Specialty Podcast: Navigating Cyber Risk for Financial Institutions

Intro (00:01):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.

Ron Borys (00:14):
Welcome everyone to the latest edition of the Financial R&R. I'm Ron Borys here with my co-host, Ryan Farnsworth. And today with us we have two senior members of Alliant's cybersecurity risk and compliance group, two very well-versed practitioners within this area of Alliant Cyber vertical that are working with clients every day in helping them through various cyber risk challenges, application and just looking at risk as a whole. Ryan, I thought it would be a very timely conversation. I think cyber is one of those topics that you can talk about many times throughout the year because it seems like it's always changing and evolving, and we're really lucky to have two experts like you on our team working with our brokers and our clients. So, welcome Adam Rauf and CJ Dietzman to the Financial R&R.

CJ Dietzman (01:00):
Thank you so much.

Adam Rauf (01:01):
Thanks for having us.

Ryan Farnsworth (01:03):
It's great to see you both and have this conversation. Normally we are talking with clients as well on the same meeting, the same chat line. That's become such an increased focus in addressing cyber risk, is doing it directly with clients and helping them manage risk. You both have been with Alliant for a couple years now. Give us a quick update on how the group is doing, what is it that we are doing, how are we helping our clients manage risk? And then we'll get a little bit more into the actual risk topics and trends that we're seeing in the market today.

CJ Dietzman (01:34):
Sure, 100%. Thank you so much Ron and Ryan, thrilled to be here talking about cyber risk, particularly in the financial services industry, but an update on Alliant Cyber. So, effectively what we've done is we've integrated the best of cyber insurance brokerage capabilities, risk transference, coverage analysis, cyber insurability. We've bolstered that with risk quantification and a consulting capability, assisting our clients with remediation, further analysis of cyber risks and threats and addressing those hand in hand together with our clients, helping our clients navigate the broader cybersecurity market in addition to the cyber insurance market. It’s an integrated approach to cyber risk management as part of a broader enterprise risk management capability that Alliant brings to bear. Adam and I are just thrilled, and it's a blast to serve clients in this manner and to work with Alliant colleagues. And it's working. Our integrated approach and methodology is working. We're seeing better cyber insurability outcomes for our clients, and we're also seeing them rise to a better posture for cybersecurity.

Ryan Farnsworth (02:46):
Thanks, CJ. Ron mentioned what at one point was a four-letter word when it came to cyber insurance, which is the application, right? The application was always so difficult to complete when you're talking about cyber risk because there's very little black and white in a response for how a firm is addressing cyber risk. That’s where Adam and his skills and experience comes into play and helps our clients help find that more rewarding way to manage risk, more rewarding way to manage cyber risk in this case. Adam, what are some of the highlights in your role as a cybersecurity practitioner that allows us to get past the old guard of doing black and white applications and helping clients best position themselves for cyber insurance placements?

Adam Rauf (03:31):
Yes, great question Ryan. Thank you and Ron for having me and great to be here with CJ too. You alluded to some of these items. Is that cyber insurance applications that used to be that 10 years ago probably you could just sign your name and essentially you got cyber insurance. And then what we saw with the pandemic was that a lot more remote access and remote work was happening. The carriers were having to pay out claims on things that organizations didn't spend a lot of time shoring up over the years. Multi-factor authentication for remote access and having exposed open RDP and other things exposed to the internet. So what happened was that the applications got more stringent around what are your controls and what are you doing?

To your point, they're set up in a totally binary fashion. You're either the best company in the world or the worst company in the world, and there's no room for in between. So a zero or a hundred percent response, and I think that within Alliant, we felt that that was an unfair way of representing clients and their risk. Because as you mentioned earlier too, most IT organizations are not set up in a black or white manner. You might have controls across 85% of your particular fleet, and then you've got mitigating controls for the other 15%. But if you have to answer a question of zero or a hundred percent, you're always going to choose zero. That doesn't accurately represent your risk of the carriers and the underwriters. Being as somebody who is on the other side of the table and going through cybersecurity applications that people had submitted, now taking that same inside knowledge and trying to help clients navigate that and help prioritize the things that they should be working on fixing, because we know those are the things that people traditionally have to pay claims out on.

Ron Borys (05:04):
Adam, for our listeners, maybe you can describe about what that process looks like because I think sometimes people think it's a little intimidating. You obviously work for us, and we make it very clear that the information that we decipher in these interviews and conversations is primarily intended to be a discussion about them and ways that we can help them be more in line with some of the standards that we're seeing across the board. We have a great purview into this because of the amount of clients that we work with here, but I think sometimes the anxiety around engaging in the conversation by the end of it, they're like, wow, this was great, and we really learned a lot. By the way, now we don't have to complete a cyber application. That's even better. But maybe you can just help our listeners understand that a little bit better.

Adam Rauf (05:48):
No, that's really a great question, Ron. I think we take a more boutique approach, and I'm sure CJ will probably agree to this. I think that a lot of times when you're going through this process, it's a lot of fill out a paper or PDF application. Go into a platform and fill out a bunch of answers. To that same point, as I said, usually there's not the opportunity to provide a lot of the context. Our process instead focuses on us having conversations directly with your CISO, your IT director, whoever it happens to be within, handling the technical aspects of security within your organization, having that more candid conversation around, instead of just walking down the line being like, hey, what do you have for EDR? What do you have for AV?

