Join Sean Martin and Ryan T. Patrick as they discuss groundbreaking HITRUST initiatives like the continuous assurance model, AI security certification, and a new cyber insurance product that rewards robust cybersecurity practices. Discover how HITRUST's innovative approaches are helping organizations enhance security and manage compliance more effectively.
Guests: Ryan T. Patrick, Vice President of Adoption, HITRUST
On LinkedIn | https://www.linkedin.com/in/ryan-patrick-3699117a/
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
____________________________
Episode Notes
In this On Location Podcast episode, Sean Martin had a recap conversation with Ryan T. Patrick about the pivotal topics surrounding HITRUST and its Collaborate Conference. Ryan Patrick, Director of Corporate Audit and Compliance Operations at HITRUST, provided insightful commentary on HITRUST's mission and its recent initiatives to strengthen cybersecurity and compliance across various sectors. Throughout the episode, Ryan emphasized the significance of HITRUST's annual event, Collaborate. The conference serves as a central hub for customers, assessors, partners, auditors, and security and privacy professionals to share insights and build relationships.
One key discussion topic was the evolving concept of continuous assurance. Ryan highlighted how HITRUST is striving to transform annual assessments into a continuous process, enabling organizations to better manage and understand their security posture throughout the year. This shift aims to make security and compliance efforts more proactive and less burdensome.
Sean and Ryan also touched on the important role of HITRUST's Results Distribution System (RDS). This innovative system allows organizations to receive structured assessment results, which can be integrated seamlessly into GRC platforms like ServiceNow. By utilizing RDS, companies can more effectively compare vendor assessments and manage risk in a streamlined manner.
Another significant highlight from the conference was the announcement of HITRUST's first AI security certification. Set to launch in December, this certification will provide a comprehensive framework for securing AI technologies. Ryan explained that this initiative addresses the rising concerns around AI security by focusing on the controls needed to safeguard AI deployments. In addition, the certification will require that the underlying infrastructure supporting the AI also meets HITRUST's security standards.
Cyber insurance was another critical topic discussed. HITRUST's partnership with leading insurers has led to the creation of a cyber insurance product tailored for HITRUST-certified organizations. This product offers a 25% premium reduction for those who achieve HITRUST certification, potentially leading to lower premiums and higher coverage limits. Ryan noted that the product is designed to reward organizations that have demonstrated robust cybersecurity practices through their HITRUST certification.
The conversation wrapped up with a mention of HITRUST's impressive Trust Report statistics. According to Ryan, less than 1% of HITRUST-certified organizations experienced a security breach in the past two years, compared to over 50% of non-certified entities. This stark difference underscores the effectiveness of HITRUST's rigorous assessment and certification process in enhancing organizational security. Ryan’s insights during this episode illuminate the critical role HITRUST plays in advancing cybersecurity and compliance.
The initiatives discussed not only demonstrate HITRUST's commitment to innovation but also highlight practical steps organizations can take to fortify their security posture and achieve greater assurance in an increasingly interconnected world. This collaborative spirit and dedication to continuous improvement continue to set HITRUST apart as a leader in the field.
____________________________
This Episode’s Sponsors
HITRUST: https://itspm.ag/itsphitweb
____________________________
Follow our HITRUST Collaborate 2024 coverage: https://www.itspmagazine.com/hitrust-collaborate-2024-information-risk-management-and-compliance-event-coverage-frisco-texas
Be sure to share and subscribe!
____________________________
Resources
Learn more about HITRUST Collaborate 2024 and register for the conference: https://itspm.ag/hitrusmxay
Learn more about and hear more stories from HITRUST: https://www.itspmagazine.com/directory/hitrust
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast
Want to tell your Brand Story as part of our event coverage?
Learn More 👉 https://itspm.ag/evtcovbrf
Transforming Compliance and Revolutionizing Cybersecurity | A HITRUST Collaborate 2024 Conversation with Ryan T. Patrick | On Location Coverage with Sean Martin
Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new On Location episode here on ITSPmagazine. And, uh, I'm excited for this chat with, uh, with, uh, Ryan Patrick from HITRUST. How are you, Ryan?
