Specialty Podcast: Managing Your Cyber Risk - Strategies for Success
By Alliant Specialty
How do successful organizations tackle the ever-evolving landscape of cyber risk and cybersecurity? Join CJ Dietzman and Brendan Hall, Alliant Cyber, as they explore pressing issues such as advancing technology, the increase in remote work, regulatory requirements and fluctuating budgets, along with essential insights on incident response readiness and the complexities and challenges organizations face.
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
CJ Dietzman (00:09):
Welcome back to another Alliant Specialty podcast. CJ Dietzman here from Alliant Cyber, and I'm super excited to be joined by Brendan Hall. He and I have been partnering on working with many Alliant clients, certainly over the summer and beyond, helping them drive better cyber risk management and cyber insurability outcomes. We thought we'd take just a few minutes here to pause and reflect on some of the common themes that we've been seeing with our clients from a cyber risk, threat and security standpoint, particularly in light of Cybersecurity Awareness Month in October. This is a really good time to make sure that we're remaining vigilant and focusing on the right things, and certainly that we're aware of some of the contemporary threats and risks that continue to, unfortunately, proliferate around us. Brendan, great to be talking to you again. How was your summer 2023? I'm eager to hear your thoughts as we head into Cybersecurity Awareness Month. What are some of the key themes and trends you've seen, the ones you and I have spent a heck of a lot of time on, related to cyber risk and security?
Brendan Hall (01:18):
First and foremost, thank you. And I think I need to address my summer, which was just absolutely fantastic. Not a lot of work travel. But to your question, it's interesting out there as always, and that's the fun part about cyber: things are constantly evolving and changing, and it makes it interesting, but it's obviously a huge challenge for our clients, who are oftentimes just trying to keep up. Innovation continues to be one of the greatest driving forces in cyber risk because as we create a myriad of different technologies that make our lives better, make our businesses run smoother, reduce costs, we're also at the same time inadvertently creating a larger attack surface, a cyber attack surface. And for those of you who don't know what a cyber attack surface means, it just means we increase the number of ways that bad guys can get at us.
All these widgets we're using, our phones, all create newfangled opportunities for bad guys to utilize their skills to create cyber havoc. In particular, and in some ways it's becoming a bit of a buzzword, AI is a challenge, and I think there's great promise there because you've got tremendous capability where we're making businesses more efficient. The functionality within ChatGPT alone is so fascinating, that this algorithm can go out and create strategy and pull together thoughts and create marketing strategies for companies just by scanning the internet. It's mind-blowing to think that that's where we are, but it also produces tons of challenges, especially if you think about how we're heading into an election season and the deepfakes that can be done. What generative AI is able to do if it's used improperly is also something that we need to be really careful about.
Obviously, our government's looking at it very closely to try to figure out how to regulate this to the greatest extent possible. But it's going to be a challenge, especially as we talk about our public entity clients running school districts and other sorts of concerns around municipalities. AI can be used to create a lot of disruption in those spaces. Moving on, this is a continuation of the theme we saw at the outset of COVID, but it's the proliferation of remote locations and temporary sites and networks, and people basically working from home or working from places where they did not previously work. I think a lot of folks are pretty excited that this seems to be here to stay, but again, this has just continued.
The more you've got these networks springing up all over the place, it's definitely a challenge to keep up with that from a business perspective, to make sure that everything we're setting up, whether it's new technologies or new work sites, is going to be done with cybersecurity in mind. More often than not, we see that that's not always the case, but it's definitely a challenge for businesses. To that point, people are leveraging temporary workforces now more than ever: contractors, and the subcontractors of the subcontractors. You could be hiring a firm, and the next thing you know, you're four or five people removed from who you thought you hired in terms of the temporary workforce, and those folks are all working remotely as well. So, definitely a challenge for clients to keep up with that, and then you bring in the regulatory element.
