Season 2, Episode 1: 2022 Trends discusses predictions from Fusion's industry experts. Join our host Manager, Marketing Communications Bridget Anders and three amazing speakers Sr Director of Product Marketing Paula Fontana, Director of Cybersecurity Safi Raza, and Solutions Manager, Compliance Lauren Kornutick for a discussion on compliance, cybersecurity, regulations, and more.
Bridget Anders (00:00):
Welcome back to Building a More Resilient World, sponsored by Fusion Risk Management. This podcast is where we discuss the basics of operational resilience, business continuity, and risk management. Today, we are discussing 2022 trends. My name is Bridget Anders, and we will be speaking with three amazing experts: Safi Raza, Director of Cybersecurity, Lauren Kornutick, Compliance Solutions Manager, and Paula Fontana, Senior Director of Product Marketing. Thank you all for being here today. Excited to get this started. Let's get the conversation going with Lauren. What upcoming trends do you foresee to be key in 2022?
Lauren Kornutick (00:40):
The couple of trends that I would flag are this new move to having personal accountabilities for directors, officers, and executives as part of regulation. And then in the U.S., there's, you know, the ability to sue them individually, and that's not something that's like been super common in the U.S. And then the next one is not really a regulation, but I wanna raise it because I think it's important. Insurance companies have started to use ESG programs and cybersecurity programs as part of their risk modeling. So while it's not regulatory per se, it kind of like fits into that area of, you know, things you need to do to successfully mitigate risk because everybody needs an insurance policy. Then this like whole concept of supervisory convergence in the European Union and how that will impact people doing business in Europe.
Lauren Kornutick (01:40):
Big example of that that everybody's talking about is DORA. DORA focuses solely on IT risk management, and a component of the focus of DORA is, you know, how you manage your most sensitive data and data privacy. And data privacy is not something that's going to go away. You know, there's this patchwork framework we have in the U.S. that's emerging. We've got continued emerging global framework, and it impacts, you know, upstream and downstream cyber regulations, regulations related to supply chain, and then also how breach response plans and incident management plans are run if there is a privacy incident. So that's kind of my rundown on what I see happening.
Safi Raza (02:28):
You mentioned one of the things that is on my list as well, Lauren, and that is cyber insurance. Obviously we had so many unprecedented attacks - and most from supply chain attacks - happen, and in 2021. So the insurance industry is taking a new look on the way they insure or provide cybersecurity insurance. And to your point, Lauren, they are adding all these details: compliance with the ISO controls or whatever the mandates are. But they're looking at these things with the magnifying lens, whether even if you are in general compliance, but you miss one thing here and there, which could be a very minor thing in audit, they will actually - they have the ability to decline the coverage. One good example is really CNA. If you recall earlier this year or possibly middle of this year, CNA Financial was hacked or they had the ransomware issue. They ended up paying about 40 million dollars, and now the news on the street is not actually seen on news on it, but really from part of my CISA community that the insurance firm has declined to cover them, cover the 40 million dollar loss.
Safi Raza (03:44):
So, there's a concern. This spread, as soon as this news came out that what exactly is my obligation? Everyone is concerned about it. What to do in the future? Am I covered? Am I just paying that much of a premium for nothing? So I'm expecting a lot of changes to come, a lot of more details, more oversight possibly. So certainly that is something that's on my list as well, just from the cybersecurity insurance perspective. But supply chain attacks, yes - we do see them. They're going to continue to arise. I mean, we just paid again. I mean, I'm going to use CNA for example: this 40 million dollar for one group of hackers, and that's - when they start paying that kind of money, the people who have been sitting on the sidelines, they will jump in as well. We don't realize it in the United States or investors in Europe, but that is a big business of - hacking is business.
Safi Raza (04:41):
Even though I recalled my first interaction was, about something like that, was in 2007 when we found out that they actually run an office there. People work from 9:00 to 5:00 at a job in some country in Eastern Europe where their job is to hack people and demand ransom. So we'll see increase in upcoming months. Across the board, we've already seen an increase, and the folks are attacking. It's not specific to the big banks, the big insurance companies, or financial firms - they're attacking everyone, from small mom and shop business operations to JP Morgan's of the world. So we'll kind of, we'll continuously see increase in that segment as well.
