Artisan Advisors Unfiltered
Artisan Unfiltered is a podcast series featuring frank and insightful conversations about banking. Each episode is moderated by Artisan Advisors and features a panel of industry experts, talking candidly about issues that matter to you, and your financial institution.
Artisan Unfiltered #12: Cyber Security Risk and How to Manage It
Get a reality check about the risk and liability associated with data security and listen now to the Artisan Unfiltered podcast, Cyber Security Risk and How to Manage It. Panelist and data security expert Chad Holstead notes that for banks of any size, “the hard part is management's ability to rally and champion a security culture.” What’s your bank’s security culture? Listen now.
Artisan Podcast #13
[00:00:00]
Jim Adkins: Thanks for joining us today on Artisan Unfiltered. Today's topic is a timely one, cyber risk and how to manage it. I am Jim Adkins along with Jeff Voss, and we are the managing partners of Artisan Advisors. Today, we are excited to have with us Chad Holstead of BKS, Allen Blount of Risk Strategies, and Dwight Williams of Risk Strategies to discuss cyber risk.
A quick background on the panel. Chad Holstead is president and founder of Business Knowledge Systems. BKS is a 24-year-old IT managed service provider, focusing on providing security-first IT services for banks and other small and mid-sized businesses. Chad is [00:01:00] currently part of an advisory council helping IT managed service providers become more security focused in their business.
Dwight Williams is the National Account Director within the Management Liability Practice Group at Risk Strategies. He is a seasoned expert with more than 22 years of experience.
He provides risk advisory, strategy, and placement services to a diverse client base, ranging from emerging private companies to complex publicly traded financial institutions.
Allen Blount is currently the National Cyber and Technology Product Leader at Risk Strategies. Allen has oversight over the cyber and tech E&O business, day-to-day operations, and he manages brokers across the country. Gentlemen, welcome. Jeff, why don't you start us off?
Jeff Voss: Cyber, as everybody knows, is one of the most talked-about topics [00:02:00] in bank operations and technology. Um, the regulation, risk assessments, you know, always seeming to be the focus.
Chad, I'm going to ask you first, uh, direct this question to you, but what do you, what should banks focus on, you know, with this ever changing topic, uh, to ensure compliance with both regulation and mitigation of risk?
Chad Holstead: So the easy answer to that is to focus on a framework and follow the guidance of a framework. So the big framework that everybody's talking about right now is CMMC, which is the DoD, Government Department of Defense framework. FFIEC has its own guidance and framework that is aligned with a lot of the national standards.
There are so many frameworks out there. CIS, NIST, FFIEC, FTC, CMMC. Pick a [00:03:00] framework and march down that road. So start with FFIEC. Follow the guidance. And here's the thing with that, though. When you do follow a framework, there are typically three things for every question. A physical control, you know, that if we take the tech out of it, you lock the door with the key, right?
A policy that says you lock the door with the key, and the document that proves who unlocked and locked the door with the key, right? So just start with that. Take the tech out of it and create a guidance of, okay, just march through this: step one says this, step two says that. That has been the easiest thing to start with.
Jeff Voss: Okay. What, what are you, What are you seeing, um, is the most significant threats that are impacting banks today?
Chad Holstead: So the biggest impact is, by far, it's not just banks, it's every industry, is phishing, okay? [00:04:00] Phishing is a form of social engineering that is technical, and it is pretending and trying to get somebody to trust a bad actor. Okay, it's uh, literally fishing for bait. Um, once, so your, your ultimate defense line is your end user.
So training your end users is your most valuable ROI. Uh, because if it doesn't get past the end user, it doesn't get on the computer. Once it's on the computer, if you don't have, there's so many things we could go into deep dives on why you need other controls, because once it's in, it can move lateral.
And we don't want that either. We want to try to segment as much as possible. But the, the first line of defense is going to be that end user, and phishing is probably the number one attack that is going on right now.
Jeff Voss: What, what are you seeing with, you know, another topic that I see out there is ransomware. Are you seeing that in your clients as well? Have
Chad Holstead: So, [00:05:00] ransomware is usually the result of phishing. So, you, you get phished, and you get on the computer, or you get access to something, and then you deploy some type of nefarious payload. Um, depending on what the actor is doing, they could just sit and watch your, your, your mailbox and collect sensitive information to sell on the dark web.
If you don't have any sensitive information, then they'll try to deploy payloads to ransomware your data. So ransomware is usually a result of phishing. Um, but it is a big topic. Uh, and the problem with ransomware, the new ransomware is, they're extracting data. So when ransomware first became a thing, um, what, 10 years ago-ish kind of thing, your data would be encrypted and there were two ways out of it.
Three ways. Forget about it, move on. Pay the ransom. Or recover from backup. If you had a good backup, the [00:06:00] other two were not a problem. Now they're doing the encryption and they're taking your data, and so they're, they're threatening to put it on the dark web. So sometimes you almost only have an option to pay at that point.
Um, so protecting that data and making sure it can't be exfiltrated, or that users don't have access to what they don't need, will be a huge key in protecting your team from ransomware.