And across our client base, I think financial services has always been regulated and cyber has been a part of that. But now we're starting to see that pop up elsewhere, and long from now, I think we're going to see that everybody is going to be subject to some level of cyber regulatory requirements. Regulation tends to really follow the threats. I think the regulations probably still, even when they start to really take hold, will be behind where the threats are currently, and at that point, it's going to be yet another thing for clients to consider when they're thinking about cybersecurity. In the last two years, I would say legacy infrastructure continues to be a problem, especially in the ITO team, security innovation and architecture. And this is a big consideration that the underwriters are concerned about when we're going through the renewal process with clients: what technology do you have out there that's sitting there without patches, that's no longer supported, that could cause a very bad day to happen for your organization?
It's a big concern. We're really working closely with our clients to figure out ways that they can sunset these technologies, move away from them, or have them completely segregated from their network. It's something that clients have to stay on top of. And lastly, it comes down to money. We're somewhat in an uncertain time here; economically, things seem to be good one day and the next day they're not. And people are expanding budgets and pulling budgets back and doing layoffs and then hiring people. So, money's all over the place. And we've heard from numerous clients recently that there have been some pretty deep cuts. Some of these are clients in a pretty highly regulated industry, but I think they're still seeing cuts in staffing as well, and then having to pull back on various technologies.
And for cyber, it's almost like you just can't do it. And if you do it, you can count on risk at your organization going up exponentially. But if you're having a tough economic quarter, maybe a tough year as a company, and you have no choice but to cut back, that just increases the risk for clients at large. But those are based on what we've seen in the last 6 to 12 months. Those are the things that really come top of mind for me. But you know, as I always like to say with cyber, it's not always doom and gloom. What do you think, from your perspective, are the things that clients should really be thinking about when they're trying to batten down the hatches?
CJ Dietzman (06:12):
Brendan, an important question. I was just sitting here reflecting and saying, wow, that's a lot. You said a lot, you covered a lot of ground, and I think you nailed it in terms of some of the key themes we've certainly seen on the front lines. It can be overwhelming. First things first, you mentioned gloom and doom. So, we've got to prioritize, and we've got to take that, dare I say, surgical, pragmatic, targeted approach with our clients against those risks and those threat considerations that have the greatest probability to cause a really bad day for the organization. And by all means, October, Cybersecurity Awareness Month, is a really good time to pause, reflect, and take a fresh look at some of our current strategies and plans and tactics and initiatives in flight, and say, are we focusing on the right things right now, based not only on our last cyber insurance application and our last renewal?
Hey, we did great last year, or not so great, but we got through it, whatever it might be. But really taking a fresh look and saying, based not only on cyber insurance carrier requirements, which are super important, we talk about them all the time and they will continue to evolve as cybersecurity threats evolve, but also let's take a look at what other related organizations, industry leaders and other entities are doing to address some of these challenges head on. So, a couple things come to mind in the spirit of remaining vigilant and focusing on what matters most in light, Brendan, of some of those things that you mentioned. First things first, incident response readiness. I always say the readiness is all, but this hearkens back to the days of business continuity planning and disaster recovery planning and lessons learned from environmental disasters and other catastrophic-level events, long before cyber was a top five risk for many boards and leadership teams.
Organizations were oftentimes bitten by a fire or an environmental event or other catastrophe that they really didn't see coming, or found they really weren't as ready as they thought they were. So, I use that BCP and DR analogy because it's absolutely relevant in the cyber incident realm. Foundational cyber incident response planning. Do we have a reasonable, documented, useful and actionable approach to addressing those critical matters? When our organization's hair is on fire, when we've got a cyber incident, a suspected cyber incident, malicious activity in our environment, our systems are down, our business processes are adversely affected. We've got angry customers, public media, law enforcement involvement, all of these things culminating when and if the organization has, as I say, a really bad day during a cyber incident. Are you ready? And unfortunately, we're still seeing many organizations that are just not there.
