RIMScast

Andréia Stephenson, an Enterprise Risk Analyst at the London Metal Exchange, shares her unique journey from a biology background to the world of risk analysis. She discusses the significance of passion for data and the need to communicate effectively within organizations. Andréia highlights the importance of simplifying risk assessments and influencing risk culture through thoughtful questions. She also elaborates on using AI as a supportive tool rather than a replacement, advocating for foundational knowledge and strong communication skills for future-ready analysts.

Dr. Gav Schneider, Group CEO at Risk2Solution Group, and Shreen Williams, Founder & CEO of Risky Business SW, delve into the transformative power of presilience in risk management. Schneider outlines how embedding resilience at individual and organizational levels can tackle complex challenges. Meanwhile, Williams tackles over 150 cognitive biases, emphasizing the importance of simple, visual risk frameworks to enhance engagement. They stress the critical role of awareness and mentoring to effectively address these biases in enterprise risk management.

Sadig Hajiyev, the Risk & Compliance Group Director at SOCAR Türkiye and winner of the RIMS Global ERM Award of Distinction, shares insights on transforming SOCAR's ERM approach from compliance-focused to a cohesive, strategy-driven system. He discusses the importance of provoking tough discussions around risk and adaptation strategies in response to external shocks. Sadig reveals innovations like an AI-driven scenario engine and the impressive leap in ERM maturity from level 3 to 5, emphasizing future priorities like incident management and optimizing insurance through captives.

Julie Anna Potts, President and CEO of the Meat Institute and expert in environmental law and agriculture, discusses her journey and the Institute's pivotal role in food safety. She highlights the importance of training resources like the listeria control course and the Protein PACT initiative, which aligns food safety with societal values. Potts dives into fostering a culture of safety from the top down and the challenges of navigating environmental risks like PFAS. She also shares insights on community engagement and the impact of the pandemic on supply continuity.

Lori Flaherty leads the ERM team at Paychex and has over 25 years in risk management, while Bill Coller, an experienced ERM practitioner, enhances their strategies. They discuss Paychex's recent RIMS Global ERM Award win, explaining how their team acts as the organization's conscience. Key insights include the importance of a strong risk culture, the innovative concept of risk rotation to engage non-risk staff, and tips for effective audience presentations. They also address emerging risks like AI and the mindset required for successful mergers and acquisitions.

Kellee Ann Richards-St. Clair is the Vice President of Commercial at Phoenix Park Energy Marketing Limited, bringing a wealth of experience in energy-sector strategy and enterprise risk management. She shares her unique journey from studying chemistry to leading commercial functions in a gas supply organization. The discussion dives into the interconnected nature of risks, the importance of storytelling in communicating analysis, and the integration of sustainability into ERM. Kellee also highlights emerging resource constraints and geopolitical risks that could reshape the energy landscape.

Chrystina Howard, an accomplished ERM leader with decades of consulting experience at HUB International, shares insights on navigating emerging risks. She delves into geopolitical volatility, AI's transformative role in healthcare, and strategies to keep resilience aligned with corporate goals. Chrystina also reveals engaging techniques for capturing C-Suite attention and emphasizes the importance of tailored communication focused on executive priorities. Tune in for practical tips on avoiding the pitfalls of traditional ERM approaches and enhancing risk management effectiveness.

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Shawn Punancy, Sr. Manager, Enterprise Risk Management of Delta Air Lines, Inc. Justin and Shawn discuss her fascinating career history, disruption in the airline industry, Shawn's risk philosophy at Delta Airlines, and how her ERM team stays connected to the business while maintaining a long-term strategic view of risk. Shawn will present two sessions with Lianne Appelt, the Head of Enterprise Risk Management at Salesforce, at the RIMS ERM Conference on November 17th and 18th in Seattle, Washington. Shawn shares some hints on what to expect from the sessions. Listen for Shawn's view on the biggest opportunity right now for ERM professionals to elevate their impact across the enterprise. Key Takeaways: [:01] About RIMS and RIMScast. [:15] The RIMS CRO Certificate Program in Advanced Enterprise Risk Management is our live virtual program led by the famous James Lam. Great news! A third cohort has been announced, from January through March 2026. [:32] Registration closes January 5th. Enroll now! A link is in this episode's show notes. [:40] About this episode of RIMScast. We are flying high today, with Shawn Punancy, the Manager of Enterprise Risk Management for Delta Air Lines, Inc. Buckle in for the many aviation puns you're going to hear during this episode! But first… [1:12] RIMS-CRMP Prep Workshops! The next RIMS-CRMP Prep Workshops will be held on October 29th and 30th and led by John Button. [1:24] The next RIMS-CRMP-FED Virtual Workshop will be held on November 11th and 12th and led by Joseph Mayo. Links to these courses can be found through the Certifications page of RIMS.org and through this episode's show notes. [1:41] RIMS Virtual Workshops! RIMS has launched a new course, "Intro to ERM for Senior Leaders." It will be held again on November 4th and 5th and will be led by Elise Farnham. [1:56] On November 11th and 12th, Chris Hansen will lead "Fundamentals of Insurance". It features everything you've always wanted to know about insurance but were afraid to ask. Fear not; ask Chris Hansen! RIMS members always enjoy deep discounts on the virtual workshops! [2:15] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's notes. [2:26] RIMS Webinars! On October 30th, Swiss Re will present "Parametric Insurance: Providing Financial Certainty in Uncertain Times". On November 6th, HUB will present "Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World". [2:47] Register at RIMS.org/Webinars. [2:50] On with the show! Our guest today is the Manager of Enterprise Risk Management for Delta Air Lines, Inc. Her name is Shawn Punancy, and she has a fascinating career that I want to delve into today. [3:03] I also asked her to be on the show because she will have quite a presence at the RIMS ERM Conference 2025, which will be held on November 17th and 18th in Seattle, Washington. [3:14] On November 17th, at 11:45 a.m., she will be co-leading "Connections Count: Strategic Networking to Strengthen Risk Oversight." On November 18th, at 9:00 a.m., she will co-lead "How Deep Should You Go?: Rightsizing Risk Assessment for Maximum Impact." [3:33] In addition to learning about her fascinating career, I wanted to get a little preview of each of those sessions and learn a bit about her risk philosophy at Delta. Let's get to it! [3:44] Interview! Shawn Punancy, welcome to RIMScast! [3:53] Shawn Punancy is the ERM Senior Manager at Delta Air Lines, Inc. Shawn will be at the RIMS ERM Conference 2025, November 17th and 18th. Shawn has a fascinating career. [5:00] Shawn was an intelligence analyst at the U.S. DOD from 2011 to 2012, then moved to the CIA as a Senior Intelligence Analyst for seven years. [5:18] Shawn says it was great working at the CIA. She thinks there are very few places where you can work and have such broad awareness. Her year at the DOD was to prepare her to work at the CIA. [6:10] As an Analyst, Shawn worked in counter-terrorism, counter-narcotics, traditional political analysis, and leadership analysis. She did some targeting work, which is helpful for ERM. [6:27] After Shawn left the government, she worked briefly for a consulting firm in Atlanta, Georgia, doing business operating risk. She got word of a job in the Delta Corporate Safety and Security Division on the Intelligence and Risk Mitigation Team. [6:51] Shawn joined Delta, doing that for two years. She got to meet her Director, Eric Mai, whom she absolutely adores, and she's not just saying that because he may listen to this! Eric Mai introduced Shawn to the world of ERM. [7:07] Shawn started to see all the nexuses that existed between multiple different risks. Shawn says that working in corporate security on risk mitigation is like working at the DOD, but working in ERM is like working at the CIA. [7:42] Shawn was in high school on 9/11, and her mother was on a plane during the 9/11 attacks. Thankfully, she was not on a plane that was targeted on that terrible day. It left a lasting impression. [7:55] Shawn went on to study those types of events in International Affairs and Politics. That's how she got to her path in the government. Shawn is mission-driven and purposeful in her work. [8:42] Shawn applied to Delta when someone sent her a job posting. Shawn saw the posting and thought it looked like it was written for her. Shawn is thankful it worked out. [8:58] Shawn started as Program Manager for Intelligence and Risk Mitigation. She held that position for almost two years. In December of 2023, Shawn became Manager of ERM. The position did not exist before Shawn. ERM had been one person since 2019, when it was begun. [9:37] Eric Mai set up the ERM program. He realized that for it to continuously improve and grow, he needed another person. He went to bat for that role. Around the time it was posted, Eric came to Shawn and said that she might want to consider it, and he would love to have her apply. [9:57] Shawn is super grateful that Eric asked her. [10:13] Shawn says it is striking that ERM has played a small role in many companies. What if you don't know who that person is, or