Dan Bowden, CISO at Marsh, gives us an under-the-hood view of how insurance companies mitigate cyber risk, things they look for, and how they support their clients, in this week’s Reimagining Cyber episode, “Under the Hood of Cyber Insurance.”
Episode 39 | Reimagining Cyber
Under the Hood of Cyber Insurance | Dan Bowden
Dan Bowden 00:00
We had this thread going the other day about what happens when you're attacked by a nation state or suffer a catastrophic outage due to that. So, when insurance companies that cover flood, or earthquakes, you know, there's a certain point if the event is bad enough, they're in a way kind of rooting for the federal government to declare a disaster because what happens then, FEMA covers certain things. There isn't a cyber-FEMA.
Rob Aragao 00:35
Welcome to the Reimagining Cyber podcast, where we share short and to-the-point perspectives on the cyber landscape. It's all about engaging yet casual conversations and what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategists, I'm Rob Aragao, Chief Security Strategist, and this is Reimagining Cyber. Stan, who do we have joining us for this episode?
Stan Wisseman 01:01
Rob, our guest today is Dan Bowden, the global CISO for Marsh, the world's leading insurance broker and risk advisor. Dan has three decades of experience in leadership, deploying robust, business-enabling cybersecurity solutions. Prior to Marsh, Dan served as CISO for Sentara Healthcare as well as the University of Utah health care system. He's also worked as a security leader at Zion Management Systems, a regional banking system, as well. It's great to have you with us today. Dan, is there anything else you'd like to share on your background with our listeners?
Dan Bowden 01:35
No, I appreciate the opportunity to be here. Stan, thanks for the intro. The 30 years, three decades, makes me shudder a little bit. But I also point out, I pointed out to someone the other day, I'm so old, I can remember holding an encryption key in my fingers. So that's back in the 1900s. Right. So a long time ago, but I guess it's time to just embrace it. Right. So
Stan Wisseman 02:02
I had a similar experience. I was teaching at a conference last week. And I mentioned that I started in '84, at the National Security Agency, and I was using the Orange Book, and asked if anybody knew what the Orange Book was. And one person raised their hand out of 150 people. I was like, "Wow, I'm old." Anyway, Dan, as you are well aware, Marsh is one of those companies that's sort of like the behemoth in cybersecurity insurance, as one of the largest firms that offer cybersecurity insurance. And obviously, as the global CISO, you have responsibilities for the enterprise side of the house. Do you get involved with the insurance side of the business? And if so, how extensively?
Dan Bowden 02:51
You know, it's interesting, we are probably a vendor for everyone. So, it seems like it, and we do a lot of support for our client account teams. In a lot of ways, they get asked to be vetted as a vendor, so we assist with that. We also assist with opportunities; sometimes they like for us just to speak with others or even other vendors about cybersecurity, to understand what's going on, views on where threats are trending, how we can assist. And so, it's a pretty wide variance of work that we do to support the business. I want to see Marsh win, right? That's the end game for me. And so, if a client account team needs kind of the ground game help of, we've got this contract and they want to know how good we are at protecting their data, or what we can help them then learn or glean or find solutions. And so, you know, at the end of the day, I'm here to help the team win, no matter what that means. And so, we get involved in a pretty wide disparity, but yeah, the day job is protecting our people, protecting our assets, protecting our clients' assets that we have stewardship for. But at the same time, what can we do to win and show people that we're the best option that they have in terms of those services?
Rob Aragao 04:30
Well, that's great to hear. You're supporting the business in obviously multiple facets, and it's nice to see discussions that you're having also with clients of yours as well. I think that type of collaboration at times is extremely needed. So, it's really great to hear that. You know, one of the things on the topic of cyber insurance that's been interesting to see, Dan, is this perception out there that, you know, insurance brokerages are increasing, obviously, the costs for the coverage the organizations are getting. They're really looking at saying, "okay, you know, we're not going to cover you as much," because they're taking a hit from a business perspective. And yet again, they're driving those costs and requirements up on the client side. Just kind of, what's your take? What are you seeing out there in that space?
