
Thanks. I'd like to thank all the sponsors. My name is Brian, and I'm here today to give this talk about the relationship between cyber liability insurance and information security, and to kind of analyze that relationship. Just a quick show of hands: how many people here have dealt with either any legal people or any cyber liability people in your day-to-day work? Okay, that's actually more than I expected; I did that earlier and no one raised their hand, and I was also doing it for legal. Okay, cool.

So, a little bit about me. I currently am a policy analyst at a company called hearse genius, where we use artificial intelligence and machine learning to break down insurance policies and review them quantitatively, to determine where the gaps are and where the industry standards are, and then we also help companies harmonize the way things are worded internally. I also manage the Kansas City Legal Hackers chapter. Legal Hackers is basically a nonprofit; it's just a community meetup where we try to figure out how to better marry law and technology together. We actually got to help the city figure out how to come up with a better legal framework for their policies, and we also designed policies with cities to get that credential for our city. I'm also doing a couple of other side projects as well, with Credit X and a legal technology lab. I am a licensed attorney, and a lot of my work focuses on information privacy: how to protect it, and how to help clients figure out how to manage their technological assets. That is what has gotten me into the field of cyber liability insurance.

So here's a quick overview of the talk. I'm going to focus on the concept of risk management generally, and figure out how both law and information security exist on the spectrum of risk management; they have very clear impacts in the cyber liability insurance world. It was great that the guy in front of me was talking about using open source information in social engineering, hacking people's data and figuring out how to do identity theft. But one of the things that has been very interesting to me is that each industry has its own strengths and weaknesses, and the coolest part about the work that I do is I get to figure out how to leverage the strengths of each and turn them into a kind of holistic, redesigned way of thinking about risk management, and I get to use advanced computer science techniques to do that, anything from AI to neural networks.

So yes, as I'm saying, both of these are risk management. There are really a lot of types of risk: there's financial risk management, there's operational risk management, there's legal risk management, and in each of these areas, to really have a comprehensive strategy, you need to communicate very well with each other. So it's about figuring out how to develop a language, or some sort of ontology, that gets people speaking with one another in a productive and constructive way. Maybe if you're on the information security side you're using language that the legal side doesn't get, or vice versa. I know a lot of people bash lawyers for legalese, and I've noticed a big push away from that, but if we can talk in the same way we'll be able to develop a more comprehensive strategy, we'll be able to operate more efficiently, and we'll be able to prevent data from unnecessarily being turned over, or, if it is turned over, we'll be able to ensure that there is some sort of remedy for it. So that's a very exciting prospect.

Some of the characteristics I want to talk about for each of these sub-industries of risk management: with insurance, there's really slow implementation of policies. I mean, cyber liability policies have been around for probably 15 to 20 years, and compared to other lines of business in the insurance world there are relatively few policies, probably fewer than 100 across all industries. Insurance is kind of necessarily reactive: you have to have an event take place that screws everything up, and then you're able to recover. Whereas on the other side, in information security, you look at these things proactively and figure out, hey, how do we make sure this doesn't get touched. So what I want to focus on with this topic is how we marry these two together so that there's as small a gap as possible between the proactive and the reactive, between what happens fast, which is information security, and what happens slowly, which is insurance, because if in fact something happens, you can provide a lot of value to the places that you work or the people who depend on you.

This means the question that we have to answer, in order to figure out how to achieve all this, is in particular how do we close these gaps between information security and legal departments in order to maximize coverage and limit exposure. The solution that I came up with is that you can do this by leveraging some of the advances in computing technology to improve the way that all these professionals interact with one another. You can make everything more interoperable, and you can start to develop comprehensive frameworks that use the same language across the board, and in my mind that should be a language that everybody can readily understand. You take it from this kind of workflow where everything is siloed off in a bunch of different locations, across a bunch of different departments or a bunch of different people, and turn it into something where you can have a lot more collaboration, a lot more people who understand on a broader scale what the goal is that you're trying to achieve.

And so one of the things that I wanted to start thinking about was: what should risk management look like? What would a futurist risk management strategy look like? How could we test and improve some of these strategies? What would it look like in practice? And how would you be able to develop these ontologies, these sets of new words that derive some meaning that is common to each industry or each sub-industry of risk management practice? I think that starts looking like natural language processing and quantification. What I mean by that is, when you can start breaking down insurance policies into bits of data that are actually able to be tagged with information and metadata, you can start showing how all these pieces of information affect each other, and you can start using machine learning to map some of these things out, map these relationships, and you can start to see quantitatively where the gaps exist, where the coverage is weaker, where the coverage is stronger, and you can start protecting your assets not just based on some lawyer vouching for his work. You can empirically look at this and say, hey, we have good policies; it's got a 95 percent match for whatever it is we're trying to protect, that's the best match we can find anywhere in the insurance world, let's use it.

And so when you start breaking all these things down and thinking about them in abstractions, you can begin to redesign the workflow from something that has traditionally been very static into something that's a lot more dynamic. You can actually begin to increase that interoperability, and this is where I think the symbiotic relationship starts to reveal itself. With insurance, if you have all this text broken down into data, you have increased reporting, you can do that in real time, you have greater transparency, and this is something that obviously can be used to reduce guests on the information security side.

I think it's a lot more exciting on the information security side. I'm not an information security guru by any means; I tweeted earlier that in the legal community I'm the tech guy, but here at BSides I'm definitely not the technical lead. But one of the things that I see as a huge value add to information security professionals is that if you start thinking about risk management in this symbiotic way, where each side gets something out of it, you can start to leverage connections with larger groups to help scale your operations. You can start developing better continuity in your risk management practices from an information security side that is backed up by this cyber liability data, and this will give you an increased ability to legally recover as well. So if something does go wrong, if it all gets taken, you'll be able to recover if you start making these types of partnerships, and that's when a whole community and an industry can benefit. I think that's a really positive thing, and something that a lot of people should take the initiative on.

So now I'm going to get into some of what I do on a day-to-day basis in my work, which is quantifying cyber liability risk into actual pieces of information and using that information to make informed decisions and reports about where a specific policy is with regard to other policies, where a specific policy is with regard to an industry-wide standard, and figuring out what the gaps are for different companies or different brokerages, and using that information to improve the insurance on the books. This is one of the first things that I use: I'll paint a policy, broken down using machine learning into all these clauses. I add revisions for a bunch of pieces of information, and we start breaking it down into different chunks that can operate with one another. This is some old data, and I don't need to demo it, but this is where a lot of this information has come to me from, and this is the backbone of how I got into this mindset of thinking about things this way.

We've actually processed more policies than this in total. Internally we process around 3,000 policies, and around a hundred of those would be almost all the cyber liability policies that are out there. To me the most interesting part is that there are 136 definitions of what "malicious code" means, and for a cyber liability insurance policy you'd think that "malicious code" or "computer virus" is a pretty important definition to have. One of the single definitions that we had, which you can read on this slide, goes over what malicious code means, and it's got this really long, pretty good explanation of what it should be. But when you start comparing that with other pieces of information, you really see that there's a glaring disparity among all these different carriers, some of the biggest carriers in the world, and they've all got hugely different definitions of what it means. I pulled out a few examples here where they talk about "any malicious software, file or virus," and that's the theme: later it would be a catch-all.

But in the insurance world, when you actually have litigation, you have the strongest likelihood of recovering if you specifically identify something. So you're interested in going in as specifically as possible and accounting for everything that you need to account for; when you have really broad language, that reduces your likelihood of recovering. So if you're a company that has a lot of data assets and you want to be sure they're protected from new threats that are emerging, maybe new types of ransomware or whatever it is, WannaCry or whatever moniker it has, if you know that something's out there, you want to specifically have that in your policy. You should go ahead and account for all the known threats that you can think of, because then you'll be able to recover in the event of a breach. Conversely, if you're already in a cyber liability insurance contract, and you know you're locked into it for a while, and you know it doesn't cover a lot of things, you should actively seek out an information security professional who can help you find a solution that accounts for the vulnerability that you've identified from your insurance policy.

And so this is an entire policy that's broken down clause by clause and compared with every other available clause in the cyber liability index that we use. You can see here the topic, what we usually call the control clause, the clause that's used as the main comparison, the clause that everything else gets compared against. And you can see here that for something as basic as a business interruption clause, which would control what your obligations are in the event that something did go wrong, there's a crazy disparity between your policy and everybody else's. You can say, hey, look, we have to do something that nobody else really has to do; the closest match is maybe 50 percent of everybody else's. We're doing something either wrong or right, but that's a red flag that should be raised. That's something you can quantitatively go in on and say, hey, this needs to be reviewed; we need to set up some controls and protocols that show when we need to review these clauses to make sure that our cyber assets are going to be covered.

And where I think this goes: I spent a lot of the last few days trying to think of specific examples of information security practices that could be applied, using these insights, in more of an insurance setting, and the ones that I came up with readily were these. You can do data monitoring of insurance: you can look at the industry standards, scored geometrically against each other, and say, hey, this is where there's a large disparity between what people are doing, this is where everything's kind of unified, and this is where we need to work harder. You can also do audits, where you figure out, hey, where are we most vulnerable, how can we start patching some of these things that we have, and ensure that we're complying with all the regulations that we need to be compliant with. And then insurance pen testing is basically what I want everybody to focus on. I think this is one of the ways where you start to get there: you start putting everything in the same framework that you would have as a pen tester, having it mapped out and then telling people to go through it and search and try to figure out, do we have the best thing that we could have, does it cover what we need it to cover, are we going to be protected in the event that something happens, are we going to be protected in the event of something else happening.

That's why I think it's important to start thinking about these things not as isolated things; they're all really spokes on the same wheel. The more that information security professionals know about cyber liability insurance, the better the risk management strategy, and the more legal professionals know about information security, the more comprehensive that coverage can be. So the specific insurance and information security use cases that I would like to see more of, and would be interested to talk with you all about, are things like: how you match information security vendors with gaps in various cyber liability policies; how you can use an API to harmonize risk management business strategies between insurance and tech groups to improve efficiencies and mitigate vulnerabilities; insurance pen testing, which I'm kicking around; how you quantitatively analyze the insurance market to determine what your best policy would be, where the coverage is the most lacking across the board; and this can even be used as a marketing tool for different value-added resellers to attract new clients, if they can go in and say, hey, we know based on your cyber liability policy that you're vulnerable to this, here are some people you should look at partnering with, and we can help you partner with those people. So that's where I think all this is headed, and that's something I'm definitely interested in learning more about. But that's actually all I have, so I'd love to take questions and comments.

Audience: Do you anticipate the insurance providers joining the policy position plan, so that the insured must adhere to certain guidelines or even be required to follow industry best practices, maybe more specific ones?

Brian: Yeah, I think so. I mean, we have seen, I think with some of the largest insurance carriers in the world, that when they're insuring a large company they'll throw in language like that, as either an endorsement or an exclusion, where they require you to have it, or they exclude it if you're operating outside of that. And so I think that's definitely where it is going, and it's already started to go that way a little bit, but I would be really interested to see it, as you were talking about, more broken down into the very specific niches of industry, and so creating sub-sub-industries. Yeah, I think that's definitely where it's heading.
Audience: [Question, partly inaudible.]

Brian: Yeah, so I think the question you were asking is whether there's any pressure from within the insurance companies to harmonize everything within their type of company, the policies that they issue, with other companies, and to figure out how to make everything standardized in a way that's a little more, for example, consistent. Okay. Yeah, so I think one of the areas where I've seen that most clearly is an international broker that has started a legal innovation team, which works to figure out ways to make their policies more flexible and allow them to account for different changes, so that it's not necessarily that they're trying to fit some specific rules, but they're trying to figure out what a spectrum would look like, instead of trying to say, hey, do you meet these five checkpoints on our list, or, how can we work with you to ensure that what we're giving you is exactly what you're looking for. I think that's the direction it's going, and I think it's more so coming from the largest insurers, not the middle guys, because the large companies are throwing a lot of money at it, bringing in professionals, usually startup people, legal people and innovators, to figure out how to do that internally. But you also have some of the smaller insurance brokerages out there who work on more of an artisanal, narrower-scope model and develop policies specifically for you.
Audience: [Question, partly inaudible; asking about standards-making groups within the insurance industry.]

Brian: You know, I said I'd go over time, so there. I was just trying to point to some of the standards-making groups within the insurance industry. ISO actually doesn't have a cybersecurity framework to address this whole thing, okay, and then AAA, the American insurance association, I forget what that stands for, but they're also another group, more of a non-profit, and they're also working to figure out what the standard is for all these things and how we make it so that coverages that are grossly inadequate are improved, and ensure that people across the board are protected. I think cyber liability insurance, given the figures that I've seen, is something that's opened their eyes to, okay, we have to be more diligent in this world; we're trying to protect people against things that we don't even know about yet. You're always going to be trying to catch up, and the industry is going to be trying to figure out how to stay one step ahead, and with something that could change with one line of code, you really have to know how to do that well. So I think they're all trying to move in that direction.

Audience: Do insurance companies currently require access to an IT review before third parties are covered?

Brian: Some of them do. I couldn't name them off the top of my head, because we deal with them in the aggregate, but some of them do, which is exciting, because I think more should. But yeah, thank you all for your time, and I actually get to throw out some stuff, so thanks, Brian.
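The clause-comparison idea from the talk (a "control clause" that every carrier's wording is scored against, a match percentage, and a red flag when the closest match is low) can be illustrated in a few dozen lines. The following is an added example and is not code from the talk, the speaker, or his company; it assumes a simple bag-of-words cosine similarity as the scoring method, which the talk does not specify, and every clause and threat name in it is constructed sample text, not real policy language.

```python
"""Clause-level comparison of cyber liability policy wording.

Added example for the talk above, not the speaker's or company's code.
Scoring method is an assumption: bag-of-words cosine similarity between a
control clause and each carrier's clause, reported as a match percentage.
All clause text below is constructed sample wording, not real policy text.
"""
import math
import re
from collections import Counter

# Constructed "control" definition: the baseline every other clause is scored against.
CONTROL_CLAUSE = (
    "Malicious code means any unauthorized software, program or code, "
    "including but not limited to a virus, worm, trojan horse, logic bomb, "
    "ransomware, spyware, keylogger or rootkit, designed to damage, disrupt, "
    "exfiltrate data from or gain unauthorized access to a computer system."
)

# Constructed sample clauses standing in for other carriers' definitions.
CARRIER_CLAUSES = {
    "carrier_a": ("Malicious code means any unauthorized software, program or code, "
                  "including a virus, worm, trojan horse or logic bomb, designed to "
                  "damage or disrupt a computer system."),
    "carrier_b": "Computer virus means any malicious software, file or virus.",
    "carrier_c": ("Malicious code means software, program or code intended to damage a "
                  "computer system, including ransomware, spyware and a keylogger, or "
                  "to gain unauthorized access to or exfiltrate data from it."),
}

# Threats a policyholder may want named explicitly rather than left to a catch-all.
NAMED_THREATS = ["virus", "worm", "trojan", "logic bomb", "ransomware",
                 "spyware", "keylogger", "rootkit"]

# Function words that carry no coverage meaning and would inflate similarity.
STOPWORDS = {"means", "any", "or", "a", "an", "the", "to", "of", "from", "and",
             "including", "but", "not", "limited", "it", "is"}


def tokenize(text):
    """Lowercase, keep alphabetic tokens, drop stop words; return a term-count vector."""
    return Counter(t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS)


def cosine(a, b):
    """Cosine similarity between two term-count vectors (0.0 when either is empty)."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def score_clause(clause, control=CONTROL_CLAUSE):
    """Match percentage of a clause against the control clause, one decimal place."""
    return round(100.0 * cosine(tokenize(control), tokenize(clause)), 1)


def missing_threats(clause, threats=NAMED_THREATS):
    """Named threats that the clause never mentions (substring match, case-insensitive)."""
    text = clause.lower()
    return [t for t in threats if t not in text]


def review_report(clauses=CARRIER_CLAUSES, control=CONTROL_CLAUSE, threshold=50.0):
    """Per-carrier match score, missing named threats, and a review flag below threshold."""
    report = {}
    for name, clause in clauses.items():
        pct = score_clause(clause, control)
        report[name] = {
            "match_pct": pct,
            "missing": missing_threats(clause),
            "flag": pct < threshold,   # red flag: nobody else's wording comes close
        }
    return report


if __name__ == "__main__":
    for name, row in review_report().items():
        mark = "REVIEW" if row["flag"] else "ok"
        print(f"{name}: {row['match_pct']}% match [{mark}] missing={row['missing']}")
```

Running the block prints one line per carrier; the catch-all wording of `carrier_b` scores far below the others and is flagged, while the enumerating clauses score high but still list which named threats they leave out, which is the "account for the known threats you can think of" point from the talk.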