you're not engaging with that person? [10:53] Shawn has noticed that in several industries, the aviation industry included, everything is highly siloed. How does one ERM person get to everybody across the business? How do they make ERM relevant for the leadership and the board? [11:15] Something different could happen any day in the airline industry. Shawn says every day they get a notification from their Duty Director about what the day will look like. Some days, the system looks good: they're moving tens of thousands of people on several thousand flights. [11:33] Other days, there's a hurricane or something, or there is a strike somewhere that completely upends the day. It's a lively environment. [11:56] The American Airlines regional jet and helicopter crash in Washington, D.C. this year put a spotlight on Safety and Risk Managers to ensure they had the proper protocols in place and understood all the communication channels. They double-checked the protocols. [12:40] One thing Shawn loves about the airline industry is that safety is for everyone. There's no competition in safety. No one places blame. They come together to ensure that they are in the best position to continue to put safety first, not only for customers but also for all employees. [13:17] If Shawn had a mantra, it would be, You get further together than you do as an individual. She learned that from her time in Corporate Safety and Security and as an ERM professional. She could not do her job without relationships and connections across the company. [14:05] Shawn says Delta has a strong governance structure. The risk committee reports to the executive leadership team. ERM meets with the risk committee monthly to talk about what is coming up. ERM tracks that, so as risks build, they remember what was said months ago. [14:29] They prepare themselves for the known events of the next couple of months, such as an upcoming audit, an issue with plane manufacturers, or a suspected coming fleet delay. [14:53] ERM uses its governance structure to think through how to manage the risk, who is responsible, who is touched, what should be reported up to the leadership, and what can be managed at the business level. [15:07] Looking longer-term, ERM recently started talking directly to board members, asking for their perceptions about risk over the next three to five years. ERM also asks that question of the business leadership annually, to make sure management shares the same vision as the board. [15:38] ERM adds value by showing where those visions aligned, or if and when they diverged. Using that information helps inform the broader risk landscape. ERM uses that to engage the Strategy team with their annual goals and pillars; their Annual "Flight Plan." [16:08] ERM shows the collected data on where risk lies to the Strategy Team and asks how it might affect the Flight Plan and the Five-Year Strategy. It's the role of ERM to highlight the risks they've identified through the forums they've engaged. [16:36] Shawn has two on her ERM team, including herself. Her team has strong relationships across Delta. That helps ERM to be a force multiplier. They lean on their colleagues to help stay aware, figure out the best direction to guide ERM efforts, and make an impact where possible. [17:24] Quick Break! RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through the 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when you register by October 30th! [17:43] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by October 30th, and you will also be entered to win a $500 raffle! Do not miss out on this chance to plan and score some of these extra perks! [17:57] The members-only registration link is in this episode's show notes. If you are not yet a member, this is the time to join us! Visit RIMS.org/Membership and build your network with us here at RIMS! [18:09] Save the dates March 18th and 19th, 2026, for The RIMS Legislative Summit, which will be held in Washington, D.C. [18:17] Join us in Washington, D.C., for two days of Congressional Meetings, networking, and advocating on behalf of the risk management community. Visit RIMS.org/Advocacy for more information and updates and to register. [18:33] Let's return to our interview with Shawn Punancy of Delta Airlines! [19:12] In the heat of a crisis, Delta Airlines has a number of immediate or intermediate response teams that stand up. ERM is a part of those teams. They help inform the strategy for how Delta will respond. In the immediate aftermath, ERM is in listening mode. [19:25] ERM takes what they heard and goes on to support the strategic planning, moving forward. Business Continuity or Corporate Communications will handle the immediate feedback and response. [19:38] If it's likely to have a long-lasting impact on Delta, ERM will facilitate conversations among stakeholders across the enterprise to ensure that Delta has completely and cleanly exited the crisis and that they're on a good footing to avoid future crises of the same ilk. [20:05] One Final Break! As many of you know, the RIMS ERM Conference 2025 will be held on November 17th and 18th in Seattle, Washington. We recently had ERM Conference Keynote Speaker Dan Chuparkoff on the show. [20:23] He is back, just to deliver a quick message about what you can expect from his keynote on "AI and the Future of Risk." Dan, welcome back to RIMScast! [20:34] Dan says, Greetings, RIMS members and the global risk community! I'm Dan Chuparkoff, AI expert and the CEO of Reinvention Labs. I'm delighted to be your opening keynote on November 17th, at the RIMS ERM Conference 2025 in Seattle, Washington. [20:49] Artificial Intelligence is fueling the next era of work, productivity, and innovation. There are challenges in navigating anything new. This is especially true for risk management, as enterprises adapt to shifting global policies, economic swings, and a new generation of talent. [21:07] We'll have a realistic discussion about the challenges of preparing for the future of AI. To learn more about my keynote, "AI and the Future of Risk Management," and how AI will impact Enterprise Risk Management for you, listen to my episode of RIMScast at RIMS.org/Dan. [21:26] Be sure to register for the RIMS ERM Conference 2025, in Seattle, Washington, on November 17th and 18th, by visiting the Events page on RIMS.org. I look forward to seeing you all there. [21:37] Justin thanks Dan and looks forward to seeing him again on November 17th and hearing all about the future of AI and risk management! [21:45] Let's Conclude Our Interview with One of the Presenters at the RIMS ERM Conference 2025, Shawn Punancy of Delta Airlines! [22:17] There are two opportunities to experience Shawn Punancy in person at the RIMS ERM Conference 2025, November 17th and 18th. She will be presenting with Lianne Appelt, the Head of Enterprise Risk Management at Salesforce: [22:47] Shawn says Lianne is the sweetest person she has ever met! Lianne is one of Justin's favorite people to work with on the Strategic Enterprise Risk Management Council. [23:24] On November 17th, at 11:45 a.m., Shawn and Lianne will present, "Connections Count: Strategic Networking to Strengthen Risk Oversight." If you're a new risk professional or a rising star, and you want to get to the basics, this is the sort of session you attend. [24:05] Shawn gives the elevator pitch for the presentation. She says, if you understand anything about ERM, you understand that it's not something you can do alone. Having relationships across an enterprise is paramount to the success of any ERM program. [24:22] Figure out what opportunities exist to pursue those relationships. Annual or quarterly risk assessments are natural avenues for building relationships, but there are lots of others. Outside of formal structures, how can you engage people? [24:39] How can you use the data you've collected to drive conversations that may not otherwise exist? Those conversations inform you better and equip you better as an ERM professional as you get ready to present to your leadership team, audit committee, or board. [25:42] Shawn has found that offering external information that may not otherwise be available to her stakeholders is a good way for her to go in and have a conversation. [26:00] The information she offers is either something she's gotten from a vendor, or a risk source she has been tracking, or something ERM has done internally but hasn't publicized. She says, We have this piece of information we think is valuable to you. [26:20] Shawn finds that it's an incredible way to open doors, strengthen or start relationships, and use that to find a way to continue the conversation iteratively. It's been incredible for expanding who ERM talks to since Shawn has joined the team. [26:37] ERM already had a broad network, but looking for new opportunities has expanded it. [26:43] Shawn says Never let a good crisis or risk go to waste. ERM gets a daily bulletin of every news clip that mentions Delta. [27:00] ERM uses that as an opportunity to say, We've not engaged with you, but we saw this and it's something worth tracking at a more macro level on this other part of the spectrum. We'd love to talk to you about how the two pieces connect. [27:17] Some of that depends on company culture. Delta is one of those amazing places where you can email just about everybody and they will respond. That has been very helpful for Shawn. She knows that's not easily replicated everywhere. Shawn has also never met a stranger. [27:41] Understanding that ERM has value to add, whether it's relaying information or showing interconnections, there's a lot there, and people are usually responsive. [28:17] Talking to the board goes back to the relationships you have and the conversations you've had. If you're talking to the right people throughout the year, who have access to significant board member concerns, use that to help craft your story. [28:37] Shawn says pairing the insight you've gotten from those relationships with the data you have in your program helps drive a compelling narrative. [28:56] On November 18th, at 9:00 a.m., Shawn and Lianne will