Content provided by The Risk and Insurance Management Society, Inc., The Risk, and Insurance Management Society. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by The Risk and Insurance Management Society, Inc., The Risk, and Insurance Management Society or its podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://uk.player.fm/legal.

Data Privacy and Protection with CISA Chief Privacy Officer James Burd

43:19
 

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

In this episode, Justin interviews CISA Chief Privacy Officer James Burd about data privacy and protection. Topics include how CISA protects agencies and critical infrastructure, how they responded to a recent data attack, and how risk professionals and data privacy professionals can work together to ensure their organization is resistant to data breaches.

Listen for actionable ideas to improve the cyber security at your organization.

Key Takeaways:

[:01] About RIMS and RIMScast.

[:14] Public registration is open for RISKWORLD 2025! RIMS wants you to Engage Today and Embrace Tomorrow in Chicago from May 4th through May 7th. Register at RIMS.org/RISKWORLD and the link in this episode’s show notes.

[:32] About this episode. We will discuss data privacy with James Burd, the Chief Privacy Officer of The Cyber Infrastructure Security Agency (CISA) here in the U.S.

[:58] RIMS-CRMP Workshops! On February 19th and 20th, a two-day virtual workshop for the RIMS-CRMP will be led by former RIMS President Chris Mandel and presented by the RIMS Greater Bluegrass Chapter, the 2024 RIMS Chapter of the Year.

[1:20] The next RIMS-CRMP-FED exam course will be held from February 4th through the 6th, 2025. Links to these courses can be found through the Certification page of RIMS.org and this episode’s show notes.

[1:36] Virtual Workshops! Chris Hansen will return on February 11th and 12th to lead the two-day course “Claims Management”. Gail Kiyomura of The Art of Risk Consulting will host the “Fundamentals of Insurance” virtual workshop on February 19th and 20th, 2025.

[1:59] On February 26th and 27th, Elise Farnham of Illumine Consulting will lead “Applying and Integrating ERM”. “Managing Data for ERM” will be hosted by Pat Saporito. That course starts on March 12th, 2025.

[2:22] A link to the full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode’s show notes.

[2:34] The RIMS Legislative Summit 2025 is back! It will be held on March 19th and 20th in Washington, D.C. Join RIMS for two days of Congressional meetings, networking, and advocating on behalf of the risk management community.

[2:51] This event is open for RIMS members only so if you’re not a member, join now! Visit RIMS.org/advocacy for registration details.

[3:02] Interview! It is Data Privacy Week here in the U.S., through January 31st. This is an annual effort to promote data privacy awareness and education. Its events are sponsored by the National Cybersecurity Alliance. This week’s theme is Take Control of Your Data.

[3:23] Here to discuss how to take control of your data, and the best practices that risk professionals and business leaders need to know, is Chief Privacy Officer of CISA, James Burd.

[3:36] James is the senior agency leader responsible for managing and overseeing CISA’s privacy, external civil rights, civil liberties, and transparency programs.

[3:46] We’re going to talk about some of the big events that made headlines in late December and early January around cybersecurity and data privacy and the frameworks and strategies that risk professionals can implement to take control of their data.

[4:02] CISA Chief Privacy Officer James Burd, welcome to RIMScast!

[4:18] James has a fantastic team of privacy, transparency, and access professionals who provide transparency to the American public while integrating full privacy rights, liberties, and protections into the management of a safe, secure, and resilient infrastructure.

[4:48] As Chief Privacy Officer, James Burd’s primary responsibility is to ensure that privacy is at the forefront and integrated into every initiative, program, and policy CISA undertakes, regardless of whether it’s by policy, process, or technical solutions.

[5:00] This includes ensuring compliance with Federal privacy laws and embedding privacy considerations in the agency’s operations and partnerships.

[5:08] Protecting critical infrastructure inherently involves safeguarding sensitive and critical information that any organization holds, whether it’s CISA or any of the many stakeholders of CISA. Privacy and cybersecurity are inherently interconnected.

[5:21] CISA ensures its cybersecurity programs focus on protecting systems, networks, and data from unauthorized access while the privacy portion ensures that personal and sensitive data are handled responsibly, ethically, and securely.

[5:39] What are the keys to a strong cybersecurity strategy?

[5:52] The work CISA does in the privacy world is to ensure that the information CISA is holding is secure and safeguarded and also to tell the public how exactly they do that.

[6:14] In the early days of CISA, it was a Computer Emergency Readiness Team (CERT). CERTs respond to major cybersecurity incidents at a state, local, national, or international level. A cybersecurity incident in the U.S. is similar to a cybersecurity incident in any nation.

[6:50] All nations are facing the same cybersecurity issues. CISA’s international work is about information sharing and helping each other understand what threats we all face.

[7:19] Integrating privacy into risk management frameworks is a core consideration. A lot of the privacy work CISA does with risk managers is for ERM, identifying privacy risks and impacts and ensuring that mitigation strategies align with goals.

[7:42] Risk managers are key partners in implementing strong data governance practices. CISA works with them to establish policies for data handling, access, and usage that align with the security needs and privacy protection of an agency or organization.

[7:56] Risk managers have the opportunity to help privacy officers identify a privacy problem or privacy risk all across the organization. That’s part of the risk manager’s job as a point person.