The good news: it's been done before, it's been figured out. We know what a reasonable, defensible, useful incident response program looks like. A solid plan, a relationship with one or more service providers who can provide those specialized digital forensics, incident response, e-discovery and breach counsel services that an organization is absolutely going to need. You don't want to be negotiating the terms and conditions for those partners during an incident. You don't want to be selecting your team and writing your playbook the day of the Super Bowl, to use a sports analogy. The same thing applies here in the incident response realm. Tabletop exercises never cease to amaze me. A cyber incident response tabletop exercise, I consider it low cost, high impact. It's easy to crank one out, and it can pay dividends. Just getting all the principals in the organization who are going to play a critical role during a cyber catastrophic event, or even a material or significant event around cyber threat activity or a cyber attack.
Getting those folks around the table, who are all busy, they have their day jobs, but just to walk through your plan, walk through roles, responsibilities, communications protocols, who's going to be making key decisions, escalation paths, critical partners, the insurance claims process; an ounce of prevention in this space, an ounce of preparation, will absolutely pay off during a cyber incident. So, the time is now to dust off incident response plans, take a fresh look, conduct those tabletops, and make sure your retainers and your third-party relationships are in place. These are things that we're helping clients with every day.
Brendan Hall (10:51):
I was going to add to that, CJ. I was just with a client yesterday talking about having multiple incident response firms on retainer. Because in some of these larger, crazier breaches we've seen, your primary responder may be conflicted out from working for you because they're working for another party in that same breach. So, there's that risk. There's also the risk that, in some of these larger breaches that happen, thinking of SolarWinds, when the entire industry is maxed out or close to it, if your primary is not available, you want to make sure you have a backup ready. And again, that way you're not negotiating an SOW, or terms like limitations of liability and confidentiality clauses, while there's an active breach happening in your network.
CJ Dietzman (11:30):
Oh, it's so true. Great, important points. And to your advice there, Brendan, it's not necessarily something organizations are thinking about. And the time is now to take a fresh look at some of those things. Working on the front lines of cyber risk management and security, the other one I'll mention that continues to come up is vulnerability management. You know, when I think over the years about all of the matters and the incidents and the outages and the attacks and the investigations and the postmortems, wash, rinse, repeat, that I've been involved with, and some incredible war stories we don't have the time to talk about today, Brendan, when my head hits the pillow at night, sometimes I say to myself, if that organization had been doing some reasonable vulnerability management, they may not have gotten into this predicament, or it may not have been as severe.
And when I say vulnerability management, I'm talking discovery and scanning for technology vulnerabilities, and analysis of those vulnerabilities. Is it an issue of deprecated software, end-of-life systems? Is it a case of missing patches, not just in one platform or in a Microsoft space, but across the entity, wing to wing, not just relying on patches that come out, and so on and so forth? But really considering those platforms, applications and technologies that matter most to the organization, that are externally facing or that involve interconnected networks. If there are vulnerabilities in those systems, those can be soft spots and jumping-off points or privilege escalation points for a would-be attacker. Penetration testing, which again, by itself is not enough. We've got to couple that with vulnerability scanning, analysis, remediation, patching, hardening; we need a secure baseline for these systems.
And then we need governance and reporting on all of the above. So, when I say vulnerability management, it's capital-V Vulnerability, capital-M Management. This is a domain; this is an ideal that we need to strive for. And it's not just, hey, we did a vulnerability scan, or last year's pen test told us A, B and C. That's not enough. It's also not enough to say, well, when Microsoft Tuesday comes out, we patch all of our desktops. That's not enough. And I'm not picking on Microsoft or any other platform. What I'm saying is organizations really need to ensure that they have an integrated approach, a holistic approach to vulnerability management. That may sound overwhelming on the surface, but the reality is this is a discipline that has been validated and proven over the years. There are third-party service providers that we encourage our clients to work with who can provide some or all of these capabilities in a managed service format, or even a hybrid: some of the client's own capabilities coupled with a third party.