Jeff Voss: you seen any, do you have any experiences in that with your clients so far that have had ransomware put on the machines and
Chad Holstead: Oh, yeah, we've had customers. We had one last year that, uh, was ransomed about four o'clock in the morning. Um, that customer in particular only was paying for backups from us, so we were not actually doing the full security stack on that one. But our backups, our backups do have ransomware detection. [00:07:00] So we were alerted through our backup system.
So we were able to make sure that the data they had on their backup was recoverable. But unfortunately, they had a lot of users that were storing data that was not on the backup. And I think they ended up paying the ransom for that.
Jeff Voss: So I want to, I want to throw this out to the Risk Strategies guys as well to weigh in, um, is that what you're seeing in terms of, uh, most significant impact on your clients, phishing, ransomware, are there other, are there other items as well?
Allen Blount: Yeah, I agree with Chad. I mean, what we're seeing is phishing and social engineering, right? So I would say from the claims we see, about 80 percent of the claims is due to some type of social engineering, right? Threat actor spoofs as a prince from another country, or the CEO of a company or executive, [00:08:00] you know, as the secretary or the admin to divert funds, and believe it or not, that still happens.
Right. But with phishing, yeah, it's, too, um, along those same lines. Threat actor gains access to the system, well, threat actor gains access to the system by sending a phishing email, employee clicks, encrypts the system, or again, like Chad said, stays there and watches. Um, what we're seeing with our clients is three main things.
Things like, you know, leading to cyber claims, right, and that may lead to ransomware, um, is, is again, the phishing, number one. Um, two, failure to patch, right. We see a lot of, um, a lot of claims due to failure to patch, um, um, vulnerabilities, whether that's due to end-of-life technology or just, uh, it goes back to that employee, just employee, the MSP or, you know, [00:09:00] Microsoft, Google, whoever released the patch and that individual did not patch the vulnerability. Um, and third is, um, which surprisingly, a lot of clients really do not understand, um, vendor management issues, right? So, um, you know, you have a third-party cloud provider and believe it or not, everyone, especially small businesses, is not on AWS.
They're not on these big companies. They're relying on third-party vendors. Their, um, their system is penetrated. Um, the malware moves from their system to the client system, right? And that's why policy is so important. And I'm sure we'll talk more later, uh, later. Um, we'll talk more about it later with contingent business interruption, because a lot of organizations believe, well, my vendor is taking care of that.
So I'm off the hook, which is not the case. If you're collecting PII, um, you can, or any type of [00:10:00] information, you cannot offload that liability. And many times vendors have that right in their contract. You did not hire me for security, so don't come back to me for security purposes. So those vulnerabilities are there.
Three main drivers, uh, with respect to ransomware. Um, uh, I think 2023, according to, you know, our numbers is the largest of all time, uh, 2024, that trend seems to be remaining, even though the clients who have paid the payouts have been lower. I'm not, I, I'll be honest. I can't pinpoint why that is the case.
I have some ideas. That's a whole ‘nother conversation, but, um, but the ransomware is still very high.
Dwight Williams: Just, and I would just add, just, you know, to Allen's point about the cyber sort of exposures and the issues, uh, and just as important as the cyber policy is, um, there is a fidelity and crime policy that can [00:11:00] potentially respond to some of those social engineering, um, acts that Allen spoke about earlier.
And obviously, there's going to be some, um, perhaps overlay between the policies, some interconnectivity between the two, but it's certainly important to, um, you know, first look towards your cyber policy, which is going to be more, probably more robust and probably, you know, crafted with the specific intent to respond to certain coverages.
And then you supplement that with looking at that fidelity and crime policy as well.
Jeff Voss: Yeah, I know. Have you seen, Chad, have you seen any, any of these cases where, um, you know, the fraud is perpetrated with phone calls rather than technology where they get, where they get the retail person on the phone or a customer service person, talk to them about [00:12:00] changing names, talk about changing email addresses.
The bank itself will turn around, or the company will turn around, and change the address. Next thing you know, they're requesting a wire transfer of funds, and those wire transfers all appear to be legitimate based on the documentation, and next thing you know, the money's out the door.
Chad Holstead: And where they're starting with that is, and it's nothing personal. It literally is nothing personal, but your data is out on the dark web. Okay. You can buy every single person on this call. I can go probably find your driver's license number for 25 cents on the dark web, right? But the more information that we have about you on the dark web, the more expensive your dossier gets.
Up to, let's say, 5 to 7 a record, but that's enough where I can go in and I can call the bank and go, yeah, I'm Chad Holstead. My mother's maiden name is, [00:13:00] you know, Jane, and my social security number is 555 1212. And all of a sudden, all of those things check every box for the bank, right? You knew your mother's social security number.
And now I can go in and I can change my online password and boom, I just shut Chad out of Chad's bank account. Kind of thing. And Chad has no recourse whatsoever. So what we're recommending, and this goes to the technology side of the house, this is where multi-factor comes in. We saw a huge rash of people losing their Facebook pages and their business Facebook pages back in November and December, because somebody would send them a Facebook message that looked like it was from Facebook.
And it said, hey, you're using copyrighted content. We need to verify you. Um, sign in. So that's your username, your password, you have a picture of your driver's license and all this stuff. They then take that, go online, change all your Facebook account information to their information, [00:14:00] and you're locked out of your own Facebook page at that point, and they're trying to sell you stuff, right?