[9:13] CISA wants to do this privacy protection work with organizations before a breach. Many privacy professionals have learned the hard way that if you don’t collaborate up front, you have to collaborate later, as a result of your emergency. That’s not a great day.

[9:29] Risk professionals have different viewpoints to consider. They may see that some privacy risks overlap with some financial risks, depending on the risk owner’s point of view. It doesn’t make sense to solve the same problem in 10 different ways.

[10:30] The National Institute of Standards and Technology (NIST) is a valuable partner of CISA’s. NIST can see what works or doesn’t work as a conceptual or technical framework. NIST studies a problem from several angles and gives CISA an effective solution for the framework.

[11:23] Daniel Eliot of NIST has been on RIMScast. James has collaborated with Daniel.

[11:49] CISA is a collaborative agency. It does not exist without its partners and stakeholders. When NIST facilitates conversations between CISA and other stakeholders, it helps CISA figure out, of all the problems in the world, which critical problem we need to solve right now.

[12:17] CISA has Cyber Performance Goals or CPGs, which are a subset of the NIST Cybersecurity Framework. CISA will tell a small business that they should start with the CPG and get it right, and then expand to everything else.

[12:38] CPGs are not a substitute for a risk management framework, but they are a starting point. The CPGs would not exist if not for the work NIST had done in talking to small, medium, and large businesses and figuring out all the different issues they face.

[13:08] In December, Chinese cyber attackers infiltrated U.S. agencies. When there is a major incident like that, there is a whole-government response. CISA plays an important role in that response, like a firefighter. Law enforcement plays the role of investigator.

[14:16] CISA and its interagency partners are heavily involved in responding to recent Chinese activity associated with both Salt Typhoon and Volt Typhoon. They’ve been working very closely with the Treasury Department to understand and mitigate the impacts of the recent incident.

[14:35] There’s no indication that any other Federal agency has been impacted by the incident but CISA continues to monitor the situation and coordinate with other authorities, like the FBI, to ensure that there’s a comprehensive response.

[14:50] The security of federal systems and data is of critical importance to national security. CISA is working aggressively to safeguard any further impacts. The People’s Republic of China is a persistent threat, specifically, the GRC and related entities, who perform these activities.

[15:12] They’re one of the most persistent and strategically sophisticated adversaries we face in cyberspace today. The PRC has decades of experience in conducting rampant cyber espionage against U.S. businesses and critical infrastructure.

[15:26] CISA has become increasingly concerned over the last year that the PRC is not just doing espionage but is trying to burrow into the critical infrastructure for a rainy day. These state-sponsored activities are coming from campaigns like Volt Typhoon and Salt Typhoon.

[15:45] What happened to Treasury provides a stark example of these types of tactics. These tactics target critical infrastructure such as telecommunications, aviation, water, and energy.

[15:56] Their goal, as far as we can tell, is not to cause immediate damage but to gain persistent access to those systems and remain undetected until they want to do something.

[16:08] CISA has been very involved, not just responding to these incidents, but deeply studying these incidents to understand what is happening and what we need to do as a government and nation to protect ourselves from these burrowing activities.

[16:27] Plug Time! RIMS Webinars! Resolver will be joining us on February 6th to discuss “4 Themes Shaping the Future of GRC in 2025”.

[16:39] HUB International continues its Ready for Tomorrow Series with RIMS. On February 20th, they will host “Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025”.

[16:55] More webinars will be announced soon and added to the RIMS.org/webinars page. Go there to register. Registration is complimentary for RIMS members.

[17:07] Nominations are also open for the Donald M. Stuart Award which recognizes excellence in risk management in Canada. Links are in this episode’s show notes.

[17:20] Let’s Return to My Interview with James Burd of the Cyber Infrastructure Security Agency!

[17:42] Whether talking about AI, IoT, or 5G, the issues are hardware problems and software problems.

[18:02] The issues of the 1970s are similar to the issues of the 2020s, regarding vulnerabilities, exposure, and unsafe practices when developing software and hardware.

[18:20] What we’re seeing in the emerging technology space with AI, IoT, and 5G is an increase in the volume and velocity of data. The improvement of technology in this space is based on power and efficiency. Software improvement is based on the reach of interconnectivity.

[18:34] Privacy and cybersecurity risks do not just appear. We’re seeing existing risks and issues increasing in size and complexity. What we previously thought of as a perceived risk is now a real risk, thanks to advances in computational power and the amount of data available.

[18:54] It’s always been a risk but it was less likely to occur until this point where there’s more data, more volume, and more complexity. AI systems rely on a vast amount of personal data, raising concerns about data security, algorithmic bias, and a lack of transparency.

[19:11] We’ve heard about these risks with machine learning and big data databases. They require governance frameworks that address how data is collected, stored, and used in systems, or, in this case, AI models.

[19:28] Those frameworks should be familiar to anyone working in the data protection space or the risk management space for the last three decades. Insurers getting into the cybersecurity space have been paying stark attention to this.

[19:58] We’ve found out that IoT devices are probably the easiest and most risky entrance points within networks into homes and critical infrastructure devices. The biggest risks they create are unauthorized access, data breaches, and potential surveillance.

[20:19] These are not new risks. They’re existing risks that are promulgated because of the new avenue to get in. It used to be that the worst thing that could happen to an IoT device like a router is that it gets compromised and becomes part of a botnet to take down websites.