Ryan Patrick: I am doing well. How are you, Sean?
Sean Martin: I'm doing great. I'm doing great. I miss you there, uh, in, in, uh, the, the greater Dallas area.
And, uh, yeah, we had a good time at Collaborate. It was a good, good, uh, good weekend. Good week.
Ryan Patrick: We did. It was, it was a fun show. It was. It's great to connect with, uh, you know, old colleagues and, you know, build better relationships with new, new colleagues like yourself and, uh, got to talk about all sorts of fun things, you know, really fun cybersecurity things that everybody just is thinking about all the time.
Sean Martin: So exactly. Top of mind for everybody all the time.
Ryan Patrick: Um, yeah, for sure.
Sean Martin: There, there was, there was one topic, which I'm sure we'll get into, that, that is on everybody's mind. Um, and that was a big, big part of the [00:01:00] conversation, uh, during the week. So just for everybody's reference, so, uh, HITRUST holds an annual event, uh, called Collaborate, and it brings together customers and assessors and partners and auditors and security folks and privacy folks.
And the whole goal is to, well, you can probably say it better than me, but the whole goal is to help raise awareness about what it means to raise the posture for security and privacy in a way that we achieve compliance more effectively and ultimately we can do better as businesses serving our customers, which could be health care, health, health, patients, or in retail or finance, or in, in, wherever it is that we need to be compliant. Uh, HITRUST is there with its ecosystem and partners and, and the broader community to help us achieve those things. So to me, that's, that's kind of the, the big picture of it all. And it didn't disappoint this year, right?
Ryan Patrick: Oh, yeah. The feedback that I got, both during [00:02:00] the show itself and then afterwards, has been a resounding positive and success. You know, the fact that we've kind of grown, I don't want to say out of healthcare, because we're still very much focused on healthcare, but we have a lot of new industries who are starting to participate in the conversation and we're learning from each other.
And I think that's the part about Collaborate that I appreciate the most. It is exactly what it sounds like: the ability to collaborate and have very candid discussions. You know, HITRUST has been doing this for 17 years and we've learned a ton in 17 years. And that's not because we're the smartest people in the room.
We're talking to the market every single day and learning from the market and learning, learning from other industries, and what's working and, in some cases, when it's not working, and building from there. And Collaborate serves as kind of the pinnacle event for us each year, having those conversations and being able to, you know, have those candid conversations.
Sean Martin: Yeah, it's a culmination of, uh, stuff that you see. And, and, and [00:03:00] to, to your point, another opportunity to connect and understand, well, where, where are people thinking? Where is the market headed? Where is the tech headed, where are the regs headed? Right. All that good stuff's coming. Um, I, I had the, I'm gonna take a moment here.
I had the pleasure to sit down with Dan Nutkis, the, uh, CEO, and, and, uh, we had a good chat with the panel of, of some long-time, if you call them founders, but certainly early, early adopters and early contributors and early supporters of what HITRUST does, and, and the history and what the team has accomplished.
And to your point, um, it's not just HITRUST as an organization. It's a, it's a group of folks, um, that come together and they talk about, well, what is it? What does it mean to be secure? What does privacy mean? What are the frameworks that are built by industry and government? What are the regulations that we have to adhere to?
And what are the technologies that we're facing? Uh, the businesses that are deploying, that we're trying to use to, [00:04:00] to run the business, to secure the business. And how does all that come together? It's super complex. And it was great to hear Dan and then the rest of the panel kind of talk through the history of how HITRUST came to be, and to see that the community there, um, really rooting itself in lessons learned over the years, embracing, embracing a solid foundation to take us to the next 17 years as an organization.
So I don't know, what were some of your thoughts on looking back and how, how HITRUST has established stuff that we can reuse, but also learn from and maybe enhance moving forward?