It's the same process if a bank or any type of system has a multi factor password. Hey, thank you Chad, I appreciate you have everything in here. What's your key code? That key code is probably not on the dark web. But also, don't use your mother's maiden name for your key code, because that is on the dark web.
Kind of thing.
Allen Blount: Yeah. And along those lines, what Chad is saying is human nature, right? There's a human nature factor because we, as humans, your bank password is probably the same as your Macy's password, right? Or your Instagram password. We reuse passwords, or maybe just add a 1, 2, 3 after your mother's maiden name. So threat actors, right?
They know that, right? It's just because it's human nature, right? We all do it or have done it at some [00:15:00] point. So, um, you know, if, you know, even if, if the actor may have a password and maybe your bank password is different, more than likely, if that threat actor is committed, he or she can do some type of configuration with your password to figure it out.
Dwight Williams: And it's, it's interesting. You go, you go back to the point that you were asking about, about whether or not some of these, uh, frauds, particularly on a social engineering front, whether they're being sort of perpetuated, uh, over a voicemail or through a phone call, you know, one of the things that the crime and fidelity policy requires you to do, at least some of them require you to actually do a callback, you know, so you're prompted to hang up.
Call back at a number
Chad Holstead: A known number.
Dwight Williams: Right. Not the number that just called you, to have you verify that this person is real and they exist and that those instructions are not fraudulent. [00:16:00] So, um, you know, there are ways to mitigate it. Uh, not all policies, at least from an insurance perspective, are crafted the same way, but that's one of the features that exists in some of those policies, which will try to sort of mitigate some of that risk.
Chad Holstead: Very much
Jeff Voss: Yeah, I know. I, I, I, uh, have a client that had that happen to him and they went back with their insurance policy, their crime policy, and they had not followed those procedures. Guess what? They didn't get the claim. And, and they did not get paid out on the claim. So I think it's very important to understand the provisions of, of those policies.
It's common sense in many, many situations here, but following the correct procedures to protect the organization is probably the most important thing you can do to make sure that you've got your, you know, fallback insurance coverage when things do go wrong.
Chad Holstead: That's, that's [00:17:00] huge, Jeff. That's key, because there are multiple lawsuits going on right now within the IT space, because the insurance asked if you had 2FA. You said yes. Well, the insurance question was vague. It didn't say 2FA on everything. It said, do you have 2FA? Well, the account that got phished didn't have 2FA because it wasn't asked, right?
So there are lawsuits going back and forth. The other piece of this too is, if you have a policy that says you have to do a callback and you don't ever do a callback, don't write it in the policy.
We'll look at that policy. And the way it goes, you don't have a policy, so we're going to charge you more for insurance because you're a higher risk. But if you say you're going to do something and you don't do it, it is more risk than if you don't say it and don't do it.
Jeff Voss: Or you need to, you need to explain to the insurance what your procedures are. And it's up to them to decide if they want you to do something different, require you to do something different to tell you.
Allen Blount: Yeah. It's getting [00:18:00] very, um, it's getting tricky. This is an evolving space, right? Because of AI. So we've seen maybe two claims already with respect to vishing, right? The voice, the voice where, um, the threat actor called using the voice of the executive. And there was 2FA in place, meaning the callback, but the employee, these are recent claims.
The employee was so convinced that it was her boss on the other line. Yeah, this is, this is Jim from the C suite, and directed the bank to issue payment. She was so convinced, and honestly, yeah, I probably would have been convinced too. I would have still called back, but, um, but with AI and, and, and, and deepfake voiceover, it's becoming even more complicated.
Jeff Voss: I, that's, that's a great, great point. Um, you [00:19:00] know, AI has changed the game completely at this point. Right. I mean, it is,
Chad Holstead: done changing the game yet
Jeff Voss: yeah. You know, it's, as you said, it's evolving and, and I, I really wonder how we're going to be able to protect ourselves from something like AI, unless you don't allow AI in your shop.
Right. If there's a way to avoid that.
Chad Holstead: So, one, you're going to use AI to protect yourself against AI. Um, we actually encourage customers to write acceptable use policies for other stuff, right? We have an acceptable use policy for AI here at BKS. Um, and a couple of things that it calls out are, one, only reputable AI systems that you have researched will be approved.
So don't go to Jane Doe's AI system, but ChatGPT, Microsoft [00:20:00] Copilot, or, we have a lot of them in the industry that are doing stuff, kind of thing. So, uh, use those. Um, you cannot use one that's not been pre-approved by admins, and, uh, you cannot put corporate data on AI, because AI uses AI to grow AI. Uh, there are pieces of the puzzle, places where you can put it that your data stays secure. So like Microsoft Copilot, your data stays within your tenant and it's not used to feed the rest of the engine. Um, I recommend to customers, if they're not going to pay for something like Copilot, if they want to put it up, and I have a friend of mine that puts his P&L on AI and has AI, ChatGPT, analyze his P&L.
But I encouraged him to go in and whitewash it, take the corporate name off of it, take any, uh, account name that could point it back to you, and sterilize it, right?
Then you can put it up there all day long, because nobody's going to know who it is, and you can still get the same [00:21:00] result out of it, but sterilize it before you put it up.