[20:38] Today, that still happens, but that IoT device is looked at as the back door for entering someone’s network if it’s not properly secured.

[20:49] In itself, 5G is awesome. There are fantastic things to do with increased data flow. With increased speed and connectivity comes the ability to move more data at a time, and we’re facing data being transferred in an insecure manner. People don’t know what data they’re sharing.

[21:15] We’re running into the same classic issues but they’re exacerbated by something we view as a major success, access. Access should be celebrated but we shouldn’t open doors because we can open them. We need to be able to make sure those doors are secured.

[21:48] James paraphrases Mark Groman, a privacy expert formerly with the FTC. “Privacy and cybersecurity are sometimes viewed as competing priorities. They are two sides of the same coin. I refuse to live in a world where you compromise security for privacy or vice versa.”

[22:11] We live in a world where you can have both. The great thing about advancing technologies is that we can do both. Both cybersecurity and privacy aim to protect sensitive data and systems, just from slightly different angles and for different reasons.

[22:31] There has to be a collaborative approach between cybersecurity and privacy. An intermediary like a risk professional can help cybersecurity and privacy teams work together.

[22:41] By leveraging things like privacy-preserving technologies and designing privacy into cybersecurity measures, organizations can bridge the gap and achieve harmony between the two essential functions. This strengthens the organization and its overall risk management.

[22:58] When a risk is realized in one area, it’s common for it to be a harmonious risk with another risk in a different area. In the privacy and cybersecurity space, risks overlap often. Conflicts between cybersecurity and privacy are easily bridged.

[23:24] Cybersecurity professionals want to collect more data; privacy professionals want you to minimize the amount of data you collect.

[23:34] Cybersecurity relies on extensive data collection to detect, monitor, and respond to threats. Privacy wants to collect only what’s necessary and maintain it for a minimum time.

[23:46] Security monitoring tools like intrusion detection systems may gather logs or metadata that could include personal data, creating potential privacy risks, especially for an insider threat.

[24:00] Organizations can implement privacy-aware cybersecurity solutions that anonymize or pseudo-anonymize data where possible, allowing cybersecurity professionals to get to the root of the problem they’re trying to solve while masking sensitive data.

[24:13] If you’re investigating an insider threat, you can unmask the data. Do you need that data to do the job that you’re tasked to do? If not, why run the risk of inappropriately accessing it?

[24:53] Privacy frameworks will always encourage transparency about data usage and sharing, especially by private entities doing consumer business and handling personal information.

[25:07] The public needs to know what you are collecting from them, how you are using it, and whether you are sharing it. They need to know if you are handling their data securely.

[25:38] James would tell cybersecurity professionals that if they think obscurity is security, they should find another job. Obscurity is typically the worst way to secure things.

[25:51] There are ways to describe how data is being held or secured by an organization without compromising the cybersecurity tools or techniques used to monitor or look for vulnerabilities.

[26:03] Transparency can be maintained without compromising security and can be used in a way to assure the public that an organization is keeping serious security techniques in mind when handling the public’s data. James tells how to share that message with the public.

[27:08] When James opens software, he reads the Third Party Agreements. He knows most people don’t. Government agencies include a plain language version of the agreement. Some private companies are doing the same to help people understand how their data is being used.

[28:40] Quick Break for RIMS Plugs! The first of hopefully many RIMS Texas Regional Conferences will be held in San Antonio from August 4th through August 6th, 2025.

[28:58] This groundbreaking event is set to unite the Texas RIMS Chapters and welcome risk management professionals from around the world! Also known as the Risk Management Roundup in San Antonio, you can join as a speaker!

[29:11] The Conference planning committee is interested in submissions that explore technology and cyber risk, workforce protection and advancement, energy and sustainability, extreme weather, construction, restaurant, retail, hospitality, and other trending now sessions.

[29:28] The deadline to submit your proposal is Monday, February 24th. The link to the event and the submission process is in this episode’s show notes. Go check it out!

[29:39] The Spencer Educational Foundation’s goal to help build a talent pipeline of risk management and insurance professionals is achieved in part by its collaboration with risk management and insurance educators across the U.S. and Canada.

[29:58] Since 2010, Spencer has awarded over $3.3 million in general grants to support over 130 student-centered experiential learning initiatives at universities and RMI non-profits. Spencer’s 2026 application process will open on May 1st, 2025, and close on July 30th, 2025.

[30:20] General grant awardees are typically notified at the end of October. Learn more about Spencer’s general grants through the Programs tab at SpencerEd.org.

[30:30] Let’s Return to the Conclusion of My Interview with the Chief Privacy Officer of CISA, James Burd!

[31:00] A lot of ERM frameworks exist because they were required by regulation or law.

[31:10] Privacy professionals are starting to see the same risks that risk management and compliance professionals have been dealing with for decades. The big tools that privacy professionals use are called Data Privacy Impact Assessments (DPIA).

[31:29] DPIAs vary, depending on the regulatory framework or law. DPIAs do two things: they identify what data assets you have and they examine the risks that are associated with the handling of those data assets and what mitigations must be in place to buy down those risks.

[31:48] That assessment can populate half of an ERM framework’s register. Getting involved with your privacy program manager as they do these DPIAs may first cause the privacy program manager to resist your risk assessment, but a risk in one space is a risk in another space.