Bridget Anders (05:27):
Great, thank you, that's really great information from both of you. Paula, do you have anything else you would like to comment?
Paula Fontana (05:33):
Yeah, and obviously operational resilience is just going to continue to accelerate. I mean, there's a lot of discussion in the analyst community around organizational resilience and, you know, the differences between, you know, operational resilience and organizational resilience, so it'd be interesting to see how that all plays out. Organizational resilience is a little fluffier and more ambiguous - tends to be more focused on things like HR and finance and less on, like, the day-to-day operating elements necessary to deliver critical product or service. It lacks a real regulatory trigger, at least at this juncture. I think we're going to continue to see a lot of focus on AI and machine learning, you know, predictive technologies. I think one thing that really hasn't picked up a lot of steam but has been kind of on the periphery of the discussion has been like, how do you use - more around like the Internet of Things, right?
Paula Fontana (06:39):
Like how do you use sensors to - especially as we kind of go back to more of a physical world, like, is there an opportunity for the use of sensors and other types of smart devices to enforce, like, various controls and measure more effectively? One thing that's come up quite a bit in recent panels, and I think this will just accelerate as we kind of define the new world of work, is, you know, this element of behavioral science. And especially because there's a ton of ambiguity as to what the future of work will look like ultimately. I think we're writing the script as we go, but, like, thinking about behavioral science and, like, what's the best way to motivate people and ensure that you have proper governance in place. And I love this trend that I'm seeing within the compliance community.
Paula Fontana (07:32):
And I know, Lauren, you could elaborate on this point, but the compliance less as like the "person running around with a stick" - more as someone who is a change enabler, who sets the guardrails by which you operate the business, and effectively manages change for the organization. I think with the emergence of ESG as a key focus for the organization, like, that's going to be more and more the case, you know: risk and compliance as business enablers as opposed to just, you know, loss or prevention or risk prevention. So I think that's a really exciting development. I know we talk a bit already in our messaging around risk and resilience, and even compliance is like a performance enabler. Or there's the dual side in nature risk: it's not just about sensing those things that could go awry or would be bad for your organization, but also spotting opportunities.
Paula Fontana (08:31):
And the chaos that surrounds us every day more as a strategic measure or using that data to really sense and predict how likely it is that you are able to achieve your strategic objectives - you know, staying on the course and the trajectory that you are. So I think that's super interesting. I mean, some of the other things I think were mostly touched on - I think the role of like good risk management and innovation. We talk a lot in our roundtables about, kind of, the concept of risk tolerance and how risk tolerances are actually not - like, they're not even across the organization, especially large organizations, because depending on the business unit and what you're trying to do, your risk thresholds are different, right? And so the regulators actually say that they expect that - like, that's a healthy indicator that you've done the work to really assess what, you know, those tolerances and that appetite is.
Paula Fontana (09:30):
So I think that would be a really interesting topic. You know, the networked economy I think is. So, like, there's a lot of work being done, and, Safi, you could probably talk much more extensively to this, but a lot of consortium groups kind of forming specific to cyber security, and so how can we band together more as a collective or like an ecosystem in just creating, like, smarter, more resilient ecosystems? You know, because that kind of speaks to, like, third party as well. Like, how are we all reliant on one another and the cascading impacts of disruption? And I think, like, just generally, like, board and executive agendas - and how, like, not only in the case of ESG, but also just disruption generally, has become business as usual. So that's really influenced the way that our boards and executives think about risk and even things like strategic planning. And I think, Lauren, you touched on this concept of, like, reputational risk, but I feel like it's always been the case. So, you know, it could take, like, decades or even a century to build a brand, but it can be destroyed overnight. I feel like that risk is just accelerated or been amplifying.
Lauren Kornutick (10:45):
Yeah, and it's not just with compliance issues now - it's everything. So yeah.