Jeff Voss: Interesting. So, so were the claims, uh, that you saw on the insurance side or the, uh, the, uh, filed claims, were they AI related this year? Is that what you're seeing most of? Is AI?
Allen Blount: I wouldn't say most, I would say so far, um, they've been the vishing and it's been
Jeff Voss: Vishing. Okay.
Allen Blount: Yeah, that's the voice phishing. Um, it's been about two, um, one December 2023 and one early this year. Yes.
Jeff Voss: Okay. Try, trying to assess the, a little bit about the size of the institutions and the quality of, of, you know, cyber threat mitigation and prevention. Um, is there a direct correlation between, you know, [00:22:00] large companies being 100 times better than smaller companies? You know, what do you see, Chad, in the banking space?
Small banks versus large banks? You know, what are we seeing? Is it easier for a smaller bank, or you think it might even be easier for a smaller bank just because they're small? Fewer employees, but they don't have maybe the resources.
Chad Holstead: technology, right? Bank of America still uses a core processor system, although it's their own, probably homegrown processor system. And local community bank 123 probably uses an outsourced core processing system, right? But they still use a core processing system.
They both use Office 365 for email. They're all using the same basic technology, just scaled differently, right? So security has to scale with that. Now, you know, I always joke with people that I can secure your data. I'll lock it in the vault. You need access to it. You didn't ask for that, right? So there's a, there's [00:23:00] a give and take that you have to have.
Uh, I don't necessarily think it's easier for big business versus small business. I think what really is the only hard part is management's ability to rally and champion a security culture. So if you've got a great C-level team, I don't care if it's Bank of America or local community bank, that is championing security and putting investment in it at the rate that's compensatory to the size of their bank, right?
It's a doable task. If you have a C-level executive that is a curmudgeon, that is stuck in yesterday's past, that is, you know, I own a bank because I have a bunch of money and that's what I've done, right? He or she doesn't see the forest for the trees, and they're never going to instill that security culture, and they are always going to be a threat [00:24:00] kind of thing, or a risk, excuse me, not a threat.
Jeff Voss: So can you say the same thing, and I'll throw this out to both you guys, all three of you guys, the regulatory framework that's out there. Does it, is there a size component to this as well? Does it matter whether you're small or large, or the same scale of, uh, oversight is expected? Um, my, my sense with the regulatory framework is they don't care if you're a hundred million dollar bank or a 10 billion dollar bank, there are certain fundamentals that they're going to expect out of you, no matter what it costs. And you're going to have to do that, period. There are some basic things out there.
Allen Blount: Yeah.
Jeff Voss: And it depends on the, on the, the software depends on the products and services that [00:25:00] they're offering. I mean, if you're not, you know, we still have a client that's not even connected to the internet. Right.
When I say that they're, they're, they're not connected for transactional purposes, so they don't have a website. They don't have internet banking, any of that stuff, um, which is hard to believe in today's world. But it does exist. That would be obviously a different situation, but for the bank that's got a normal suite of products and services, you know, I want to get your thoughts on that.
Sorry.
Allen Blount: Yeah. So I'll start. So a few, a few things here, um, you know, to start, you know, to follow what Chad was saying, you know, from a threat actor perspective, maybe 15 years ago, you know, banks, especially the big banks, were targets, but these days, the threat actors, I mean, [00:26:00] during times of civil unrest and war, right, you know, country, you know, sovereign-backed actors may target, but generally threat actors don't target a specific entity. They don't target a specific size. It's, is there a vulnerability in 365? We're going at it. If we get you, we get you. If we don't, we'll move on to the next vulnerability, right? It's looking for the next sucker.
So all hands are on deck. Okay, from that, from that perspective. Now, with that said, right, with the regulatory aspect, the SEC does not care. And we are, from an insurance perspective, we are seeing our carrier partners, and Risk Strategies especially, pushing for additional coverage on the cyber policy to specifically cover the cost of reporting cyber [00:27:00] events, okay? I mean, some carriers have added those endorsements already, and brokers are really pushing that, and we've gone back to ask for that coverage now. And those endorsements do not distinguish between community banks, large banks, um, they're all the same reporting obligations, because again, it's all the same, um, technology. Again, my point, it's just scaled differently.
But if, um, if there's a vulnerability, it's going to be a systemic issue. And, you know, um, you know, there's going to be, um, regulatory implications to that.
Dwight Williams: Yeah, and I would, and I would just say too, you know, just to piggyback on, on Chad and Allen, um, we know that, you know, last summer, the SEC adopted their, you know, final cybersecurity disclosure rules. Uh, and that's going to impact, you know, obviously publicly traded banks, but even to some extent, some that are beneath that threshold.
And, you know, again, whether you're a, you know, a large money center bank or [00:28:00] your community bank, you're still going to be subject to those rules at different levels and at different time frames. Right. And so, um, you know, I think it's really important, you know, Chad, to your point, that the C suite, you know, not fall asleep at the wheel here. You've got some serious responsibilities, um, to take care of.
And it's not just the responsibility of the chief information security officer, right? This runs all the way to the top of the organization. Uh, you know, as, as board members, you have all of these duties of loyalty of care, obedience, and you really have to fulfill those duties. And you can't just sort of haphazardly attend board meetings without, um, you know, really understanding your job and making sure that you're complying with applicable federal state and local law.