[32:21] The DPIA is a valuable source of information for a risk manager. You can see the risks earlier. You can identify with the privacy program manager what some of the major risks might become. That means both realized and unrealized risks, which are equally important.

[33:06] A privacy program manager will be preoccupied with a lot of the perceived risks. A risk manager wants to know which risks are more likely and identify them early.

[33:40] A likelihood assessment will help the privacy officer identify how many “calories” to spend on this risk. The risk manager and privacy manager have a mutually beneficial relationship. They help each other.

[34:17] CISA provides cybersecurity education, news on vulnerabilities and cyber threats, threat intelligence, and service to critical infrastructure providers once there is an incident of some sort. The CISA website shows cyber threat indicators of what a compromise might look like.

[35:40] CISA has found novel patterns on networks that make it hard to tell that your network has been compromised. CISA calls those things “Left of Doom.” On the “Right of Doom,” CISA prioritizes the incidents that it responds to.

[36:02] CISA focuses primarily on critical infrastructure. If you have a situation CISA cannot respond to, they will assist you through a local field office to find the people to help you, whether it’s law enforcement, local cyber security service providers, or a local Emergency Response Team.

[37:03] Companies are involved in the California wildfires. Could an incident like that distract them so much that they might become susceptible to data breaches? James notes that you can’t address every problem at the same time. Prioritize, rack, and stack.

[37:17] Incidents are going to happen. CISA asks agencies and companies to take the time and spend the resources to knock out all the low-hanging fruit. The great majority of incidents CISA sees are bad actors exploiting very simple, easy-to-fix vulnerabilities.

[37:55] It might be companies not using encrypted traffic, or only using a password to secure access to a server. The fix is relatively low cost or low impact. It takes time to figure out how to do the fix, but you’ll be grateful that you took the time and spent the money to implement it.

[38:24] The cost of a greater fix from the breach of a simple vulnerability will be far greater than the resources you’d spend to address it in the first place. Establishing that floor will help you focus on other “fires” that pop up while assuring you won’t get “popped” for a silly reason.

[38:49] If somebody’s going to get you, make sure they’ve tried their hardest to get you.

[38:58] It’s Data Privacy Day today, as this episode is released! It’s the start of Data Privacy Week! The theme is Take Control of Your Data!

[39:22] Robust privacy governance tips: Figure out where your data asset inventory is for your organization. Keep track of it and keep track of the risk associated with each data asset. Each data asset may have a different set of risks.

[39:47] Every organization should maintain a comprehensive inventory of data assets, detailing what data is collected, where it is stored, who has access to it, and how it’s used.

[39:56] The risk professional probably isn’t the one who takes the inventory, but they should have access to it and they should be evaluating that inventory.

[40:06] The risk professional can help the privacy manager by helping them establish clear policies and procedures for handling data, access control, and breach response, based on real risk. A privacy officer sometimes has difficulty identifying a real risk over a perceived risk.

[40:23] By focusing on real risks, you avoid the problem where privacy officers spend too much energy coming up with solutions for the most unlikely scenarios, leaving organizations unprepared for what’s likely to happen.

[40:42] Special thanks again to James Burd of CISA for joining us here on RIMScast! There are lots of links about Data Privacy Day and Data Privacy Week in this episode’s show notes.

[40:54] Also see links to RIMS Risk Management magazine coverage of data privacy through the years and links to some RIMScast episodes that touch upon the topic. Be sure to tune into last week’s episode with Tod Eberle of the Shadowserver Foundation on cyber risk trends of 2025!

[41:18] More RIMS Plugs! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes.

[41:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.

[42:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.

[42:23] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[42:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.

[42:53] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.

[43:00] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:

RIMS Risk Management magazine

RISKWORLD 2025 — May 4-7. | Register today!

RIMS Legislative Summit — March 19‒20, 2025

Cyber Infrastructure Security Agency

National Cybersecurity Alliance | Data Privacy Week 2025

Nominations for the Donald M. Stuart Award

Spencer Educational Foundation — General Grants 2026 — Application Dates

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

RIMS Texas Regional Conference 2025 | Submit an Educational Session by Feb. 24.

RIMS Webinars:

RIMS.org/Webinars

“4 Themes Shaping the Future of GRC in 2025” | Sponsored by Resolver | Feb. 6, 2025

“Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025” | Sponsored by Hub International | Feb. 20, 2025

Upcoming RIMS-CRMP Prep Virtual Workshops:

“Stay Competitive with the RIMS-CRMP” | Presented by the RIMS Greater Bluegrass Chapter

February 19‒20, 2025 | Instructor: Chris Mandel

Full RIMS-CRMP Prep Course Schedule

Upcoming Virtual Workshops:

“Claims Management” | February 11‒12, 2025 | Instructor: Chris Hansen

“Fundamentals of Insurance” | Feb. 19‒20, 2025 | Instructor: Gail Kiyomura

“Applying and Integrating ERM” | Feb. 26‒27, 2025 | Instructor: Elise Farnham

“Managing Data for ERM” | March 12, 2025 | Instructor: Pat Saporito

See the full calendar of RIMS Virtual Workshops

RIMS-CRMP Prep Workshops


Related RIMScast Episodes:

