MASTERCLASS: Cybersecurity

In this edition of MASTERCLASS, four cybersecurity experts take on the growing challenge of preventing and combating cyber crime in the financial services industry. They discuss some of the major recent financial data breaches, evaluate current cybersecurity regulation, and share their best practices for developing and implementing a comprehensive cybersecurity program.

  • John Araneo - Managing Director & General Counsel at Align

  • Sid Yenamandra - CEO & Co-Founder at Entreda

  • Brian Edelman - CEO at Financial Computer, Inc.

  • Steven Ryder - President at True North Networks, LLC

  • 37 mins 02 secs

Gillian: Welcome to Asset TV, I’m Gillian Kemmerer. Financial services remain a top target for cyber security attacks in a world where hackers are only getting smarter. RT Jones was fined $75,000 for a cyber security breach in 2015, demonstrating both the vulnerability of financial advisory firms and the responsibility regulators place on them to safeguard their systems. The weapons are ever changing and varied and the number of solutions on the market can be equally overwhelming. Today I am joined by four experts who will share best practices in constructing a robust cyber security policy and keeping up with the wave of new regulations. Welcome to this edition of Masterclass. Gentlemen, thank you so much for joining us here today. And actually, Brian, I’m going to start with you. Just give us a brief introduction to what you do and how you fit into the cyber security universe.

Brian Edelman: My name, well, as you know is Brian Edelman; the company name is Financial Computer. And we’re an independent cyber security team. So we have something that’s called the Security Operations Center which is where our team watches over what’s happening at each of our clients to make sure that if there are hacks, attempts to get in, viruses, all the things that you might think of. Our team is actively watching over it so that we can take action and make sure that any incident doesn’t become a breach. And we deliver those cyber security tools that are required for the current regulations for advisors, very easily. We like to make sure that it’s as simple as possible. So in essence, they have a complete set of end point tools, and that’s our primary focus is on end point cyber security.

Gillian: Excellent, thank you. Sid.

Sid Yenamandra: Hi. So we at Entreda developed a cyber security risk management platform, primarily for financial services companies. What we do is we focus on this notion of a culture of compliance around cyber security. Because we think that cyber security is not a point in time activity, it’s something that needs to be done 24 by 7. So we’ve developed an enforcement platform to help firms enforce cyber security policies 24 by 7 on their devices, on their users, on their networks. So we’re based in Silicon Valley, we’ve been in business about five years.

Gillian: So bring your own device thing, very relevant given the most recent presidential election. Steven, tell us a bit about yourself.

Steven Ryder: Sure. My name’s Steve Ryder, I’m the President of True North Networks, we’re based out at New Hampshire. We have offices in Pittsburgh, Pennsylvania as well. We are a managed service provider and security service provider that specializes in the RIA industry. We have clients in multiple states throughout the country. A lot of what we do is protect our individual clients with security services that we have to offer. We bundle a security service package called Secure Workplace that offers the best of breed of protection to protect our clients from cyber breaches, intrusions and also, you know, any phishing type attempts that we offer to our clients as well.

Gillian: Great, thank you. And, John, finally with you.

John Araneo: Hi, John Araneo, I’m the General Counsel and Managing Director of Align Cyber Security. We provide cyber security risk management and advisory services, so that sort of encompasses the technology element, the governance element and the educational element.

Gillian: Okay, perfect. So I’m going to start off our real discussion with a graphic that I sent to all of you ahead of time. And it has to do with the percentage of major data breaches by industry; this is April 2015 through June 2016. So we see here, we have all of the various industries listed, financial services falls pretty high on this list. Now, we’ll see a graphic later that shows that against a lot of indicators, financial services is doing pretty well in terms of how it shores itself up. But they are a major target and we do see a lot of breaches. John, what are some of the headlines that have been most concerning to you in this space?

John Araneo: I think the level of unpreparedness for the attack. Cyber security has really upended the risk management paradigm. And the tools that are in the market and even the skill sets that are out there are not prepared to address the threats holistically and effectively.

Gillian: Sid, how do you think about this?

