Ladies and gentlemen, thank you very much for joining us on this panel. It should be very enlightening since it's something that affects all of us, all the governments, all the corporations and of course all of our own devices and our own personal computers. Building regional cyber resilience is the title of our panel. That in itself is not a controversial title. We would all like to think that there needs to be resilience, but how do we achieve that? Those are the challenges and how do we thwart those who want to break the resilience, right? A single cyber attack last year accounted for about four billion dollars in economic damage. That's just one attack. There have been a number of attacks in 2017 that I, as a journalist for Bloomberg Television, covered quite extensively including the Equifax breach, $275 million, plus its reputational damage. There are a number of headlines of different breaches and a lot of other attacks that we don't necessarily hear about. We want to tackle the questions, how vulnerable are we all? How sophisticated are the attacks now and how sophisticated will they be going forward? What is being done and what is not being done? And again, what kind of cooperation can be reached when there might be competing interests? My name is Stephen Engle. I'm the chief North Asia correspondent for Bloomberg Television. I've been covering Asia for nearly 30 years for various news organizations including 15 with Bloomberg. The panelists, though, far more distinguished than I, and I start here on the left, is Christophe Nicolas, founder and senior vice president of Kudelski Security, but also the Kudelski Group CIO, chief information officer. To his left is Jayne Plunkett, the Swiss Re Asia CEO. Perhaps you can give us some good insight into the insurance angles as well as other angles. Over here is Stanislav Kuznetsov, the deputy chairman of the Russian bank Sberbank. Thank you very much.
You can give very valuable insights into perhaps the vulnerability of the financial sector. And to my right here is Troels Oerting Jorgensen, the World Economic Forum head of Centre for Cybersecurity. Hopefully you'll be able to touch on just about everything. And the fifth member of our panel are all of you. So I would hopefully throughout the course of this roundtable ask for your input and questions. Raise your hand. The microphone will come to you and I'll be more than happy to have you ask questions. Please no comments. Just ask a question and single question, not multiple questions, please. I want to begin it here with Christophe. Very simple question, difficult to answer. How vulnerable are we right now? That's a good one. So I think the first things that was to mention is that in the cyber world we are not equal. So there is first the asymmetry between the attacker that needs just to find one single weakness in your ecosystem. And unfortunately it does not have to follow any legal framework. And the one playing defense needs to cover 100% of his base while being I think restricted to some extent by the legislation. So that's the first equation. When it comes to defining that it means that we are now really facing a global playground with different role games depending about where you stay, which country you are in and in which industry you are. I think while basic attack are still the majority of the attack that we are facing due to the lack of what we call cyber hygiene or cyber wellness, which is even better, people are also now facing more and more targeted and sophisticated attack from governments to I think critical infrastructure, large organization. Those guys need to face those kind of attacks which are much, I think, difficult to handle and also difficult to explain and to see.
You have mentioned some of the attack that hit the headlines last year, WannaCry being one, but there is other one less visible that are also taking and keeping us busy when it comes to the cyber resilience aspect. The fact that there is now the blurring of frontiers between the virtual world and the real world with all that Fourth Industrial Revolution kicking in the digital transformation, we have more and more sensor being connected to the grid to the Internet being part of that new game. More potential hole. More potential hole. The ecosystem is expanding and those are not always, I think, the priority when it comes to a cyber professional to take care of them. So again, there is a complexity that is expanding as well as I think more information be available for hackers. Troels, maybe I can bring you in as well. Would you agree with this and also why are we more vulnerable now? Is it because we're too complacent because there are more attacks? There are more ways in? There are more incentives? Why? Well, it's a combination of all what you say. Organized crime will primarily have three driving factors. Investment, risk, profit. In cyber, it's relatively low investment. It's a relatively high profit and it's almost no risk because the police for various reasons because crime doesn't happen in the same country. The perpetrators are not in the same country. They cannot really cooperate so there is no risk. So that's the first thing. The second thing I think is if you look at the room here that we are moving from PCs to mobile, that will increase the internet population dramatically. We will all have smartwatch and you have smartwatch but that comes in the second sentence. The second sentence is that you have IoT now so you are connecting the physical world with the digital world. Anything. That was what Christophe said.