Let's talk about your tech stack. Let's talk about the risks that are presented to your organization, and then let's figure out the ways to talk about that risk intelligently back to the carrier markets. To your point, instead of filling out a traditional paper application, our process, because we've been sitting down and having conversations with the carriers and understanding what they prioritize and what are they paying out claims on, working with some of our MDR partners, our DFIR partners, talking to them about the latest TTPs from threat actors, what are the things that we need to be concerned about and ask those questions around? Because we're not using the paper application method, we can be more nimble. So even before the carriers started asking questions about CrowdStrike outages from earlier this year and what we saw around third-party risk management, we can just ask that question as part of our conversation.

That gives us the opportunity to convey that risk to the carriers and the underwriters before they have to come back and say, hey, by the way, you guys have CrowdStrike. What was the outage like for you? We asked that at the front end because we have the opportunity to have that conversation and treat it more of an interview as opposed to filling out paper applications. Year over year, instead of going back and spending a couple hours going through an application or sitting down with one of us to have that conversation, now we just focus on the delta and what's changed. A lot of times when clients have gone through the process with us the first year where we've maybe spent a couple hours going through collecting all the information, a lot of our client updates calls are done in 30 to 45 minutes, and you're done with your cyber stuff for the year, which tends to be beneficial for everybody and saves them a lot of time.

Ryan Farnsworth (07:51):
That’s where really the rubber meets the road when it comes to managing cyber risk and then figuring out how to transfer that risk to the insurance markets, is these risks and trends are always evolving. We have the CrowdStrike issues with Change Global. Third-party risk management has been thrust to the forefront, and that's where CJ and a lot of our other Alliant cyber team from a consulting and risk management perspective, truly become an integrated part of our client's approach to cyber risk management. CJ, speak to a few of the trends that you're seeing now and how Alliant is helping our clients manage those cyber risks and trends that we're seeing.

CJ Dietzman (08:31):
Ryan, I'm glad you raised that. This is an important moment for a lot of organizations to think and look at third-party risk management, business partners, service providers in the context and in light of the advent of something like a CrowdStrike event that we experienced this summer. First things first, I think probably unfair and shortsighted to make it a focus on CrowdStrike. CrowdStrike was not the first instance of a service provider vendor having a technology, a software update, configuration related issue that caused a significant outage for dependent organizations and consumers of the service of the platform. So there's that. The broader thing here though is organizationally we can't just say, well, we fell victim to the CrowdStrike issue. There'll be another. I wish I was wrong about that prediction, but I'm not. I'm right about it. There'll be another third-party incident or outage related to a software service. The question for our clients and for businesses is, how are you managing this body, this population of third-party service providers, vendors?

Who's making updates to your servers, software, endpoints that could potentially have downstream impact, cause a business process disruption? We can't just say, well, we've got terms and conditions in place with a given service provider, therefore we're good to go. There's so much more to it than that. And certainly the insurance markets, the carriers, Adam and I are seeing it more and more. They're asking, probing, tougher questions, dare I say, and this has become a hot button point of focus, organizationally how are you managing those vendors? Do you know your vendors? Do you know what critical business processes and functions have critical dependencies? Where are the technology dependencies? Where are the soft spots? Where are the vulnerabilities in those dependencies? Do you have the right controls, governance and monitoring around those vendors and those service providers? Lessons learned from CrowdStrike is that it's more of an opportunity for some introspective thinking and evaluation of how we govern, manage and monitor those providers. I think the other thing that is just the reality that we're going to face in 2024, onward 2025, is that the insurance market is going to be hypersensitive to third-party risk management.

Ron Borys (10:51):
Yes, all excellent points, CJ. As I like to say to our clients regularly, if an insurance policy is responding, it's usually because something bad happens. That’s not just cyber insurance, that's just the general nature of insurance. There's an event that caused a claim that ultimately is going to result in a loss. I think our approach since creating our cyber vertical and certainly acquiring talent like you and Adam, has been to focus more on the cyber hygiene. Focus more on making sure that people are aware of the things that are out there which change and evolve every day. To your point, CJ, hopefully we don't have another event like CrowdStrike, but chances are statistically there will be another event that is a more macro type event impacting a number of different users. I think what we really wanted to accomplish today, and I think we certainly did so, is to just really highlight the resources that we have within Alliant that can help clients not only get through the application process for cyber insurance, but really help them obtain a better understanding of what they can do to stay current and up to date with good cyber hygiene policies, procedures, et cetera. So with that, we'll wrap up today's discussion. Again, for those who are listening and have more interest in learning more about Alliant and the resources and capabilities we have both in financial institutions and within our cyber vertical, feel free to visit our website at www.Alliant.com. Again, can't be grateful enough to have practitioners and experts like you all working with Ryan, working with me, working with our brokers, and most importantly, helping us serve our clients. So appreciate your time and look forward to having you guys on the Financial R&R again at some point down the road.

CJ Dietzman (12:32):
Thank you.

Adam Rauf (12:33):
Yeah, thank you Ron and Ryan. Really appreciate it. Thanks, CJ.