present an advanced-level session, "How Deep Should You Go?: Rightsizing Risk Assessments for Maximum Impact," tailoring risk assessments to organizational maturity. [29:21] Shawn says it's a mistake for an ERM group not to understand what they have at their disposal in terms of data or stakeholders. Everything doesn't work for everybody. [29:28] You don't need a major, formalized 16-step assessment process when you're a new and burgeoning program. An older, more established program doesn't need something overly complex that doesn't match your company culture. [29:45] Shawn says she has been doing ERM for just shy of two years, so she's not the foremost expert in the room. She likes to rely on her historical experience of taking a bunch of data and talking to a lot of people, collecting intel, and figuring out what the story is. [30:02] Shawn is super passionate about this. With the 8,000 ways you can do a risk assessment, it's so important to consider some specific factors that will help you to have a stronger impact when you do the assessment. Shawn will save those for the presentation. [30:55] Shawn says she firmly believes the biggest opportunity for ERM professionals is to find and communicate that interconnected risk. We hear it everywhere. Justin points out that a paper on "Understanding Interconnected Risks" is in this episode's show notes. [31:13] Shawn thinks that's the biggest opportunity for ERM. Many teams have their risk evaluation silos. Having someone come in and show how A is connected to D, is connected to X, is the next step and the game-changer for a lot of teams. [31:38] Justin says, I'm looking forward to meeting you in person, and I'm so glad that you're going to be delivering the two sessions, Monday, November 17th, and Tuesday, November 18th! It was a pleasure to meet you! [32:08] Shawn is very thankful for this opportunity and super excited about talking about this content, partnering with Lianne, and meeting the broader RIMS community. [32;21] Special thanks again to Shawn Punancy of Delta Airlines for joining us here on RIMScast! Be sure to catch her presentations on November 17th and 18th at the RIMS ERM Conference 2025 in Seattle, Washington. [32:27] A link to the agenda is in this episode's show notes. Register today, we want to see you there! [32:43] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [33:11] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [33:28] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [33:45] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [34:01] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [34:15] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [34:27] Practice good risk management, stay safe, and thank you again for your continuous support! Links: RIMS ERM Conference 2025 — Nov. 17‒18 RIMS-CRO Certificate Program In Advanced Enterprise Risk Management | Jan‒March 2026 Cohort | Led by James Lam RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026 RISKWORLD 2026 — Members-only early registration through Oct 30! RIMS-Certified Risk Management Professional (RIMS-CRMP) The Strategic and Enterprise Risk Center RIMS Diversity Equity Inclusion Council RIMS Risk Management magazine | Contribute RIMS Now RIMS Professional Report: "Understanding Interconnected Risks" Upcoming RIMS Webinars: RIMS.org/Webinars "Parametric Insurance: Providing Financial Certainty in Uncertain Times" | Oct. 30, 2025 | Sponsored by Swiss Re "Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World" | Nov. 6 | Sponsored by Hub Upcoming RIMS-CRMP Prep Virtual Workshops: RIMS-CRMP Virtual Exam Prep — Oct. 29‒30, 2025 RIMS-CRMP-FED Exam Prep Virtual Workshop — November 11‒12 Full RIMS-CRMP Prep Course Schedule "Intro to ERM for Senior Leaders" | Nov. 4‒5 | Instructor: Elise Farnham "Fundamentals of Insurance" | Nov. 11‒12 | Instructor: Chris Hansen "Leveraging Data and Analytics for Continuous Risk Management (Part I)" | Dec 4. See the full calendar of RIMS Virtual Workshops RIMS-CRMP Prep Workshops Related RIMScast Episodes about ERM: "AI and the Future of Risk with Dan Chuparkoff" (RIMS ERM Conference Keynote) "Tom Brandt on Growing Your Career and Organization with ERM" "James Lam on ERM, Strategy, and the Modern CRO" "ERM, Retail, and Risk with Jeff Strege" "Bigger Risks with the Texas State Office of Risk Management" | Sponsored By Hillwood "ERMotivation with Carrie Frandsen, RIMS-CRMP" "Live from the ERM Conference 2024 in Boston!" "Risk Quantification Through Value-Based Frameworks" Sponsored RIMScast Episodes: "Cyberrisk: Preparing Beyond 2025" | Sponsored by Alliant (New!) "The New Reality of Risk Engineering: From Code Compliance to Resilience" | Sponsored by AXA XL "Change Management: AI's Role in Loss Control and Property Insurance" | Sponsored by Global Risk Consultants, a TÜV SÜD Company "Demystifying Multinational Fronting Insurance Programs" | Sponsored by Zurich "Understanding Third-Party Litigation Funding" | Sponsored by Zurich "What Risk Managers Can Learn From School Shootings" | Sponsored by Merrill Herzog "Simplifying the Challenges of OSHA Recordkeeping" | Sponsored by Medcor "Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report" | Sponsored by AXA XL "How Insurance Builds Resilience Against An Active Assailant Attack" | Sponsored by Merrill Herzog "Third-Party and Cyber Risk Management Tips" | Sponsored by Alliant RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars RIMS-Certified Risk Management Professional (RIMS-CRMP) RISK PAC | RIMS Advocacy RIMS Strategic & Enterprise Risk Center RIMS-CRMP Stories — Featuring RIMS President Kristen Peed! RIMS Events, Education, and Services: RIMS Risk Maturity Model® Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information. Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts. Have a question or suggestion? Email: Content@rims.org. Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn. About our guest: Shawn Punancy, Sr. Manager, Enterprise Risk Management of Delta Air Lines, Inc. Production and engineering provided by Podfly.

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Katherine Henry of Bradley, Arant, Boult, Cummings, and Harold (Hal) Weston of Georgia State University, Greenberg School of Risk Science, who are here to discuss their new professional report, "A 2025 Cybersecurity Legal Safe Harbor Overview." Katherine and Hal take the discussion beyond the pages and delve into best cybersecurity practices, cyber insurance, and Safe Harbor laws offered by some states and possibly to be offered soon by others. They discuss frameworks and standards, and what compliance means for your organization, partly based on your state law. Listen for advice to help you be prepared against cybercrime. Key Takeaways: [:01] About RIMS and RIMScast. [:16] About this episode of RIMScast. We will be joined by the authors of the legislative review, "A 2025 Cybersecurity Legal Safe Harbor Overview", Katherine Henry and Harold Weston. Katherine and Harold are also prominent members of the RIMS Public Policy Committee. [:48] Katherine and Harold are also here to talk about Cybersecurity Awareness Month and safe practices. But first… [:53] RIMS-CRMP Prep Workshops! The next RIMS-CRMP Prep Workshops will be held on October 29th and 30th and led by John Button. [1:05] The next RIMS-CRMP-FED Virtual Workshop will be held on November 11th and 12th and led by Joseph Mayo. Links to these courses can be found through the Certifications page of RIMS.org and through this episode's show notes. [1:23] RIMS Virtual Workshops! RIMS has launched a new course, "Intro to ERM for Senior Leaders." It will be held again on November 4th and 5th and will be led by Elise Farnham. [1:37] On November 11th and 12th, Chris Hansen will lead "Fundamentals of Insurance". It features everything you've always wanted to know about insurance but were afraid to ask. Fear not; ask Chris Hansen! RIMS members always enjoy deep discounts on the virtual workshops! [1:56] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's notes. [2:08] Several RIMS Webinars are being hosted this Fall. On October 16th, Zurich returns to deliver "Jury Dynamics: How Juries Shape Today's Legal Landscape". On October 30th, Swiss Re will present "Parametric Insurance: Providing Financial Certainty in Uncertain Times". [2:28] On November 6th, HUB will present "Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World". Register at RIMS.org/Webinars. [2:40] Before we get on with the show, I wanted to let you know that this episode was recorded in the first week of October. That means we are amid a Federal Government shutdown. RIMS has produced a special report on "Key Considerations Regarding U.S. Government Shutdown." [2:58] This is an apolitical problem. It is available in the Risk Knowledge section of RIMS.org, and a link is in this episode's show notes. Visit RIMS.org/Advocacy for more updates. [3:12] Remember to save March 18th and 19th on your calendars for the RIMS Legislative Summit 2026, which will be held in Washington, D.C. I will continue to keep you informed about that critical event. [3:24] On with the show! It's National Cybersecurity Awareness Month here in the U.S. and in many places around the world. Cyber continues to be a top risk among organizations of all sizes in the public and private sectors. [3:40] That is why I'm delighted that Katherine Henry and Harold (Hal) Weston are here to discuss their new professional report, "A 2025 Cybersecurity Legal Safe Harbor Overview". [3:52] This report provides a general overview of expected cybersecurity measures that organizations must take to satisfy legal Safe Harbor requirements. [4:01] It summarizes state Safe Harbor laws that have been developed to ensure organizations are proactive about cybersecurity and that digital, financial, and intellectual assets are legally protected when that inevitable cyber attack occurs. [4:15] We are here to extend the dialogue. Let's get started! [4:21] Interview! Katherine Henry and Hal Weston, welcome to RIMScast! [4:41] Katherine was one of he first guests on RIMScast. Katherine is Chair of the Policyholder Insurance