Sid Yenamandra: You know, that’s an excellent question. We see that about 95% of the cyber attacks against any firm, financial firms in particular happen because of user error or human error. There’s always a human element that’s missing. And a lot of that goes right back to core policies, procedures and implementation of those policies. And that’s an issue that we see across all markets, financial services included.

Gillian: Okay. And, Steven, you actually sent me a graphic this morning that talked a little bit about the nature of these breaches, tell us more.

Steven Ryder: Yeah. I mean the nature of the breaches over the past few years has been a huge increase in phishing attempts and ransomware. There’s a statistic that I read recently that in 2015 there were reported about four million ransomware attacks. And in 2016 there was an increase to 638 million ransomware attacks, so a lot more phishing as Sid had mentioned, a lot more user attacks that are much more profitable for hackers to prey on those vulnerabilities.

Gillian: Okay. So the users are a big problem. And we’re going to talk about how to safeguard against that. Brian, lastly, how do you react to this?

Brian Edelman: I mean it’s clear that the financial services space that the hackers understand how to turn hacking a financial services firm into money. And it really comes down to these days, they’re in it, it’s a business. They’re trying to make money and they’re doing it. The larger financial institutions have spent a lot of money over the last couple of years in order to shore up their systems so they’ve been catching a lot of the obvious types of getting money, in other words, transferring out of the account, and all of the things you would think of that would be the normal way of getting money. And these guys are very creative, so they start to find new ways of generating income out of just cyber attacks. And what they found is that the financial advisors who have always had this position, that they’re not a target, because I mean for years they just felt that way. They also don’t typically have the budgets to be able to be able to protect themselves as well. That’s why ultimately, you know, that was the driving force behind us coming out with tools that were inexpensive and easy to deliver, because at the end of the day they still need to be safe.

Gillian: I just read a study this morning that was saying that among all of the private sectors that are investing in cyber security, financial services are facing the biggest bill, are buying up the most. So it’s interesting to talk a little bit more about what, you know, the various solutions are and how many of them or all of them do you need. So let’s move over to the regulatory side though, before we talk about the solutions, because obviously the regulators are getting involved. We saw the Central Bank of Bangladesh get hacked. We saw HSBC face a major breach, obviously RT Jones and Morgan Stanley we’ll talk about a little later, as case precedents, they’re very relevant to our viewers. But John, could you start off, you come from a legal background, give us an overview of what cyber security regulation looks like right now.

John Araneo: Sure. So the SEC in particular with a bunch of other regulators, FINRA, NFA and CFTC, they have all began to sort of rush with this regulatory initiative surrounding cyber security. One of the commissioners had said that cyber security was actually the defining issue of our times. And it certainly is a pervasive issue. The recent regulatory trend really was traced back to about 2014 when the SEC called the roundtable and brought in some thought leaders and industry practitioners to sort of exchange ideas and have a robust dialog about the phenomena in and of itself. Then following that in 2014 there was a risk alert and got in some materials that talked about cyber sweeps that would occur within the asset management industry, encompassing broker dealers and registered investment advisors. There were a few other subsequent initiatives. The reports of those initiatives and the results were shared, the Division of Investment Management also issued a release that covered a principals’ based approach which was not black letter law or clear indications, but sort of espoused a framework or a philosophy of how to approach cyber security. So in 2015 that continued, another regulatory sweep was conducted. And the first enforcement action by the SEC against, as you mentioned, in the opening, RT Jones was an interesting case. And then in 2016 a much larger, to date, the most substantial enforcement action involving cyber security failures was against Morgan Stanley.

Gillian: We’re definitely going to come back to those. Steven, how do you keep up?

Steven Ryder: You have to keep up on the times. I mean there’s a lot of times I will do cyber security presentations at different venues throughout the country. And oftentimes I have a prepared speech ready to go and what I’ll do is read what’s going on in the paper within the last week to see what the latest events are. So we can always be relevant at the times. You know, a lot of these things within the regulations are really critically important that these firms stay relevant with what is going on. And a lot of times that’s what I think all the folks here do is try to keep our firms relative with what’s going on in the world, how we can do, what we can do to help protect them with different tools that we have.