Everybody says it's hard to make estimations but if we say that the internet population will increase from 3.5 billion to 7 billion because we all have portable devices and at the same time you connect approximately 50 billion devices to the internet that have machine to machine communication and you then enable us all to store all this data because we have cheap cloud services now which was a problem in the old days and you utilize AI on all of that so you can get meaning out then of course you will see that your attack vector landscape is much, much broader now. So that is a bad thing and the risk is also. The good thing is that we are getting better, right? So we are actually getting better. Sometimes I say but we are getting worse faster and sometimes we balance these two things out but I think we will have a bumpy road ahead so it's not over yet. Later in the conversation we are going to talk about how we build a bigger wall or if that's the solution but at Sberbank, is it getting more difficult to keep your money, your secrets, your data, your clients safe? I think yes. I think financial organization today is number target number one for cyber criminals today. Why? Because they have main goal to steal money and before I would like to say that cyber crime has no borders today and one cyber gang for example can be located in several continents and commit a number of cyber attacks in couple of hours, maybe in couple of minutes and it causes great damage to the global world. And I think, not small statistic, you mentioned that in 2017 the loss from cyber crime amounted to one trillion dollars and is projected to grow to three trillion dollars in the next two years. In WannaCry and NotPetya cases it was two, the largest attack last year. It caused four billion dollars of losses and this is official statistic only. I would like to say that many companies and everyone knows that many companies conceal the fact of being attacked today.
And cyber attacks bring enormous damage to the real world today and massive cyber attacks cause shutdowns in the work of thousands of companies, thousands of organizations in the hundreds of countries including Russia. And you know that in case WannaCry attack Russia was the largest victim in these situations and in these cases the threat actors don't even need to go out of their home. And cyber criminals have turned national borders and what allows them to attack any sector in any country. And I would like to say that in this situation the geopolitical turbulence makes international collaboration more complex and slows down. More important but more complex. Look what's happening in the world right now. Absolutely. And so for cyber criminals have a lot of time today to cover up their tracks. And this is why complex cybersecurity system in the organization is essential. And I mean it is very important for the large companies, for the large organizations to have developing cybersecurity system. And for our experience we can distinguish I mean several key areas of complex cybersecurity system within an organization. First of all processes, standards, rules. We have different rules today in every country. Second point is work force, work forces, technical tools. The third point is education and trainings. Maybe cyber vision, cyber culture, cyber trainings on the different levels for technical staff. One cyber security training and for high level top manager staff, another one. And the last point is the collaboration. And collaboration on domestic level and very important to have collaboration on international level. Right. Collaboration in good faith at a time right now perhaps when there is disruptions in the global economy and even between the two largest trading countries in the two largest economies in the world right now perhaps it gets knocked down the priority list. Would you guys all agree? And that plays to the perhaps the playground of the criminal, does it?
Yeah, I think maybe just I'd take a step back and talk about the risk that we face here. We talked about risk already. So we all face all kinds of risks in our lives. And we always like to talk about, you know, how can I protect myself in this new world of cyber? And if you think about the other kinds of risks we face as people think about your health insurance. So what do you do first with health insurance? You try to keep yourself fit. You try to eat properly. You try to avoid getting sick. So you first you take many mitigation efforts to keep yourself healthy. And then when those don't work, then you go see the doctor and your insurance pays. So I think of cyber the same way. The first step is that you try to manage the risk, whether that's a company or an individual, manage the risk first through these mitigants that were already mentioned. Having the right IT protection, training employees on how to respond to different kind of phishing emails. Those are the first steps in this kind of risk management world. And then insurance comes at the end to transfer the risk that you cannot mitigate yourself. So I think it's easy to talk about all the threats, but we also have to think about the risk and how do we manage the risk. And the mitigation of that. And it's a new, well in emerging I would assume part of the insurance world. It's fairly easy to count up the number of cars and houses that are damaged in Hong Kong from the typhoon, but far more difficult for a cyber attack because there's so many problems to it, I would assume. Yes, and it's as the other panelists have said, it's crosses boundaries. It's not physical. So this virtual world creates a very different tracking mechanism. Yeah, just to jump on that. So I think we need to step back and say, OK, yes, maybe we have missed the point. 
If you think about the software industry, someone was telling once that you have a database, you don't have any liability, you put four wheels around it, then you start to have some responsibility. So I think it's time to make sure that we understand that when we connect infrastructure, we connect asset. We have also some responsibility and obligation. Yes, great power, great responsibility also there. And I think we have neglected that. We all know and there was a discussion yesterday about the lack of talent, the lack of understanding about those risks at every level. And I think, yes, we need more experts and more scientists for that, but we need also to make sure that our leadership really understand what is at stake. It's not anymore the e-commerce on the side. I think every business is now dependent about the Internet and the capability to reach the global footprint there. So therefore, they cannot neglect that or delegate that too much. I want to see more deputy chairman coming to cyber security discussion, not only CIOs and responsible of cyber security center. Before we get into how we need to stop this or prevent it, we need to get a sense of the sophistication of the attacks and how it has evolved. Do the hackers or the attackers have the same tools as those who are trying to put up the wall, yet they don't have maybe the same respect for the law, they don't have a bureaucracy within the government, they don't have bureaucracy within the company, and maybe they have a few steps ahead of the defenders. Yeah, one of the challenges that in any type of battle, you need to understand the battlefield. So on cyber, the battlefield are us. Our assets are connected to the Internet. Your asset may be connected to the Internet and the bad guy's asset will be also connected to the Internet. So how do you build that situational awareness mapping about that? Because on top of that, it's not a static battlefield. It moves during the year.