Dan Bowden 05:21
You know, it's interesting, I think that to your point, we're learning what a good target for a hacker looks like. And I think for those of us who have been in the security game for a while, we know this, just through experience, right, those are things we've seen. But in terms of assessing organizations, there are some big glaring things. Now, if you don't have MFA, you know, on your external portals. I explained to someone, and I'm sure I have friends or family members, I watched a family member do this the other day, walked out of her apartment, locked the door and threw the key under the mat. And, if you don't have MFA, that's what your external portals are. You throw the key under the mat, and somebody who wants to get in, they're going to figure out a password, they're going to find out a password to someone's account in that portal. They are really good. And if they're good, once they get there, even if you think that portal goes nowhere, well, the IT team has utilities they run, their scripts, their management services they use, and a good bad guy is going to find those things, they're going to decompile some stuff, they're going to find another set of credentials, and they're going to find a way to get off that server to somewhere else. So even though you may think, "Oh, well, that's the portal to this place with no important stuff," well, it's part of a bigger management framework that's used. And so that's the key one. And then other things, you know, how are you doing for managing vulnerabilities? That's still a ground game thing, and really hard to keep track of for organizations. And then just workforce training and awareness, phishing attacks. Phishing attacks are still the hackers' favorite weak spots. Instead of trying to beat you at one point of attack against your controls head on, they can spray a phishing attack across hundreds or thousands of members of your workforce.
And statistically, we know, and you know, if you've been doing phishing campaigns in your organization, what percentage is going to click, and then you've got to decide how that works. But that's where we come back to MFA: you assume someone's going to give up their password, the bad guy is going to find the key under the mat. And so that's what the second factor is for, is protecting that. But that's what we're learning on the insurance side, is how to tell who's going to have a bad time, who's going to struggle, and kind of vet those out and let them know, hey, if you want to be one, just doing the right thing, protecting your organization, and then doing things right. If you want to have insurance coverage, if you want to have regulatory coverage, or assurance, contractual assurance, reputational assurance, there's a lot of good reasons you should do some of these things that our really sharp consulting and risk management advisory teams recommend.
Stan Wisseman 08:42
So, Dan, I've never worked for an insurance company. And I have to say I have a very high-level understanding of how they work. But my high-level view is that, you know, they have historic data sets that actuaries use to help make those kinds of risk-based decisions on whether or not to provide coverage, or the cost of that coverage if they want to provide it, the policies, etc. It sounds like from what you're saying, in the cybersecurity domain, we're building some of that data, we're actually now creating those historic data sets that allow you to make those risk-based decisions. And there's been enough runway and experience that you're starting to say these are the kinds of controls that you definitely need to have to be insurable, and/or your rates are going to go up if you don't have them. You know, you mentioned MFA. Any other controls that are must-haves?
Dan Bowden 09:38
Yeah. It's interesting, right? It's a great question, to your point about the runway. We have a lot. There's a lot of great tools out there now. They kind of fall in the category of third-party risk or attack surface management. And these companies will go pull historical security breach information, in your public information, open source information. And I'm sure you know, we can now curate: what happened? How did it happen? Was it ransomware? How did the ransomware get in? So that's one historical point. But at the same time, when you're vetting or being vetted, you may be asked, what are you doing? What kind of endpoint solutions are you using? Is it advanced, kind of the category of advanced solutions? Or are we talking old school AV on the desktop? And so over time, I think we're going to get much smarter and be able to develop and curate information to say what it looks like over the past three years: all of our clients who followed our guidance and used these kinds of solutions, none of them had an incident, whereas of all those that didn't, X percentage did happen to have an incident. So, we are trying to profile a little bit of that information and say, which controls? And did they have your more advanced protections on? Because that's the thing, there's always somewhat of an argument, right? Well, if I've only got so much money to spend, should I spend on A or should I spend on B? And I think that's what we're going to try to help them figure out is, based on your circumstance, the kind of organization you are, the threats that tend to come your way, we would recommend, you know, one or the other based on that.