John Araneo: And peer groups, peer groups are very substantial. We have an esteemed panel today and I don’t intend to let them leave until we exchange some ideas. But in all seriousness, the problem, cyber security requires a multidisciplinary approach. So you need experts that have depth in their field. And there needs to be an integration of ideas to really be prepared as the risks evolve.

Gillian: Now, Sid, directing to you, do you find that any of these regulations across the bodies are perhaps redundant? Are any of them attacking the same problem or are each of these regulatory bodies taking it from a different angle?

Sid Yenamandra: You know, that’s an excellent question. At the end of the day when you look at cyber security frameworks for governance, there’s really a couple of different ways in which people attack it. The most commonly used one is the NIST SB-800 which is viewed as gospel for a lot of cyber security professionals. It’s the cyber security framework. It talks about basically five steps within cyber security which is: identify, detect, respond, recover and then there’s a protect in the middle. And the core of that philosophy is what all the regulatory frameworks are based on. So what we do as a firm is when we work with companies, you know, yes, you definitely have to keep up with all the new rules and the regulations, that’s a big part of what we do and the value that we deliver. But the most important thing is to have a culture within the organization that makes sure that you’ve got adequate checks and balances and you’ve got a governance framework that meets regulatory standards, right. And so you could do that manually or you could do that via efficient smart methodologies. And that’s part of the core of the philosophy we believe in.

Gillian: Interesting. Now, Brian, there’s a New York State regulation that just came into effect yesterday, I believe. Is it the most stringent of all?

Brian Edelman: Again, what’s happening is we’re seeing an evolution of the same set of tools, so it’s just getting better, it started with [inaudible], had really some of the first data privacy type laws, then followed by, as we talk about, NIST, which has to be [inaudible] down by the financial services space to OC guidelines. These guidelines are very similar and they’re the right guidelines that need to be in place. So the regulators have really done a tremendous job for the safety of our most valuable citizens in America. Because they’ve gotten people with the action with what it is that they’re doing. And that’s really what it’s designed to do, they’re doing what they needed to in order to protect American citizens from cyber attacks and have the money go overseas, because that’s where it’s going. So really from our perspective, I’ve been doing this almost 30 years, and this is the first time that I’ve seen, I went to a conference and people were coming up to me at the conference and they were so excited to tell me what they did last year in cyber. It’s the first time in 30 years that these guys are literally taking their head out of the sand and saying, “I have to understand this.” It is absolutely critical that we don’t end up as the next firm that’s either fined, or we have to go to our clients and say, “I lost your data.” Because today the clients are becoming more sophisticated too, so the clients are becoming more sophisticated, and the institutions are more sophisticated. The one who’s going to get caught is that person in the middle that we’re so passionate about protecting.

Gillian: And given the amount of data that a financial services giant would have on you as a client, it’s no surprise that they ranked so high. I think healthcare and government were the others that were ranked above it.

Sid Yenamandra: Exactly. There’s another point to this, when you look at all those different sort of verticals, what makes the financial services vertical stand out is the fact that they’ve actually got a watchdog organization in SEC and FINRA that’s taken cyber security enforcement on upon themselves. And they’re actually doing something about it. Many of the other frameworks, healthcare has had HIPAA for a long time. But the enforcement function isn’t quite as pronounced. SEC, FINRA, you will get audited if you’re a financial services firm once in 12 months, once in 18 months, they will ask you questions around cyber security because it is part of their examination effort. And so all the examiners now are trained to ask about financial questions, but also cyber security, so the enforcement function is probably what makes the financial industries, you know, it sets them apart from the other verticals.

Steven Ryder: Yeah, I was going to say, I agree with that. We do have clients in other spaces as well. But a lot of our financial services, again that’s our focus is the financial services industry, but as Sid had mentioned, they are focused on cyber security and what we can do to help them because they are regulated.

Gillian: I think this is the most positive conversation I’ve had about a regulatory body in a long time.