So you may have an unpatched smartphone that will be attacking Troels next. And I will be taking benefit of that. So how do I map that? How do I make sure that even if you are not in business relationship with me, I want to make sure that you are doing your duty of patching and taking care of your asset. So that complexity is by definition of the way Internet has been built, one of the struggle. Because if I look at your asset, I may be breaching some privacy law, or I may be overarching my responsibility or duty. Whereas on the other side, the attackers will do that on a regular basis. And they will know exactly when you are not doing your duty, and they will take benefit of those. Is the answer. Go ahead. No, I think that cybersecurity is more than tech, and I know that you share that, Christophe. So tech is one part of it, and then you have people as another part of it, and then you have processes. And I think that you need equally to have holistic security, so you make sure that criminals are rather lazy. They are not trying to do it very smart to steal money. If it's easy to steal money, they will do it, right? So they will just misuse the lack of cyber hygiene in an organization to do it. So when I was in the bank, I always looked at who is the guy after me, the adversaries. If I know that, then what is their motive? He said money, blackmail, do they want to wipe, do they want to steal IPR? And then I tried to anticipate what kind of tool did they have. Then I looked at my own network. Where's my known vulnerabilities? Then I looked at my crown jewels, and you shouldn't protect everything at the same level. And last but not least, then I need to have my controls. Are they adequate to my appetite? There is no 100% security in cyberspace. It's not in physical, so you just have to create that. And I think again that the criminals have the upper hand now because we are sloppy as private people.
First of all, secondly, as businesses, the majority of big corporations have a very flat network. It's not segregated. So if they have an entity in Africa, you go in there, you can probably reach their data center in London or whatever. So there is a number of areas where we can simply improve. And I think basically that insurance will do that a bit because you will have to pay an enormous amount in premium. To cover everything. If you don't have basic security, so they will probably lift the bar a bit. Yeah. I mean, do we not concentrate on the psychology of motive enough? And do banks, such as yourself, just try to build a bigger wall? No. We, like bank, have several products and insurance as well today. This is modern products. And I think like bank, we have main goal to protect our core systems and our clients. For protection of our core system, we have security operations center. This is modern center with many, many people. And for protection of our clients, we have fraud monitoring center. These two legs allow us to protect and to be very, very, very good on the market today. And I think it's very, very important to have the exchange of processes. 80% in every company, in every large organization to change processes and standards. The software, technical tools are not expensive or are very expensive. But 80% of the work in cybersecurity is changing of processes. This is a successful way to be successful. I think if I may add that money is one thing that you can steal. And that's, of course, very unfortunate. Normally banks will reimburse the customer at least up till now. But I'm more concerned about the future where my whole life is online. You know, it's my identity, maybe my biometrics. You know, everything I do, everything I like, everything I... And we're kind of pushed that way. We are pushing that, yes. It's not like I want my whole life up on the web. No, but still you sign, you know, a contract. 
If you want anything for free, you're the product, right? So you're not getting free lunches here. So people then want to have your data and if you are... And that is also something we in the future need to protect is our privacy and integrity on top of our economic security. Where you can replace... You can replace money. Money. But you can replace everything else that I... And my whole track record. You know, my phone knows everything about me. Where I am, what I listen to, what I like, what I watch, what I read, what I spend money on, anything. That is also valuable for criminals and many others. And your phone watch you. It does. Put the black tape over the camera, right? Yeah, and any one of us are now the system administrator of our phones. So except if it's a corporate phone and someone is looking at your back and taking care of the security there. As individual, we have the duty to keep that secure. And nobody likes the burden to update every day. I think nobody likes the burden to have a different user interface every day. As a group CIO, I know that I ask my guys to be business focused and to make sure that it's the convenience aspect on our system that is important. But security comes with a price tag. So you need to do that and you need to enforce that. And that's the difficulties because nobody wants to change a system that works. But there is a monthly patch on every system. So except some disruptive car company that are pushing updates on the car. Have you heard of any update, forced update on the car before? Average car have about 20, 25 computer built in. Do you think that there is no bugs in those appliance? So it's a change of mindset that we need to accept, unfortunately, to make sure that we will do that type of upgrade. The vulnerable ecosystems are vast. I mean, I only have just brainstormed a few. Corporate and financial institutions, governments, individuals, airlines, automobiles, IoT, energy sector.