Stan Wisseman 11:33
So Dan, I think one of the things you said there that I'm wondering if it is changing, as far as the self-attestation or self-assessment, versus a more in-depth kind of review of that, potentially, is doing some discovery of the controls yourself. Are you seeing that change? Are you still doing questionnaires and letting them complete them, and say, yes, I have this, but they may or may not?
Dan Bowden 11:58
You know, it is tough to get that level of validation, especially when you have many to assess. I think across the board, everyone is still basically doing the self, you know, we're asking the question, they're filling out the survey. And then sometimes there's a follow up. Now, here's the hazard, right: if you don't tell the truth to your insurance company, no matter what it is, if it's car insurance, or anything else, if you violate certain bounds that are written into the contract, you're not going to be covered anyway. So, I guess, I mean, driving is a little bit different, where they can look at your history, and there's maybe only so much that you can be untruthful about. But still, if you haven't gotten your safety inspection, if you are driving impaired, something like that, there's a lot of things you can do that invalidate that, and the cybersecurity game is not going to be any different. You know, if anyone's being untruthful, they only get away with it as long as they don't crash, or suffer some kind of an event. But it's hard to validate firsthand every single opportunity. And even with us, when someone's like, well, I want to do this or do that. Wow, okay, well, I need to hire somebody to come in and facilitate that kind of engagement. And it's a two-way street, right? It cuts both ways. If you want to dig that deep, you've got to ask yourself, do I want to hire someone? What do we learn? Or do I try to create a contractual instrument that holds someone accountable for not living up to their word? I think we're still in that phase of things. That's my impression right now.
Rob Aragao 13:49
I think you're accurate, it still is very early on, tying it back to the initial point of, you know, there is so much historical data for other facets of the insurance business. So, this is still a bit of a mature area. One of the things that I'd love to get your take on, that came out last year, actually, towards the end of last year, was from Lloyd's of London, and an announcement that they actually made, which was centered on the definition of cyber war, and as it impacts their clients specifically, right. Now, when you think about this, right, they're basically saying that they're no longer going to cover losses resulting from, quote unquote, cyber war. And so, they define it as cyber operations carried out by a nation state, in essence, and it has keywords, "has a major detrimental impact on the functioning of the state," quote unquote. So that's open to interpretation. So pretty gray areas. My question to you is kind of like, what do you see in that area? What are some of the transitions? Has that come up as a topic of conversation in any of the discussions you've been having?
Dan Bowden 14:51
Well, it certainly does. And this weighs on the mind of our risk advisors and our folks who figure out this coverage, and you know, I was actually thinking about this and sorting some of the topics. But along with war, there's just all kinds of variables around software, and things like that. But we had this thread going the other day about what happens when you're attacked by a nation state or suffer a catastrophic outage due to that. And there, in terms of just the United States, we don't have a cyber-FEMA. So, when insurance companies that cover flood, or earthquakes, you know, there's a certain point if the event is bad enough, they're in a way kind of rooting for the federal government to declare a disaster because what happens then? FEMA covers certain things. There isn't a cyber-FEMA.
Stan Wisseman 15:48
There's no cap, there's no cap coverage.
Dan Bowden 15:52
Exactly. There's no cyber-FEMA. That's the hard thing we talked about, is the cyber war exclusion language. I think that's going to become a thing. I don't know to what length or how we decide who it applies to, or do you just have to say it applies to everyone. But it's going to become a challenge, and a great topic. If you ever get a chance to talk to some of our advisory people, I pay, you know, attention to how they dig into these things. I think they probably could opine on this for an hour about all of those things and those opportunities.