Ryan Patrick: Yeah, that was, I think, probably the most attended session of the entire show. And it was really great to get Dan's thoughts, because again, he was there in the beginning, obviously, but the other stakeholders, the other members of the community that were there in the beginning, to kind of take their [00:05:00] perspectives on where HITRUST came from and, well, how it's gotten here.
And, you know, there were some pretty candid comments. You know, people have said, you know, we made mistakes. There were things that we thought were the right answer that were not the right answer. And we listened to the market and the market told us, hey, you need to be thinking about it this way. And we've learned from there and we've made adjustments.
So I think that was the biggest takeaway for me, is, you know, being honest with ourselves and saying, hey, we're trying real hard here, we're, we're trying to make things better, or, you know, make the ability to grow security programs and establish trust between organizations as efficiently, but rigorously, as possible.
And sometimes we've gotten it right. And other times we haven't, but that doesn't, that hasn't slowed us down. And I think that was the, the key takeaway from that session specifically for me, is, you know, if you look at the folks that were on the stage, they were [00:06:00] talking about, hey, this is what we've learned over 17 years.
And we are committed to continuing to evolve from this day forward. So HITRUST is not going to be stagnant. We are not going to just rest on our laurels to date. We're going to continue to innovate and we're going to continue to evolve and try to tackle the problems of the future.
Sean Martin: And you use the word continue.
And I'm gonna, I'm gonna take us to the vision for continuous assurance. And being in this industry for so long, it's not a new way of looking at things. Um, yeah. Moving from a point-in-time assessment to getting to a point where at any point in time, all the time, we know kind of what state we're in, and it's not just our own presentation or, or statement that this is where we are.
It's, it's a reliable proof with attestation through auditors and assurers. Um, to [00:07:00] say, this is what we know, here's our best foot forward here as a community. And as an ecosystem of people running businesses, we can together collectively say, we're, we're improving, here's our current state, here's the scope we're operating in.
So tell me a little bit more about, uh, the, the vision for 2025 and this idea of, of continuous assurance, and some of the things you, you spoke to at the event and some of the things you heard as well.
Ryan Patrick: Yeah, it, it's still, admittedly, somewhat of a moving target. We're still trying to figure it out to a certain extent, because it's not a small undertaking to do what we're talking about doing.
And oh, by the way, even if we knew exactly what the right answer is, we couldn't flip that switch tomorrow, because there's a lot of second and third order effects within our community and the way the assessments are done now that would probably wreak some havoc. So I think we'll see an iterative approach to it.
Um, going, getting to continuous assurance, but your, your comments are spot on. I mean, this is the direction [00:08:00] really that everybody should be going in. Because if you think about the threat landscape, the bad guys and gals are not stagnant. They're not resting on what worked yesterday. They're evolving.
They're figuring out new ways to attack. Maybe it's through, you know, the same types of vulnerabilities and similar exploits, but they're, they're evolving. And the ability to, to build an assurance program that tries to keep pace with that is difficult. So our chief research officer, our chief strategy officer, I'm sorry, Robert, he's, he's looking at this every single day. He talked about it at the show. I think you can probably expect a couple different things. Potentially the window in which testing is done. Right now it's a 90-day window for all testing for a HITRUST certification. That window may change, it may expand. There may be other elements or other factors, not for every single control, but the [00:09:00] controls that probably have a greater frequency rate. You know, if it's an annual control or, you know, a monthly or quarterly control, you may have a little breathing room in getting that done.
So, there's, there's this idea of, we can't have this be a point in time, but right now it's everything, for the, for the sake of argument, is somewhat point in time. So how do we capture what's been going on overall, capture that in a point in time, but continue to assess that moving forward? So the idea of, get HITRUST certified, and as you move, you can start testing controls as they come up during the frequency period and supply that to the external assessor, whomever, maybe even HITRUST. I, again, we're, we're figuring this out right now. It relieves the burden of trying to cram everything into a 90-day window, but at the same time, it creates much clearer [00:10:00] visibility into the scalability and the maturity of these controls, because you're able to look at them over time. And that's the direction we're trying to move in, is giving organizations things that, I don't want to say are more predictable, but more reliable and more relevant in time, so that they can make risk-based decisions.