We saw a state sponsored attack of the US energy sector, I believe, last year. Medical systems are at risk. Again, as I said, the financial sector goes on and on. Back to the insurance sector. How do insurance companies, or are insurance companies adequately assessing risks when each one of these ecosystems have their different vulnerabilities and different preparedness? It's one of the challenges because we live in this, as we said, this interconnected world. But all of the things that we insure are also connected. So it's been a multi-year journey to think about how can we model this? How can we partner with some of the companies that actually know how to model this risk differently? That's what insurance companies do all the time, is model risk and try to predict what it looks like. But this one is a bit more difficult. And I think the interesting thing always about these discussions is we tend to focus on the large companies, the large banks. But the reality is there's a tremendous number of small and medium-sized enterprises all around the world, particularly in this region, and they don't have the same sort of security measures yet. And the cost might be too high for them. So I think that's the other thing we should talk about is these smaller companies and how can they get the same sort of risk mitigation as the larger companies do? Well, how do that? And are they targeted? Are the small... Yeah, they are all looking at the global markets as an opportunity. With a couple of people and PC, they can access those consumers, but without having maybe the knowledge nor the focus on the basics of cyber hygiene or security. So we need maybe to create incentive for them to look at that. I think when a country is pushing for, I think, clean energy, they are creating incentive. Are we doing the same in cyber? If we really want to tackle that, are we, as a community, as a public-private partnership organization, re-creating that incentive?
So where does cyber hygiene, to borrow your term, where does it begin? Cyber hygiene begins here. So it's that I update now to iOS 12 that I make sure that I have secured everything that I look into my privacy settings. Every time you download an application, the first thing it asks, you could have access to your camera, to your microphone, to your location, so no, there's no need for that. And then secondly, I would say that you asked about cyber criminals. It's organized cyber crime. They're very, very good. And they will attack a medium companies as well. They do it very much and very organized by stealing credit card credentials, buying online from these shops. They sell a commodity to a mule that receives it. And this small entity is going to pay because the bank is not going to pay. It was probably a card that was stolen and the credit card company is not going to pay, so it's the person who lost the asset that is going to pay. And I think that again shows you that it might be a faceless crime for the crime committer, but it's very much a crime that has implications on the victims. And that's also why I think it's so important that we discuss it and that we protect the good side of the internet and the ability for the internet to drive prosperity and growth and lots of good things, but we simply need to do a bit more in the security agenda. And we tend to forget that. We spent a lot of time talking about cyber currencies and we know that there's been a nefarious angle to that as well. Has that promoted maybe the propagation of ransomware that we've seen? I saw a 2700% increase, 2500% increase in 2017. There's no doubt that, again, when I was a CISO in a bank, all the ransomware attacks that we got or blackmail attacks, we should pay in bitcoins. Bitcoins, yeah. Period.
When I was a police officer, there was loads of child sexual exploitation where you could watch kids being raped live and then you paid for that in vouchers that was anonymous also or Bitcoin was not so up-to-date at that time. So anonymity in that area, of course, fuels a lot of activity. That is simply as simple as it is because people don't want to get caught. So you try to minimize the risk. Right. So do you take away through government intervention the avenues for people to get rich that way through a cyber currency or a cryptocurrency or does it, again, start with building a bigger wall? That's the big question. I think it's a bigger question beyond cyber security because there might be other drivers in that. So I'll just narrowly keep focus on that, that virtual currencies is very, very much used in cyber crime, period. You've seen that, too, with your numbers? Yeah, definitely. That was something that was adopted very fast by the bad guys because it gives them, I think, that sensitivity. They cannot be traced or are difficultly traced and also the issue is that law enforcement, at least we've started to see Bitcoins what, eight years being used by the bad guys, if you go to your preferred law enforcement eight years ago and say, okay, ransom in Bitcoins, they will look at you and see from which planet you are coming from. So I think nowadays it's more common, but I think they are using also that delta between the people and the education. We should not confuse that the transportation layer for crypto and currency blockchain is very, very good. So it's not connected. And that can be used for security purposes also. Absolutely. What would you like to see as far as government and private partnerships? So it's a bit hard to dream about everything, but I would say there's a few things. So for example, data protection regulation does help.
I always have to be careful with regulation to have the right level of it, but I think it does help also in terms of setting standards. We see that in certain countries and it does help us to create a more predictable insurance market by having these standards. But it creates silos of protection, if you will, individual countries instead of for all of us. I think there's probably a hundred different nationalities in this room. I think maybe that's a question for the World Economic Forum to think about how do you bring the whole world together in terms of these things. The reason I like the mission that we are trying to get off the ground now is that it's a fact that the world gets more and more online and the risk will still increase. At the same time, the trust between nation-states is going the other way. So it's not easy to get law enforcement to work together from Russia, China, US, UK and EU. And that's of course what the criminals benefit on. That's what I said, it's risk-free. That's the first thing. Then on the positive thing, I actually happen to believe that if you take the best and the brightest we have in private companies, in governments and in academia and bring them together and put a problem, a cyber problem in the middle we can do something about it. I simply think we can. The problem is to bring them together and first of all create trust between corporations. In the beginning banks would never say anything to each other because that was a lack of faith and whatever. I think they have changed that now. I think that everybody realizes that trust will be the biggest competitive differentiator for the future. But to secure the internet and make it crime safe is not a competitive differentiator. We will work together. I'll work with a Russian bank with no problems, with a Swiss company or with everybody. And that is what we are trying now to do by bringing these together in a neutral place, Switzerland and Geneva. 