John Araneo: Well, I wanted to touch on one of the things that Brian mentioned, I’m encouraged to hear that he’s getting that feedback, and I too am hopeful. And I think anecdotally I’ve seen that we’ve reached the tipping point. So I, as a practicing attorney and also as a managing director of Align Cyber Security, we get into the frontlines in a very intimate setting. And what we’ve seen in the asset management space is the risk is pervasive and you need to have a protection element. But it’s almost like sending your child to school that you can prevent them from getting a cold but they’re going to get the cold. And you have to be prepared to react. And what we have seen the financial services industry as a whole, there is a common element of trust and being a fiduciary. And when a breach happens and there is a theft of money, some of the principals themselves would rather cover the theft out of their own pocket than acknowledge what had happened, without opining on what the result is, the mentality of how to deal with this and what’s going on in the frontlines is troubling. And people are not prepared. So we are all preaching the same message and this is a different animal and you have to approach it differently. And I think the nature of talking about it, you approach a defensive posture, by most managers, they don’t really want to admit it and they don’t really want to talk about it. But if you can unlock that and get them speaking about it, that’s the first step to solving the problem.

Gillian: Okay. And Brian, I’m going to go into the case precedents of RT Jones and Morgan Stanley and all of you please weigh in on this. What I find most interesting here, obviously the end users are the victims of a data breach in particular. But in this case these firms which, you know, you may say are the victims of a cyber attack are not victims in the eyes of the regulators. In fact they are very much liable, can you talk us through it?

Brian Edelman: Yeah. I mean when they put together the guidelines, and again the guidelines they put through are really is a step by step guide of what you should do, not only for you, but those are the same questions you should be asking for vendors. Now, in their case the breach happened at a vendor of theirs. And because the breach happened at a vendor and they did not have the appropriate documents in place, I mean a lot of it starts with some of the legal documents, very similar to the way you do a financial plan. You have to have your documents in order. That really is the guide for what it is you’re supposed to do after that. And then once you start to follow that and then ultimately the key is proof. So when they walked into RT Jones and RT Jones had no proof of anything. They didn’t have an information security policy. They didn’t have proof that they were even having educational classes. They didn’t have any proof of anything they were doing on cyber. That’s when the regulators looked at it and said, “This is a case that under these circumstances we have to fine this firm because this is unacceptable.” It is no longer acceptable for a firm, and remember, and quoting the eyes of the law, cyber security is completely reverse. You are guilty until proven innocent. So if you tell me that you have the right tools on there, well then, prove it. And that’s really one of the key components. You are guilty in cyber until you’re proven innocent.

John Araneo: That’s exactly right. And the SEC has really taken a strict liability approach. RT Jones as the seminal case, and the first one was really quite instructive. Brian is right, there was a categorical failure to take any steps, no policies, no penetration testing, no vulnerability assessments whatsoever. Ironically in the case it was never proven definitively that there actually was a theft of any data, there was a compromise. And I think it is telling to the disposition of the regulators that if you don’t take action and if you don’t address this, you’re going to get fined for it.

Gillian: Okay. So incredibly important point, and you also mentioned that if an advisor is working with let’s say a bank that gets violated, the advisor could also be culpable.

Steven Ryder: And as more and more things go to the cloud it’s really important that your relationships with your cloud providers and your third party providers are also checked as well. So a lot of these folks just blindly will put things in the cloud without checking the policies of the respective providers, so it’s critically important.

John Araneo: But this is where the issue I think gets exponentially important. So in the asset management industry in particular and in the financial services industry, we have service providers and those serve oftentimes as extended networks. So those multiply the technological problems and it also multiplies the governance problems. And the recent law that was just enacted yesterday in New York State really has been criticized for putting an unpractical onus on each covered entity to take responsibility for all their vendors. And by virtue of that, what it’s also done is the entities that are not covered by the law, if they want to do business with the covered entities, then they too by the fact they’ll have to comply with the law. So it’s ever encompassing and you can’t get away with it, even if you’re not covered by the law.