Sean Martin: Yeah, I love it, and well, well stated, and I want to, boy, so many directions to go here.
I want to... let me ask you this. So people listening and watching this, um, what, what does that mean to them? So let's speak first to existing HITRUST entities, organizations that, that are working on or have, have, uh, a level of assurance with one of the three, three levels. Um, how should they prepare for this transition, and what, how can it help them with their business?
Ryan Patrick: So, if there's anybody [00:11:00] out there that has ever heard me speak in the past, you've probably heard me say that you need to build, not necessarily a program of compliance, but a program built on something like HITRUST. You can't try to take all of the work, and let's take the R2, the one assessment that everybody knows us for.
It's also the hardest, and I call it a significant emotional event. It is not an easy undertaking, and a lot of people try to cram all of that work into a very, very short R2. We force them to do it within 90 days. Some of them are, are just getting prepared at 120 days out. And it is so stressful. It creates such a burden on the organization, because everybody's sprinting to the finish.
So what I have told people over the years is, the day you get certified, you get a one-day break, and then day two, you should already be thinking and building the processes to prepare for the next certification. So [00:12:00] instead of generating all of these artifacts within a 90-day period, if you're generating them throughout the full year as they come up, right?
So again, think about controls, the frequency in which these controls are supposed to be operating. You know, you do that annual disaster recovery exercise. Well, now you can package that and put it aside and say, here's the DR plan and DR exercise for my HITRUST certification that's nine months away.
Or if you have to, you know, look at audit logs for access control to make sure that, you know, people haven't had any permission creep or what have you, you're doing that on a quarterly basis. So if you're doing that on day two after your certification, you know, that first quarter, you take that, you package that up, you put it away.
The next quarter, you take that, you package it up. Instead of trying to look back when it's time to get certified, you've already done that work. So I think that's really at the crux of it for current HITRUST certified organizations: start to build those business processes now, in [00:13:00] preparation for the inevitable, because this is the direction that we're moving in.
And I would argue that a lot of other organizations and frameworks and governing bodies, if you will, government agencies, for that matter, are going to be moving in this direction. So if it's not for HITRUST, it's going to be for somebody. And this is something that we should have been doing all along.
So let's just get started now.
Sean Martin: Yep. Excellent points. And, uh, we'll touch on cyber insurance, I'm sure, at some point here as well, um, they're going to be looking for this same type of thing. So let's, um, let's switch it to folks who haven't embarked on their HITRUST journey yet. And I don't know if that starts at an E1 or maybe, maybe in the middle at the I1.
How does, how does this idea or mindset of continuous assurance, um, help shape how they start their journey, perhaps?
Ryan Patrick: I think it's promising. You know, because the first time someone goes through a certification, it's, it's gonna, it's going to be new. HITRUST [00:14:00] is unlike other things that you've probably been through.
And if you haven't been through anything, then maybe it won't feel as unnatural. If you've been through other assessment types, HITRUST isn't like that. It's, it's, it's way more prescriptive. It tells you exactly what to do, not necessarily the technologies to implement, but the configurations of the controls within those technologies.
You have this idea of prescriptiveness, and if you are able to set that from the get-go, like, let's say you're a startup, and you don't really have a really mature security program, the fact that you're going to adopt HITRUST and it's moving to this continuous assurance model is actually a really promising thing.
It is going to, it's a forcing function for you to build good cyber hygiene and be able to maintain that over time, because what we don't want, and unfortunately what we see in many industries with many assurance mechanisms, is it becomes a check-the-box exercise. Let's just get through it because [00:15:00] I need it for a contract.
Well, that's, that's all well and good until the bad day happens, when some kind of incident happens. Whereas if we have this element of continuous assurance, like I said, you're building those good habits, that good hygiene, to continuously evolve your program to protect against the latest threats that are happening.