“Cyberrisk Trends in 2025 with Shadowserver Alliance Director Tod Eberle”

“Kicking off 2025 with RIMS CEO Gary LaBranche”

“Year In Risk 2024 with Morgan O’Rourke and Hilary Tuttle”

“AI and Regulatory Risk Trends with Caroline Shleifer”

“Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST” (2024)

“Cybersecurity and Insurance Outlook 2023 with Josephine Wolff”

Sponsored RIMScast Episodes:

“Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor

“Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL

“How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog

“Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant

“RMIS Innovation with Archer” | Sponsored by Archer

“Navigating Commercial Property Risks with Captives” | Sponsored by Zurich

“Breaking Down Silos: AXA XL’s New Approach to Casualty Insurance”| Sponsored by AXA XL

“Weathering Today’s Property Claims Management Challenges” | Sponsored by AXA XL

“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company

“Partnering Against Cyberrisk” | Sponsored by AXA XL

“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh

“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos

“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL

“Elevating RMIS — The Archer Way” | Sponsored by Archer

“Alliant’s P&C Outlook For 2024” | Sponsored by Alliant

“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response

“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.

“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response

RIMS Publications, Content, and Links:

RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!

RIMS Virtual Workshops

On-Demand Webinars

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

RIMS Strategic & Enterprise Risk Center

RIMS-CRMP Stories — Featuring RIMS Vice President Manny Padilla!

RIMS Events, Education, and Services:

RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More?

Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation!

Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: James Burd, Chief Privacy Officer, Cyber Infrastructure Security Agency (CISA)

Production and engineering provided by Podfly.


[3:23] Here to discuss how to take control of your data, and the best practices that risk professionals and business leaders need to know, is Chief Privacy Officer of CISA, James Burd.

[3:36] James is the senior agency leader responsible for managing and overseeing CISA’s privacy, external civil rights, civil liberties, and transparency programs.

[3:46] We’re going to talk about some of the big events that made headlines in late December and early January around cybersecurity and data privacy and the frameworks and strategies that risk professionals can implement to take control of their data.

[4:02] CISA Chief Privacy Officer James Burd, welcome to RIMScast!

[4:18] James has a fantastic team of privacy, transparency, and access professionals who provide transparency to the American public while integrating full privacy rights, liberties, and protections into the management of a safe, secure, and resilient infrastructure.

[4:48] As Chief Privacy Officer, James Burd’s primary responsibility is to ensure that privacy is at the forefront and integrated into every initiative, program, and policy CISA undertakes, regardless of whether it’s by policy, process, or technical solutions.

[5:00] This includes ensuring compliance with Federal privacy laws and embedding privacy considerations in the agency’s operations and partnerships.

[5:08] Protecting critical infrastructure inherently involves safeguarding sensitive and critical information that any organization holds, whether it’s CISA or any of the many stakeholders of CISA. Privacy and cybersecurity are inherently interconnected.

[5:21] CISA ensures its cybersecurity programs focus on protecting systems, networks, and data from unauthorized access while the privacy portion ensures that personal and sensitive data are handled responsibly, ethically, and securely.

[5:39] What are the keys to a strong cybersecurity strategy?

[5:52] The work CISA does in the privacy world is to ensure that the information CISA is holding is secure and safeguarded and also to tell the public how exactly they do that.

[6:14] In the early days of CISA, it was a Computer Emergency Readiness Team (CERT). CERTs respond to major cybersecurity incidents at a state, local, national, or international level. A cybersecurity incident in the U.S. is similar to a cybersecurity incident in any nation.

[6:50] All nations are facing the same cybersecurity issues. CISA’s international work is about information sharing and helping each other understand what threats we all face.

[7:19] Integrating privacy into risk management frameworks is a core consideration. A lot of the privacy work CISA does with risk managers is for ERM, identifying privacy risks and impacts and ensuring that mitigation strategies align with goals.

[7:42] Risk managers are key partners in implementing strong data governance practices. CISA works with them to establish policies for data handling, access, and usage that align with the security needs and privacy protection of an agency or organization.

[7:56] Risk managers have the opportunity to help privacy officers identify a privacy problem or privacy risk all across the organization. That’s part of the risk manager’s job as a point person.

[9:13] CISA wants to do this privacy protection work with organizations before a breach. Many privacy professionals have learned the hard way that if you don’t collaborate up front, you have to collaborate later, as a result of your emergency. That’s not a great day.

[9:29] Risk professionals have different viewpoints to consider. They may see that some privacy risks overlap with some financial risks, depending on the risk owner’s point of view. It doesn’t make sense to solve the same problem in 10 different ways.

[10:30] The National Institute of Standards and Technology (NIST) is a valuable partner of CISA’s. NIST can see what works or doesn’t work as a conceptual or technical framework. NIST studies a problem from several angles and gives CISA an effective solution for the framework.

[11:23] Daniel Eliot of NIST has been on RIMScast. James has collaborated with Daniel.

[11:49] CISA is a collaborative agency. It does not exist without its partners and stakeholders. When NIST facilitates conversations between CISA and other stakeholders, it helps CISA figure out, of all the problems in the world, which critical problem we need to solve right now.

[12:17] CISA has Cyber Performance Goals or CPGs, which are a subset of the NIST Cybersecurity Framework. CISA will tell a small business that they should start with the CPG and get it right, and then expand to everything else.

