The ugly truth about third party risk management
Data Breach Database
Your vendors are selling you bad, incomplete data. Who are their sources?
1. If they have NOT purchased a cyber loss feed from insurers, they cannot accurately quantify the financial impact of a risky vendor.
2. If they are NOT sourcing breach notification data from all federal, state and industry regulators, they are not truly monitoring vendors.
tl;dr - The Ugly Truth
Can you spot the issue? What’s so wrong?
Problem 1
“Organizations should stop using risk scores and risk matrices. There is mounting evidence against (and none for) their effectiveness”
— Doug Hubbard, author of “How to Measure Anything in Cybersecurity”
Problem 2
Source: https://www.youtube.com/watch?v=bYjPmptlc14
Instead…
Solution = Better Data: breach data and cyber loss data
What is breach notification data?
Question: Are private companies mandated to notify their users if they leak their data?
“All 50 states and the District of Columbia have laws requiring private businesses to notify individuals of security breaches of [..] personally identifiable information.”
— National Conference of State Legislatures
Fun Fact
Source: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
1. Breach notifications are regulated at state level
2. 35 states and DC require private companies to notify their
Office of the Attorney General
3. 40 states and DC require notification to a credit reporting agency
4. Generally, notification is required for >=1,000 citizens
5. Notification requirements are ASAP to 45 days generally
Things to know…
1. Breach notifications are real data. They are the Who, What, Where and When.
2. Not notifying impacted users = you’re breaking state law!
3. Breach notification data can be used to ensure vendors, clients and partners are being truthful.
4. If you’re paying for risk/threat intelligence data but real data isn’t included, what are you really paying for?
Takeaways
What is loss data?
Question: How would you identify the true financial cost of a data breach?
It’s your insurer’s job to know how much it will cost them if your company has a breach, because of risk transfer.
Why is this important…
(Diagram of the risk transfer chain: Insurance Company, Reinsurer, Insurance Linked Securities)
● Company and industry identifiers
● External or internal caused loss, including employee, vendor/consultant, terrorist, criminal organization, etc.
● Actor vectors, proximate + secondary causes, compromised data sources, types, and affected counts
● Settlement amounts, legal fees, fines, restitution
Fields
1. Cyber loss data is used purely for underwriting purposes, not continuous monitoring of actual breaches as reported to regulators.
2. It is occasionally the Why but always the How Much of our story.
3. Identify the REAL cost of a breach from an insurer’s POV.
4. Enrich your risk tools for better storytelling.
Things to know…
Solution(s)
Third Party Risk (continuous monitoring)
Vendor X - High Risk
What story do we want to tell?
● What letter grade would another vendor assign them?
● What would their theoretical credit score be?
● What security issues are in their external facing sites?
Vendor X - High Risk
An alternative story:
● How many breaches have been reported to a regulator?
● Have they reported a breach but not told us?
● Did they report something different than what was shared with us?
● How much did their breaches cost them and/or other parties?
Which story is better?
A story:
● Vendor X reported three “incidents” last year
● They informed us of one of the three
● They lost the data of a competitor due to phishing
● The total loss amount was $5m USD
A story:
● Vendor X has a risk rating of A-
● They have websites that don’t enforce HTTPS
● The vendor is mentioned in an unnamed forum on the dark web
● The range of industry losses is $500k-7m
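The first story is the output of a reconciliation: take the breach notices a vendor filed with regulators, compare them against what the vendor told us, and add the loss amounts from a cyber loss feed. The following Python is an added example of that join (it is not code from the deck or from breachsiren.com). The record layouts, the vendor name, the regulator label and every date and dollar figure are constructed; the 45-day matching window is taken from the notification deadline stated on the "Things to know…" slide.

```python
"""Reconcile regulator breach notifications with a vendor's own disclosures
and enrich the result with cyber loss records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Notification:
    """A breach notice filed with a regulator: the Who, What, Where and When."""
    vendor: str
    regulator: str
    reported: date
    affected: int
    cause: str


@dataclass(frozen=True)
class Disclosure:
    """What the vendor itself told us about an incident."""
    vendor: str
    told_us: date
    affected: int
    cause: str


@dataclass(frozen=True)
class Loss:
    """A cyber loss record of the kind underwriters buy: amount and harmed party."""
    vendor: str
    event_date: date
    amount_usd: float
    harmed_party: str


# Notification deadlines on the slide run from "ASAP" to 45 days, so a vendor
# disclosure within 45 days of the regulator filing is treated as the same event.
MATCH_WINDOW = timedelta(days=45)


def _same_event(n: Notification, d: Disclosure) -> bool:
    return n.vendor == d.vendor and abs(d.told_us - n.reported) <= MATCH_WINDOW


def reconcile(vendor: str, year: int, notifications, disclosures, losses) -> dict:
    """Answer the four 'alternative story' questions for one vendor and year."""
    reported = [n for n in notifications if n.vendor == vendor and n.reported.year == year]
    used_disclosures = set()
    disclosed, undisclosed, mismatched = [], [], []
    for n in reported:
        match = next((i for i, d in enumerate(disclosures)
                      if i not in used_disclosures and _same_event(n, d)), None)
        if match is None:
            undisclosed.append(n)          # reported to a regulator, never told us
            continue
        used_disclosures.add(match)
        d = disclosures[match]
        disclosed.append(n)
        if d.affected != n.affected or d.cause != n.cause:
            mismatched.append((n, d))      # told us something different
    vendor_losses = [l for l in losses if l.vendor == vendor and l.event_date.year == year]
    return {
        "vendor": vendor,
        "year": year,
        "reported_to_regulator": len(reported),
        "disclosed_to_us": len(disclosed),
        "undisclosed": len(undisclosed),
        "mismatched": len(mismatched),
        "causes": sorted({n.cause for n in reported}),
        "harmed_parties": sorted({l.harmed_party for l in vendor_losses}),
        "total_loss_usd": sum(l.amount_usd for l in vendor_losses),
    }


def narrate(summary: dict) -> list:
    """Turn the summary into the bullet story the slide asks for."""
    return [
        f"{summary['vendor']} reported {summary['reported_to_regulator']} incidents "
        f"to a regulator in {summary['year']}",
        f"They informed us of {summary['disclosed_to_us']} of them "
        f"({summary['mismatched']} with details that differ from the regulator filing)",
        f"Causes on record: {', '.join(summary['causes'])}; "
        f"parties harmed: {', '.join(summary['harmed_parties'])}",
        f"Total loss amount: ${summary['total_loss_usd']:,.0f} USD",
    ]


# Constructed sample feeds (not real filings or losses).
NOTIFICATIONS = [
    Notification("Vendor X", "State AG (constructed)", date(2023, 2, 10), 12_000, "phishing"),
    Notification("Vendor X", "State AG (constructed)", date(2023, 6, 3), 800, "lost device"),
    Notification("Vendor X", "State AG (constructed)", date(2023, 10, 21), 45_000, "phishing"),
]
DISCLOSURES = [
    Disclosure("Vendor X", date(2023, 2, 20), 9_000, "phishing"),   # understates the count
]
LOSSES = [
    Loss("Vendor X", date(2023, 1, 28), 3_500_000.0, "competitor"),
    Loss("Vendor X", date(2023, 10, 9), 1_500_000.0, "Vendor X"),
]

if __name__ == "__main__":
    for line in narrate(reconcile("Vendor X", 2023, NOTIFICATIONS, DISCLOSURES, LOSSES)):
        print("●", line)
```

The join keys here are deliberately loose (vendor name plus a date window) because regulator filings and vendor disclosures rarely share an incident identifier; in a real pipeline the vendor field would be a normalized legal-entity identifier, which is what the "company and industry identifiers" field on the loss-data slide exists for.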
“CISOs need to translate the cybersecurity request for funds into the language of the rest of the organization”
— Doug Hubbard, author of “How to Measure Anything in Cybersecurity”
Solution
Source: https://www.youtube.com/watch?v=bYjPmptlc14
● For cyber loss data:
○ Verisk, IHS Markit, Zywave
● For breach notification data:
○ Sign up for breachsiren.com
● Reading:
○ “How to Measure Anything in Cybersecurity Risk” by Doug Hubbard
○ FAIR Blog: Shopping for Cyber Loss Data by Allison Seidel
Recommendations…
The Ugly Truth
Questions?
breachsiren.com
The Ugly Secret about Third Party Risk Management.pptx
Editor's Notes

  1. Note: Verizon DBIR historically used a small subset of breach data (~17 states) for trend analysis. Fun Fact: How many TPRM vendors have this information? I’ve checked and, to my surprise, I have yet to find a single one.
  2. This problem lives in our tools. How do we communicate value when our tools don’t use REAL data?
  3. One, we’re missing the big metric = real money, but more importantly we’re failing to tell a story. I want to know what’s impacted my competitors’ and industry peers’ quarterly and annual earnings. Not some breach study with averages or someone’s opinion on what the dark web values.
  4. Literally most of the tools in our industry are pushing us in the wrong direction here…
  5. We can do what Doug says to do which is to use historical observations and to also quantify those observations.
  6. To build out that story with data, we’re going to look at insurance and legal and deal with our topics for the day, which are two different but closely related data types (breach & cyber loss data). Before we hop in, let me tell you a quick story about how we ended up here…
  7. That was a clue that we needed more data and led to the question: what are breach notifications, really?
  8. Show of hands. We know about HIPAA. Right, but what if it’s just PII?
  9. Not 5, 10, 25 but all 50 states have laws requiring you to notify.
  10. What I find fascinating is that to be honest, I didn’t know this until last year. If your company is not notifying the state, you may be breaking the law. This gets really interesting when we think about whistleblowers. Let’s look at these and learn more…
  11. Here’s a breach reporting form for the state of New York in 2012. In a lot of cases, what happens is that inside counsel works with outside counsel who handles notification and contacts the AG’s office.
  13. Secondary question: Can you compute reputational damage?
  14. As an example, here’s a slide from a presentation that I did many years ago on the Anthem (Wellpoint) breach of 80 million records of PHI. Here are the actual costs as reported in their annual reports and regular reporters.
  15. We could attempt to crunch the numbers ourselves but we cut corners here by understanding a little bit about how the insurance industry works…
  16. Now that we understand what it is and why it is, let’s dive into what the data looks like and how it can be used.
  17. Now that we understand what it is and why it is, let’s dive into what the data looks like and how it can be used. In this case, we have the largest cyber losses from last year. Instagram was the winner with $401m due to a GDPR violation. The other top 4 were hacking losses in the cryptocurrency industry.
  18. For 2022, we can see that breach losses as a whole cost more than privacy losses.
  19. Fun fact: Insurers pay a ton of money for this data and there are entire companies that specialize in helping them model and price out risk. Starting price hundreds of thousands to millions of dollars annually.
  20. Let’s wrap up and talk solutions.
  21. Status Quo - Let’s assume that they’ve completed a questionnaire and in this case we just want to know about their technical risks. The current options let us check the box and, let’s be honest, that does have value, but there are so many gaps that it borders on fraudulent. What happens if a vendor doesn’t have a significant online presence? How does a letter grade tell me whether they’re using MFA or if they’re getting quality pentesting or not?
  22. Current tools can’t provide you this information and when they do, it’s for a tiny subset of what’s out there. Again, it’s time for change.
  23. Let’s suppose that your vendor process is the same in both of these stories. A questionnaire has been completed along with a quality SOC2. From here, we can arm legal with resources to build out meaningful asks for added insurance coverage or security language.
  24. Here’s one last quote from Doug Hubbard the author of #1 bestselling business math book, “How to Measure Anything” and also “How to Measure Anything in Cybersecurity.” Two of his books are required reading for the Society of Actuaries exam prep.