 Hello, it's really great to be here with all of you today. And it's been wonderful to hear the presentations and the topics and materials. So, and I'm afraid I don't have like a lot of great news for you anyhow. So first of all, I wanna thank the ESRB for inviting me to be here. And I'm gonna talk to you about how I see from the front lines that cybercrime is creating systemic risk for the global banking markets. Also, do we have it loaded yet? I must, maybe I'm a little ahead of you guys. Do you have it? Also, for the first person who asked me a question, I brought a signed copy of my book. And you may or may not know this, so back to self promotion. You may or may not know this, but this book is on the number one must read list of my mother and you should listen to my mother. So definitely have that available to you. And then whatever you don't get to, if you tag me on Twitter and tag the ESRB, I will answer every question that comes in on Twitter as well. And I'll be here at lunch. So, what's interesting is, is when I first got to the White House in 2006, so I was there from 2006 to 2008. Now, just shout out loud, how long do you think the average shelf life is of a White House political appointee that is a chief information officer? How long do you think they last? Prior to this administration. How long do you think the average? Just shout out, how long do you think they last? A year, two years? Two years? Yes, so the average before I got there was 13 months. So I was there two and a half years. So now you're thinking to yourself, wait a minute, we just got a speaker and she's really slow at doing her job. It took her two and a half years. No, there was just such tremendous change going on at that time. So if you think about it from 2006 to 2008, when is the first time we saw the iPhone? It was 2007, right? So when I first got there from the financial services industry, my focus around the operations was how do I remove systemic risk to White House operations? Now, I'm not a policy person, I'm an operational person. So I'm on the front lines of cyber crime and protecting and defending networks. But when I talked to the policy people, one of the things that we talked about was what types of changes are gonna happen that could actually remove trust from the system? What types of changes can happen digitally that remove trust? Because you can't walk into a bank and say, I'd like to see the gold and silver that backs up our currency. You can't walk into the bank and say, I'd like to see my money. You just have to trust that when you ask for it, it'll be there and it'll be in a timely fashion. So during that 2006 to 2008, we started to see interesting things happen. What happened in Estonia in 2007? Anybody remember? So Russia wanted to teach them a lesson. Cyber attack on the nation took their banking offline. 2008, what happened to Georgia? Russia wanted to teach them a lesson, impacted their infrastructure, took their banking offline. A lot of people at that time said, oh, this is not systemic risk, this is geopolitical risk. That was our tsunami warning and we missed it. So I'm gonna talk to you a little bit about when we look at today's emerging technologies and integrating them, what are some of the challenges and then offer some solutions. So it's not all dark, but it's gonna be a little dark until we get to the end. The other thing that I realized when I got to the White House, so when I worked in financial services industry, I was in it for 16 years, I was on the front lines of delivering cutting edge technology to our customers. So everything was about making sure our customers love doing business with us, reducing costs by taking expensive transactions out of the brick and mortar and providing self-service and oh, by the way, make it safe and secure. And while on the front lines of that, I was on the front lines of cyber crime. One of the things that I would think about as a cybersecurity person, and this is where fundamentally part of the systemic risk we have are all the solutions that we have in place today. Because as a security professional, I would think to myself when bad things happened, if I could just get to our customers and teach them a little bit about what I know, so we talk about education awareness, they would be safer and my job would be easier and life would be better. And then I get to the White House and 6.15 a.m. every morning, my security briefing is changing. And so my tactics have to change every single morning. And that's when I realize one of our fundamental systemic risks is nothing is actually designed for the human in mind. Nothing. I mean, ask anyone in this room who is not in risk or security, raise your hand high if you love strong passwords that expire every 30 days and can't look like a word. No one raised their hand, right? So fundamentally, we're already flawed before we get started. Before we move one piece of currency from one entity to another, we're already fundamentally flawed. Okay, so that's kind of the first premise. The second premise is we don't actually have an accepted definition of what systemic risk is. So I'd like to offer you mine. So the systemic risk as I see it, as far as cybercrime goes and its impact to banking globally is one either a series of small events that are joined together or one big catastrophe removes trust from banking. Now, what does removed trust look like as far as transactions go? So that could look like a run on banks. It could look like a slowdown or a stoppage of funds moving. It could look like a manipulation campaign creating distrust in banking officials, in a banking company, or in the industry itself. That is my definition of systemic risk that we're facing. Now, as I'm just gonna skip forward a little bit, as customers demand fast and frictionless transactions, are we just heading towards fast and frictionless catastrophes, right? So they don't wanna use passwords. Everybody's enamored with the idea, I'll just pick up my phone, show it my face, and now I'm into my system, and now I can move money. There's a lot of appeal to that. It's a lot easier than remembering a password. It's hard for someone to steal your keystrokes, but we've already shown that we do a very poor job of actually protecting the most basic of information, much less the imprint of your face, right? And as they demand fast, the other pieces, and so many of the speakers today already covered this, we have non-banks that are in the financial ecosystem now. And the customer, whether it's a commercial entity or a consumer, they