[12:38] CPGs are not a substitute for a risk management framework, but they are a starting point. The CPGs would not exist if not for the work NIST had done in talking to small, medium, and large businesses and figuring out all the different issues they face.

[13:08] In December, Chinese cyber attackers infiltrated U.S. agencies. When there is a major incident like that, there is a whole-government response. CISA plays an important role in that response, like a firefighter. Law enforcement plays the role of investigator.

[14:16] CISA and its interagency partners are heavily involved in responding to recent Chinese activity associated with both Salt Typhoon and Volt Typhoon. They’ve been working very closely with the Treasury Department to understand and mitigate the impacts of the recent incident.

[14:35] There’s no indication that any other Federal agency has been impacted by the incident but CISA continues to monitor the situation and coordinate with other authorities, like the FBI, to ensure that there’s a comprehensive response.

[14:50] The security of federal systems and data is of critical importance to national security. CISA is working aggressively to safeguard against any further impacts. The People’s Republic of China is a persistent threat, specifically, the GRC and related entities, who perform these activities.

[15:12] They’re one of the most persistent and strategically sophisticated adversaries we face in cyberspace today. The PRC has decades of experience in conducting rampant cyber espionage against U.S. businesses and critical infrastructure.

[15:26] CISA has become increasingly concerned over the last year that the PRC is not just doing espionage but is trying to burrow into the critical infrastructure for a rainy day. These state-sponsored activities are coming from campaigns like Volt Typhoon and Salt Typhoon.

[15:45] What happened to Treasury provides a stark example of these types of tactics. These tactics target critical infrastructure such as telecommunications, aviation, water, and energy.

[15:56] Their goal, as far as we can tell, is not to cause immediate damage but to gain persistent access to those systems and remain undetected until they want to do something.

[16:08] CISA has been very involved, not just responding to these incidents, but deeply studying these incidents to understand what is happening and what we need to do as a government and nation to protect ourselves from these burrowing activities.

[16:27] Plug Time! RIMS Webinars! Resolver will be joining us on February 6th to discuss “4 Themes Shaping the Future of GRC in 2025”.

[16:39] HUB International continues its Ready for Tomorrow Series with RIMS. On February 20th, they will host “Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025”.

[16:55] More webinars will be announced soon and added to the RIMS.org/webinars page. Go there to register. Registration is complimentary for RIMS members.

[17:07] Nominations are also open for the Donald M. Stuart Award which recognizes excellence in risk management in Canada. Links are in this episode’s show notes.

[17:20] Let’s Return to My Interview with James Burd of the Cyber Infrastructure Security Agency!

[17:42] Whether talking about AI, IoT, or 5G, the issues are hardware problems and software problems.

[18:02] The issues of the 1970s are similar to the issues of the 2020s, regarding vulnerabilities, exposure, and unsafe practices when developing software and hardware.

[18:20] What we’re seeing in the emerging technology space with AI, IoT, and 5G is an increase in the volume and velocity of data. The improvement of technology in this space is based on power and efficiency. Software improvement is based on the reach of interconnectivity.

[18:34] Privacy and cybersecurity risks do not just appear. We’re seeing existing risks and issues increasing in size and complexity. What we previously thought of as a perceived risk is now a real risk, thanks to advances in computational power and the amount of data available.

[18:54] It’s always been a risk but it was less likely to occur until this point where there’s more data, more volume, and more complexity. AI systems rely on a vast amount of personal data, raising concerns about data security, algorithmic bias, and a lack of transparency.

[19:11] We’ve heard about these risks with machine learning and big data databases. They require governance frameworks that address how data is collected, stored, and used in systems, or, in this case, AI models.

[19:28] Those frameworks should be familiar to anyone working in the data protection space or the risk management space for the last three decades. Insurers getting into the cybersecurity space have been paying stark attention to this.

[19:58] We’ve found out that IoT devices are probably the easiest and most risky entrance points within networks into homes and critical infrastructure devices. The biggest risks they create are unauthorized access, data breaches, and potential surveillance.

[20:19] These are not new risks. They’re existing risks that are promulgated because of the new avenue to get in. It used to be that the worst thing that could happen to an IoT device like a router is that it gets compromised and becomes part of a botnet to take down websites.

[20:38] Today, that still happens, but that IoT device is looked at as the back door for entering someone’s network if it’s not properly secured.

[20:49] In itself, 5G is awesome. There are fantastic things to do with increased data flow. With increased speed and connectivity come the ability to move more data at a time and we’re facing data being transferred in an insecure manner. People don’t know what data they’re sharing.

[21:15] We’re running into the same classic issues but they’re exacerbated by something we view as a major success, access. Access should be celebrated but we shouldn’t open doors because we can open them. We need to be able to make sure those doors are secured.

[21:48] James paraphrases Marc Groman, a privacy expert formerly with the FTC. “Privacy and cybersecurity are sometimes viewed as competing priorities. They are two sides of the same coin. I refuse to live in a world where you compromise security for privacy or vice versa.”

[22:11] We live in a world where you can have both. The great thing about advancing technologies is that we can do both. Both cybersecurity and privacy aim to protect sensitive data and systems, just from slightly different angles and for different reasons.

[22:31] There has to be a collaborative approach between cybersecurity and privacy. An intermediary like a risk professional can help cybersecurity and privacy teams work together.