We've also got clients who are doing some of these things, which is fantastic, but we've got to make sure that we address vulnerability management holistically. And if I sound like I'm on a tree stump, maybe I am, but consider, as someone who's been toiling in this realm for a long time, malicious actors are steadily exploiting these technical vulnerabilities. And one of the things that I find most frustrating about it is that it's not the zero days, the newest, most sophisticated, recently discovered vulnerabilities, that are getting exploited. For the most part, in my experience, in the matters that I've worked on and the incidents I've worked on, I've seen malicious actors exploiting vulnerabilities that were literally 3, 4, 7 years old. And that to me indicates a breakdown in vulnerability management. We talked a little bit about this, but the concept of preventative controls, detective controls, response controls: no trapeze artist at the circus works without multiple nets.
And I always apply that analogy when I think about a cybersecurity and risk program and how we stay vigilant against some of these risks and threats that you mentioned earlier. Detective security measures, ensuring that we've got detection and response, up to and including endpoint detection and response on desktops, laptops, servers. And we've been encouraging many of our clients to move towards more of a managed detection and response model, particularly those organizations in the mid-market, generally, who might be constrained around those resources. You need that 24 by 7 eyes-on-glass capability, because unfortunately malicious actors don't follow our work schedule. Identity management, privileged access management, multifactor authentication. There are still organizations who have not made the progress to mitigate those key risks around the crown jewels: the most important usernames, passwords, administrative access to the environment. If we don't have solid identity management in place as a preventative control program, including a strategic approach to authentication and authorization and restricted access, the organization is exposed.
I just spoke to a client this past week, and yes, they've got multi-factor authentication in place, but their implementation has stalled. Yes, they've got certain elements of privileged access management (PAM) in place, but their implementation has stalled. Thinking like a malicious attacker, they're going to look for the path of least resistance. They're not going to target the accounts that have been hardened, that have MFA, that are subject to advanced workflows and capabilities from a PAM solution. They're going to look for the soft spot. And if your organization has only done a partial implementation, or has had a new acquisition or other technology platforms that have not been hardened, now's the time to dust off those plans. Take a fresh look at it. Something else that you mentioned, Brendan, was certainly the innovation, business process innovation, new technologies, whether it's mobile, IoT, cloud, you name it. We need to start front-ending some of those innovation projects, those revenue-driving, wonderful, lifeblood-giving business initiatives.
We need to integrate cybersecurity, risk and compliance early days. That's not to slow down the project, that's not to say no to aspects of the project. That's to ensure that we, as security and risk practitioners, risk managers, technology risk leaders, security leaders, identify those critical risks, those compliance matters, early days. How's it going to affect our cyber insurability? How's it going to affect our overall risk posture? How might it affect certain other risk and compliance matters that the organization has been aligned with for years? If we don't identify that early days in the project, there's a good chance the project's going to run afoul, and then the horse is out of the gate. It's really hard sometimes to retrofit good security controls and governance after one of these innovative, fast-paced business projects is up and running. It's much better to invest the time and the resources up front, whether it's through your PMO or through business executive leadership.
I promise you, risk managers and CISOs and risk leaders in the organization can be heroes when they call attention to some of these potential gaps. Because the last thing you want to do is set yourself up for exposure by getting ahead of yourself with some of these innovative projects. One last thing I want to mention, and we could spend a heck of a lot more time, but certainly recovery procedures, controls, plans, testing detective and preventative controls. How about the human element? Brendan, so often when you and I have worked with clients who've been in a tough spot, staff, employees and third-party contractors have played a role. So, during this Cybersecurity Awareness Month, I don't think we can overstate the importance of security awareness and training. What do you think?
Brendan Hall (19:18):
I agree with you. You're only as strong as your weakest link, and if somebody's having a bad day and they're otherwise not paying attention, things can all go sideways from there. This has been a great discussion, especially heading into our favorite month of the year, October. And as a cybersecurity professional, I so appreciate the time and hope everyone enjoys listening.
CJ Dietzman (19:35):
Outstanding. Thank you so much Brendan and thank you everyone. And looking forward to speaking with you again on a future Alliant Specialty podcast and let's together remain vigilant and continue to drive for better cyber risk management outcomes. Have a great day.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.