Brian Edelman: The complexity, now, a big part of this is because it’s a different language, so they’re starting to hear this and they get scared because they start to hear it. So one of the key things that our peers, and we’re starting to do is starting to speak in more terms that they might relate to, whether it be financial services, you know, bringing it down to and making it as simple as possible so that they understand what a written information security policy is or what an incident response plan. They sound like big words, scary words, but once you go through the process, you see these guys understand it and it’s like a light bulb goes off and they don’t get scared anymore. And now they’re starting to ask the right questions. What do my agreements look like with my vendors that have private data? Great. Great question. What are those vendors doing to protect my private data, because ultimately I’m responsible if I don’t ask the question. Are they focused? Are they a best of breed provider in the same, in financial services together? Are they focused on what it is that I’m regulated by? Because if they’re not, you just can’t use them, it’s that simple.

Steven Ryder: As I say, that Brian, both these gentlemen’s point. I mean I don’t feel we’re asked enough. You know, we’re a trusted provider for many firms across the country. And we’re really not asked enough for our information security policy, our disaster recovery policies. A number of our firms that do ask for them and it’s really important that, you know, anyone who’s listening out there, understands to ask these questions from their providers, all their providers. Because if you’re trusting people with your data and your client information, they should have all these things in place.

Sid Yenamandra: Yeah. So it’s an interesting point, because in the healthcare business there’s always been what’s known as the Omnibus Rule, which meant that every healthcare firm and every associate is liable for negligence. In fact they can be pulled into a lawsuit. So you know, many of the other verticals have had this framework already in place, or a precedence of making sure that the technology vendors or the accounting firms that they work with have sort of a fiduciary responsibility to make sure that they’re following the rules. I think in financial services it’s happening now more and more. When we talk about users, right, there are two types of users. You’ve got your employees, your contractors and then you’ve got external vendors, people that you do business with. And contractors kind of fill that grey zone between the two. You have to have policies and procedures in place to make sure that all of these entities are following the same guidelines that you practice your business with.

Gillian: This is a good segue actually. I want to move to a proactive element of this discussion which is how do we actually assemble a holistic cyber security policy? And I want to hear each of your points of view on this on how you even begin to construct it, John, we’ll start with you.

John Araneo: Sure. So it’s a great question and I think this is sort of the conundrum that the market is contending with. So as some of us were discussing prior to the segment, the market of service providers is fractionalized and there are some amazing experts that have depth in their field. But to really solve the problem it needs to be a faceted solution and it needs to require an understanding of the law and regulation of what your obligations are. It needs to involve a component of putting this together in the form of governance, policies, procedures, best practices. There needs to be an element of employee training. And there needs to be an element of accountability. So all of these things need to come together, and as experts in the field we sort of have to lead the charge and weave this together. And again as Brian said, I think these elements just have to be familiarized because there’s a wall to whether it’s vernacular, or whether it’s an understanding. It’s an unfamiliar exercise to know what my network is. If you can escape that wall then we’re really talking about things that we all know how to do.

Gillian: Okay.

Steven Ryder: As I say, you need to, it obviously has to start at the top, the management of a company. And second, I mean you really cannot just download this document off the internet. It just can’t be fill in the blank and this is what it is, because every company’s different, whether they have internal servers or external servers or things in the cloud, things not in the cloud, remote users, not remote users, contractors as others have mentioned. So it’s really critical that you work with your compliance folks, whether they’re internal or external, whether you work with your IT firm to put this together. But really critically important you look at your company rather than just some template that you download off the internet.

Gillian: Sid, obviously please answer this question but I also want to redirect a bit to you, you talk a lot about enforcement. So it’s not enough to just have a policy in place, people need to be using it.

Sid Yenamandra: Correct. And that’s oftentimes the biggest error that a lot of firms make. But I wanted to take this back a notch. I did a project for the NSA in 2008, where the NSA was actually, we were contracted as a firm to develop a piece of technology to help them secure certain assets of national interest. During that time we came across, we would sit around the room and we would look at vulnerabilities. We would look at attack vectors. I can tell you for a fact that you can’t buy enough technology to prevent an attack. There is no magic pill, it doesn’t exist. The best thing you can do is really three things. One, build a solid cyber security policy, make sure it meets the standard. Second, make sure you enforce it. And when you enforce it use methodologies that are both manual as well as automated, because you can’t do everything manually, things are going to fall through the cracks. Third, make sure you take copious notes to make sure that you are doing what you say you’re doing, because you might get asked about it. You might be asked to produce evidence. If there is a breach incident and a regulator comes in and says, “Can you prove to us in November of last year you were in fact doing these five things?” You better have the evidence to be able to prove that. So we think these three philosophies is what we have always told our financial services clients, and that’s the best you can do in any organization.