Safi Raza (10:51):
I would say that until now, until December of last year, when I have heard the word "SolarWinds," I had different thing in my mind. So something else pop up that for monitoring solution that I have used extensively in the past, in my past life. But now every time, is it me or one of my colleagues - whenever we hear the term "SolarWinds," the first thing goes, "oh, the hack." So, yes, the reputation damage that's being done is huge. I agree with the point that it'll take decades to get out of something like that.
Lauren Kornutick (11:26):
Yeah, and to Paula - your point before, when you were talking about how risk and compliance have become kind of like the champions and change enablers, I think an important point to make in that discussion is that it ties back to your value proposition of your organization. And nearly every organization has some version of trust, integrity, I don't know, pick a word in that theme, as a value, but reputational damage is when you're putting that front, right, on the front that you have these values - you really have to live and breathe them, so you don't run into that, like, reputational damage, and you can better explain incidents as a one off if they do occur. So it's really that cultural change and that, you know, championing of that culture of compliance, integrity, ethics, risk, risk management, etc.
Safi Raza (12:19):
And that precisely is right. And I like the same point Paula mentioned, and she said that compliance is often viewed as someone chasing the people to do their job with a stick, right, and that's exactly what it is. So how people have seen their day-to-day compliance is just a check in the box, but what we really need to see - and this is a number of organizations that are working towards this - is about creating a security and compliance culture as something that is built into the design, the training, and security. Something that people - security pricing, compliance are some of these things that people should think about from the very beginning. And a number of organizations are focusing their efforts towards creating a more robust, more security-centric, privacy-centric, compliance-centric, security culture.
Lauren Kornutick (13:07):
And that's the hard change, right, is that cultural change. Because like you just said, Safi, you can have a compliance program, and you can check the box that you did the "thing," whatever it is, like, whether it's financial-, IT-, resiliency-related, you could check the box that you're doing it, but regulators are actually looking at what your value system and value structures are. If there is an incident, and organizations that have shown that they do have values and, you know, good structures in place and good practices that are continuously improved in place, are not as harshly fined as some of their, you know, counterparts. And I think that's important to note: that it's not a "one-and-done" - it's a lifelong, living, breathing process.
Paula Fontana (13:56):
Yeah, I think that's something that the regulators, you know, continue to reinforce with the community, is that, like, we're all learning together, right? Nobody has the secret sauce as to what works every time. And, but, at the same time, you know, we're always getting a bit better, but the inherent, like, utter - and this goes back to machine learning and AI, right, like being able to capture what's happening in the environment, understand it, you know, test like a theoretical response, or put in the right controls or preventative measures. And then, you know, as you kind of work through those responses, learn what works and what doesn't. And not only capturing those insights on a micro scale, like looking at the macro overall, and I think this is the opportunity with Fusion, right? How do we create more discrete, you know, best practices and benchmarks and eventually put ourselves in a position where we're able to articulate and direct our customers based on what we've seen work? And, so, I think that is so exciting - to see that evolution. And I think you hit the nail on the head, like, this is just a continuous process of learning, and you're never really done.
Bridget Anders (15:10):
Is there anything else anyone wants to add on?
Safi Raza (15:14):
I think Lauren mentioned the fines. We continue to see more of these things coming up because as governments are getting serious, regulators are getting serious, they start issuing fines when they find a lapse in the compliance. So certainly something more to come over there.
Lauren Kornutick (15:32):
And also criminal penalties - a component of DORA is potential criminal penalties for the executives who did or did not implement it. And you see that with fraud legislation in the U.S. If something's a severe and persistent problem, like Volkswagen, for example, you know, there is a criminal component attached to the wrongdoing. And it's not, you know, necessarily the person on the bottom, but it is going to be the executive who sanctioned and condoned that culture.
Bridget Anders (16:04):
It's been great learning from all of you today. Thank you all again for your insights, and thank you to our listeners for joining us on Building a More Resilient World, sponsored by Fusion Risk Management. Have a good one!