Right. Uh, and so it, it's, you know, to Allen's point, it's, it's really not necessarily a, a size thing. It's, if you, uh, if you are serving at this, at this board level, if you're serving those officerships, you've got a responsibility. Uh, and, [00:29:00] uh, the SEC has made it clear that they will go after you. I don't know if you saw last, uh, uh, fall, um, you know, SolarWinds got a, uh, an SEC-filed security, uh, disclosure suit against them for, um, you know, misleading investors, um, around what the cybersecurity measures and, and, uh, procedures were.
And so this could obviously, given the regulatory oversight that, um, is had on banks, this could easily be any bank. And so we just have to be really careful about, um, about what we say or what we omit, um, related to those, uh, to those securities. And there are huge, obviously, cyber, uh, liability policy implications, but they're going to be D&O, uh, big D&O issues, um, as well.
Jeff Voss: Yeah, that's a great. That's a great point. Because certainly in the community bank space, board [00:30:00] membership. Um, you know, I, I guess I challenge not just our client base, but banks out there, how many banks are really, can they, how many banks have expertise in technology on their board? Right. And that, that to me is, is, is something that we as, as consultants, um, are really mulling over in terms of our client base, trying to help them as we look at their board membership, who do they have on the board?
What skill sets do they have? In the lack of technology expertise, when they're being told that they're responsible for the decisions and understanding all of this information, you know, Chad, with all the acronyms that are thrown out in the technology arena, it's almost impossible to [00:31:00] understand some of the reports that are presented.
At a board level, I, I think the reliance then is on third-party, you know, providers of services that are either examining the situation to put it in layman's terms for board members of what, what's important, what isn't important, but what are you seeing out there, and certainly on, on the insurance front, I'm curious to see, um, you know, are you seeing, you know, companies improving their board capabilities by going out and attracting technology-based individuals to the board so they can act, if you will, as leaders for the board in understanding this stuff.
Allen Blount: Yeah, that's a great question. So a few things. So even before I get into a direct response, you know, just think of CISOs, right, chief information security officer. That chief is in the [00:32:00] title, but I'm a big advocate for having CTOs, CISOs, CIOs as true parts of the C suite. So many large organizations and mid-market organizations, they have the chief in the title, but that's not nested, not necessarily part of the C suite.
And I think that's a big mistake. Um, those individuals should be part of the C suite on a board level. Every risk management committee should have someone with a technology slash cyber background. Um, if you ask Risk Strategies customers, right, um, these days, cyber is their leading concern, is their leading exposure.
They worry about it every day. In smaller entities, we have seen some ransomware attacks take them to bankruptcy. So I think it's a big mistake. Um, second, on the cyber application, many of them, one [00:33:00] of the first questions is, what was your technology budget last year and what will it be next year, or what is it this year and what will it be next year?
So cyber carriers track technology budgets. If that budget decreases, there will be follow-up questions. Why? What's going on? Why do you feel, right?
Jeff Voss: Sure.
Allen Blount: Additionally, cyber applications, especially for midsize to larger companies, do ask about reporting structure. Is there a direct line to the board? So carriers want to know, is there a top-line investment, and whether the board is keeping up, um, with trends, with technology. Why?
It goes back to what Chad said, culture. Culture is the first line of defense. So if it's not all in from the top down, carriers do, um, do view the risk, [00:34:00] um, with, you know, squinted eyes. They just really want to understand these questions.
Chad Holstead: But Jeff, to your point, from a technology standpoint, being that third-party provider, um, I would rather have somebody on the board that understands technology compliance. Now, banking compliance is this whole thing, right? You have financial compliance, you have, you know, all these other, but I'm only really caring about the technology compliance side of the house.
If there's a C, a CISO, a CTO, somebody like that, that understands the compliance, not just understands how a server works, because I don't care about that. That's my job, but I want them to go, hey, we're not compliant in this, this, this, this, this, what are we doing about it? Not just asking for a report to ask for a report, kind of thing.
That would be much more beneficial to me from the technology side than having just a guy that understands how to spell the word server [00:35:00] kind of thing.
Dwight Williams: I just want to go back to something that Allen raised in terms of that chief technology person being really ingrained and embedded into the C suite. I do see more of that happening now, uh, in the last two years than ever. Um, typically it was, you had a risk manager and the risk manager oversaw everything, and then, you know, uh, perhaps maybe the CFO was involved in the D&O. Now it's at the top of mind at every board meeting. You ask any board member, what is your chief concern?
Cyber is one or 1A, absolutely. And so the, uh, the technology, uh, chief, uh, or information chief is intricately involved in every conversation, sometimes admittedly even over my head in terms of his ability to sort of articulate the exposures, but that's a great thing, because even, because the cyber [00:36:00] underwriters are looking for it, even D&O underwriters are wanting to make sure, to your point, Chad, that there is technology expertise there. We see it in applications all the time. You know, does the applicant have written controls and procedures in place to ensure compliance with, you know, securities law, with, you know, um, you know, employment law, with, um, banking rules.
There are questions now being slipped into the applications specifically around cyber and technology. So it is definitely going that route. And I think, you know, in order to protect themselves from these new rules that are being adopted, uh, clients might want to take a hard look at that and perhaps incorporate that philosophy into their organizations.