[22:41] By leveraging things like privacy-preserving technologies and designing privacy into cybersecurity measures, organizations can bridge the gap and achieve harmony between the two essential functions. This strengthens the organization and its overall risk management.

[22:58] When a risk is realized in one area, it’s common for it to be a harmonious risk with another risk in a different area. In the privacy and cybersecurity space, risks overlap often. Conflicts between cybersecurity and privacy are easily bridged.

[23:24] Cybersecurity professionals want to collect more data; privacy professionals want you to minimize the amount of data you collect.

[23:34] Cybersecurity relies on extensive data collection to detect, monitor, and respond to threats. Privacy wants to collect only what’s necessary and maintain it for a minimum time.

[23:46] Security monitoring tools like intrusion detection systems may gather logs or metadata that could include personal data, creating potential privacy risks, especially for an insider threat.

[24:00] Organizations can implement privacy-aware cybersecurity solutions that anonymize or pseudo-anonymize data where possible, allowing cybersecurity professionals to get to the root of the problem they’re trying to solve while masking sensitive data.

[24:13] If you’re investigating an insider threat, you can unmask the data. Do you need that data to do the job that you’re tasked to do? If not, why run the risk of inappropriately accessing it?

[24:53] Privacy frameworks will always encourage transparency about data usage and sharing, especially by private entities doing consumer business and handling personal information.

[25:07] The public needs to know what you are collecting from them, how you are using it, and whether you are sharing it. They need to know if you are handling their data securely.

[25:38] James would tell cybersecurity professionals that if they think obscurity is security, they should find another job. Obscurity is typically the worst way to secure things.

[25:51] There are ways to describe how data is being held or secured by an organization without compromising the cybersecurity tools or techniques used to monitor or look for vulnerabilities.

[26:03] Transparency can be maintained without compromising security and can be used in a way to assure the public that an organization is keeping serious security techniques in mind when handling the public’s data. James tells how to share that message with the public.

[27:08] When James opens software, he reads the Third Party Agreements. He knows most people don’t. Government agencies include a plain language version of the agreement. Some private companies are doing the same to help people understand how their data is being used.

[28:40] Quick Break for RIMS Plugs! The first of hopefully many RIMS Texas Regional Conferences will be held in San Antonio from August 4th through August 6th, 2025.

[28:58] This groundbreaking event is set to unite the Texas RIMS Chapters and welcome risk management professionals from around the world! Also known as the Risk Management Roundup in San Antonio, you can join as a speaker!

[29:11] The Conference planning committee is interested in submissions that explore technology and cyber risk, workforce protection and advancement, energy and sustainability, extreme weather, construction, restaurant, retail, hospitality, and other trending now sessions.

[29:28] The deadline to submit your proposal is Monday, February 24th. The link to the event and the submission process is in this episode’s show notes. Go check it out!

[29:39] The Spencer Educational Foundation’s goal to help build a talent pipeline of risk management and insurance professionals is achieved in part by its collaboration with risk management and insurance educators across the U.S. and Canada.

[29:58] Since 2010, Spencer has awarded over $3.3 million in general grants to support over 130 student-centered experiential learning initiatives at universities and RMI non-profits. Spencer’s 2026 application process will open on May 1st, 2025, and close on July 30th, 2025.

[30:20] General grant awardees are typically notified at the end of October. Learn more about Spencer’s general grants through the Programs tab at SpencerEd.org.

[30:30] Let’s Return to the Conclusion of My Interview with the Chief Privacy Officer of CISA, James Burd!

[31:00] A lot of ERM frameworks exist because they were required by regulation or law.

[31:10] Privacy professionals are starting to see the same risks that risk management and compliance professionals have been dealing with for decades. The big tools that privacy professionals use are called Data Privacy Impact Assessments (DPIA).

[31:29] DPIAs vary, depending on the regulatory framework or law. DPIAs do two things: they identify what data assets you have and they examine the risks that are associated with the handling of those data assets and what mitigations must be in place to buy down those risks.

[31:48] That assessment can populate half of an ERM framework’s register. Getting involved with your privacy program manager as they do these DPIAs may first cause the privacy program manager to resist your risk assessment, but a risk in one space is a risk in another space.

[32:21] The DPIA is a valuable source of information for a risk manager. You can see the risks earlier. You can identify with the privacy program manager what some of the major risks might become. That means both realized and unrealized risks, which are equally important.

[33:06] A privacy program manager will be preoccupied with a lot of the perceived risks. A risk manager wants to know which risks are more likely and identify them early.

[33:40] A likelihood assessment will help the privacy officer identify how many “calories” to spend on this risk. The risk manager and privacy manager have a mutually beneficial relationship. They help each other.

[34:17] CISA provides cybersecurity education, news on vulnerabilities and cyber threats, threat intelligence, and service to critical infrastructure providers once there is an incident of some sort. The CISA website shows cyber threat indicators of what a compromise might look like.

[35:40] CISA has found novel patterns on networks that make it hard to tell that your network has been compromised. CISA calls those things “Left of Doom.” On the “Right of Doom,” CISA prioritizes the incidents that it responds to.

[36:02] CISA focuses primarily on critical infrastructure. If you have a situation CISA cannot respond to, they will assist you through a local field office in finding the people to help you, whether it’s law enforcement, local cyber security service providers, or a local Emergency Response Team.