Coverage Practice at Bradley, Arant, Boult, Cummings. Her office is based in Washington, D.C. She works with risk managers all day on insurance issues. [5:05] Katherine has been a member of the RIMS Public Policy Committee for several years. She serves as an advisor to the Committee. [5:12] Justin thanks Katherine for her contributions to RIMS. [5:25] Hal is with Georgia State University. He has been with RIMS for a couple of decades. Hal says he and Katherine have served together on the RIMS Public Policy Committee for maybe 10 years. [5:48] Hal is a professor at Georgia State University, a Clinical Associate in the Robinson College of Business, Greenberg School of Risk Science, where he teaches risk management and insurance. Before his current role, Hal was an insurance lawyer, both regulatory and coverage. [6:05] Hal has a lot of students. He is grading exams this week. He has standards for his class. In the real world, so does a business. [6:46] Katherine and Hal met through the RIMS Public Policy Committee. They started together on some subcommittees. Now they see each other at the annual meeting and on monthly calls. [7:05] Katherine and Hal just released a legislative review during RIMS's 75th anniversary, "A 2025 Cybersecurity Legal Safe Harbor Overview". It is available on the Risk Knowledge page of RIMS.org. [7:20] We're going to get a little bit of dialogue that extends beyond the pages. [7:31] Katherine explains Safe Harbor: When parties are potentially liable to third parties for claims, certain states have instilled Safe Harbor Laws that say, If you comply with these requirements, we'll provide you some liability protection. [7:45] Katherine recommends that you read the paper to see what the laws are in your state. The purpose of the paper is to describe some of those Safe Harbor laws, as well as all the risks. [8:04] October 14th, the date this episode is released, is World Standards Day. Hal calls that good news. Justin says the report has a correlation with the standards in the risk field. [8:43] Justin states that many states tie Safe Harbor eligibility to frameworks like NIST, the ISO/IEC 27000, and CIS Controls. [9:27] Hal says, There are several standards, and it would be up to the Chief Information Security Officer to guide a company on which framework might be most appropriate for them. There are the NIST, UL, and ISO, and they overlap quite a bit. [9:56] These are recognized standards. In some states, if a company has met this standard of cybersecurity, a lawsuit against the company for breach of its standard of care for maintaining its information systems would probably be defensible for having met a recognized standard. [10:23] Katherine adds that as risk managers, we can't make the decision about which of these external standards is the best. Many organizations have a Cybersecurity Officer responsible for this. [10:44] For smaller organizations, there are other options, including outsourcing to a vendor. Their insurance companies may have recommendations. So you're not on your own in making this decision. [11:14] Katherine says firms should definitely aim for one recognized standard. Katherine recommends you try to adhere to the highest standard. If you are global, you need to be conscious of standards in other countries. [11:46] Hal says California tends to have the highest standards for privacy and data protection. If you're a financial services company, you're subject to New York State's Department of Financial Services Cyber Regulation. [12:02] If you're operating in Europe, GDPR is going to be the guiding standard for what you should do. Hal agrees with Katherine: Any company that spans multiple states should pick the highest standard and stick to that, rather than try to implement five or 52 standards. [12:23] When you're overseas, you may not be able to just pick the highest standard; there are challenges in going from one country or region of Europe back to the U.S. If one is higher, it will probably be easier. [12:38] There are major differences between the U.S., which has little Federal protection, vs. state protection. [13:10] Katherine says if you don't have the internal infrastructure, and you can't afford that infrastructure, the best thing is to pivot to an outside vendor. There are many available, with a broad price range. Your cyber insurer may also have some vendors they already work with. [13:40] Hal would add, Don't just think about Safe Harbors. That's just a legal defense. Think about how you reduce the risk by adopting standards or hiring outside firms that will provide that kind of risk protection and IT management. [13:59] If they're doing it right, they may tell you the standards they use, and they may have additional protocols, whether or not they fall within those standards, that would also be desirable. A mid-sized firm is probably outsourcing it to begin with. [14:21] They have to be thinking about it as risk, rather than just Safe Harbor. You have to navigate to the Safe Harbor. You don't just get there. [14:31] Quick Break! RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through the 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when you register by October 30th! [14:50] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by October 30th, and you will also be entered to win a $500 raffle! Do not miss out on this chance to plan and score some of these extra perks! [15:03] The members-only registration link is in this episode's show notes. If you are not yet a member, this is the time to join us! Visit RIMS.org/Membership and build your network with us here at RIMS! [15:16] The RIMS Legislative Summit 2026 is mentioned during today's episode. Be sure to mark your calendar for March 18th and 19th in Washington, D.C. Keep those dates open. [15:28] Join us in Washington, D.C., for two days of Congressional Meetings, networking, and advocating on behalf of the risk management community. Visit RIMS.org/Advocacy for more information and updates. [15:41] Let's return to our interview with Katherine Henry and Hal Weston! [15:54] We're talking about their new paper, "A 2025 Cybersecurity Legal Safe Harbor Overview". Katherine mentions that some businesses are regulated. They have to comply with external regulatory standards. [16:38] Other small brick-and-mortar businesses may not have any standards they have to comply with. They look for what to do to protect themselves from cyber risk, and how to tell others they are doing that. [16:54] If you can meet the standards of Safe Harbor laws, a lot of which are preventative, before a breach, you can inform your customers, "These are the protections we have for your data." You can tell your board, "These are the steps we're taking in place." [17:13] You can look down the requirements of the Safe Harbor law in your state or a comparable state, and see steps you can take in advance so you can say, "We are doing these things and that makes our system safer for you and protects your data." [17:34] Hal says you don't want to have a breach, and if you do, it would be embarrassing to admit you were late applying a patch, implementing multi-factor authentication, or another security measure. By following standards of better cyber protection, you avoid those exposures. [18:07] Hal says every company has either been hacked and knows it, or has been hacked and doesn't know it. If you're attacked by a nation-state that is non-preventable, you're in good shape. [18:26] If you're attacked because you've left some ports open on your system, or other things that are usually caught in cybersecurity analyses or assessments, that's the embarrassing part. You don't want to be in that position. [18:43] Katherine says it's not just your own systems, but if you rely on vendors, you want to ensure that the vendors have the proper security systems in place so that your data, to the extent that it's transmitted to them, is not at risk. [19:07] Also, make sure that your vendors have cyber insurance and that you're an additional insured on that vendor's policy if there's any potential exposure. [19:22] Hal says If you're using a cloud provider, do you understand what the cloud provider is doing? In most cases, they will provide better security than what you could do on your own, but there have been news stories that even some of those have not been perfect. [20:22] Hal talks about the importance of encryption. It's in the state statutes and regulations. There have been news stories of companies that didn't encrypt their data on their servers or in the cloud, and didn't understand encryption, when a data breach was revealed. [20:52] Hal places multi-factor authentication up with encryption in importance. There was a case brought against a company that did not have MFA, even though it said on its application on the cyber policy that the company used it. [21:13] Hal says these are standard, basic things that no company should be missing. If you don't know that your data is encrypted, get help fast to figure that out. [21:51] Hal has also seen news stories of major companies where the Chief Technology Officer has been sued individually, either by the SEC or others, for not doing it right. [22:07] Katherine mentions there are insurance implications. If you mistakenly state you're providing some sort of protection on your insurance application that you're not providing, the insurer can rescind your coverage, so you have no coverage in place at all. [22:23] Katherine says, These are technical safeguards, but we know the human factor is one of the greatest risks in cybersecurity. Having training for everyone who has access to your computer system, virtually everyone in your organization, is very important. [22:49] Have a test with questions like, Is this a spam email or a real email? There are some vendors who can do all this for you. Statistics show that the human element is one of the most significant problems in cybersecurity protection. [23:05] Justin says it's October, Cybersecurity Awareness Month in the U.S. Last week's guest, Gwenn Cujdik, the Incident Response and Cyber Services Lead for North America at AXA