
So you're in Track One. The title of this last talk at our event is Cyber Risk Quantification: Measure All the Things, and it is really my pleasure and privilege to introduce Adam Roff. I always have to think about it, because I think about a loaf of bread and I'm like, how do I pronounce your last name? So I'm trying to change that for you, Adam. He's going to talk about risk, how we quantify it, how you manage risk, whether you're retaining that risk or transferring it, and how that impacts your cyber insurance policies and decisions for your program. So without further ado, please help me welcome Adam to the stage.
Thank you, Annie, I really appreciate it. Thank you everybody for coming to talk about such an invigorating topic as cyber security insurance right before you get a chance to drink and eat. I'm hopefully not going to keep you too long from that, but I wanted to thank you all for sticking around to the end of the presentation, and I want to thank everybody here at BSides for all the really great talks today, as well as the staff and everybody for making this possible.

In terms of the agenda today, I'll go over why you are here, who am I, what am I doing here, and why you should be attending this talk. If you're puzzled and saying, why should I be here, well, one of the reasons is that there's no Track Two, so I think you're in good shape at that point. But I also think this is probably going to be more pertinent to a number of the other folks here in the room who are thinking about things from a cyber security insurance standpoint. So I'm going to give a current state of the market. This is based on conversations I have with forensic accountants and people who are in the insurance broking industry, and it can give you some perspective on why you're seeing the different things you are within cyber security insurance. Then we're going to talk about how you can apply those techniques and data that you got from the insurance piece within your own cyber security program, so hopefully you'll gain a lot from that and be able to apply it within your own security programs. Then we can talk a little bit about, I would expect a number of you have probably heard about the FAIR methodology, and there are a number of different ways that we're going to talk about quantifying cyber risk and how you can start thinking about doing it within your own organization. And then we'll finish up with any sort of Q&A. Again,
given that I'm the last talk of the day, I will try not to keep you too long.

As far as who I am, my name is Adam Roff, as Annie very thoughtfully introduced me. I'm an information security practitioner and overall geek, a big fan of music, especially of the math rock and prog metal variety. I'm a gamer and also a dad. I actually heard a great dad joke earlier today that I thought I would bring to everybody: where do hockey players go to get a new uniform when they need one? New Jersey. Thank you, the groans are worth it. As far as my own background, I've been doing vulnerability analysis, security operations, incident response, and cyber security consulting, and then within the past couple of years I've actually migrated a little bit into cyber insurance. So I went from helping clients recover from ransomware and business email compromise to suddenly now helping them obtain cyber security insurance, either for the first time or after they've had some difficulty going through the process. Brief legalese: all opinions expressed by me are not necessarily those of my employer, and this is meant to be informational and hopefully entertaining in some capacity, but I would say always, when you're making these types of decisions, make sure you consult with your legal teams and talk to your insurance carriers and your brokers before making
some of these decisions. But hopefully this information is still going to be useful for you as part of what you're doing here.

As far as who should attend this talk, I highly recommend that folks who are in decision-making positions are in this talk. Typically the conversations I've had around this, and the clients that we typically meet with, are usually CISOs, CFOs, CEOs, CTOs, directors, privacy officers, because we have these conversations around them. What typically happens is that there are the folks who are downstream, who are boots on the ground working within cyber security, and here are the challenges that they have and here's how they could solve these problems, but now they have the gavel of insurance to actually be able to do that. Many clients that we've talked to have actually gone through the cyber security insurance process and either got hammered on their policies or came back and said, hey, we got sublimits or exclusions on our ransomware policy because we didn't have EDR or MFA or some of these other tools within their environment. So hopefully this will provide a lot of information for that. Additionally, if you're somebody who's a risk manager, an insurance nerd, or a practitioner, a security manager or leader, and then also anybody else who doesn't fall into any of the other categories.

As far as why you're here: you are probably here because you care about your security posture, you care about your program, you've been lobbying for money for your tools and your head count and you just haven't been able to get it traditionally. You're not really sure if you need insurance, or maybe you are sure that you need insurance but you're not really sure how much you should have. Or you enjoy mathematics or statistics, or everyone looks at you weird whenever you're going on and on about loss exceedance curves or Monte Carlo simulations, of which that is Monte Carlo, but not the type of Monte Carlo we will be discussing today.
So why cyber insurance? People kind of think, and I had a conversation with a CISO actually this week who said, I don't know why we're buying 20 million dollars in cyber insurance. So we had a pretty frank conversation, and we talked about some of the tools and things that they had in the environment, and I said, well, what does the business interruption claim look like to you? And he's like, well, I'm not really sure. And I said, well, did you talk to your business process owners about this and have a conversation? Did you meet with your GRC folks? Did you talk with your legal counsel? And he's like, I haven't had any of those conversations. I was like, well, this is why you need to start thinking about it from an insurance standpoint, because the insurance is kind of a means to an end. It's almost become a necessary evil for a lot of people, because you have a great security program, but the idea is that the threat landscape has changed, from an if I'm going to get breached into a when. Even the best organizations with the best security policies and practices have gotten breached, even really, really good ones.

So the perspective that we should be taking is, what's that, Travelers Insurance has that little rainy day umbrella, right? I think of it the same way: okay, you've now gone out, you've dressed appropriately for it, this enormous windstorm and rainstorm has just come in, what have you got to protect you? You need to have something else. The idea of defense in depth: your insurance should be part of that depth, and so you want it to help protect you and your organization from any residual costs. The idea around this is not necessarily just your incident response costs. When I talk to information security practitioners and we go through a quantification exercise, I ask them, okay, let's start thinking about the potential loss scenario, and they go, okay, well, I know I need to spend on DFIR, I need to spend on a breach coach and all this stuff. That's great. Well, what does the reputation loss look like? I don't know, I'm not really sure about that. And I was like, okay, well, if your business is out for the industry average of 11 days, how much is that impacting your bottom line and your financials? I don't know. So those are the kinds of conversations that should be included as part of your discussion on loss. You're not thinking about it only in terms of the technical loss but also in terms of the organizational loss and the reputational loss. These are things that you can also include as part of it, and it's going to be dependent, which is why I always say talk to your insurance brokers and carriers, because reputation loss is absolutely covered in some policies, and some policies strike it from the policy. So I would say you want to be very careful in reading through that policy.

So yeah, I talked about the rainy day coverage, but next I wanted to move on to the current state of the market. You'll see a number of bullets here that are conversations that I had with forensic accountants. I've talked with brokers this year, and I'm still in touch with a
number of underwriters within the industry, so they've provided me a lot of this data and I want to share it with you today. Hopefully this is something you can bring back as part of your own program and plans.

Number one is that underwriting is getting better and more mature. Typically what you've seen in the past, if you wanted to get a cyber security insurance policy, you'd fill out an application, you'd submit it, you'd get cyber security insurance, and end of story. Then 2020 happened. We saw an increase in the amount of ransomware attacks that we saw in the world, and so insurance carriers started losing their shirts over these policies, and they're like, wait, we can't do this anymore. I don't know how many of you have gone through filling out an insurance application; can you raise your hand if you've done that before? Okay. How has that process changed? Is it easier or harder now? Exactly. And how are those forms set up? Are they set up in a fashion that allows you to provide any context around any of your answers, or is it strictly a black and white yes or no question, where you're either the best company in the world or you're the worst company in the world? So that process has changed, and that's made it an advantage for the insurance carriers and not necessarily for the insured. It's an uphill battle.

Premium increases that we've seen have stabilized within a five to ten percent range, and decreases are obtainable for certain risks that they'll consider best in class. Now, this has been an interesting conversation. Being part of a brokerage firm, which is who I work for, and working as a cyber security consultant, I've had conversations around, okay, insurance carrier X, tell me what you consider a best-in-class technology. Like, I can't really tell you, but if you had it I'll let you know. It's like the pornography thing, right? I'll know it when I see it. So whenever I've had these conversations and I said, well, if I'm going to recommend product X to somebody, how do I know that's going to make a material impact on their cyber security insurance policy? They're like, well, if they're in the Gartner Magic Quadrant and if they're in the Forrester Wave and things like that, we'll consider that and we'll take that into heavy consideration as part of it. But they can't give me any dollar amounts around it; they just know that they're looking for those things because that's what the industry is telling them to look for. There's something called increased limit factor, and that's dropped actually from the 90 to 95 range down to 75 to 85 percent. So that's thinking about
factoring, and I'll talk about that a little bit here in the next slide. Most insurers, the average that we're typically seeing here, are offering limits around 10 million dollars; most have actually been capped at five million over the past 12 months. So even firms that have traditionally been able to get 10 million dollars in insurance, some of the carriers have come back and been like, ah, we're not going to give you an excess layer at this quote; we're either not going to quote you or we're going to make it not worth it for you to even pursue it. The marketplace itself is pretty limited if you've had a prior claim. If you've had a breach in the past couple of years, the insurance carriers have kind of come back and said, I don't know if I want to quote on this, or if I'm going to quote, I'm going to put that sublimit or exclusion on it, because I know that you've been hit in the past; even if you've gone through all the steps to reduce your overall risk going forward and you've remediated the findings, I'm a little hesitant, I don't want to get burned again. Cyber attacks, as you know, in the US were up 57 percent in 2022 versus 2021. We also saw business interruption claims rise 120 percent between 2020 and 2021, unsurprisingly, because of the proliferation of ransomware and everything that we saw during the pandemic. And then, unsurprisingly, ransomware and business email compromise, which is what I dealt with most of the time working in a DFIR firm, was the leading cause of loss.

Now, as far as what happened with cyber insurance itself, they consider this now a global industry. It used to be that cyber was not considered as much as proper property and casualty, directors and officers, GPL, things like that. Now it's a 14 billion dollar industry, with 9 billion allocated for just the U.S. and 5 billion outside of the US. According to some data that we got from Fitch Ratings, claims activity in 2022 was 27 percent over the last two years, and we saw 5,400 cyber claims paid just in 2022, which was double the amount that we saw in 2019, unsurprising to most people who are practitioners here. Additionally, we saw ransomware costs actually go up. So again, you're thinking about, here's the cost that I have for incident response and forensics and things like that, but paying the ransom, the size, the class action lawsuits that can come from this, those are all considerations when you think about quantifying your risk. We also saw, thanks to the MOVEit vulnerability and what we saw with Clop this year, that more and more firms are actually ending up on these ransomware leak sites. So not only are they sending you the email and saying, hey, we've got your data, we encrypted it, they're putting it on a ransomware leak site as a name and shame, and then they're also calling people, including your customers, and they'll say, hey, did you know that this company got breached? You should probably call them about what's going on with your data and get them to pay the ransom, causing additional pressure for people to pay. And then 2022 itself, as you know, was a record year for data breaches, so the amount of class action lawsuit settlements was 719 million dollars, which is a 46 percent increase from the previous year. Organizations that aren't thinking about addressing those gaps are now starting to get, as I mentioned, the cyber insurance pressure to actually say, I need to do something about this, because the cyber insurance companies are now coming back and saying your controls are not good enough. So even if you've not had a breach, they're looking at you and saying, I didn't like what you put on the form, you need to be better about this. This is something that was shared by a colleague of mine, John Loftus, and he actually came here to Pittsburgh too
to check out BSides, but he was unable to stay for the end of the day here. As far as cyber insurance wording, what we saw, and I've had a conversation with a couple of you today, some of the wording around the actual policies has changed considerably, especially I would say around war exclusions. It used to be that with war exclusions you typically thought about physical damage. Now there were claims where you got hit by the ransomware actor Clop, right, and then they're saying, oh well, that attack came from Russia, there's a war with Russia, we can't pay the claim. So the wording around the policies has drifted quite a bit, and what I would say is, if there's anything that you glean from this slide, that would be one of the things to look at as part of your insurance policy. Additionally, if you collect any biometric information: BIPA has particularly been a hot-button item for a number of people, because typically you think of biometrics as, oh, we've got a retinal scanner or something like that in place, and you might not have that. Well, I talked to some organizations that are adopting Windows Hello, for example, and using fingerprint scanning, and they're saying, well, where is that fingerprint data stored? Is it within your servers or within Microsoft's servers? So there's been some consideration where the underwriters are now asking those additional questions that they've not previously asked in the past, and they're asking as part of the policy because there are some lawsuit settlements that happened, I believe in Illinois, over the past couple of years around biometric data being collected without consent. Certainly I think a number of you have probably heard about the whole Meta Pixel and VPPA claims, so collecting data without user consent, especially post-authentication for a lot of users, the VPPA being tied to telehealth. So if you are in healthcare, you should definitely be thinking about what you're doing in terms of Meta Pixel data collection; hopefully you have it turned off, and if you are complying with the VPPA laws. Also, in terms of software vulnerability exclusions, I would take a look once again at your policies. What the carriers have come back with and said is that if you had a software vulnerability that you knew about and you didn't address it and a threat actor was able to exploit it, we are not going to pay the claim. So I think it's very important that you stay on top of your vulnerability management. I think there was a great talk earlier today about assessing your entire environment, knowing, you can't know evil if you don't know normal, and so having a good idea of what you have in your environment and making sure that you've scanned for it.

So I'm giving you all this bad news; is there any good news that I can provide to you? Yes. Number one is that even with that improved underwriting, there are more competitive rates in insurance than there ever have been. We're actually seeing that instead of going to your incumbent, we're able to go and competitively face other insurance carriers who are either new players to the market or have been around for a while and are now reconsidering the verticals that they're involved in. I recently talked to an insurance carrier who traditionally never worked with an
oil and gas company, and they said, you know what, we now have an appetite for it, so we started sending them some of the
everything that hey weird
hey again 100 deployment on this particular that is worth the tier of neck just so. I mentioned that increased limit factor, which is the rate they charge over the primary pricing, so that's been the actual reduction, and that's been beneficial to a lot of insureds. Additionally, while you build these partnerships with all of these cyber security, IT and tech firms, the insurance carriers themselves have now gone out and, this is actually a previous role I had, I was a technical advisor to a very large cyber security insurance carrier where they would bring me on for underwriting calls and also to review underwriting applications and say, what are the gaps that you see here that we need to have these guys address before we can quote them on a policy? From that perspective, all of the insurance carriers are starting to do this, because they know that their underwriters are totally swimming in the amount of submissions that have come in, and so they understand that they need to have security expertise help these underwriters through that process. When I was doing that, I think very few of the carriers were actually implementing that process, but now, when you actually give a good context answer, you have somebody technical on the other side who says, yeah, what they're telling you is the truth, you should definitely assume that this issue has been resolved. I talked about the war exclusion, so the war in Ukraine, that's changed some of the regulatory matters and some of the marketplace has changed for that too. So again, if you don't have any systemic risk with war exclusion, some of the carriers are willing to give you a break on that. And then also any sort of systemic risk that you see with nation-state actors, that's kind of their leading concern right now, and they're thinking about that in terms of the cat loss type risk. So those of you who are practitioners
here are probably like, okay, can we get to the technical stuff? So one thing that I'll tell you, and this is kind of a cheat sheet that I'm trying to give everybody here, so if there's anything you can take away from this, hopefully it's something like this. I put this list together based on conversations that I had with underwriters and security practitioners and insurance carriers, and I said, what are the things that make the most material difference in terms of what you get from an insurance policy? What reduces the premiums? What are the things that you're saying are a hard no if you don't get it? So the insurance carrier that I was helping out as a technical advisor told me that if a client didn't have MFA, EDR and 24x7 monitoring, they're not even a quote; they're done, move on to the next one. Some of the other ones that I talked to said, well, if their phishing rate is over 10 percent and they're not systemically improving, I'm not interested, because I know the threat actors use that as a way in and they were eventually going to find their way in. Another one said, and many of the other ones said, I'm really worried about service accounts, especially ones that have interactive login, the ones that have domain admin. If they don't have that under control, they don't have that implemented in a PAM, if they don't have it addressed, I don't want to talk to them. And as I mentioned, there are some that will strictly say OT security: if you don't have your OT network segmented, you're not monitoring for it, you're not checking for vulnerabilities, pen testing it, attack surface management, not interested. The items that you see in yellow are not issues that have been as hard line with the insurance carriers that I've had. For example, I would be surprised to see PAM on there, because I think privileged access management is kind of a best practice and you should have it in place anyway; if you haven't been thinking about it, you absolutely should. But some of the carriers said, depending on what vertical they're in and what their risks are, like if they're not somebody who has a bunch of patient records or anything like that, it's less of a concern to me if they've got everything else buttoned up. So we do talk about this in terms of making sure you have a good incident response plan, having privileged access management, taking care of the number of domain admins, which is a really tricky one. There was one insurance carrier that I talked to that said, I don't like when organizations have more than 200 service accounts, and I said, why is that? They said, well, generally the thing is that they probably have too many of those service accounts and too many of them probably have over-privileged access. Now granted, I know organizations that have thousands and thousands of service accounts; there's no issue around that. The issue is what did you give those service accounts access to, and so I always bring that up as something to consider as part of when you give your context for your answer; make sure that you have a good response around that. Tabletop exercises, I mean, this is table stakes at this point. SPF, DMARC and DKIM, they look at that from a business email compromise perspective as
well as thinking about legacy email authentication protocols, IMAP, SMTP, POP; well, not modern SMTP, right. You usually see something like a mail relay server or an archive mailbox, and so those end up being a concern for them as well. Vendor risk management is a pretty tricky one, because it used to be something where, if you're a traditional security organization, you probably had a GRC function that was focused on vendor risk management, and you left it to them and procurement and contracts or whomever else. But realistically that should be a security consideration, because the idea is that, yes, GRC is going to help audit these things, but you should still have a good understanding, whether you're doing a questionnaire like a SIG Core, SIG Lite or a CAIQ or anything like that, where you're going to the vendors and making sure that they have a good process in place, but also that the vendors themselves are good on their own security practices. You'd be surprised at how many really well-known vendors don't have a good, robust vulnerability management or penetration testing plan. Network segmentation, this is another one of those tricky ones, where some of the carriers said, I want absolute network segmentation at every level, I want it done geographically or by department; others just said, I'd at least want IT and OT segmentation, or segmentation between guest and production networks and things like that. So I do bring that up as something that, again, from a best practices standpoint, hopefully everybody in this room is a fan of network segmentation and knows how important it is, but essentially segmenting off those devices. And then secure SDLC too. I know a number of software people that I've probably even talked to today are thinking about this: what are you doing in terms of SAST, DAST, SBOM? Those are all considerations that I have. But the other underwriting concerns that I mentioned: the war exclusions; end of life is a pretty big one right now, just because of how many organizations have been hit by end-of-life software being exploited, end-of-life hardware being exploited; again, the insurance carriers look at that from the perspective of this is an additional risk, how much risk am I willing to take onto my book of business. And then, as I mentioned, supply chain. I mean, we just saw this with MOVEit this year too, right? MOVEit, SolarWinds, Log4j, when we think about SBOM too. So these are the kinds of things that are keeping insurance carriers up at night.

Now, the real-world challenges with actually obtaining cyber insurance. Number one, the cyber insurance applications, past and present; I think I talked about that already, a very binary format that doesn't give you an opportunity to provide any context. Number two, it's a fire drill. Generally when somebody says, I need you to fill out a cyber insurance application, you say, great, how long do I have to fill it out? Well, our policy renews in two weeks. Okay, well, you don't have a lot of time to collect all this information, and additionally, if you need to put together any sort of roadmaps for improvements, you don't have time to put that together. Number three is, what framework should I be using? Everybody's got their own preference on, should I be using NIST or ISO or HITRUST or any of these, right? Number four, understanding your
security ROI. So kind of going back to that quantification piece: well, I could buy a PAM solution this year, it's going to cost me this much, is it worth it though? Is it going to make a material difference in my risk or in the amount of insurance I need to purchase? And then number five, which I think is the one that most people struggle with, which is around how much of that risk do I decide to transfer, and we're going to talk a little bit about that in a moment. One thing I also want to call out: risk managers and CISOs should be best friends. The reason I say this is because when you're thinking about your security budget, the CISO is probably concentrating heavily on, okay, what tools do I need to buy, how do I protect my data, how do I report this to the board. Your risk manager should be thinking about this and saying, hey, let's quantify that risk so that we have data that you can present back to the board. There are a lot of tools that can do this, there are a lot of methodologies to do this, and we're going to get into that here in a second.

So in terms of thinking about cyber risk quantification, I wanted to get back to the discussion around frameworks and tools. Number one, the one that I think most people in the room have probably heard of, at least within the past couple of years, is FAIR, the Factor Analysis of Information Risk. NIST has their own framework for actually doing cyber risk quantification; I think it's pretty good, but I think that it could use a little bit of tweaking, that's just my own personal opinion. Number three was actually brought up by my former colleagues at CERT: OCTAVE, the Operationally Critical Threat, Asset, and Vulnerability Evaluation. It's certainly a headier way to do it, but I think it's a really good way to do a deep dive on it. There's a methodology within COBIT itself, and then there's also one called TARA, which is the Threat Assessment and Remediation Analysis. As far as tools to do it with, there are a number of them out there. I mean, even if you're going to pick an Excel spreadsheet, it's better than not doing it at all. The one thing that I do want to recommend though as part of this, and you heard me mention the Monte Carlo simulation earlier, is that when you are doing this analysis, the idea is not for you to use red, yellow, green, or a maturity scale of like, oh, we're a 3.2 but I want to get us to a 3.6 at the end of the year. That doesn't make a material difference back to your board of directors. What makes a material difference is, hey, I need 200k to invest in this particular tool, it's going to offset 10 million dollars of risk, let me show you how I ran the calculations and quantification against that. So some of these tools that we have here that I mentioned: Axio has one, RiskLens has their own product, I guess they're called Safe Security this week, and then NIST has their own FAIR methodology that they call PRAM, it's the Privacy Risk Assessment Methodology, I believe. Archer: I was just having a conversation with Mike Radigan, who's over there, he's another FAIR practitioner; we were having a conversation at lunch yesterday with a number of folks, and there was a mention that Archer actually now has a means of doing this kind of risk analysis using Monte Carlo simulation, so that's new to me. And then, as I mentioned, even using Excel spreadsheets; I just talked to another former colleague of mine, Brandon Franklin, there in the front row, who mentioned that he's actually using a Python module that's doing Monte Carlo analysis, so that's a great way to do it. This is meant to be information sharing, so if you are interested in this stuff, I'm always happy to learn about new ways of doing this stuff, and we should all be sharing that with each other.

So for those of you who have never heard of FAIR, I figured that I'm at
least going to lay out what the basics of this are, so let's call this FAIR 101. Again, high level, I just want to give you an understanding. What you have here at the very top is your risk, right, so let's think about what the risk to the organization is. Then we think about things like loss event frequency: how often are you going to see a potential loss occur in your environment? Then you decompose that down into the threat event frequency, so how often are you expecting the threat to occur in your environment, and then what's the probability that the threat event is exploited through a vulnerability, right? Then you decompose the threat event frequency and the vulnerability into two sections here. So you've got contact frequency, as in how often could this potentially happen, and this is kind of broken into whether it's going to be a random occurrence, is it something that's a regular occurrence (somebody trying to brute force a password, for example), or is it something where it's intentional, so it's like "I specifically have a way to do this," whether that's through an insider threat or I have the information in order to make this a problem. And then you have probability of action, right, and so that's also decomposed here in terms of what's the value of that, what's the level of effort that the threat actor has to take in order to get this, and then what's the overall risk that's taken on. Then, as I mentioned, when you break down vulnerability here, right, threat capability and resistance strength: the threat capability is what skills are going to be needed in order for them to do this thing that they're going to do, and then what are your controls that you're going to use to protect against it, right?

Now, as I mentioned earlier, when people think about loss events they typically think about it as "what's my forensic cost, what's my incident response cost, how much is it going to cost me to replace hardware?" But when you think about that, that's the primary loss. Then you think about secondary loss too, and those are the other things that are a little bit less tangible, right? So you think about what's my loss of reputation, how much revenue am I losing, how much am I going to be able to reclaim as part of insurance. And so you think about the secondary loss event frequency, so you're kind of decomposing that too, and then the magnitude of that potential loss, right? So that's the percentage of time that your secondary stakeholders are likely going to negatively react; you have a third party that you work with and you're not meeting their SLAs because you can't deliver the product, right? These are the kinds of losses that you can think through.

And so I kind of led to that a little bit earlier, right, in terms of types of losses. So you have productivity loss: I can't do my job while this is going on. You have the response costs, which we also beat the dead horse on here. Replacement costs: I'm going to have to now replace this particular piece of hardware, I'm going to have to do a device rebuild, it's going to create this downtime. Competitive advantage loss: now we're starting to get into the other types of damages, right, so what are the losses that resulted from, maybe, the threat actor making off with intellectual property that you had, or there's some key competitive difference, like you offer 99% uptime and now you're suddenly down, right, and so now they're like, "well, you didn't deliver on the thing that you said you were going to." Fines and judgments: this is what kind of comes out of things like class action lawsuits, any sort of regulatory requirements that you're supposed to adhere to, civil, criminal and contractual type actions. And then reputational type damage, which is, as I said, the little bit squishier part of things. So what's that external loss? I
had that same conversation with the CISO that I mentioned this week. They are a staffing agency, and so when I talked to their operations folks after talking to their CISO, I said, "well, what does a potential loss look like for you?" and they said, "well, our daily margins are about like 500k, and so if we have a hard down event of business interruption for 11 days, that's a significant cost." The CISO was like, "well, I don't know if I agree with that," and they're like, "no, this is literally our financials, this is what the impact is, and so if we're down for 11 days we're pretty screwed, right?" And so they brought that up as a new conversation, and that's why I always encourage, when you do this quantification analysis, if you only have the IT and security people do it, they have a very myopic view, and that's no fault of ours; we can't know everything, that's the field that we're in, there's too much to ingest. But you've got to bring the business process people in, you've got to bring the risk people in, because you're going to make that information so much better, and now you have a much better understanding of the things that they really want to protect. You might have a very different idea of what your crown jewels are versus somebody who's in the business process and working with this stuff every day.

When I think about holistic cyber risk management, this is the way that I think of it. Number one, you assess what you have, so you assess your controls and make sure that they're actually functional, that they're meeting all the needs that you have from a risk standpoint. Number two is modeling that loss, so now you take that controls assessment, you apply it to a quantification exercise, usually you do like a scenario-based review and say, "okay, well, if this scenario were to happen, let's also include the particular controls that we have, and now let's think about what that loss looks like." And then number three, you take that data and now you're able to express it in dollars. You go back to your board and you say, "okay, now you have a couple of options." You can either transfer the risk, so that's thinking about cyber insurance; you're thinking about mitigating the risk, "I can move that curve to the left if I get the budget in order to purchase these particular tools, and notice the offset in risk that we're getting"; or, number three, you get a little creative and maybe you do something like a captive. I'm not a primary insurance guy, right, so I would say talk to your insurance agents about that kind of stuff, but getting a captive can be interesting too, because if you're a larger organization you might have another way of offsetting that risk that's actually going to be advantageous to you as opposed to purchasing traditional cyber insurance.

And so you're like, "Adam, you were talking about that modeling-that-loss thing, so what's that all about?" And so I think of it as a Cartesian plane. You've got your first party and third party to consider; you've got your impacts that are financial and then you've got your impacts that are tangible. Now, tangible is probably going to apply a lot more to your organizations that are in critical infrastructure, oil and gas,
manufacturing, anywhere where there's a physical component. Can a turbine explode and kill somebody? Can it damage a facility? In health care, is there a loss of human life you need to account for? And so I won't read this whole slide to you, but I just want to give you an idea of how to decompose some of this stuff, because when you think about first-party and third-party impacts you typically think about, again, all the response costs and things like that, but then if you are in those particular verticals it's really important for you to actually think about environmental damage, mechanical breakdown of your equipment, bodily injuries, do you have class action lawsuits that might be there, is there a product liability you need to be concerned about, are you not going to have a functioning widget. I talked to a food services vendor who actually said, "we had an outage where our OT was impacted, and our refrigerators that keep this particular food cold for this long suddenly couldn't keep that temperature for that period of time, and we had to throw all that food out." Imagine if that food got delivered to people, right? And so those are the kinds of costs that you need to think through.

And then when you do that, you kind of overlay that against your insurance policy. So you say, "here's my potential loss, right, I've thought about this in terms of first party and third party, financial versus tangible," and now you go and map that up against your insurance policies: I've got financial lines of cyber coverage, I've got kidnap and ransom, crime, I've got D&O, I've got property and liability, I've got casualty insurance. You start thinking about that, and then you start mapping out: do I have enough insurance to do this, do I have the right type of tools in place?

And so one of the tools that I use actually is within the Axio platform, so you'll see kind of what we do with an example quantification analysis here, where we take in this organization, and if you notice in the top left we talked about what their scenario exposure is, right, so we're looking at overall loss, what does this look like for this organization. And then on the right we're taking their insurance policies; we say, "show us what your cyber security insurance policies look like today, what does your coverage look like." We have forensic accountants take a look through it, look for those things like does it cover reputation loss and all of those types of things, and then we run that Monte Carlo simulation based off of that data that we have. And then what we do is we say, "hey, CISO, talk to us about what your overall initiatives are and what you are trying to improve." Well, in this case, this one was trying to do enhanced authentication, network segmentation; they had a couple of other improvements applied. And so we said, "okay, let's talk about each of these and how this potentially impacts the curve," right? We had a conversation around it, and then it's a matter of prioritizing those types of things, and it turned out that network segmentation was going to be the biggest bang for the buck, because they were the type of organization that really needed to go from a flat network to one that was actually enclaved.

And so as part of that we built a loss exceedance curve too, right? So this is actually anonymized from another client, where we actually talked to them about ransomware, and they had a 10 million dollar insurance policy. And so we said, "well, okay, you've got a couple of different options." Your curve, the darker curve, right, was actually showing that the loss was going to be closer to almost 20 million, like somewhere around 18 million, right? And so we had the conversation and said, "okay, well, here's what you can do: if you think about this loss from the perspective of the mitigating controls that you have, let's think about your project roadmap," and they're like, "okay, well, we're going to do..." They weren't fully deployed, and this is from last year: they didn't have fully deployed EDR, they didn't have 24x7 monitoring, they didn't have MFA for all remote access. We started talking through all those improvements that they wanted to do, and we said, "okay, well, let's take a look at that through the quantification lens." We provided that data, and as it turned out, that curve moves dramatically over to the left. And so we compared that against their insurance policy and said, "well, this is what would happen potentially, based off of the quantification analysis that we did. What would you like to do? Would you like to purchase more insurance, or do you want to fund those projects that you've been trying to get off the ground for a couple of years?" And as it turned out, they actually got all the funding they needed to get those projects off the ground, reduce their risk, and when we went to market with their application submission, the insurance carriers came back and said, "we're actually going to give you 15 million in limit because you made a significant impact on your overall progress." So these kinds of things do work really well, and so I do want to mention that if you go through this process it's very, very helpful for everybody. So, actually, that being said, that is
the end of my talk. Does anybody have any questions? Brandon? Oh, hold on here, I think she's going to hand you a mic. I was going to read the question, but this is way better.

All right, so you said that 5 million is about the average within the industry for coverage. If I am looking to sign a contract with a vendor and the coverage that they are offering us is less than five million dollars, what questions should I be asking, and what should I be reading into that?

Are you talking about a vendor like a partner, or are you talking about a vendor as in somebody you're purchasing from?

So let's make a ridiculous scenario: I go to contract with Microsoft for Azure and they tell me they're only going to carry two million dollars in insurance. What should I read into Microsoft's security posture?

That is surprising to hear, that it's only 2 million from...

It's made up, it's not...

Okay, okay, yeah, I was going to say that seems incredible.

I'm doing it so I'm not calling anyone out, because you're... Microsoft's pretty bad.

No, that's fair. And I mean, that's the analysis that should be done at your GRC team (I know you hate the term GRC, right, because there should be a different amalgamation of those teams), but the idea behind it is: what does that risk look like, in terms of what does a potential loss look like? If it's a vendor where you're like, "I don't store any important information over there, I'm only using it as a software platform, if it goes out I can still function as a business," it's probably less of a concern than somebody who's like... I'm thinking of, if you're a healthcare company and you're farming out your PHI to this company, okay, I would expect them to have significantly more insurance, because I would expect that if something goes wrong they're willing to cover that portion of the claim and you're not going to be on the hook for it, right?

Can I do a follow-up?

All right, so let me... oh, did you have a follow-up or something? We're taking turns, okay.

Okay, Adam, you had a slide up about the controls that the underwriters are looking for.

Yes.

Obviously those would be the ones that you'd want to have a good response for.

Yeah, that's the one.

How did they arrive at this list? Is this the result of, you know, kind of like a MITRE ATT&CK sort of analysis?

You'll be unsurprised to hear that the reason that they've harped on these things is because that's what they've paid claims on. So the DFIR firms are saying, "here is the gap that would have prevented this attack," or "here's the gap that would have reduced the overall impact," and so they come back and say, "hey, why didn't you have this here?" I just worked with an organization that recently didn't have a full EDR deployment, and it was 30 systems, and it turned out that that was the way that they were able to bypass any sort of controls. And so we talked to them and they said, "well, yeah, why didn't you have EDR on 100% of your systems? We would have given you a better claim," or "we would have given you a better premium if that were the case."

Are they sharing this information with one another, insurance carriers?

Probably at conferences.

But the MITRE framework, I hear a lot of "hey, here's how good we're detecting," but what about the defense framework, right? Like, to your point, what are you doing proactively, shifting more of that to the left side?

Yeah, I think that's truly important. It kind of drives into how much insurance you really need. Yeah, I hate to say it, but as good as your security posture is, the insurance carriers will come back and be like, "you need to do even better than that."

Hey, can you scale this down for a small company that maybe has about five million in revenues? They're not going to do all this. What is the...

Yeah, so that's
an interesting, great point. In terms of, okay, maybe FAIR might be a little overkill for what you're doing, right? But the nice thing is that all the tools that I mentioned, aside from Excel and doing it yourself, so many of them are starting to bake in this stuff that you can basically just plug in things like how many endpoints do I have, what does a typical day of revenue look like for me, put in that information as part of the range, and then you can build the curve off of that.

Anna, let me... you mentioned something about the VPPA. Can you expand on that a little bit? I've never heard of that.

Yeah, yeah, so there's a couple of things that healthcare organizations are facing extra scrutiny on right now, aside from MOVEit, because they tend to be the biggest users of MOVEit. One is on the Meta pixel. So it was around data analytics that was collected; usually it was tied to Meta, I think Google had their own one that was actually tied to healthcare, it's not Google Analytics, it's actually under a different umbrella term. And so what happened was that the websites had like a tracking pixel that was used to collect the information on a particular user without their consent, and so when they started doing that, that's turning into a class action lawsuit if it hasn't already, I think, at this point. And so more and more organizations are just stripping that out altogether from their sites. The problem was that there were some organizations that were doing it post-authentication, so now you were getting very private PHI information on users that was being collected by Meta and Google without their consent. VPPA is tied to telemedicine: there's data analytics and AI/ML, LLM kind of stuff, that was being tied to people who would see telehealth, so you were seeing doctors, especially during the pandemic, once again collecting data without the patient's consent. So that turned into an issue, and there is the Video Privacy Protection Act, VPPA, if you want to take a look at it. There's a lot of legalese behind it, so I will let the law firms of the world explain what that all is, but if you're in healthcare and you do telemedicine, I highly recommend that you read up on VPPA and make sure that you're compliant. Brandon?

So as I'm managing our third-party risk, one of the areas I'm worried about is we've got a lot of vendors and I don't necessarily know what's going on under the covers from a service perspective. SBOMs are hard enough to get from modern vendors; actually knowing which fourth parties are providing services and ensuring that things are happening is really difficult. So what would you suggest as a strategy to hedge against, if I've got five vendors that all have the same fourth party, and we've got an outage or an event with the fourth party, and I get aggregate risk across multiple vendors I'm engaging?

Yeah, so with those five critical vendors, have you done like a third-party risk analysis on those, or are you saying you haven't?

So we've done third-party risk analysis on our vendors, but we do not have the capacity to go to a fourth-party risk...

Okay, so you're asking them to do that for you.

And we're not necessarily seeing that, you know, mom-and-pop data hosting is backing this third party and this third party and this third party and this third party.

Yeah.

We just know, "hey, we expect you to be using a qualified and reputable cloud hosting provider."

Yep. Yeah, so that's a really interesting question. I wish that I had a silver bullet answer for that, so I will admit that I don't, but certainly I think what I've found in terms of maturity in third-party risk is those types of questions, because typically what's asked in third-party risk is: do you have a good vulnerability analysis program, do you do regular penetration testing, do you have a good certificate of insurance? And I think that what you are asking is something that should be asked as part of it. Insurance applications right now will even start asking you who are the third parties that you currently work with. And so I would say that that maturity within third-party risk management is to go back and have that included as part of that: "hey, Microsoft, who else are you using as part of the pipeline for the work that you're doing for me?" And that can provide some additional information. The other thing is that there are a number of third-party tools, which I'm happy to talk about when I'm not on camera, that I think are really, really good at doing that analysis. I got to use one of them, and I'm trying not to be a vendor shill at this point, so that's why I'm saying that. So when I got to see this for a very tiny organization that didn't have their own GRC team, we helped them source and select this, and that vendor went above and beyond and basically hounded the organization that they were working with to submit the data for the third-party risk management, and they did a really, really deep Roto-Rooter kind of dive. And so I'm a big fan of that, especially if you don't have the capacity to do it yourself, because, just like having a 24x7 SOC and stuff like that, it's really, really hard to do that all in-house, and so sometimes having that outsourced to somebody who can do that and will hound people on your behalf, and that also provides additional liability coverage for you, is really helpful too.

One more? Yeah, all right, one more quick one here, because we do have... yeah, yeah, again, I'll talk about this stuff all day, but I don't want to keep you guys from drinks and food.

Not to be provocative, but how do you feel the state of the industry will be in 10 years? Like, will I be able to buy cyber insurance in 10 years, and what about the requirements becoming possibly tyrannical over time?

It's interesting that you asked that, because even when I talk to some practitioners, the folks that I've known for years who have traditionally been in cyber as a practitioner, I ask them, "what did you think about insurance whenever you were working there?" "Like, I didn't even know we had cyber insurance," or "I knew we had it, but I didn't know what we were doing and how much it cost or any of this kind of stuff." And I think that for organizations the difference that's got to be made is that the cyber insurance stuff should be shared with the security folks, the security leaders specifically, and I don't mean just CISOs and things like that, right, I'm talking about the people who are boots on the ground and understand what's going on, because then they can bubble up those risks back up to the folks that are in positions of power so that they can make some decisions and say, "yeah, we need to invest in this because this is something that they care about." As far as what I think the landscape of the insurance industry has changed around, it is that they are becoming more and more mature and smart on these types of things. I've been talking to clients specifically about things like software bill of materials and things like that, especially if they develop software; that's not on a single insurance application, but it will be. Same thing for operational technology: when I talk to them about, "are you meeting IEC 62443 standards?" they're like, "I don't even know what that is," and I'm like, "you should, because when we're talking about operational risk for insurance carriers, they will ask you this stuff." They're not asking it yet, but they will. And so what I tend to think of it is much like the attack and defense cat-and-mouse game that we have; it's the same thing with insurance. The insurance carriers are going to continue to mature, employ people who are security practitioners, and say, "what do I need to grill these people about?" And so I think from that same aspect that we need to think about those things ahead of time. And I just think this is where your insurance broker themselves should be coming back to you and being like, "hey, I know this is coming up," just like that language slide that I shared with you guys, right? That's something that we share with all of our clients because we want them to know that here are the challenges that you might face when we go through this policy stuff, you need to know about it. And this should be a free service that they're providing to you, because if the insurance carriers are changing gears on anything, like war exclusions, this is something that you should know about and not be surprised by. Does that answer your question, or sort of answer your question?

Yeah, we can talk afterward too, so don't worry.

I'm sure that there's some liquid beverages that can kind of help dig into the comment. So we're going to go ahead and wrap up. Adam, thank you so much, as our last talk. If you join me in the war... thank you all. Thank you, Annie.
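The FAIR 101 decomposition from the talk (threat event frequency, vulnerability as threat capability against resistance strength, primary plus secondary loss) and the loss exceedance curve compared against an insurance limit, worked through in Python as an added example; this is not code from the talk, Axio or any FAIR tool, and every input range, the 10 million limit and the way the roadmap is modelled as a stronger resistance-strength range are constructed assumptions.

```python
"""FAIR-style Monte Carlo loss simulation and loss exceedance curve.
Added example, not code from the talk, Axio or any FAIR tool; every input
range below is constructed for illustration (min, most likely, max)."""
import math
import random
from dataclasses import dataclass, replace
from typing import List, Tuple

Range = Tuple[float, float, float]  # (minimum, most likely, maximum)

@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range                   # threat event frequency, events per year
    threat_capability: Range     # percentile skill of the threat actor
    resistance_strength: Range   # percentile strength of the controls
    primary_loss: Range          # USD per loss event: IR, forensics, rebuilds
    secondary_prob: float        # chance stakeholders react (fines, SLAs)
    secondary_loss: Range        # USD per secondary loss event

def _tri(rng: random.Random, r: Range) -> float:
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_losses(scn: Scenario, iterations: int = 10_000,
                           seed: int = 1) -> List[float]:
    """One simulated year per iteration, decomposed the FAIR way:
    threat events -> loss events (vulnerability) -> primary + secondary loss."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        total = 0.0
        for _ in range(_poisson(rng, _tri(rng, scn.tef))):
            # Vulnerability: a loss event only when capability beats resistance.
            if _tri(rng, scn.threat_capability) <= _tri(rng, scn.resistance_strength):
                continue
            loss = _tri(rng, scn.primary_loss)
            if rng.random() < scn.secondary_prob:
                loss += _tri(rng, scn.secondary_loss)
            total += loss
        years.append(total)
    return years

def probability_exceeding(losses: List[float], threshold: float) -> float:
    return sum(1 for x in losses if x >= threshold) / len(losses)

def exceedance_curve(losses: List[float], thresholds: List[float]):
    """Points of the loss exceedance curve: P(annual loss >= threshold)."""
    return [(t, probability_exceeding(losses, t)) for t in thresholds]

def percentile(losses: List[float], p: float) -> float:
    s = sorted(losses)
    return s[min(len(s) - 1, int(p * len(s)))]

# Constructed ransomware scenario: flat network, partial EDR, no MFA on remote access.
BASELINE = Scenario(
    name="ransomware, current controls",
    tef=(1, 3, 6), threat_capability=(40, 70, 95), resistance_strength=(30, 55, 80),
    primary_loss=(200_000, 1_500_000, 5_000_000),
    secondary_prob=0.4, secondary_loss=(500_000, 3_000_000, 15_000_000))
# Roadmap (MFA on all remote access, full EDR, 24x7 monitoring) modelled only as
# a stronger resistance-strength range; nothing else in the scenario changes.
IMPROVED = replace(BASELINE, name="ransomware, roadmap controls",
                   resistance_strength=(60, 80, 95))
INSURANCE_LIMIT = 10_000_000  # constructed policy limit, USD

def run_comparison(iterations: int = 10_000) -> dict:
    """Mean, 90th percentile, P(loss >= limit) and curve points per control state."""
    out = {}
    for scn in (BASELINE, IMPROVED):
        losses = simulate_annual_losses(scn, iterations)
        out[scn.name] = {"mean": sum(losses) / len(losses),
                         "p90": percentile(losses, 0.90),
                         "p_exceed_limit": probability_exceeding(losses, INSURANCE_LIMIT),
                         "curve": exceedance_curve(losses, [1e6, 5e6, 1e7, 2e7])}
    return out
```

Comparing the two curves shows the "curve moves to the left" effect: the same loss thresholds are exceeded less often under the roadmap controls, which is the number to put beside the cost of the projects and the insurance limit.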