Hi, this is Apple and Garcia with Health Guard, here to talk about using Open FAIR to improve cyber risk governance and resource capital allocation in healthcare. I'm a long-time FAIR practitioner, the better part of a decade, and I also have a risk management business, Health Guard. Today's session is going to cover three general themes. One, we're going to take a quick look at the risk landscape that hospitals and healthcare providers in general are facing. I'll be talking a little bit about cyber risk governance and what that really means. And then we'll dive into a brief case study on how we've used Open FAIR to help both improve governance and improve general decision making around significant cyber risk investments.

For those of you who aren't familiar with the healthcare landscape, there are basically eight general domains, according to the American Society for Healthcare Risk Management, that hospitals and providers are facing. One is operational risk: the general risk of doing business on both the clinical and administrative side. The other is specifically clinical or patient safety risk, which includes both harm events and, obviously, death; in a hospital setting that's a very significant concern for everyone involved. Also strategic risk: a lot of people don't realize how many strategic issues hospitals have to deal with, navigating both the regulatory environment and the changing healthcare landscape, the emergence of technology, telemedicine, and most recently pandemics. So there are a lot of strategic issues that leadership and boards have to address when they're dealing with risk. There's also general financial risk, both from a credit standpoint and a market investment standpoint.
There's human capital risk, and that was really brought to light by the nursing issues that US-based hospitals especially, but I imagine hospitals around the globe, are dealing with, where a lot of nurses got burnt out due to the stress, the high workloads, and even the risk associated with the pandemic. So human capital risk is very real in a hospital setting. It also goes without saying that there's a legal and regulatory series of risks, both from a malpractice standpoint and from a compliance standpoint; here in the US we deal with HIPAA and other regulations that hospitals face. There's obviously technology: the explosion of digital records and the adoption of IoT and medical devices, et cetera, have really increased the technology risk over the last couple of decades. And finally, hazards, or natural disaster type risk: fire and flooding and all the other things that most organizations face. Again, this is just to level set and help you get a better sense of the types of risk that hospitals have to deal with. Today's talk is really going to focus on the technology and operational risk, which we're going to dive into here.

For those of you who haven't been keeping track, the risk landscape, more specifically here in the US, is one where hospitals are dealing with it from all sides. We talked about the changes in technology, and obviously cyber security and cyber risk; we'll be talking about ransomware and some other types of threats that have really started to ramp up in the last several years. But in general, US-based hospitals are struggling.
There are double-digit bankruptcies and closures. Hospitals faced the pandemic, which obviously had a huge effect, costing US healthcare systems hundreds of millions of dollars last year. But even prior to the pandemic, hospitals were already stressed financially, with hospital administrators and leaders trying to find ways to build viable business models to deliver care in an affordable and safe manner. It's been a huge challenge for hospitals over the last decade plus, and I definitely feel for the CFOs and CEOs trying to navigate these tumultuous waters as it relates to the financial pressures and, again, the risk landscape that they have to work in.

Another interesting statistic that speaks to some of the operational challenges around risk management: there was a study that came out in late 2020. It was a review of the HIPAA audit reports put out by the regulating body here in the US, the Department of Health and Human Services, covering audits they did between 2016 and 2017. They said that 94% of covered entities are failing to implement appropriate risk management activities, and to be clear, the bar they set for what constitutes appropriate risk management is candidly not that high. So the fact that 94% of HIPAA covered entities are struggling with basic risk management is a little surprising, but it's also a little scary in terms of their being able to make decisions under uncertainty and manage their risk effectively.

Changing gears for a little bit, I want to make sure that we're on the same page as far as what governance is. If you'll bear with me a little bit, I'll read this slide.
"What a board does requires an understanding of the areas over which the board exercises a governance role." So when we're talking about cyber risk governance, we're talking about, at an organizational level, at a board level, how well they oversee the various risks of the organization, in particular cyber risk, which as we all know has been a growing, emerging type of risk that hospitals and other organizations face. The slide says typically the board oversees matters including mission and vision development and strategic planning; quality and patient safety; financial and management performance; risk assessment and management; stakeholder input and feedback; and board development. This is from the Center for Healthcare Governance of the American Hospital Association, their guide to good governance for hospital boards, published back in 2009. So it's not anything new or emerging, but it's in black and white there that, while organizations are struggling to manage risk effectively, it is clearly one of the core requirements of good governance for hospital boards. So by and large, hospital systems and their leadership need to take a hard look at how well and effectively they're managing risk.

It's no news to folks that healthcare has been under siege of sorts by some of the recent attacks. At the beginning of the pandemic we thought some of the bad guys were going to take a hiatus and give hospitals a pass; instead, the number of attacks that happened in 2020 actually ratcheted up.
So there was an opportunity for folks to exploit some of these vulnerabilities and exploit the desperation that some of these hospitals were facing in terms of keeping their systems up and making sure they had access to appropriate data, patient information and clinical systems. The scenario we're going to be talking about, the case study on using Open FAIR, is exactly this scenario, this exact threat. In this case, a particular customer asked us to look at their risk from ransomware. As we looked at the entire life cycle of ransomware, both from a preventive standpoint as well as a detective, response and recovery standpoint, we determined that there were some potential issues with their backup strategy. It wasn't just the fact that their systems were vulnerable to a ransomware attack; it was the issue that their backups were actually vulnerable, because as many of you on this call are aware, the bad guys changed their strategy to not only encrypt systems but to disable backups so that organizations couldn't recover. And as anyone familiar with healthcare knows, a lot of systems, at least in the US, have been consolidated into electronic health record systems like Cerner and Epic, so a lot of that data is now essentially housed in large systems and databases.
So if a ransomware attacker is able to not only encrypt the system but also disable and destroy the backups, then the hospital has no option but to either pay the ransom or try to rebuild the systems, which is not feasible for a lot of organizations. As we looked at this particular issue, what we were able to do with Open FAIR is analyze and quantify both the original risk, which is there in the first column under starting risk, and also look at options. One of the things that, as we all know, organizations and hospitals in particular have is limited resources. Just throwing money at a problem is only feasible for a select few; a lot of hospitals, because of the dire financial straits we were discussing earlier, don't have the resources that banks and organizations in other industries have. So it's very important for them to be laser focused, you could almost say surgical, if you'll pardon the pun, with regard to how they make investments. What Open FAIR allows organizations to do is be surgical in terms of how they apply those resources and how they invest in mitigation or risk transfer, which we'll talk about in a second. In this case, looking at the starting risk, and then in the purple shaded column, there are some basic controls applied and what that residual risk, if you will, looks like with basic controls.
And then looking at a third option in blue, that is a more costly but arguably more effective set of controls that would allow an organization to reduce risk further. Candidly, using traditional risk analysis methods like heat maps and ordinal-scale risk ratings, you just can't do this; you need a quantitative method like FAIR, like Open FAIR, to get to this level of accuracy and detail in evaluating control efficacy and risk mitigation. So in this case, what we were able to do is show them quantitatively the original risk and then how each of the two options, when applied, would potentially reduce their risk. The bottom section there is the probability of exceeding an expected loss value. We were also able to say, based on specific expected loss value amounts of $10 million and $20 million, what the probability of exceeding either one of those amounts is. The reason those numbers are significant, from a business decision standpoint, is their coverage: in this case the customer had $20 million in cyber coverage with a $500,000 retainer. So I'm going to flip back here for a second. You can see down here in that bottom row that their leadership, including their director of risk, is asking the question: what's the probability that we're going to exceed our coverage? Do we need to raise our coverage, or do we have adequate coverage for this particular threat? So in terms of risk transfer, we were able to evaluate and say, okay, I think we generally have enough coverage.
But then the next question is, okay, if we have enough coverage, how should we be evaluating our risk mitigation, and what are those costs? This first column here in purple was the residual risk with basic controls; that's option one. This was just leveraging existing technology, changing some processes and procedures, and applying a few controls that they could do fairly cost effectively, what we'd call low-hanging fruit. The second control there, the item in blue, the offline backup, was going to require a $2 million investment. So now, from a business decision-making and from a governance standpoint, they're able to make a decision: do we need to invest that $2 million, or could we use those resources for something else? Again, the beauty of using Open FAIR for this type of decision and this type of analysis is that it allows folks outside of IT to make well-informed decisions. In this particular case, the executive team was briefed on this particular risk, but the board was also briefed on it. So both from a governance and from a management standpoint, the organization was able to make a decision using this type of information.

I hope this has been helpful as a simple case study. I didn't go into the FAIR ontology, knowing that the speakers before me were going to be covering some of the details on FAIR. For those of you new to FAIR, I would definitely encourage going to The Open Group website and downloading the body of knowledge. Feel free to reach out to me if you have any questions, and thank you for your time and attention.
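The case study above compares a starting risk against two control options by the probability of exceeding $10M and $20M, and checks that against a $20M policy with a $500K retention (the "retainer" in the talk) and a $2M option cost. The following is an added Monte Carlo sketch of that FAIR-style comparison in Python; it is example code, not the speaker's analysis or any Open FAIR tooling, and the frequency and loss-magnitude calibrations, the Poisson/lognormal shapes and the scenario labels are assumptions, with only the dollar figures taken from the talk.

```python
import math
import random

# Figures from the talk: $20M cyber coverage with a $500K retention, a $2M
# offline-backup option, and $10M / $20M loss-exceedance thresholds.
COVERAGE_LIMIT, RETENTION, OPTION2_COST = 20_000_000, 500_000, 2_000_000
THRESHOLDS = (10_000_000, 20_000_000)
# Constructed calibration (assumed, not the customer's figures): loss event frequency
# per year as a (min, most likely, max) triangle; per-event loss as lognormal(median, sigma).
SCENARIOS = {
    "starting risk": dict(lef=(0.10, 0.30, 0.60), lm_median=8_000_000, lm_sigma=0.9),
    "option 1 (basic controls)": dict(lef=(0.05, 0.15, 0.35), lm_median=6_000_000, lm_sigma=0.9),
    "option 2 (offline backup)": dict(lef=(0.05, 0.15, 0.35), lm_median=2_000_000, lm_sigma=0.8),
}

def poisson(rng, lam):
    """Knuth's Poisson sampler: how many loss events occur in one simulated year."""
    bound, k, p = math.exp(-lam), 0, 1.0
    while True:
        k, p = k + 1, p * rng.random()
        if p <= bound:
            return k - 1

def simulate_annual_loss(params, trials=20_000, seed=7):
    """Simulated annualized loss totals (USD) for one scenario, seeded for repeatability."""
    rng, (lo, mode, hi), mu = random.Random(seed), params["lef"], math.log(params["lm_median"])
    # Each simulated year draws its own frequency, then sums that many lognormal event losses.
    return [sum(rng.lognormvariate(mu, params["lm_sigma"])
                for _ in range(poisson(rng, rng.triangular(lo, hi, mode))))
            for _ in range(trials)]

def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def insured_payout(loss, retention=RETENTION, limit=COVERAGE_LIMIT):
    """What the policy pays on a loss: the part above the retention, capped at the limit."""
    return min(max(loss - retention, 0.0), limit)

def summarize(name):
    """Expected loss, threshold exceedance odds, and odds of exhausting the coverage."""
    losses = simulate_annual_loss(SCENARIOS[name])
    return {"expected_loss": sum(losses) / len(losses),
            "p_exceed": {t: exceedance_probability(losses, t) for t in THRESHOLDS},
            "p_exceed_coverage": exceedance_probability(losses, RETENTION + COVERAGE_LIMIT)}

def annual_benefit_of_option2():
    """Expected-loss reduction of option 2 over option 1, to weigh against OPTION2_COST."""
    return summarize("option 1 (basic controls)")["expected_loss"] - summarize("option 2 (offline backup)")["expected_loss"]
```

Calling `summarize()` for each scenario reproduces the three-column comparison from the talk, and `annual_benefit_of_option2()` gives the yearly figure a board would set against the $2M investment.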