XL, said the number one cyber risk is human error, like clicking the phishing link. [23:45] Justin brings up that when he was recently on vacation, he got an email on his personal email account, "from his CEO," asking him to handle something for them. Justin texted somebody else at RIMS, asking if they got the same email, and they hadn't. [24:14] Justin sent the suspect email to the IT director to handle. You have to be vigilant. Don't let your guard down for a second. [24:48] Katherine has received fake emails, as well. [24:51] Hal says it has happened to so many people. Messages about gift cards or the vendor having a new bank account. Call the vendor that you know and ask what this is. [25:12] Hall continues. It's important to train employees in cybersecurity, making sure that they are using a VPN when they are outside of the office, or even a VPN that's specific to your company. [25:32] Hal saw in the news recently that innocent-looking PDF files can harbor lots of malware. If you're not expecting a PDF file from somebody, don't click on that, even if you know them. Get verification. Start a new thread with the person who sent it and ask if it is a legitimate PDF. [26:08] Justin says of cybercriminals that they are smart and their tactics evolve faster than legislation. How can organizations anticipate the next generation of threats? [26:34] Katherine says, You need to have an infrastructure in your organization that does that, or you need to go to an outside vendor. You need some sort of protection, internally or externally. [27:11] Katherine says she works with CFOs all the time. If an organization isn't large enough to have a risk manager, it's a natural fit for the CFO, who handles finances, to handle insurance. When it comes to cybersecurity, a CFO needs help. [27:46] The CFO should check the cyber policy to see what support services are already there and see if there are any that are preventative, vs. after a breach. If there are not, Katherine suggests pivoting to an outside vendor. [28:07] Hal continues, This interview is for RIMS members who are risk managers and the global risk community. Risk managers don't claim to know all the risk control measures throughout a company. They rely upon the experts in the company and outside. [28:29] If the CFO is the risk manager, he or she has big gaps in expertise needed for risk management. It's the same for the General Counsel running risk management. Risk managers are known for having small staffs and working with everybody else to get the right answers. [28:55] If you're dealing with the CFO or General Counsel in those roles, they need to be even more mindful to work with the right experts for guidance. [29:09] One Final Break! As many of you know, the RIMS ERM Conference 2025 will be held on November 17th and 18th in Seattle, Washington. We recently had ERM Conference Keynote Speaker Dan Chuparkoff on the show. [29:26] He is back, just to deliver a quick message about what you can expect from his keynote on "AI and the Future of Risk." Dan, welcome back to RIMScast! [29:37] Dan says, Greetings, RIMS members and the global risk community! I'm Dan Chuparkoff, AI expert and the CEO of Reinvention Labs. I'm delighted to be your opening keynote on November 17th at the RIMS ERM Conference 2025 in Seattle, Washington. [29:52] Artificial Intelligence is fueling the next era of work, productivity, and innovation. There are challenges in navigating anything new. This is especially true for risk management, as enterprises adapt to shifting global policies, economic swings, and a new generation of talent. [30:10] We'll have a realistic discussion about the challenges of preparing for the future of AI. To learn more about my keynote, "AI and the Future of Risk Management," and how AI will impact Enterprise Risk Management for you, listen to my episode of RIMScast at RIMS.org/Dan. [30:29] Be sure to register for the RIMS ERM Conference 2025, in Seattle, Washington, on November 17th and 18th, by visiting the Events page on RIMS.org. I look forward to seeing you all there. [30:40] Justin thanks Dan and looks forward to seeing him again on November 17th and hearing all about the future of AI and risk management! [30:48] Let's Conclude Our Interview about Navigating Cyber and IT Practices to Legal Safe Harbors with Katherine Henry and Hal Weston! [31:17] Katherine tells about how Safe Harbor compliance influences cyber insurance. If your organization applies for cyber insurance and you can't meet some minimum threshold that will be identified on the application, the insurer will not even offer you cyber insurance. [31:34] You need to have some cyber protections in place. That's just to procure insurance. Cyber insurance availability is growing. Your broker can bring you more insurers to quote if you can show robust safeguards. [32:05] After the breach, your insurer is supposed to step in to help you. Your insurer will be mindful of whether or not your policy application is correct and that you have all these protections in place. [32:21] The more protections you have, the quicker you might be able to shut down the breach, and the resulting damage from the breach, and that will lower the resulting cost of the claim and have less of an impact on future premiums. [32:36] If the cyber insurer just had to pay out the limits because something wasn't in place, that quote next year is not going to look so pretty. Your protections have a direct impact on both the availability and cost of coverage. [32:50] Justin mentions that the paper highlights Connecticut, Tennessee, Iowa, Ohio, Utah, and Oregon as the states with Safe Harbor laws. The Federal requirements are also listed. Katherine expects that more states will offer Safe Harbor laws as cybercrime lawsuits increase. [33:42] Hal says Oregon, Ohio, and Utah were the leaders in creating Safe Harbors. Some of the other states have followed. Safe Harbor is a statutory protection against liability claims brought by the public. [34:06] In other states, you can't point to a statute that gives protection, but you can say you complied with the highest standards in the nation, and you probably have a pretty defensible case against a claim for not having kept up with your duty to protect against a cyber attack. [34:55] Hal adds that every company is going to be sued, and the claim is that you failed to do something. If you have protected yourself with all the known best practices, as they evolve, what more is a company supposed to do? [35:18] The adversaries are nation-states; they are professional criminals, sometimes operating under the protection of nation-states, and they're using artificial intelligence to craft even more devious ways to get in. [36:19] Katherine speaks from a historical perspective. A decade ago, cyber insurance was available, but there was no appetite for it. There wasn't an understanding of the risk. [36:32] As breaches began to happen and to multiply, in large amounts of exposure, with companies looking at millions of dollars in claims, interest grew. Katherine would be surprised today if any responsible board didn't take cyber risk extremely seriously. [36:55] The board's decision now is what limits to purchase and from whom, and not, "Should we have cyber insurance at all?" Katherine doesn't think it's an issue anymore in any medium-sized company. [37:17] The risk manager should present to the board, "We benchmark. Our broker benchmarks. Companies of our size have had this type of claim, with this type of exposure, and they've purchased this amount of limits. We need to be at least in that place." Boards will be receptive. [37:43] If they are not receptive, put on a PowerPoint with all the data that's out there about how bad the situation is. The average cost of a breach is well over $2 million. The statistics are quite alarming. A wise decision-maker will understand that you need to procure this coverage. [38:10] Katherine says, from the cybersecurity side, you procure the coverage, you protect the company, and take advantage of the Safe Harbors. All of those things come together with the preventative measures we've been talking about. [38:24] You can show your decision-makers and stakeholders that if you do all those things, comply with these Safe Harbor provisions, you're going to minimize your exposure, increase the availability of insurance, and keep your premiums down. It's a win-win package. [38:41] Justin says, It has been such a pleasure to meet you, Hal, and thank you for joining us. Katherine, it is an annual pleasure to see you. We're going to see you, most likely, at the RIM Legislative Summit, March 18th and 19th, 2026, in Washington, D.C. [39:01] Details to come, at RIMS.org/Advocacy. Katherine, you'll be there to answer questions. Katherine looks forward to the Summit. She has gone there for years. It's a great opportunity for risk managers to speak directly to decision-makers about things that are important to them. [39:42] Special thanks again to Katherine Henry and Hal Weston for joining us here today on RIMScast! Remember to download the new RIMS Legislative Review, "A 2025 Cybersecurity Legal Safe Harbor Overview". [39:58] We are past the 30-day mark now, so the review is publicly available through the Risk Knowledge Page of RIMS.org. You can also visit RIMS.org/Advocacy for more information. In this episode's notes, I've got links to Katherine's prior RIMScast appearances. [40:18] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [40:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [41:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [41:22] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [41:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [41:53] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [42:05] Practice good risk management, stay safe, and thank you again for your continuous support! Links: RIMS Professional Report: "A 2025 Cybersecurity Legal Safe Harbor Overview" RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026 RIMS ERM Conference 2025 — Nov. 17‒18 RISKWORLD 2026 — Members-only early registration through Oct 30! RIMS-Certified