Gillian: Brian, please, actually that references the RT Jones example you gave earlier.

Brian Edelman: Yeah, having a background in insurance what I can tell you is that you can eliminate the financial and reputational risk by following those OC guidelines. So what we did is we actually built the guide, a financial advisors guide to cyber security, which is a step by step guide that literally just takes what OC put out there, converts it into financial language and says, “If you follow this checklist and these steps, the written information security policy, your documents.” But the key is, and like everything else if you look at somebody even doing a financial plan, if you’re about to do your will the best thing to do is write that everything you think you want to have in that will and then take it to a professional. But the act of taking in, writing everything down at least covers you, because once it’s written, and again I can’t stress enough you’ve got to have proof and you’ve got to have it in your cyber security file. And that file should not be electronic. So I look at these things and we come across these environments where all of a sudden an examiner comes in and says, “Show me your cyber security.” And they go to the computer and they’re like, “Well, let’s just pretend your computer’s not available.” What do we do? Because in an attack, if they shut down your computers and everything is on the computer, how do you respond? So the key is again, that whole idea of bringing it down to the advisor’s language, having them get confidence in cyber security. The more confidence they have the more questions they have, the more kind of questions that they’ll start to ask their vendors. And that’s when you know that we will be in the intended space that these regulators have driven everybody, because again, without them I just don’t see that there would have been the kind of action that there is today.

Steven Ryder: I was also going to add, I mean the huge threat factor as I think we will all agree right here right now, is employee awareness and training. I mean if you look at the majority of issues that breaches happen, you know, where phishing attempts, ransomware attempts, successful attempts of grabbing money or encrypting files. You know, having a policy, again we’ve all talked about enforcing that policy, got to be really critically, that’s the hugest component that I think sometimes people oversee. They’ll spend thousands of dollars on all this infrastructure to protect the environment, where they’ve got to really spend their money on employee training and awareness, which is huge.

Gillian: Yeah. Speaking of thousands of dollars, when we’re navigating this world of cyber security suites and solutions, how do you decide what exactly you need and how many of them, John?

John Araneo: It’s a good question. So I think what we’re talking about is all the fractionalized pieces and how to weave them together. You need expertise. It does have to start at the top. I think we’re at the beginning of the era where we will see a rise of the CISO, so the CISO being the Chief Information Security Officer. We don’t have the population of talent to infiltrate the workplace and be able to sustain the need. But the idea of centralizing this and to have a professional or a center point that can integrate all of these pieces so it can understand the obligations. It can work to memorialize the policies. It can talk within the structure of the organization to implement the governance controls, train the employees, document the process. I think that that role, you’re doing eight different things and you’re required to have different skill sets. So at Align Cyber Security we do a virtual CISO. So we will act as an outsourced CISO. And whether we work with security officers, compliance officers, attorneys, chief technology officers, but I think that’s where the industry is going. Because it does require a sort of a reset and a pulling together of certain unfamiliar tenants, combining them together and then making sure it’s pushed through and cascades through the whole enterprise top to bottom.

Sid Yenamandra: Yeah. I mean I would agree with that. I mean I think that when you prioritize, because you can’t spend all your dollars in one area, a risk based approach is always the best strategy. Prioritize based on risks for that organization, whether it’s, you know, if you’re dependent on contractors, maybe that’s a risk factor. If it’s employees and it’s a captive market where you’re delivering laptops to all your users, you probably don’t need to worry so much about those assets. You might need to worry about your bring your own device type assets. So I think a risk based approach, but always work with a professional that can help you kind of build that risk based model. And you can focus your dollars around the core areas you need to invest in. But it all starts with an Uber holistic governance model for the firm.