They might not meet in Beijing, in Moscow or in Washington but they might meet here and we might be able to bring people together. And if we do that and we are not trying to do a PhD over the next six years but try to keep up pace and deliver actionable, impactful solutions I think we can actually move the needle to our advantage. I don't think it's so difficult that we should give up. No, no, of course we can. Well, as an executive of a major Russian bank is there a trust deficit right now in the world that pushes this down? I think the private companies can be faster. They can be faster in comparison with officials, with law enforcement as well. And we can push, for example, officials as well. We know our problems, we know exactly our clients. They have problems as well. And like example, last year in Russia was launched the government program Digital Economy in five directions. The fifth direction is cybersecurity. And I run the Center for Competence of Cybersecurity from the business side. And we have great opportunity to create the special plan for changing the situation. And we can push officials to change the situation, to change legal system, change rules, change standards, change education. And I think change technical rules in many, many companies. And you mentioned that huge companies have expensive cybersecurity complex systems. Yes, right. But many, many countries have legal law for critical infrastructure and law enforcement responsible for this infrastructure, that's critical infrastructure. And who is responsible for smaller companies? This is a big question today in Russia as well. I think trust, the trust issue is suffering from one thing. That is that you put everything that happens on the internet into the same basket. I'm trying with my center to separate. The center will only deal with cybercrime, greedy cybercrime, terrorism or hacktivism, not nation state activity. Nation state has always spied on each other.
They've done that and they will do this also in the next 200 years. You're saying, including in the news media, we lump it all into one threat. You know, to try to influence opinion from one country has been doing, you also went on during the Cold War, you know, before the incident. To influence politicians and whatever, that's one thing. I'm trying to separate that because that pollutes the whole discussion about trying to do something about the organized crime. So they again are profiting from our inability to work on that area. There might be gray areas, fine, but still if we take away the gray areas, we have 70% of the evil things going on on the internet that we can do something about. And I think that I've actually received from a Russian bank information about crime going on in a western country. They just handed it. And I could then send it on to that company in that country and say, you are infected by this and this and this and do something about it. And they did and saved loads of money. And I think I've got from you four reports. So again, it can be done if we want to. We need collaboration for sure and to build on what Stanislav has said. Sometimes a gentle push on the back from the private sector to the government helps. I think it's matter of leadership in any type of new threat. Sometimes there is that hot potatoes going around there. And also in Switzerland, we are pushing now the government through a digital Switzerland to speed up a bit the process when it comes to digitalization of the country. And I think one of the outcome was that they agreed now that they need a Mr. or Mrs. cyber at the government level at the top level to re-tackle that because before it was kind of a heaven level position. Yeah, it's always the same. So it's okay. Is that the army in charge? Is that the law enforcement or so everybody were involved? Nobody was in charge. So I think now we are tackling that. And that's also something.
It's a pattern that we see a multiple time in country. Even in the army, sometimes you need a joint cyber defense organizations to tackle that. So we have open book for Center for Cyber Security. Right. So we need a multilateral approach, but at a time when bilateralism is taking center stage right now, we can't even come to conclusion or agreement on climate change for God's sake. So it seems like it's a bigger task than just sitting here and saying we need to cooperate better. It's a much bigger task than that. Wouldn't you agree? Yeah, it's definitely a big task. But I would just pick up on this framing of the issue because I think it's a really good point. It's always easy in these settings to talk about these really scary scenarios and sort of state sponsored attacks. But I think the point is that you make is most of what we see is actually it's business related. We have standard practices that can address it. And if you think about sort of what risk you face, you face the risk of data protection. So that's one thing, stealing the data. The second risk is what we call business interruptions. So does your business, is it closed for a period of time and you have a loss of income because of that? And then you have this bigger threat, right? This state sponsored. And I think if we think about those first two risks, it's more manageable. Yeah. It's more modelable. Yeah. The third one is it's a bit hard I think for the private sector to deal with. You might get there if we deal with the two first. Yes. And there might be norms like there are norms in warfare and whatever. Yes. But that's not a starting point. Starting point is that we all, I remember when I was in Europol, I had actually two Russian captains from the Moscow police working because it was child sexual exploitation. Everybody hates that. Everybody wants to do something about child sexual exploitation. I think we can do the same with pure cyber crime. I think we can. At least we should try. 