[37:03] Companies are involved in the California wildfires. Could an incident like that distract them so much that they might become susceptible to data breaches? James notes that you can’t address every problem at the same time. Prioritize, rack, and stack.

[37:17] Incidents are going to happen. CISA asks agencies and companies to take the time and spend the resources to knock out all the low-hanging fruit. The great majority of incidents CISA sees are bad actors exploiting very simple, easy-to-fix vulnerabilities.

[37:55] It might be companies not using encrypted traffic, or only using a password to secure access to a server. The fix is relatively low cost or low impact. It takes time to figure out how to do the fix, but you’ll be grateful that you took the time and spent the money to implement it.

[38:24] The cost of a greater fix from the breach of a simple vulnerability will be far greater than the resources you’d spend to address it in the first place. Establishing that floor will help you focus on other “fires” that pop up while assuring you won’t get “popped” for a silly reason.

[38:49] If somebody’s going to get you, make sure they’ve tried their hardest to get you.

[38:58] It’s Data Privacy Day today, as this episode is released! It’s the start of Data Privacy Week! The theme is Take Control of Your Data!

[39:22] Robust privacy governance tips: Figure out where your data asset inventory is for your organization. Keep track of it and keep track of the risk associated with each data asset. Each data asset may have a different set of risks.

[39:47] Every organization should maintain a comprehensive inventory of data assets, detailing what data is collected, where it is stored, who has access to it, and how it’s used.

[39:56] The risk professional probably isn’t the one who takes the inventory, but they should have access to it and they should be evaluating that inventory.

[40:06] The risk professional can help the privacy manager by helping them establish clear policies and procedures for handling data, access control, and breach response, based on real risk. A privacy officer sometimes has difficulty identifying a real risk over a perceived risk.

[40:23] By focusing on real risks, you avoid the problem where privacy officers spend too much energy coming up with solutions for the most unlikely scenarios, leaving organizations unprepared for what’s likely to happen.

[40:42] Special thanks again to James Burd of CISA for joining us here on RIMScast! There are lots of links about Data Privacy Day and Data Privacy Week in this episode’s show notes.

[40:54] Also see links to RIMS Risk Management magazine coverage of data privacy through the years and links to some RIMScast episodes that touch upon the topic. Be sure to tune into last week’s episode with Tod Eberle of the Shadowserver Foundation on cyber risk trends of 2025!

[41:18] More RIMS Plugs! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes.

[41:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.

[42:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.

[42:23] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[42:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.

[42:53] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.

[43:00] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:

RIMS Risk Management magazine

RISKWORLD 2025 — May 4‒7 | Register today!

RIMS Legislative Summit — March 19‒20, 2025

Cyber Infrastructure Security Agency

National Cybersecurity Alliance | Data Privacy Week 2025

Nominations for the Donald M. Stuart Award

Spencer Educational Foundation — General Grants 2026 — Application Dates

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

RIMS Texas Regional Conference 2025 | Submit an Educational Session by Feb. 24.

RIMS Webinars:

RIMS.org/Webinars

“4 Themes Shaping the Future of GRC in 2025” | Sponsored by Resolver | Feb. 6, 2025

“Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025” | Sponsored by Hub International | Feb. 20, 2025

Upcoming RIMS-CRMP Prep Virtual Workshops:

“Stay Competitive with the RIMS-CRMP” | Presented by the RIMS Greater Bluegrass Chapter

February 19‒20, 2025 | Instructor: Chris Mandel

Full RIMS-CRMP Prep Course Schedule

Upcoming Virtual Workshops:

“Claims Management” | February 11‒12, 2025 | Instructor: Chris Hansen

“Fundamentals of Insurance” | Feb. 19‒20, 2025 | Instructor: Gail Kiyomura

“Applying and Integrating ERM” | Feb. 26‒27, 2025 | Instructor: Elise Farnham

“Managing Data for ERM” | March 12, 2025 | Instructor: Pat Saporito

See the full calendar of RIMS Virtual Workshops

RIMS-CRMP Prep Workshops

Related RIMScast Episodes:

“Cyberrisk Trends in 2025 with Shadowserver Alliance Director Tod Eberle”

“Kicking off 2025 with RIMS CEO Gary LaBranche”

“Year In Risk 2024 with Morgan O’Rourke and Hilary Tuttle”

“AI and Regulatory Risk Trends with Caroline Shleifer”

“Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST” (2024)

“Cybersecurity and Insurance Outlook 2023 with Josephine Wolff”

Sponsored RIMScast Episodes:

“Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor

“Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL

“How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog

“Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant

“RMIS Innovation with Archer” | Sponsored by Archer

“Navigating Commercial Property Risks with Captives” | Sponsored by Zurich

“Breaking Down Silos: AXA XL’s New Approach to Casualty Insurance” | Sponsored by AXA XL

“Weathering Today’s Property Claims Management Challenges” | Sponsored by AXA XL

“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company

“Partnering Against Cyberrisk” | Sponsored by AXA XL

“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh

“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos

“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL

“Elevating RMIS — The Archer Way” | Sponsored by Archer

“Alliant’s P&C Outlook For 2024” | Sponsored by Alliant

“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response

“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.

“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response