Jeff Voss: Great. Well, we've talked about some of the best practices in the industry: employee training and awareness, multi-factor authentication, patch management, encryption. [00:37:00] One of the things that we haven't really talked about yet is incident response plans. Are you seeing more attention being paid to cyber being included in the incident response plans?
And are they doing mock testing of cyber disasters, if you will, and how to recover from that? Chad, I'll throw it out to you first.
Chad Holstead: It is actually really ironic that you asked that question, because I am hosting a webinar in 45 minutes for a bunch of MSPs to talk to them about tabletop exercises for incident response. It is something in our industry as a whole that we are preaching, not just for our customers, for ourselves, because our customers need it and we have to do it to teach our customers.
Ten years ago, we had to do backup tests every six months to a year, right? Is your data recoverable? That's still a [00:38:00] thing, but we're doing that daily now. We've automated that, our industry's automated that, but we still now need to do incident response every year. You need to do it and train your team.
What happens? And we are telling customers, don't start with tech. Incident response is a learned process. Start with something everybody knows: a tornado came through. That's an incident, right? Everybody can talk through that, especially up here in the Midwest, right? But then you go, okay.
Now you understand the process of a tabletop. Now let's turn it into tech, and let's talk about what you do. We do a lot of tech talks about the third-party vendor management you brought up earlier. Your vendor got hacked. How did they get to you? Right? Kind of thing. And what did you do to stop it? That's kind of where we're pushing every customer, to do it yearly. And by the way, [00:39:00] it's not included in your package. You talked about that too. You've got to tell people what they have and don't have. As an industry, secure IT people have been trying to bring our focus and our scope down so that you guys understand that we don't do it all.
So make sure you understand your contract with your IT people as to what they do, because they're probably going to charge you to do the tabletop exercise. So.
Jeff Voss: That's a great point. Yeah, that's a great point.
Alan Blount: If you are an organization of a certain size and do not have an incident response plan, you probably will not get coverage, cyber coverage, because from an underwriter's perspective, and this is very cliche, it's not if, it's when. So an underwriter, they're assuming, because all of our credentials are on the dark web, right, information is out there. They're assuming you're going to get attacked. So the view of the underwriter is like, okay, when it happens, how can I best mitigate my exposure? Right? And that's where the business [00:40:00] continuity, incident response plans come into play. So it's a huge, if maybe MFA is one, endpoints are two, and then incident response is three. Third control carriers look at.
Jeff Voss: So, switching directions here and getting back into the cyber insurance coverage. For banks out there that may not have purchased cyber coverage, or they have limited knowledge at the board level, can you describe the types of coverage that are available to banks today? Broadly, I mean, obviously there's a lot of intricacies in this, and you could probably do a whole hour-long podcast on that alone.
Alan Blount: So there's positives here. Ten years ago, carriers [00:41:00] were afraid of banks, right? And maybe I'm being generous. Five, six years ago, carriers were afraid of banks, both community and the larger banks. Today, carriers love banks. They love them as risk. Why? One, because they're regulated. Carriers like regulated entities.
Okay. And they have probably led the charge with investing into security controls. Why? Because there's too much at risk, right? With banks and financial institutions, it's really difficult when it comes to cyber to do a cost-benefit analysis, right? Because if they're hacked, it's just bad news all around.
So financial institutions have led, really, them and health care have really led the way when it comes to cyber security. Now, the negative side is that the underwriting is brutal. The underwriting process for financial institutions can be brutal because, again, [00:42:00] there's so much at risk, especially those institutions with various apps.
They may have a FinTech exposure, right? So that can be a very involved underwriting process, those that have a payment aspect to it, right? So when you talk about, to name one, Zelle, right? Things of that nature, that's additional underwriting. But Chad mentioned it early in this discussion: the carriers are going to use a NIST approach.
So the underwriters, you may not realize it, and some applications are smaller or longer, but it's really a NIST approach, right? The application is going to reflect NIST. So as long as the financial institution has that framework in place, they'll be okay. Now, there'll be a NIST approach with a heavy emphasis on payment transactions.
Okay, PCI compliance, things of [00:43:00] that nature, as well as ransomware. There will be significant questions around ransomware procedures and incident response. That's high level, but the coverage is broad, right? For banks, it's regulatory, social engineering. The banks really will get a standard policy. It's really no different from any other insurance policy: breach response, breach coaches, third party. So a cyber policy is split into first party and third party. Third party, the claims in that space are not huge, meaning there's not a lot of them, but financial institutions, that's where the third-party claims are at: financial institutions and health care.
Why? Because they breach a million people, personal information is out there, and the lawyer is like, [00:44:00] giddy up, let's go, let's settle this, let's sue. Or the state, local state agency's attorney general's office wants to bring an action. So when you
Jeff Voss: So is that where, I'm sorry, is that where the bank is using a third party to provide services and that third party's breached?
Alan Blount: Third party as opposed to first party. So the first-party coverage would pay for, we call that breach response. So that coverage would help the bank or any other organization recover, right. Do a forensics investigation, so help the bank understand how they got hacked.