And then we'll build trust. Don't expect miracles. But what is the alternative? Yeah. Can we ever be 100% safe though? No. No, no, no. Nowhere. How many people in this room have been hacked or think they've been hacked? Pretty high number. Pretty high number. How many people have no idea? That's the rest. Anybody who says that, they probably have been hacked. They don't know that it was hacked. Well, because you mentioned that, okay, 2017, there were a lot of high profile, whether it's WannaCry or some of the other big attacks. But there are many other attacks that are happening already this year that we don't know happening behind the veil. Yeah. I think there is a continuous noise of attacks or the opportunistic type of hackers that just look for unpatched, unsecured devices. I think if you go to the global situation space, we demonstrate some. We took an attack from 2014. So four years old. And at that time, we started to monitor the, let's say, quality of the reaction of the security professional. So in matter of two days, only 17% have done their duty. After a month, 50% of them have fixed the issue. But more frightening, we checked last December. Four years later, there were still 100,000 web servers not patched for that single attack four years ago. So the opportunistic one will always look for that and they will always find their share of that. The same way as you are receiving spam email, sometimes 0.01% will click and that's good enough for them. So that noise is ongoing. And most of the big corporation, most of the country are dealing with that. I'm not saying that they are solving that, but they are dealing with that. But my kids or my father are not aware of those kind of things. So those are the typical targets. And then for, I think, big corporation, big country, you have tailored and sophisticated attacks that are ongoing. Unfortunately, it's not because you don't see that in the news that they are not happening. 
On average, an attack will be sitting in your ecosystem in your servers for more than 100 days until they are found. So even if you are looking as an educated company on cyber, you will probably miss it for a couple of months. Right. And a lot of these attacks into a corporation, I know at Bloomberg, they put the onus back up onto the individual employee as well. Oftentimes, we're the point of vulnerability, aren't we? Since there are so many different avenues to get into a system. Bloomberg is completely safe. Of course. Let me just say, in case my boss is watching. But it's the individual that makes either an unwise click or what? It's not always just the IT department. It's to your point about, can we ever be 100% safe or eliminate 100% of the risk? It's not possible. But if you think about all the other risks in your life, you can't eliminate those either. So what we've done over the years has gotten smarter about those things. I gave the example of health insurance. We've all gotten smarter about how things affect our bodies and how to remain healthy. And I would say we need to do the same thing with this threat. We need to get smarter about it and understand how things affect us. And then we can manage our own personal risk a bit. And criminals are lazy again. They don't want to spend $1 to steal 50 cents. They want to do it because it pays off. So I think that if you make it a bit more tricky because you have cyber hygiene, you have what you should have also in the company, we can now drive it down to an acceptable limit. The only thing we need still is the third, you know, the nation state always says we can prevent, we can protect, and we can prosecute. That's the three ways that you influence crime in a country. And you can increase punishment or whatever. But here the third pillar is a bit gone because the criminal will never ever visit China to steal money, intellectual property or ID, always be on a distance. 
So it's out of reach for law enforcement, which again then demands that law enforcement works together if you want to drive down the risk. Otherwise everybody wants to be a cyber criminal. What's the best deterrent? Because I was seeing number two, you know, you talk about the aviation industry. There's going to be a pilot deficit of XXX percent. There's in the cancer world, there's going to be oncologist shortage. I would assume there must be, if this is growing threat, there's going to be a shortage of experts to protect the systems. Already now I think the number is at least a depress around 3 million globally that you lack of cybersecurity experts. And that is something you can see very clearly also, and I would guess the insurance industry will also adjust premiums about that because they will, I remember when we had a cybersecurity insurance, they will come and assess our level, our expertise, our tools and whatever. So that is part of it, and we lack that. So that is one of the projects we have in the center is to see if we can produce more cybersecurity workforce so at least you have a talent pool that you can begin with. Yeah, but going back maybe to the analogy of cyber hygiene, it's the same as before we had proper hygiene there, there was a lot of infections, so we are not discussing about the number of doctors or surgeons that we need. We need to make sure that everybody understands the basics there too. And that started at the kindergarten. I have the luxury to live in Switzerland. We still have policemen coming to the kindergarten to explain to our kids how to cross the road because the big innovation last century was the car. So they are still starting there or how to brush their teeth or stuff like that. So let's make sure that we have the basics also understood by our kids there. And then they will do the reverse mentoring. They will teach our teacher, they will teach our elderly people and that will at least clean the basis. 