Risk Management Professional (RIMS-CRMP) The Strategic and Enterprise Risk Center RIMS Diversity Equity Inclusion Council RIMS Risk Management magazine | Contribute RIMS Now Cybersecurity Awareness Month World Standards Day — Oct 14, 2025 Upcoming RIMS Webinars: RIMS.org/Webinars "Jury Dynamics: How Juries Shape Today's Legal Landscape" | Oct. 16, 2025 | Sponsored by Zurich "Parametric Insurance: Providing Financial Certainty in Uncertain Times" | Oct. 30, 2025 | Sponsored by Swiss Re "Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World" | Nov. 6 | Sponsored by Hub Upcoming RIMS-CRMP Prep Virtual Workshops: RIMS-CRMP Virtual Exam Prep — Oct. 29‒30, 2025 RIMS-CRMP-FED Exam Prep Virtual Workshop — November 11‒12 Full RIMS-CRMP Prep Course Schedule "Risk Appetite Management" | Oct 22‒23 | Instructor: Ken Baker "Intro to ERM for Senior Leaders" | Nov. 4‒5 | Instructor: Elise Farnham "Fundamentals of Insurance" | Nov. 11‒12 | Instructor: Chris Hansen "Leveraging Data and Analytics for Continuous Risk Management (Part I)" | Dec 4. See the full calendar of RIMS Virtual Workshops RIMS-CRMP Prep Workshops Related RIMScast Episodes about Cyber and with Katherine Henry: "National Cybersecurity Awareness Month 2025 with Gwenn Cujdik" "AI Risks and Compliance with Chris Maguire" "Data Privacy and Protection with CISA Chief Privacy Officer James Burd" "Cyberrisk Trends in 2025 with Tod Eberle of Shadowserver" "Legal and Risk Trends with Kathrine Henry (2023)" Sponsored RIMScast Episodes: "The New Reality of Risk Engineering: From Code Compliance to Resilience" | Sponsored by AXA XL (New!) "Change Management: AI's Role in Loss Control and Property Insurance" | Sponsored by Global Risk Consultants, a TÜV SÜD Company Demystifying Multinational Fronting Insurance Programs | Sponsored by Zurich "Understanding Third-Party Litigation Funding" | Sponsored by Zurich "What Risk Managers Can Learn From School Shootings" | Sponsored by Merrill Herzog "Simplifying the Challenges of OSHA Recordkeeping" | Sponsored by Medcor "Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report" | Sponsored by AXA XL "How Insurance Builds Resilience Against An Active Assailant Attack" | Sponsored by Merrill Herzog "Third-Party and Cyber Risk Management Tips" | Sponsored by Alliant "RMIS Innovation with Archer" | Sponsored by Archer "Navigating Commercial Property Risks with Captives" | Sponsored by Zurich "Breaking Down Silos: AXA XL's New Approach to Casualty Insurance" | Sponsored by AXA XL "Weathering Today's Property Claims Management Challenges" | Sponsored by AXA XL "Storm Prep 2024: The Growing Impact of Convective Storms and Hail" | Sponsored by Global Risk Consultants, a TÜV SÜD Company "Partnering Against Cyberrisk" | Sponsored by AXA XL "Harnessing the Power of Data and Analytics for Effective Risk Management" | Sponsored by Marsh "Accident Prevention — The Winning Formula For Construction and Insurance" | Sponsored by Otoos "Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties" | Sponsored by AXA XL "Elevating RMIS — The Archer Way" | Sponsored by Archer RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars RIMS-Certified Risk Management Professional (RIMS-CRMP) RISK PAC | RIMS Advocacy RIMS Strategic & Enterprise Risk Center RIMS-CRMP Stories — Featuring RIMS President Kristen Peed! RIMS Events, Education, and Services: RIMS Risk Maturity Model® Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information. Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts. Have a question or suggestion? Email: Content@rims.org. Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn. About our guests: Katherine Henry, Partner and Chair of the Policyholder Coverage Practice, Bradley, Arant, Boult, and Cummings Harold Weston, Clinical Associate Professor and WSIA Distinguished Chair in Risk Management and Insurance, Georgia State University College of Law Production and engineering provided by Podfly.

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Gwenn Cujdik, the Incident Response and Cyber Services Lead for North America at AXA XL. Justin and Gwenn cover various cybersecurity topics, and how her 15 years as an Assistant District Attorney prepared her for her current role of responding to cyber attacks. Listen for tips on securing your organization, large or small, from cyber attacks and responding when, not if, they come. Gwenn shares her experiences and some advice. Listen for Gwenn's insights to help you be vigilant and prepared against cybercrime. Key Takeaways: [:01] About RIMS and RIMScast. [:14] With great sadness, the RIMS family lost a true leader in September. Susan Meltzer was an exceptional risk professional and passionate volunteer with RIMS. She served as the Society's President in 1999 and 2000. [:29] RIMS has established a scholarship fund in her name. You can donate to that fund through RIMS, The Foundation for Risk Management®, at RIMS.org/FRM. [:46] About this episode of RIMScast. This is our National Cybersecurity Awareness Month episode. Here to lend her insight on all things cyber is Gwenn Cujdik. She is the Incident Response and Cyber Services Lead for North America at AXA XL. [1:19] We're also going to talk about her fascinating career that antedates her time in cyber. [1:24] RIMS-CRMP Prep Workshops! The next RIMS CRMP Prep Workshops will be held on October 29th and 30th and led by John Button. [1:36] The next RIMS-CRMP-FED Virtual Workshop will be held on November 11th and 12th and led by Joseph Mayo. Links to these courses can be found through the Certifications page of RIMS.org and through this episode's show notes. [1:53] RIMS Virtual Workshops! RIMS has launched a new course, "Intro to ERM for Senior Leaders." It will be held again on November 4th and 5th and will be led by Elise Farnham. [2:07] On November 11th and 12th, Chris Hansen will lead "Fundamentals of Insurance". It features everything you've always wanted to know about insurance but were afraid to ask. Fear not; ask Chris Hansen! RIMS members always enjoy deep discounts on virtual workshops! [2:26] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's notes. [2:37] Several RIMS Webinars are being hosted this Fall. On October 9th, Global Risk Consultants returns to deliver "Natural Hazards: A Data-Driven Guide to Improving Resilience and Risk Financing Outcomes". [2:51] On October 16th, Zurich returns to deliver "Jury Dynamics: How Juries Shape Today's Legal Landscape". On October 30th, Swiss Re will present "Parametric Insurance: Providing Financial Certainty in Uncertain Times". [3:08] On November 6th, HUB will present "Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World". Register at RIMS.org/Webinars. [3:20] On with the show! It's National Cybersecurity Awareness Month here in the U.S. and in many places around the world. Cyber continues to be a top risk among organizations of all sizes in the public and private sectors. [3:35] Joining me today to discuss cybersecurity awareness is Gwenn Cujdik. You may remember her from the RIMS AXA XL webinar on September 4th, "Lock Down & Level Up." [3:52] During that webinar, we had a brief, fascinating discussion about her time as an Assistant District Attorney in Pennsylvania. [4:01] I wanted to learn more about how someone transitions from a colorful career to cybersecurity and eventually becomes the Incident Response and Cyber Services Lead for North America at AXA XL. [4:15] She's got a lot on her plate. She's got a huge risk radar. We're going to talk all about it and help all the risk managers out there use her insight and perspective to protect their organizations. Let's get to it! [4:28] Interview! Gwenn Cujdik, welcome to RIMScast! [5:09] Gwenn is Incident Response and Cyber Services Lead for North America at AXA XL. When a client has a cyber breach, they call AXA XL and work with Gwenn's teams. [5:42] Gwenn works on training her teams to be able to respond, setting up procedures and processes to make the response seamless and collaborative, and making sure the clients get consistent service, whoever handles the call. [6:16] Gwen's team has 18. Four are in leadership with 14 more team members. Two managers directly supervise the teams to help them with answers to questions about unusual situations. [6:50] Gwenn helps the teams understand massive events and how they might affect AXA XL and their clients, how to interact with brokers, and technical matters. She helps the team understand coverages when it comes to something unique. "It's all hands on deck for us!" [7:55] Gwenn says, Fighting crime is a part of who I am. She is driven by helping others get through some terrible times. She has seen the worst of the worst. Sometimes it takes just one helping hand to get people through tough times. She has seen how impactful that can be. [8:44] Sometimes, in a crisis, how people interact with the victim could be the recipe for them to recover fully from that event. Gwenn has seen people recover, take back their lives, move forward, and be survivors. She has seen corporations and companies do so and become better. [9:39] Justin repeats that Gwenn has seen the worst of the worst: homicides, murders, abuses of women and children, arson, and more. She has seen it all, including things that she wishes she hadn't seen. [10:27] Gwenn compares cyber incident response to her ADA work. A prosecutor has to be able to handle things under pressure. The best prosecutors are looking to do the right thing. Gwenn has met many people who, absent the crime, would have been friends. [11:06] You have to be able to see there's a human on the other side, and there are humans that they hurt. You do right by understanding that there are a lot of players involved, who are humans. [11:26] It helps you understand where somebody might be coming from. It helps you understand why they might be screaming at you. "I'm just the messenger, but let's talk about why you're so upset." [11:39] Gwenn says one of the cool things about being a prosecutor is that every case you have presents a different set of facts and circumstances. There's a law that's intertwined with it, and that's interesting