So I think it's a real positive thing for brand new organizations to the HITRUST world.
Sean Martin: And, uh, I'll, I'll use this as the kind of the transition or shifting point. Because I think a lot of drivers for new, new entities coming into the HITRUST fold is often through another entity having reliable, reliable partnership with another entity.
So they become a third party to, to the, to the main party. And so HITRUST for years has invested heavily in, in third party risk management and finding [00:16:00] new ways to capture the information, present the information, share the information. And one of the things that was announced, uh, was the HITRUST TPRM and ServiceNow, um, huge deal, right?
To, to be able to bring that into a platform that a lot of organizations use to help kind of wrangle some of this stuff together. So I don't know if you can, can you touch on some of the highlights there?
Ryan Patrick: For sure. So this is actually a great example of how HITRUST listens to the market and is trying to develop solutions based on that feedback.
So as you mentioned, Sean, there's a lot of organizations out there that utilize or rely on HITRUST certification to build that trust between themselves and their vendors or their supply chain, you know, entities, whomever it may be. And what we have found is that those TPRM managers, they will collect HITRUST, but in some cases they have [00:17:00] to collect other things, because that's all the vendor has.
And they need something now to ascertain the risk, because there's a business case behind the reason why they're having that conversation, right? But when you start to look at, how do I compare the results of these different assessment types, it becomes really, really hard, and they've gravitated towards GRC platforms like ServiceNow, like OneTrust, like Archer and many others, but there wasn't a really good way to get the data out of a static PDF, right? So whether you have a SOC 2, some kind of NIST report, a HITRUST report, up until recently, there was only a PDF. And in some cases it was hundreds of pages long. So it was super hard, really inefficient. And just frankly, it's not actionable whatsoever. So HITRUST, uh, I think two years ago came out with this, uh, um, I call it a product, but this capability, if you will, called the Results Distribution [00:18:00] System, and it's a way of getting the assessment results from a HITRUST certification in a structured data format so it can just be ingested into a GRC platform, or what have you, could be some kind of homegrown platform.
So you get those structured results. So when you're comparing one vendor to the next, or you're looking at your vendor pool overall, and, you know, you're really concerned because there was an incident recent, recently around MFA. Well, how many of my vendors have MFA enabled, and, oh, by the way, is it enabled across the board or just for certain systems? You'd have to dig through each one of these individual PDFs and not only try to find where MFA is covered, if it is, but then you have to try to decipher the auditor's comments on the maturity of it. Is it fully implemented? Is it deployed? You know, so on and so forth. Whereas now with RDS, the Results Distribution System, you can ingest all of that information straight from the HITRUST assessment into whatever tool you have.
And we're [00:19:00] excited that we announced a, uh, partnership with ServiceNow. They will be the first platform provider, if you will, GRC provider, that has a TPRM module that will, we're building an app within their app store that you can download for free that will, you know, integrate, if you will, I'm using these terms loosely, uh, with ServiceNow, between ServiceNow and HITRUST.
So you can seamlessly bring all of that assessment information into your tool, and then you can decide how you want to analyze, manipulate, or interpret that data behind the scenes, because it's structured. It's not some random PDF. It is actual data coming in, uh, directly through APIs. So we're really, really excited about this, this integration.
And as I mentioned, we're not stopping with ServiceNow. The goal is to continue to, uh, work with the other GRC providers and TPRM providers. So if there is someone you want us to work with, maybe, Sean, we can throw my email address out there at the end. Feel free to reach [00:20:00] out to me. We're, we're, we're listening.
Now you want, okay. So ryan.patrick@hitrustalliance.net.
Sean Martin: There you go. And, uh, yeah, we'll, we'll include links to connect with you as well. Um, one, one quick point, because folks who might be looking at why work, just mainly in a third party context, um, what is, what's my posture? It's usually a spreadsheet where somebody makes a statement.