Because if we only had doctors, surgeons, security experts, we are not tackling the issue. Just to stress that I think that maybe our education system also needs adjustment. We cannot wait five years to have a computer science expert. And we have loads of talent in my world that wants to be the good guys, but they don't want to go to a university for various reasons. But they are very, very good. And if we could get them into some online diploma courses of three months, six months and nine months, I can't think that we can actually have somebody moved into then a SOC and then they can grow into that. So I think that's also maybe part of it. How much do you spend on cyber security and how do you know it's enough? We have in cyber security division today in Sberbank 800 guys. 800 employees. 800 employees today. And in dollars I think maybe... Is it enough? Maybe, no, it's not that secret. How much? In rubles this is two billion rubles. How many? Two million rubles. How much? Thirty million dollars. Thirty million dollars here in the year. It's not expensive, but I think I give one example. We need another level for sharing information. For example, we are using today AI in our core systems, in our cyber security complex systems. And for example, when we have telephone number, cyber criminal number, telephone number, we can see in one second the whole net, the cards, the accounts, the banks, the addresses and the different differences. We can share this information with law enforcement, with our colleagues. And this is very, very important to have automated platform for sharing information. It's very important and I hope in... AI is going to be critical. ...center for cyber security. We can organize most faster in comparison with officials. But to come back to your SME point, I think that's where we are not equal. Right. On average, companies spend between let's say five to twenty percent on IT spending. 
And out of that, roughly, between also five to ten percent are spent on security. If you have a big number in terms of your top-line revenue, then you can do things. An SME, even if they are doing a few hundred K, they will have only the money to maybe pay for the antivirus and that's it. So that's where they need help, because they cannot scale, they cannot really have their internal program there. So they need to rely on someone else. And that's a big issue, because that's a big part of the economic... AI will be both good and bad. I just attended a presentation today by an Israeli professor that explained that AI is used by you and other ones in defence. But adversarial AI is now the new black for the criminals where they can much, much faster scale their attacks and they can find vulnerabilities much faster. They can bypass other AI and they can find vulnerabilities quicker. Yes, and they can invent new types of crime. So that's areas that we need to look into also, because the problem with innovation is it's done for the good part, but very, very soon you'll look for the bad part and then we just need to be prepared. It's not too complicated, it's just another thing we just need to take care of, to look at this also, because every weapon will be used for two purposes. You build a weapon, it's always used, right? Expensive or not. Sberbank is the largest bank in Russia in Eastern Europe today. It's the first company in Russia on capitalisation. We have 300 employees, 300,000 employees in 60,000 branches. And we have 120 million clients today. It is huge responsibility for our clients. I was just thinking, it's interesting, because in all these different sessions around the forum, some of them are talking about, will all the jobs disappear because of automation and robots? It's kind of interesting, because our discussion here is actually about creating jobs. We're saying we don't have enough digital risk engineers, we don't have enough support for SMEs. 
So it's kind of interesting that actually, this is probably creating quite a few jobs in the future. AI will probably take out some automated job in the lower end, but you will have a need still for the human brain and interaction. To assess motive? Yeah, in many, many years to come. Because you can teach an AI everything, but not the emotions, right? Are there questions from the audience? This is your chance for your burning question. Very good, we have covered everything. Here's a question here. My name is Hugo Rohner, I'm the CEO of SkiDate. I have a question for you, CEO of Swiss Re. What are you doing in your job to make sure that you're having things under control and you're not being hacked as a company? So we're like all other financial services companies. So I think you've given all the good examples of what the banks do, and insurance companies aren't different. We have a certain responsibility to protect data, and we have all the common IT measures that all the banks have as well. So I think insurance companies are not different in that way than banks are, given the large volume of personal data that we have. We also do a lot of work with our employees in terms of teaching them. What it means, we do little tests to see do they click on the mail that comes through. And of course, many people click on the mail, and it helps to teach them that they shouldn't do that, because this awareness of the risk is really the only way to help prevent some of these things. Making everyone more aware of what's coming in all the time, I think, is the key. So this training around hygiene or cyber defense is, I think, of critical importance. Maybe this is about culture. This is cyber culture, maybe, to create some cyber culture. Security needs to be part of your corporate DNA. On average, one out of four or five will click on a phishing email in a company. One out of five. So it means that you need just to target five, ten people to do that. 