What was the point of. If they have to send out notices of breach to customers, the first-party coverage would pay for that. The third party would provide coverage if there's any lawsuits as a result of that breach. So lawsuits from the state, [00:45:00] from the federal government,
Jeff Voss: Okay.
Alan Blount: traded, or individual customers bring a lawsuit.
That's where the third-party coverage would come into play.
Jeff Voss: Okay.
Dwight Williams: And Alan, I'm glad you went through, at a macro level, just how robust that cyber coverage can be. I think oftentimes the misconception amongst financial institutions, banks in particular, is that if I have a D&O policy, then I'm covered. I don't need all of these other, and air quotes, "ancillary" products.
And as you can see by what Alan just described, that cyber policy covers a lot. Now, that is not to say that a D&O policy could not respond to a D&O claim potentially emanating from a cyber event. It could, although insurers are now being [00:46:00] more clear by putting very clear, specific cyber exclusions on the D&O policy. We would tend to push back on those. But the reality is that there is a robust coverage available to you that is, in my mind, at least relatively cheap, at least relative to the risks that it can cover, that are not necessarily going to be covered under a D&O policy. I hope that, if nothing else you take away from me, it's that you have to be clear that a D&O policy does not respond the same way that a cyber policy would. That's very, very important, and that's why we've got experts like Alan on the cyber insurance side that can really articulate those exposures and risks that you have as a bank.
Jeff Voss: So let me ask the question that board members ask. How much coverage should I have? How much is enough?
Dwight Williams: Well, [00:47:00] this is an easy one. I can defer to Alan on that. That's the easy response.
Alan Blount: So what we do, we use analytics and benchmarking tools to help us determine that. I'll walk you through it. We take general factors such as the bank's revenue, sometimes AUM, their PII count, their employee count, and their SIC code. Okay. And we tend to run about 50,000 Monte Carlo simulations of severity, like worst-case scenario.
And we compare that bank to their peer group. And we look at what the average amount their peer group is carrying is, and what the median amount is. And from there, we like to see that you transfer about [00:48:00] 95% of your financial loss. Okay. So why that helps, that would help our insureds, is because, look, it says, yeah, you should carry 95 percent, and your peers are doing the same thing.
Okay. So one thing, and this is great. One thing that was always challenging with cyber, specifically the cyber policy compared to D&O, compared to property and other lines: it is a young product. It is a very young product in its current stance, right? There were cyber endorsements attached to a property policy years ago, but in its current form, it is a very young product.
So the data, right, the loss data has always been an issue. But now with analytics and claims history and things of that nature, we're able to really assess what [00:49:00] limits banks, financial institutions and other clients should carry. So we use an analytic modeling system to help determine what limits should be carried.
Jeff Voss: As a rule of thumb, are you seeing for banks that the D&O coverage levels approximate the levels of cyber coverage? So if you get a five-million-dollar policy for D&O, you're going to have a five-million-dollar cyber policy?
Alan Blount: We find that they carry more D&O.
Jeff Voss: Okay.
Dwight Williams: Yeah, I would agree. I think people tend to carry more D&O just from a historic perspective, right? Those policies have existed; perhaps a client's been carrying D&O coverage for 20 years. Cyber is relatively new and they're sort of growing their way into the purchase. Maybe you start off with a million and you grow to three and five.
My [00:50:00] guess, though, is that at some point we'll get to that place where they become closer matched. But obviously, at this point cyber is probably still lagging behind the D&O purchase.
Jeff Voss: Are you seeing any D&O claims or suits against directors,
Dwight Williams: Yeah,
Jeff Voss: for the cyber that the D&O policy needs to protect against, or?
Dwight Williams: Yeah. This is a tough conversation and I'm glad we're having it. I just wanna reiterate this: that the cyber policy is a policy that you need to purchase. Don't presume that a D&O policy is going to cover you fully in the event of a cyber event. That's the first thing, right now.
There are pieces of D&O, right. So the D&O policy is meant to cover you in [00:51:00] your capacity as a director and officer of the company, for mismanagement, breaches of duty. Now, could your lack of disclosure or your omission of something in your SEC filing, right, relative to the cyber exposures,
could that be deemed a D&O claim? Yes. Are you going to get covered? To Alan's point, as he ran through the breadth of coverage under the cyber policy, are you going to get coverage for some third-party vendor issues under the D&O policy? No. Our insurance companies are now trying to draw the line very clearly between a cyber claim and a D&O claim by adding exclusionary language to the D&O policy.
Absolutely. Obviously, as a broker, at least at Risk Strategies, we want to give the board and officers as much coverage as we possibly can within the confines of what the D&O [00:52:00] policy is intended to do. So, for instance, under D&O policies, some insurers might give you very small sublimits to respond to some things.
They may give you what we call a crisis event coverage, where there's a cyber event, and as a result of that there is a restatement, or there is a need to potentially think about bankruptcy, or some event that requires a marketing team to get around it, to corral it and present the company in the right light.
Yes. Don't assume that for that direct cyber loss there is any coverage under the D&O policy. And I would even go so far as to say that the board, the Ds and Os, should be suggesting that we look at a cyber policy. I think that that has to be [00:53:00] responsibility number one.