Um, what you're describing is actual requirements, policies leading to requirements leading to controls that are then assessed independently and certified by HITRUST. So you have some proof and some reliability, uh, with that information. It's not just some, some salesperson trying to, uh, get the deal done.
So a lot of great information in there, and the integration is, is huge as well. I want to, um, I want to shift to, where do I go with this? So [00:21:00] the AI was certainly a topic, and I think it was in most everything, but I had, I had a conversation with, uh, folks from Enbold Health and StackAware, and it was, the conversation was rooted in the, the assessment of AI, so helping them identify the best ways to produce an app that's AI enabled that would maintain security and privacy and lead them to, um, whatever regulations may come.
Right. Uh, with respect to security and privacy. And it was a fantastic conversation. And in short, the app essentially gives their customers a way to find the best provider for the specialized health service that person is looking for. Based on information that the user, the health, the patient provides, it'll provide [00:22:00] feedback and actually list out providers, driven by AI.
And the cool thing is that they, they took this by design. Right. They brought in HITRUST. They brought in an assessor. They, they, they took the hard stuff first and said, this is what we want to build. And it was great feedback. So I'm going to encourage everybody to listen to that. I'm not going to recap the whole thing here.
Um, but they're very excited about another new announcement. So that was kind of a year-long project from HITRUST that they embraced early on, their, their, uh, their product is, is released with that, I believe. And they're excited about the next step, which is an actual stamp of approval from HITRUST. So talk to me about the, the, if it's called assurance or certification, but the AI piece that, that actually says we did what we needed to, uh, just to be planned on doing what we needed to.
Ryan Patrick: Yeah. So as you mentioned, last year at Collaborate, we announced that we were going to, to come out, hopefully, with the first AI security certification. [00:23:00] So, think about security controls around the actual models, around the data, around the system itself. Nobody's come out with that. Everybody's familiar with the AI, uh, NIST AI RMF, and you have several iterations of ISO.
The one probably most prominent now is 42001. 42001 is very, very broad. It talks about all aspects of responsible AI; security is just one of those elements. So nobody's really cracked the nut. So we are excited to announce that in December of this year, so, uh, just a few weeks away, we are going to be releasing the first AI security certification.
So very similar to our standard security certification, there is a bar to be met, but it's around the actual security of the AI technology, not, kind of at a high level right now, all that stuff that I mentioned is around risk management. [00:24:00] So it gets a lot deeper, a lot faster. It tells organizations, primarily AI deployers and implementers, what types of controls they should have in place.
So we've released a request for comment just before Collaborate, got tons of comments at Collaborate, and we've received a bunch since then. So we're taking all that feedback and tweaking things as necessary, but that's really what, what we're trying to get out before the end of the year, is kind of the question, or the answers to the questions, that people have been asking.
Well, how do I secure AI technologies? Well, we're going to, we're going to give that to you. So it's not going to be, um, a really large assessment. Not like the R2, where, you know, there's 300-plus controls on the average for an R2. Right now it's hovering around 50 controls, so it's a manageable size assessment, but it's [00:25:00] tackling some of the most important elements from a security perspective around those controls themselves.
So, the only other thing I would offer is, we at HITRUST don't believe that you can, quote unquote, have secure AI unless the underlying infrastructure that the AI is sitting on is also certified. So in our world, you will actually get a security certification over, or through the lens of, the infrastructure that it's sitting on, as well as the AI technology, making it a much more complete picture for, you know, business partners, vendors, whomever, customers, whoever's going to use this technology. It gives them a much healthier, uh, trust that the technology is secured appropriately.
Sean Martin: I love it. And, uh, I had a chat with, uh, Jeremy Huval, uh, about this as well. So I encourage everybody to listen to that. And, and certainly the, the conversation with Enbold Health, 'cause what really struck me and, and, [00:26:00] uh, they really pointed to it during the conversation, is the work that you did at HITRUST gave them kind of the, the oomph to really drive a well-designed and, our product required, requirements, design, architecture, the whole way through, uh, to test and, and, and attestation of what they built.
That's, and that's great to help them through.