When you train them, you can go down maybe to one out of twenty or one out of forty, but still there will still be someone who clicks on that email that they've been told not to click on. And that opens a hole. And that opens a hole. So we should not only blame the end-users. So we're discussing about that there. So they need for sure to be educated. But as an IT guy, you need to make sure that that email doesn't reach you also. So it's a balance between, I think, what we can do in the back-end, as well as how to educate end-users. How big an industry is the insurance industry for cyber crime, for a company to take out a policy to protect and mitigate their losses of intellectual property, data theft, financial. How big a market is that becoming now? It's a growing market. So there are as many estimates as there are risks about how big this market will be. But I think it's important to know that it's not a new market in many ways. So it's been a market in the United States for a few decades now in terms of data protection. And there's about $2 billion of insurance premiums written in the U.S. to protect this. So if you think how can you scale that, you can imagine multiples of that around the world. But in the U.S. it's not a new market in terms of data protection. I was seeing one number. The reason I ask you is cyber insurance market on track to triple its worth to $7.5 billion by 2020. Sounds small number. $7.5 billion? I think the issue is that, again, the first defense is to protect your IT system, train your employees. And then comes the risk transfer. But if you have so many dollars to spend in your budget, most companies spend it first on protecting their IT system. Are there more questions? Back here. What's the most creative cyber attack or phishing attempt that you have either encountered or know of? You maybe ask Kudelsky here. So I think just to take the simple one because I think it's interesting. 
Even if you educate people not to click on that email, now hackers are calling you before saying, hey, you will receive an email from my CEO and you have an important payment to be done. And that lowers drastically the sensitivity of the guys not being able to click because you have broken that. So someone called me to do that. So as soon as you mix what we call social engineering capability, you engage with people and then some technology, then you are very efficient. So sometimes very basic, you call the guys and you will receive an email, click on that fairly. It's very important and you're done. Russia is a huge problem with social engineering too. Yeah. Social engineering, yeah. Yeah. So that's one of the best vectors that you fight now, social engineering. They go to LinkedIn because everybody will update anything on LinkedIn because you want another job, right. You put all your credentials in. And then they will search, if they want to search, Sberbank or Bargdis or Kudelsky, they will search for employees that are employed in IT with admin rights and whatever and it will narrow down. Yeah. And then sometimes they will even then pretend that they are headhunters. So they will send you an inbox. They have a profile as a headhunter. They say, I have this great job, $1 million plus a bit extra. You have a really good profile. Would you be interested? Yes. Could you send me an updated CV and you send an updated CV with all kinds of private information, your private phone number, your private address and your wife's shoe number and everything to convince this guy and then they will use it against you and they do it, right? So they're very, very good in that. You can look at the Internet on Black Hat this year in Vegas in July. One girl was good at social engineering and was just calling your bank pretending that she was the spouse of that guy and they have added her on his bank account. 
She put a baby crying in the background and she was just arguing with the guy, I need to pay that payment and not receive my credential. So can you add me that in two minutes they were in? Two minutes. And you know what? Fake social sites. So have you checked how many of you have a duplicate? If you're important enough, you will have a Facebook page or Twitter page. I can assure you or LinkedIn. So my previous boss, we took down 272 fake Facebook accounts every quarter for him. So people produce them with the right pictures and names and then other ones, they really want to be friends with the chairman of a big bank or whatever. And then again, they start social engineering. Loads of potential, yeah. Hi, welcome to the days of just having a virus on your computer. It was easy. Yes, over here, Sarah? Hi, I'm Sarah. I'm a global shaper from Vienna, Austria and I work for the Impact Hub. And you mentioned quickly the energy sector. And as far as I know, the energy sector is connected in whole of Europe. And I wanted to know if you know about how well protected the energy companies are and how likely a European-wide blackout is. I think there was a US power grid attack in 2017. This is critical infrastructure. I think it will be classified as critical infrastructure. So it will normally be on the radar of the national governments. That doesn't always increase cyber security, but that's an indicator that they take it serious. There is a number of tools that are very, very good to attack grids and electricity power stations. And we actually work with the energy sector, because again here they want to work together because they have similar problems and the enemy could either be a nation state for preparation or it could also be somebody who wants to blackmail them because they know that if you blackmail, if you encrypt a power station or make it go down and all the lights go out in London or Brussels or whatever, you are in deep trouble, right? 
So you will pay your ransom. So I think that they have a double dip. We have only one minute. Does anybody else have a last takeaway from this? Oh, you have a last question? Okay, quickly. Hi, the question is just that, what do you see in the near future, the nearest collaborative initiative across at the national levels? Have you come up with something? I hope that we will be able in the platform in the cyber center in the World Economic Forum to have partners and we have a very good beginning from Russia, from China, from Asia, from Africa, from Europe, from the US, from the Americas, first of all on state level, secondly then on business level and thirdly on business level in various sectors. Now we start rolling the ball I think in the crime area, not in the other areas. And I think that we day by day build some kind of trust and that we all share the same desire to make sure that the internet is not polluted by crime and that regardless of if you are trying to steal from a Russian, a Chinese, an American or a Dane, I think we share that. So I'm very optimistic. Again, don't expect miracles, but we are actually moving. And we should all practice cyber hygiene. That's very important. That does it. Thank you very much.