others it may not dissuade. So, regulations, how many of us here live under the the umbrella of a regulation somewhere? we all do, right, in our computing environment, especially if you're working with federal data, federally sourced, federally managed, federally impacted data, right? And so those regulations quite honestly make it good for people like me in the consulting business, right? Because then

I have an opportunity to come in and help with gap assessments, right? We come in and help with penetration testing if I was still in that business. All of those things. But those regulations are designed to make better environments versus more onerous environments. Sometimes in the midst of it, you won't think that's the case. But hopefully for the majority of regulations that are out there, think CMMC, think PCI, payment card industry stuff, which isn't a regulation, but if you want to play with the credit card companies, you have to follow their rules, right? They help. Are there enough regulations? There's probably not enough right regulations. I'll put it that way. All right, other questions. >> It's a two-part question.

>> Thank you. It might be a little bit complicated, but it was driven by your AI experience. >> All right. >> So, um, how can organizations and leaders in organizations start to leverage and implement agentic AI in ways that it's practically useful in cyber security? >> Sure. >> And then the second part is how do we also start to solve for the skills gap that will be created by agentic AI because we no longer have entry level positions. >> Sure. Appreciate that. If you're intending on using AI and the big caveat here, not an AI expert yet, but I'm studying fast, right? Catching up. And yes, I'm using AI to help me do that, right? To make it better. But the

the the essence is is that to the extent that you can use AI internally, you want to use not ChatGPT and load your questions into that. You want to have your your front-end chatbot looking at your own data. That is it becomes your LLM on one ID, right? Guard that data just like you would guard any data. All it is is information, right? AI though is used to help make our jobs easier, not more complex. Are there threat actors using AI to make their malware better? Absolutely. Are there cyber security vendors using AI to make their defensive postures, their defensive software much better? Absolutely. Right. It's the genie is out of that particular bottle

right now from that perspective. Um, and I think that since we're talking generally about cyber insurance, the insurance industry is very very far behind in what this means, right? A lot of it's going to come from malpractice. Let's say you engage with a law firm for some issue, right? And they use AI, which is very likely to happen, to help uh with the development of your case theory against me, the bad guy, however it happened. I ran into your car, etc., right? Well, if they're not checking sources of information, the case law that that AI may cite may look really good and not exist at all because AI doesn't know better, right? We still have to have some guardrails and so it

can't continue to be the wild west, but my thinking is it still is. It's a roundabout answer. Uh, let's talk in a year when I'm better at this on the AI subject. Is that fair? >> Okay. >> Have time for one more. >> One more question. Um, I'm sorry. In the back there is the question. I I'll be happy to visit with you afterwards, Dell. >> Uh, yes. Uh, my question is, did you go to Durant for breakfast and how come you didn't invite me? [Applause] >> So, actually, I'll take your question, sir, uh since it didn't the other question didn't require a response from the defendant. All right. >> All right. Thank you very much. So um

I'm more interested in policy analysis as my studies. Um so my question is I was going to I've been extensively analyzing the HB60 that the state is trying to get passed and state this past legislative session but it was um did not go through. So um it's it relates to it it is a comprehensive um bill on AI >> right? >> So what are your thoughts because it covers so many industries so what are your thoughts about that specific bill that emphasizes on discrimination transparency to the consumers and more less emphasis on the developers and so many things. So what are your thoughts generally about the HB60? >> Great question. And I'll be brief and

I'll be happy to visit with you once they've kicked me off the stage. Okay. But the large question I think the larger implication is the learning aspect. And for humans, right, it tends to be nature versus nurture. What is something that we can do without being taught? Well, breathing, heart beating, those types of things, walking at some level, right? Versus what do we learn from our environment? AI learns from its environment. It doesn't have any inherent uh knowledge, right? It's whatever it is exposed to and it builds off of that, right? And so if you're putting your own company data into a ChatGPT type environment to then get a result, be cautious because now it's learned that

company data and it can use it publicly for other issues. Right? There's been many instances of people finding credentials, finding stuff that shouldn't be in the public sector in ChatGPT and others. My time's up. I'll be happy to visit with you a little bit further because that wasn't a great answer for you. Thank you. Round of applause for Mark. Thank you very much for being here. Thank you for your support and sponsorship of the event as well.