Ryan Patrick: Yeah, that's great to hear because too frequently you hear that security is an afterthought and to hear that people are taking the work that HITRUST is doing and using that in the design phase of a technology is really where we want to get to across the board.
Take AI out of the question for a second. That's really what we need to be doing is building security in at the foundation as opposed to trying to play catch up on the back end.
Sean Martin: Yeah, it was super cool. So great story. Um, I want to touch on cyber insurance, another big topic, a number of conversations and presentations throughout the week.
I know it got [00:27:00] a lot of people's attention. I've had a few conversations. Those are being produced. So stay tuned for those. Um, give us the, give us the one-two punch on that. I mean, the bottom line is, anybody listening who has tried to acquire cyber insurance has probably found it's harder than ever, if, if even possible.
And even if you do get the look and the nod, you're probably not going to be too happy with what the numbers are and the letters are in the, uh, in the policy. Um, so talk to me about what you've done with HITRUST and some of your partners to actually leverage the work that most companies are probably already doing, right?
Bringing HITRUST in to validate that, and then the results are what?
Ryan Patrick: Yeah, so this one is something I'm super passionate about. I, uh, I think the cyber insurance space, uh, leaves a lot to be desired and, and I'm I'm comfortable saying that knowing that I partner with cyber [00:28:00] insurance carriers, underwriters and brokers, because they're saying the same things.
It's not the typical insurance space. Cyber is much different and they're still trying to figure it out to a certain extent. But what we've done is we've at HITRUST, we've educated the carriers, the underwriters, the brokers on not only the framework and the depth and breadth of the controls, but the, the process and the methodologies and the assurance program that we've built on top of that, and the fact that our assessments are actually based on threat intelligence. And if we can get into that if you'd like. They've, they've realized that the quality assurance built on all those things is above and beyond anything else that's in the market today, and it gave them a sense of comfort to understand or to realize that HITRUST certified, certified organizations present lower risk than peer organizations who are not HITRUST certified.
So they built. [00:29:00] Yeah, yeah, absolutely. And what they've done is they built a product based on HITRUST certification. So if you are HITRUST certified, you can go to your current broker, any broker, um, can take advantage of this product and present your HITRUST results. Right now it's for the R2, but coming next year, the E1 and the I1 will have, uh, some capability there as well.
You present that from the get go, you get a 25 percent credit on your policy. Yeah, that's a huge victory, right? And what we have found, and I don't have all the details because they, they don't and shouldn't share these details with us, but generally speaking, they're finding that either premiums are lower, coverage limits are higher, or both in some cases, just because the proof is in the reporting.
You know, HITRUST forces you to get better. [00:30:00] Other mechanisms out there, I won't name any specifically, don't actually force you to get better. It's a report on where you stand today, or it's an opinion on where you stand today. Whereas HITRUST, you can't get certified unless you get better. So the cyber insurance industry has responded to this and the facility is backed by Lloyd's London and it's growing.
Uh, with each day, I think this is going to be a huge benefit to any and all organizations that want to pursue HITRUST. And oh, by the way, another thing that's near and dear to my heart, you get to do what HITRUST has been saying for years: assess once, report many. So use your assessment results on more than one occasion.
There's no, there's no world where it makes sense for you to do a HITRUST certification, the cyber insurance application, something for, you know, say the federal government or CMMC or what have you, when a lot of those controls that everybody's looking for are arguably the [00:31:00] same. So why not reuse the work?
It saves time. It saves money. It's stayed, it saves stress. You know, audits are not fun, so it's a pretty exciting time. And I think we'll see that product gain some pretty serious traction in 2025.
Sean Martin: Yeah. And, uh, I've heard nothing but excitement, uh, surrounding this whole thing. And I know it's something that HITRUST has been working on for a while and it's great to see it, See it culminate and come together and, uh, be available.
Ryan, um, comment on your shirt. Maybe you can, you can show your shirt. I mean, one of the highlights from the event was, was all superhero, uh, superhero shirts that you wore. Yeah. So I wanted to highlight that, but is there anything else from that week that you want to touch on before we wrap up here?
