2021 Cyber and Technology Risk Management Forum
Multiple Regulatory/Oversight Use Cases
360 View
Regulators leverage SSC's data via an API pull for their own internal purposes, and SSC's platform allows regulators to privately store examiners' notes.

Historical Data
With 7 years of SSC's historical data, examiners (and investigators) can see a covered entity's security posture over time (e.g., SSC recently conducted a data analytic investigation of a major bank after a breach, covering 2018 and 2019).

Self-Monitoring and Third-Party Risk Management
Working with regulatory agency CISOs to provide valuable data for the agency to monitor the safety of its own network and to assist in creating its own third-party vendor risk management program.

Cyber Intelligence
Powering regulators' Cyber Intelligence Units with intel collection and supplementing regulators' threat intelligence and threat hunting capability with SSC's threat intelligence group; briefing regulators on major breaches (including SolarWinds, MS Exchange, and Pulse Secure) and supporting regulators' investigations teams.

Exam Scoping and Risk-Based Oversight
SSC continuously monitors covered entities at scale, with ML and AI helping regulators identify and properly scope examinations based on state cyber rules and regulations. SSC allows examiners to take a risk-based approach to exams and audits (i.e., start with audits/exams of 'F' rated companies, move on to 'D' rated companies, etc.), raising the floor on cybersecurity for the entire industry.
Summary of SSC’ s Current Work with State Regulators
Exams
● Understanding that regulators cannot audit/investigate the thousands of covered entities they regulate every year, regulators use SSC to select and scope annual exams. SSC helps regulators identify entities falling behind and triage issues to focus on
● SSC ratings are used to verify the accuracy of questionnaires and regulatory filings
● SSC can provide historical data for specific research projects and analysis
● SSC maps state compliance regimes to its data to provide continuous monitoring of regulatory compliance
Additional Initiatives
● Weekly meetings with regulators to address questions, discuss exam-related issues, and review progress on ongoing work spanning exam, intelligence, and investigation-related matters
● SSC has conducted periodic intelligence briefings to provide further color on its originally published research
● SSC provides trainings for audit and investigations staff