Stan Wisseman 16:31
Well, Dan, I think one of the things that's happened in the last, what, five years, is that there's general recognition that cyber insurance is a risk mitigation strategy recognized by executives now. Right. But there are differences in what's being offered, I think, and how you're determining it for a large enterprise versus a small business; both would benefit from having that as a risk management, risk mitigation approach. How does, you know, how does Marsh and others handle the distinction and the differences between those two kinds of entities, as far as the size and what they need?
Dan Bowden 17:14
So, would this be on the advising-them-how-to-approach side? Right? That's a great question. I think what it comes down to is, at the end of the day, that business impact of our services, of our data. This is where you can kind of blend the business impact along with the CIA triad, right? Confidentiality, integrity, availability: if one of those three factors is exploited in a significant way, against a given service or data, what does it mean business impact wise? Are we on the news tonight? Did we violate a law? Did we violate contractual obligations, reputational harm and all those things? There are different countermeasures an organization may be willing to take, and that's the hard thing to explain, where they have to do a lot of thinking. But I think the model is the same, regardless of size, but the scale in which they choose to address a particular threat. And you know, here's a kind of cherry-picking topic, PCI. Right? So, honestly, it's about confidentiality, right? If my system goes down hard, and no one can process payments, I'm still PCI compliant. I didn't lose any credit card data, right? My customers might be mad because they can't pay for things and it's business impacting, but I think that's the kind of example you have to unpack with people on that business impact is, how far do we go? You know, my web portal has a denial-of-service vulnerability, my payment portal. Well, what happens when it's exploited? Well, it just goes down hard. Okay, well, do you want to patch it or not? You know what I mean? So, as a CISO, you may say that, "I'm comfortable signing off on that for PCI," you know, you might get a CISO that does that, because, hey, they can't get to the data. But the person in charge of revenue, the CFO, may say, "Well, you know, I think I'd like to patch that anyway, because business is better if we provide that." That's the problem. I think the gap is that, to your point, every executive now cares about this issue, no matter what size of business. I think the problem is, they don't have enough people to help unpack those nuances of that impact. You know, what does it mean? I'm still PCI compliant, which is what the CISO cares about, but the CFO cares about making money: well, I do want to patch the vulnerability, you know, that denial-of-service vulnerability, so I can keep making money. And that's the gap in all these organizations. And that's the hardest thing for insurance brokerages to figure out in an organization. You can talk to people. And what's two or three times, you know, before I worked for Marsh, I was a Marsh client, right, and I had to do these calls with insurance carriers. And sometimes there were 10-15 carriers on the phone. And I had to do like a 60-slide presentation in 45 minutes. So, I obviously sent it ahead of time for people to read it, but then boom, boom, boom, boom, boom, I'm going through all this. But that's the hard nuances. Partially, they're judging me. But in that controls structure, and determining impact, that's what the gap is. I think a lot of businesses underestimate what it means. That's why that PCI example is so easy to reference: there's security impact and compliance impact. But then there's business impact. And not always everybody's on the same page when it comes to that.
Rob Aragao 21:11
That's a great perspective into that kind of weighing of, you know, the operational risk versus the cyber risk. There's a crossover in certain areas, and then there's still kind of those areas of gaps that people can kind of try to interpret in different ways. And that's part of this conversation that's been happening, the evolution of, you know, really understanding what's the business looking for? What is the business impact, as you're talking about? And then what are my responsibilities to drive better cybersecurity capabilities back into what we need, right? So, Dan, thank you so much for coming on today. We really had a great conversation. I think your analogy, from an MFA perspective, keeping it really simple: it's leaving the key under the doormat. Very good analogy you drew out there. I think it just kind of paints that picture of, you've got to think differently, right? The attackers are always going to be out-stepping people, so how can we change it up? That's a very simple one to think about. So, thanks for sharing your experiences, your perspective also, and what we're doing now in cyber insurance, and some of where it's going as well.
Dan Bowden 22:04
Thank you, it is a pleasure to have a chance to talk with you all.
Stan Wisseman 22:07
And thanks, Dan.
Rob Aragao 22:09
Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us, and you can find out how in the show notes. And don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.