Ryan Patrick: Yeah.
So shirts. Big hit, got a few more coming up and then I'm gonna have to find a new shtick, you know, trying to insert some, some, uh, some, some personality into, you know, boring [00:32:00] cybersecurity conferences. But to me, you know, we, we hit on a lot of the highlights. The one thing that I would offer to the audience is, you know, right now, depending on who you see, arguably 53 percent of organizations in any industry have suffered an incident and or breach in the last year.
So you're statistically more likely than not to suffer a breach. Think about it from a third party perspective: of that 53%, over 70 percent of those are through some kind of third party. So these are pretty horrifying numbers and I've seen numbers that are even higher than those. I offer all that because earlier this year, HITRUST released its first ever, we call it the Trust Report, in April, and it highlighted some statistics and among other things, and we're going to continue to write this year over year. But one of the things that jumped out at me is that in 2022 and 2023, and this is [00:33:00] inclusive of all three assessment options you have for HITRUST, only 64 percent less than 1 percent of HITRUST certified environments suffered a breach in that two year period.
You compare that to the 53%. Those numbers are pretty darn compelling on the fact that HITRUST actually works. So that's one thing that I try to talk about anytime.
Anybody's willing to listen to me and let me speak is the proof is in the numbers. The data doesn't lie. HITRUST gets you better. It helps reduce risk. And is it perfect? No, nothing's perfect, but it reduces that risk pretty darn dramatically. And there's a number of reasons for that, but I want to highlight that for folks because I think it's a lesser known statistic in the risk management space, the cybersecurity space, that people need to start paying attention to.
And I can, I can tell you, because I asked my compliance officer this, they were actually trending [00:34:00] downward. In 2024, so the breach rate in 2024 is actually less than what I just said to you. So we'll see how it ends up. I think the trust report coming out in 2025 will be, um, a good one to read, but the proof is in the pudding.
HITRUST works, and I really want to highlight that and I'll probably continue to talk about it anytime you let me talk, Sean, um, and it's because we're committed to evolution. We're actually making our assessments based on threat intelligence, as opposed to just making it up in a vacuum, thinking those are the right controls.
So I guess I'd leave the audience with that.
Sean Martin: Yep. Provability, uh, breeds trust and, uh, transparency breeds trust. And I know it sometimes. Yeah, nothing is 100 percent or nor zero. Right. And so to have a number like that is pretty darn impressive. And I'm glad, glad the team did the research and, and was able to present that number.
That's huge. That's huge. As you note.
Ryan Patrick: Yeah, I would [00:35:00] offer that when I, uh, when I heard that number. I didn't believe it. Like, I was like, you need to go do that math again, because there's no, there's no way it's, that's the way it is. Call me a paranoid security security person.
Sean Martin: So listen, uh, Ryan, it was fantastic seeing you at the event. Uh, I was grateful to be part of it. Grateful to have so many good conversations. Hopefully folks check some of those out, uh, as well. And I know some of the recordings from the sessions are available for those who attended, uh, Collaborate, and so I'd encourage everybody to catch all of those.
If you miss some of them or read, listen to them, I'm sure you'll find new nuggets in there. Always great to see you, my friend, and fantastic conversation. Great recap, and hopefully we'll see everybody at Collaborate 2025, uh, with, uh, an E1, an I1, or an R2, uh, underway. That's right. That's right. Thanks so much, Sean.
Thank you. And thanks, everybody, for, uh, listening to this On Location, uh, with [00:36:00] Sean and Marco. Marco's not here. I don't know where he's been, but, uh, eventually Marco will join the, enjoy the, uh, enjoy, will join, I'm sorry if I can only speak, will join the, uh, the conversations with HITRUST and, uh, all the good things they're doing.
So thanks for listening, watching, and, uh, be sure to share with your friends and family and, uh, subscribe and we'll see you on the next one. Thanks Ryan.