Jeff Voss: Alan, you mentioned that this is an evolving insurance product as well. I'm sure there have been lots of changes in the forms and the coverages and requirements of the policies. Is there anything that you hear of, that you guys are observing, that you expect to see coming down the road in these policies or coverages that aren't there today? It's kind of a loaded question, but,
Alan Blount: No, it's a fair question. So I'll tell you there are some things that we're interested in. Particularly one thing we kind of touched upon is AI.
Jeff Voss: AI, AI, right? Look for I was having with
Alan Blount: What will, how will the policy [00:54:00] change? Right? For example, and I'm just throwing this out there just based on community discussions, right?
And Chad mentioned this. If your company uses AI but does not have an AI policy in place, and there is a breach of some sort, right, because of use, meaning your corporate information has gotten out to the cyber world, because with a cyber policy, you don't always have to be breached for coverage to be implicated.
There could be, on the, what we call the unauthorized release of personal information, right? So in that case, if AI is used inappropriately, or you use some rinky-dink [00:55:00] system, like, Chad didn't use "rinky-dink," but one of the lesser-known AI tools, and there's an unauthorized release of data,
and you do not have a policy in place, would coverage be triggered? Right? So we can see some changes within the cyber policy that may speak to that, right? Because that's the question right now. But as far as change, the evolution of the policy, we still see things occurring with the war exclusion, right?
That's an ever-evolving provision of a cyber policy that we have to keep a close eye on. One, it's the world we live in. And two, I think it's safe to say mostly every carrier's exclusion is somewhat different. Okay. [00:56:00] And three, systemic risk. Okay. Systemic risk is always changing as the world gets smaller. Systemic risk is, to define it broadly, one event occurring that's impacting multiple organizations.
Jeff Voss: Yep.
Alan Blount: Right. Many. So, Change Healthcare, right? That's a systemic risk. It's one attack that impacted a significant portion of the health care industry. The pipeline, right? That impacted the entire East Coast. So carriers are still looking at how to deal with that.
Three years ago, we saw those systemic limits really decreased. So it was hard to get full coverage; that's back. But again, that's always changing. And carriers have [00:57:00] added language to the policy to basically say, for example, not if you cause, but if AWS released a patch, right,
and you, the insured, did not patch, you will have no coverage, things of that nature, right? That's the decrease of systemic exposure.
Jeff Voss: Great. Well, listen, we are approaching our time limit. I want to give each of you guys an opportunity to frame up anything you like on cyber as it relates to your company, your firm. Any quick advice you might have for all of our clients collectively, before I kind of wrap it up here.
Alan Blount: Yeah, sure. Risk Strategies, we're a national firm, very strong [00:58:00] cyber practice. What I appreciate about us is that with us, you get, and I mean it, white-glove bespoke service. Also, with our team, we're not just insurance; we consider ourselves consultants as well.
And one way we show that: we just don't have insurance people. Members of our team are certified security professionals as well. So we speak the language. We talk security, we talk insurance, but we really get our hands dirty in this space. That's something I really appreciate about Risk Strategies,
and one reason I came over here after spending 12 years on the insurance carrier side. With respect to all of our clients: definitely culture, and remain diligent. Again, this is an exposure that is top of mind, and that is for good reason. [00:59:00] Claims are ever increasing, not as big as they once were, but we're still seeing really large claims.
So again, it's be diligent, stay apprised of what's going on in this space, and invest, invest, invest, invest in your security.
Jeff Voss: Great.
Dwight Williams: And I would just say, to piggyback on Alan's point, there is a reason that Risk Strategies has a management liability practice team who focuses on D&O and professional liability and fiduciary and fidelity and crime, but also embedded into our team is the team that Alan leads, the cyber liability practice.
Top of mind, to his point, at the board level is D&O, but it's also cyber. So we are able to have those conversations collectively and [01:00:00] comprehensively with the C-suite, and with the CSO included in that conversation. And we really bring to the table the full suite and capabilities of our group on both D&O and cyber.
And I think that's unique, and a reason why I joined the firm. So if you have any cyber concerns, management liability concerns, it's one place, one team working with you on that at Risk Strategies.
Jeff Voss: And I'll wrap this up by saying, both BKS, Chad and his team, and Risk Strategies and your team, we are users of both of your firms. So we asked you to join us here today because we believe in your skill set, we believe in your experience and what it can bring to our banking community, our banking clientele that we represent.
[01:01:00] So with that, my final thought is this: this cyber security threat, it's out there. As everybody has said, this is, if not the top concern in banking, certainly one of the top two concerns. There's a convergence of technology risk, safety and soundness risk, and compliance risk here. It doesn't just touch the one pillar of technology; the financial impact of this threat that's out there can equally impact your safety and soundness and your compliance with various regulations that are out there.
So keep that in mind that this topic, again, is ever changing, ever evolving, extremely important, and the people at [01:02:00] Artisan Advisors would love to be able to chat more with any of you that have concerns about your cyber situation at your bank.
Jim Adkins: All right. Well, it looks like we are out of time for today. We could go on for hours. The topic is that important. I want to thank Dwight, Chad, and Alan for joining us.
If any of our listeners want to reach out to any of the panel, email me. My email is on our website, artisanadvisors.com. On behalf of Jeff and all the Artisan team, thanks for listening and have a great day.