for Gwenn. [11:54] The first time Gwenn had an arson case, she had to work with the Fire Marshals to understand how they knew the fire started here. How did they know it was a chemical? She started with the Fire Marshals and then went to the crime scene to talk to Forensic Chemists. [12:11] The Forensic Investigators explained the chemistry behind the Molotov Cocktail that was thrown through the window. This was how the fire started, and then it enveloped the room. [12:22] When Gwenn first worked with DNA, she found it to be incredibly complicated. She had to learn it to be able to explain it. Her job was to explain to 12 people why DNA mattered, why it's this guy, and not anybody else, that committed this crime; the numbers are insane. [12:44] It could be one in a hundred quadrillion that it's another person. Those numbers are insane, and it's really hard to understand. [12:56] Gwenn was in the DA's office when cell site analysis came around; being able to triangulate where someone is, using cell towers. The Philadelphia Field Office had one of the pioneers in that science. Gwenn learned from him. [13:13] One of Gwenn's matters was a homicide. They tracked the defendant from the scene of the crime, through public transportation, back to his house, using cell site triangulation. While they were mapping, the actor Joe Piscopo came by, touring the building. Gwenn was an SNL fan. [14:23] Gwenn's prosecutorial experience translates to cyber in that each matter is a little different. There's a bad guy at the other end. Gwenn is not sympathetic to the bad guys because they are anonymous. Nobody sees them or knows them. It's usually a criminal enterprise. [14:59] It's a group of people working together, motivated by money and wreaking havoc on people who are trying to make a living and support their families. The bad guys want to extort millions of dollars and put businesses and livelihoods in danger. [15:42] In Philadelphia, the elite of the elite prosecutors worked in homicide. Some spend 20 or 30 years there. Gwenn was an ADA for 15 years, but couldn't see herself doing it for 20 or 30 years. She wanted to stay positive and be a force for good when she was dealing with bad. [16:34] She wondered where she could go to have a similar impact for good, investigating, and helping people get through an awful time. [16:45] Gwenn had a friend who worked with her in the Family Violence and Sexual Assault Unit. She had left the office to work for a new law firm doing cyber incident response. She called Gwenn and said she would be really good at it. She explained it to Gwenn. [17:50] Gwenn interviewed with the firm and got an offer the day she interviewed. She realized that was what she wanted to do. Some former prosecutors were doing it. There were some amazing people, and she wanted to be a part of that, something new, interesting, and growing. [18:15] Gwenn wanted to be challenged and get to help people. Once she discovered it, she couldn't think of a better transition for people who are in law enforcement than going into cybersecurity. [18:39] RIMS Events! On November 17th and 18th, join us in Seattle, Washington, for the RIMS ERM Conference 2025. The agenda is live. Check out Episode 357 for Justin's dialogue with ERM Conference Keynote Presenter Dan Chuparkoff on AI and the future of risk. [18:59] Visit the Events page of RIMS.org to register. [19:02] RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through May 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when you register by October 30th! [19:16] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by October 30th, and you will also be entered to win a $500 raffle! Do not miss out on this chance to plan and score some of these extra perks! [19:30] The members-only registration link is in this episode's show notes. If you are not yet a member, this is the time to join us! Visit RIMS.org/Membership and build your network with us here at RIMS! [19:42] Let's return to our interview with Gwenn Cujdik! [20:14] Gwenn says cybersecurity takes a village. What she learned in criminal prosecution is that as long as there have been humans, there has been crime. We're fortunate as a society to have laws, law enforcement, governing bodies, and organizations to keep crime down. [20:54] It's not dissimilar to cybersecurity. If Gwenn were talking to a board, she would say, It takes everybody in your community, in your organization, to build resilience, protect yourself from cybercrime, and react to it. [21:12] Gwenn says a big mistake people often make is thinking incident response is a job for just their tech team. The IT team is not trained in all the various fields you need to be an expert in to get through a cyber incident. [21:41] Your IT team will be able to get you up and running, collaborate, and be a good foundation for the incident response, working with outside experts. It takes people who understand the law and who understand communications. [21:54] It takes people who understand the brand, who are the heart of the organization, to be able to respond. Your CISO may say, Here's how I think that we should respond, but your CEO may say, This isn't how I think we would respond to an event like this. Keep in mind who we are. [22:32] Your legal team is there to say, Here's why we can't do that, the risk is too great; It will be worse if you do X, Y, Z; You shouldn't do that because you need to be compliant with the law. [23:11] Gwenn says good leaders lead best when they model. If you expect people to be open-minded and collaborative, you need to be the same. For the most part, organization leadership is very aware that cybersecurity is an important part of who they are and will be. [23:55] Gwenn has met a ton of CEOs who admit they don't know what they don't know and ask for help to understand cybersecurity so they can help their organizations in the best way possible. Some CEOs are thinking ahead and putting teams together that understand their role. [24:20] Gwenn has encountered CEOs who are just messing up the process. One wanted to invite his wife, not an employee, to the conversation because she would like to hear about it. From a legal and business perspective, it's very risky for the company. [25:04] One Final Break! The Spencer Educational Foundation's goal to help build a talent pipeline of risk management and insurance professionals is achieved, in part, by its collaboration with risk management and insurance educators across the U.S. and Canada. [25:23] Since 1999, Spencer has awarded over $2.9 million to create more than 570 Risk Management Internships. The Internship Grants application process is now open through October 15th, 2025. [25:39] To be eligible, risk managers must be based in the U.S., Canada, or Bermuda. A link to the Internship Grants page is in this episode's show notes. You can always visit SpencerEd.org, as well. [25:53] Let's Conclude Our National Cybersecurity Awareness Month Interview with Gwenn Cujdik! [26:05] It's National Cybersecurity Awareness Month 2025, here in the U.S. It's a big month for everyone in Gwenn's house; they have to pull their own weight a little more because she's traveling a lot, she's out a lot, and there are a lot of conferences and meetings going on! [26:29] Gwenn tries not to shove everything cyber just into October. October is busy, and she loves it. [26:56] On October 29th, at the Sheraton New York Times Square Hotel in Manhattan, Gwenn will be the Conference Co-Chair for the Zywave Cyber Risk Insights New York event. It's a full day with a lot of very knowledgeable individuals from a range of companies. [27:50] It is one of Gwenn's favorite events. It's a day packed with good information. She would love to see more risk managers and CISOs join it. The amount of information you can get in one day is almost unbelievable. The content is pretty diverse. [28:21] It covers claims, the state of the market, the different ways threat actors are attacking, how to prepare better for attacks and for business continuity, and how to organize invoices and costs as you're going through an incident response. [29:01] Gwenn says, Get the small things right so you can deal with the big things. While you tackle the small things, you can talk about whether or not the law requires you to file notifications to seven million people and how to get through that as a company. [29:22] Gwen says it's a great event. Gwenn will be there, giving opening remarks. Justin will be there, after attending a heavy metal concert the night before. The link is in this episode's show notes. [30:52] When Gwenn entered the cybersecurity field, she was surprised at the female presence. One of the managing partners who interviewed her was a female. There are also savvy female hackers out there. [31:35] Gwenn says that in criminal law, people have trouble understanding that women can commit crimes, the same way that men can. Gwenn points out Elizabeth Holmes and the book Bad Blood, about Theranos. [32:23] Gwenn mentions a woman in government who embezzled $22 million from her community to show horses. [32:42] Gwenn says, in terms of cybersecurity being a male-dominated field, we're all learning together; anybody who tries and is committed to it can do it. Because it's new, people come from different backgrounds with diverse experiences. [33:11] Gwenn says, We're seeing value in people coming from different careers and different industries and seeing their skillsets translate to cybersecurity. In this field, you need great diversity with people from all different backgrounds to be able to tackle this. [33:38] It's not one-size-fits-all. There are personalities involved. There are different businesses involved, from small to large, public to government. You have to be able to understand a huge variety of people and businesses. You have to understand a huge amount of technology. [34:00] Gwenn talks about the differences between cybersecurity and other industries. eDiscovery for cyber is not the same as eDiscovery for litigation. You need special people and tooling, and you have to understand what the tooling is, which helps you