Brian Edelman: And as long as the cyber security, I mean so many of the tools are available today that are even built into the operating systems. For example, Microsoft does BitLocker. In the operating system when you have a pro version of their operating system, it just has to be turned on. And you just have to be able to demonstrate proof. So the cost of getting into compliance could be as little as zero and it goes up from there, clearly. And certainly establishing and working with professionals, the difference is, when you’re working with professionals, not only do you not have to learn everything, you can rely on those professionals. But they can deliver those cyber tools much more efficiently than let’s say an IT support firm might be able to.

Steven Ryder: Yeah. A lot of firms are RIAs that are managing people’s money; they are experts that manage people’s money. You know, you’re looking for an IT partner that is used to managing IT security services. So I think it’s pretty important that you rely on a company that can, you know, help you with those services as trusted advisors, as firms are trusted advisors to their clients.

Gillian: Now, we’re coming to the end of our discussion. And I want to give you each the opportunity to pinpoint one vulnerability or pain area that you see that really permeates financial advisors that they should tackle right now upon watching this program. So, John, I’ll start with you.

John Araneo: Yeah. So I see the failure to integrate the necessary pieces. So there are policies out there that are pristine and quality documents that are purchased and relegated to a drawer and never used. There are excellent employee training programs that are insightful and clear and thorough. There are technologies, and some of the technologies are amazing. One of the things that we’ve noted earlier about the problem is it has to be reportable, you have to demonstrate while you’re figuring out and while you’re fixing these problems, you have to be able to demonstrate that you’ve been doing this. There are reporting functions, so you press a button and it’ll show you your eight employees completed their training program and the policies have been filed. But to me I think the market is not clear and financial services, not clear where to start, not clear where to have the conversation, and not clear how to really provide a holistic solution.

Gillian: Okay. So it’s about integrating all the parts into the whole. Steven, what’s a pain point that you see?

Steven Ryder: I see huge, huge problems with again, employee awareness and training as we’ve all spoken. I’ve seen one client wire money to the wrong place. I’ve seen clients getting ransomware, we’re clicking on the wrong things. We’re clicking on Facebook and downloading something they shouldn’t do. Recently as a matter of fact I sent an email to my controller asking him to wire some money and because we’re in this business I said to my controller, I said, “Go ahead and [0:33:20] the person and reply and say where do you want the money to be wired to.” Now, which was a beautiful thing because what happened is they gave instructions, you know, bank account, name, routing number, then we took all that information and fed it to the FBI. The FBI had a great website to fill in and all that information. So you know we’re all about risk in this business. And so the biggest dollar bang for the buck is employee awareness and training, if you consider that’s the largest threat factor.

Gillian: Okay. So a holistic approach, employee training. Sid.

Sid Yenamandra: Yeah. I mean I would say I would second what Steven just said. I think the human factor in my opinion is probably one of the biggest vulnerabilities that exists within an organization. And when you break that down further it’s devices that that human owns, it’s the passwords that that human has access to. And anything that you can do to ensure that you assess the behavior of that individual and you have a constant culture of vigilance within the organization, not to go overboard and get into sort of the big brother domain. But have commonsensical type models in place so you know that if an employee’s moving data into Dropbox and they shouldn’t be doing that, you have checks and balances. So I’d say human factor and, you know, adding checks and balances within an organization, I’d say are the key vulnerabilities that we see across the board.

Gillian: Perfect, thank you. And last but not least.

Brian Edelman: And I look at leadership confidence in cyber security. I look at it and say the old conversation that I’m a financial advisor and I don’t know anything about technology. That has to go away. And what they have to start to do is ask the questions. Ask the questions of their own team. Ask the questions of the vendors. And then ask for the proof that the answers to those questions can be backed up in a way that shows that they asked the questions and at the time they asked it, this was the proof they were given. So those are the most important things.

Gillian: Okay. Well, this has been a fantastic discussion, thank you so much for taking the time to be part of our first ever cyber security masterclass. And thank you for tuning in. From our studios in New York, I’m Gillian Kemmerer. And this was the latest edition of Masterclass.