figure out timing. [34:43] Technology is always developing. Gwenn compares it to cat and mouse. We're constantly chasing the bad guys to figure out what they're doing. Sometimes it's reactive. They'll think of something new, and we've never seen it before. This is how we get through it. [35:04] The tools and a skillset you've used dealing with everything before help you tackle what's coming. Even the way we investigate and respond to things has changed. [35:16] Gwenn says when we came on the scene, we would grab images of all the computers. If there were 50 computers, you would have 50 images, which would mean people going through a massive amount of data, taking a really long time. [35:30] We don't do that now. We have tools and technology that can get through a system programmatically, to pull the evidence we need to do these investigations without having to go into a shop and take copies of laptops or servers to get through that. [35:49] That makes a potential difference of millions of dollars in responding. It's the difference between months and a month to respond. [36:15] Gwenn has not seen a malicious actor with technology or an algorithm that is beyond what she has seen before. She says, We have the technology they have. You'd be surprised how much private industry gives to our community in terms of intelligence and technology. [36:35] Gwenn adds, We work with the government to find out solutions. The industry is armed pretty well. Gwenn has seen some things that have impressed her. One attacker was pulling searches from a legal hold, getting into sensitive information. [37:16] Their searches looked legitimate, like what an attorney would look for, so it didn't set off bells and whistles. Gwenn wonders how they knew to look in a legal hold. Were they lawyered? That was something small but ingenious to Gwenn. [37:46] Seeing a smart attack invigorates Gwenn to use her brain and try to be as smart or smarter. She says that's what is great about this job. It's constantly changing. You're constantly moving. It's not for weak minds. [38:11] To excel, you have to be smart, tenacious, and love learning. You have to love that you may be an expert in this, but you may become obsolete. You've got to keep your game up. Gwenn says she is just a big nerd for it. [38:33] Attackers are using AI more. Gwenn recalls two incidents recently where two different groups, for two different reasons, were attacking Salesforce. That's the rub of being popular. One group used AI to search quickly for sensitive information to leverage attacks on companies. [39:27] Unfortunately, people are reusing passwords, and the bad guys know that. Gwenn says you'd better not! [39:57] Justin comments that AI being used for a cyber attack should be on companies' risk radars. How can they adjust defense strategies to stay ahead of something like that? [40:08] Gwenn is dealing with that at this moment. If you are a big company with subsidiaries and locations around the country or the world, segregate the networks. If an attack hits your facility in Oklahoma, they won't have access to your facility in Belgium. [40:38] If your locations are networked, it's a domino effect. If one goes down, they all go down. In terms of business resilience, that is the one factor that can tumble everything with the press of a button. [40:55] The tools that bad guys are using are meant to get them through fast. They get in, use AI to conduct reconnaissance, and get terabytes of data out quickly. It's important to take every effort to reduce the severity of an attack in its spread and the amount of data stolen. [41:40] Can they move laterally within a company or elevate privileges by getting to the admin, who has access to everything? It's great to focus on how to prevent it, but the reality is, they're going to find a way. It's not if, it's when. [42:09] While you have to prevent the attack from happening, and be vigilant. If you get an attack, you have to make sure it's small, you respond quickly, and it's not going to hit every facet of your company. Attacks that hit every facet of the company are the most devastating. [42:39] Justin says you've been wonderful. You've given us so much to think about when it comes to National Cybersecurity Awareness Month. You do great work! I look forward to seeing you in more AXA XL RIMS collaborative webinars! [42:55] We'll see you in the city for the Zywave Cyber Risk Insights New York, on October 29th, delivering the opening address and mingling with attendees. [43:04] Gwenn says, I'll be there all day, attending sessions, supporting my friends on panels, my cyber family, and for folks who want to meet me. I'm always happy to talk cyber! [43:24] Justin says, Lock Down & Level Up: Turn Up Your Cybersecurity Game Against Creative Cyber Criminals. [43:30] You've been such a wonderful guest, and I appreciate all your time and insight today. Thank you, Gwenn! [43:43] Special thanks to Gwenn Cujdik of AXA XL for joining us here to discuss all things cyber. The AXA XL RIMS webinar, "Lock Down & Level Up: Turn Up Your Cybersecurity Game Against Creative Cyber Criminals," is now available on demand through the RIMS.org/Webinars page. [44:05] A link is also in this episode's show notes. [44:07] Gwenn will deliver the opening address at the Zywave Cyber Risks Insights New York Conference on October 29th in Manhattan. A link is in this episode's show notes. [44:19] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes. [44:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information. [45:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information. [45:23] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more. [45:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. [45:54] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org. [46:06] Practice good risk management, stay safe, and thank you again for your continuous support! Links: RIMS ERM Conference 2025 — Nov. 17‒18 Spencer Internship Program — Registration Open Through Oct. 15. RISKWORLD 2026 — Members-only early registration through Oct 30! RIMS-Certified Risk Management Professional (RIMS-CRMP) The Strategic and Enterprise Risk Center RIMS Diversity Equity Inclusion Council RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026 RIMS Risk Management magazine | Contribute RIMS Now Zywave's 2025 Cyber Risk Insights Conference — Oct. 29, 2025 | New York City StaySafeOnline.org "RIMS Issues Statement on the Passing of Legendary Risk Leader and Former RIMS President Susan Meltzer" Upcoming RIMS Webinars: RIMS.org/Webinars Natural Hazards: A Data-Driven Guide to Improving Resilience and Risk Financing Outcomes | Oct. 9 | Sponsored by Global Risk Consultants Jury Dynamics: How Juries Shape Today's Legal Landscape | Oct. 16, 2025 | Sponsored by Zurich Parametric Insurance: Providing Financial Certainty in Uncertain Times | Oct. 30, 2025 | Sponsored by Swiss Re Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World | Nov. 6 | Sponsored by Hub "Lock Down & Level Up: Turn Up Your Cybersecurity Game Against Creative Cyber Criminals" Upcoming RIMS-CRMP Prep Virtual Workshops: RIMS-CRMP Virtual Exam Prep — Oct. 29‒30, 2025 RIMS-CRMP-FED Exam Prep Virtual Workshop — November 11‒12 Full RIMS-CRMP Prep Course Schedule "Risk Appetite Management" | Oct 22‒23 | Instructor: Ken Baker "Intro to ERM for Senior Leaders" | Nov. 4‒5 | Instructor: Elise Farnham "Fundamentals of Insurance" | Nov. 11‒12 | Instructor: Chris Hansen "Leveraging Data and Analytics for Continuous Risk Management (Part I)" | Dec 4. See the full calendar of RIMS Virtual Workshops RIMS-CRMP Prep Workshops Related RIMScast Episodes about Cyber: "AI Risks and Compliance with Chris Maguire" "Data Privacy and Protection with CISA Chief Privacy Officer James Burd" "Cyberrisk Trends in 2025 with Tod Eberle of Shadowserver" Sponsored RIMScast Episodes: "The New Reality of Risk Engineering: From Code Compliance to Resilience" | Sponsored by AXA XL (New!) "Change Management: AI's Role in Loss Control and Property Insurance" | Sponsored by Global Risk Consultants, a TÜV SÜD Company "Demystifying Multinational Fronting Insurance Programs" | Sponsored by Zurich "Understanding Third-Party Litigation Funding" | Sponsored by Zurich "What Risk Managers Can Learn From School Shootings" | Sponsored by Merrill Herzog "Simplifying the Challenges of OSHA Recordkeeping" | Sponsored by Medcor "Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report" | Sponsored by AXA XL "How Insurance Builds Resilience Against An Active Assailant Attack" | Sponsored by Merrill Herzog "Third-Party and Cyber Risk Management Tips" | Sponsored by Alliant "RMIS Innovation with Archer" | Sponsored by Archer "Navigating Commercial Property Risks with Captives" | Sponsored by Zurich "Breaking Down Silos: AXA XL's New Approach to Casualty Insurance" | Sponsored by AXA XL "Weathering Today's Property Claims Management Challenges" | Sponsored by AXA XL "Storm Prep 2024: The Growing Impact of Convective Storms and Hail" | Sponsored by Global Risk Consultants, a TÜV SÜD Company "Partnering Against Cyberrisk" | Sponsored by AXA XL "Harnessing the Power of Data and Analytics for Effective Risk Management" | Sponsored by Marsh "Accident Prevention — The Winning Formula For Construction and Insurance" | Sponsored by Otoos "Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties" | Sponsored by AXA XL "Elevating RMIS — The Archer Way" | Sponsored by Archer RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops On-Demand Webinars RIMS-Certified Risk Management Professional (RIMS-CRMP) RISK PAC | RIMS Advocacy RIMS Strategic & Enterprise Risk Center RIMS-CRMP Stories — Featuring RIMS President Kristen Peed! RIMS Events, Education, and Services: RIMS Risk Maturity Model® Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information. Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts. Have a question or suggestion? Email: Content@rims.org. Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn. About our guest: Gwenn Cujdik, Incident Response and Cyber Services Lead for North America at AXA XL Production and engineering provided by Podfly.