see it all as banking. So whether you like it or not, these non-banks, they see as I am conducting a banking transaction. They don't get held to the same standards, the same regulatory models, and they are missing from our cybersecurity playbooks. We don't even really think about them, and they could be the weakest chink in the armor as it relates to the global banking ecosystem. Okay, so time will tell. I'm gonna talk about some of these technologies that are on the scenes, that are integrated already today, either into our physical infrastructure, the buildings that we enter, the buildings that our customers are in, whether they're commercial customers or consumers, as well as the technology that we're using in the banking industry. Now, see, I trust the banks as it relates to thinking about resiliency, reliability, security, and privacy. We don't always get it right, but we've been thinking about this for over 100 years. These newcomers, these new players, we're lucky if they've been around even a decade. Okay, so this is where we have introduced into the financial ecosystem players who don't really get it. So as you think about, for example, quantum computing, so I started off as an artificial intelligence developer when I came out of graduate school and first started in banking. And what I love about computing is, is so I'm definitely a self-professed geek. So computing today, the only way I can make it faster is to have to get a faster processor, more memory, more hard drive, faster hard drive. So I just add to the computing power. With quantum computing, it is stateless. It is neither a zero nor a one. So all programming to this point prior to quantum computing, no matter how cool and awesome the technology looks, in the background, it gets translated into very boring ones and zeros. It's on or it's off. With quantum computing, it is neither on nor off. It is neither a zero nor a one. It is stateless, it's both. Which means we will crunch through amazing amounts of data. This will be huge for fighting cybercrime. This will be huge for fast and frictionless payments. It will also be huge for nation states and cybercriminals who want to crack encryption. We are not ready. Okay, so there are think tanks and researchers working on post-quantum computing encryption. But all encryption is is one big old math problem. So as soon as quantum computing is commercially available or at least in the hands of nation states, expect what we use for encryption to protect transactions expected to not be safe anymore. So a couple of things that I want you, I'm gonna, you've got homework assignments from me. So you're not gonna walk out of here like, oh, that was just a really interesting conversation. I really want everybody to go back to your workplace and maybe ask a few questions about the playbooks that we have in place because the playbooks must change. Everything about how we think about cybersecurity today and the global banking ecosystem is very singular. It's focused on things that have already happened and how to make sure that doesn't happen somewhere else. And maybe a little extrapolation into the future. You have the other thing it's very focused on and I would offer that we have actually had a systemic event and I'll show you a statistic in a moment. But the fact is, is we shut it down either in individual banking institutions or we shut it down within a region and we move on. Okay, so as we integrate these new technologies we need newer playbooks to actually mitigate the risk that we have in the system. So first I wanna talk to you about Internet of Things like bulbs. So one of my clients today is one of the largest transportation industry clients I can think of and I was in one of their facilities and as we were going through the facility to work on basically thinking about incident response plans, we go through and the engineer says to me, Teresa, the next time you come through this building it's going to be amazing. All of the lights that you see up there, they're all gonna be Internet of Things smart light bulbs. And when people come into this transportation facility they can download an app on their phone. They can select their music preferences. They can let us know what country they're coming from. And then the light bulbs will follow them as they're walking through on their phone. It's going to be incredible. They'll have mood lighting, they'll have music, they'll have everything they want. So I said, wow, that is pretty incredible. And so I look up at the ceiling and I said, so if there is a Mariah botnet, like what happened October 2016 which different Internet of Things, including light bulbs, including babycams were actually infected and used to create a distributed denial of service attack, a DDoS attack against part of the Internet infrastructure and your light bulbs are impacted, what will you do? Will you work in the dark? And the engineer said, I'll get back to you. So the last time I visited they said, Teresa, guess what? We're gonna be 60% old school light bulbs and 40% Internet of Things light bulbs. So be asking yourself as it relates to our incident response playbooks for the global banking system, how are we thinking about these newer technologies in the buildings? For me, one of my biggest nightmares is is that the special access that we now use for buildings, for vaults, for thermostats, all of that technology is Internet of Things enabled. And it can be cool and it could be awesome and it can definitely help with security. It can also be hacked. And the idea that somebody could simultaneously use another botnet to lock customers into vaults, lock them into branches is one thing that I worry about. So now you know what my nightmares are like. So secondly, let's talk about AI chatbots, right? So I told you I started off as an artificial intelligence and expert systems developer when I started in banking. One of our clients is a global insurance client. We were working with him on thinking about forensics for a particular case. And he said to me, Teresa, I know you used to have the internet channel and the phone channel when you were at the White House and when you were in banking. So guess what we're doing? We have a pilot. We are using AI chatbots. And during this pilot, these customer service chatbots are outperforming our most experienced customer service agents. The customers love them. And I said, that's right. Chatbot never has a bad day. And he said they're outscoring and outperforming all of our humans in the call center. And I said, well, that's interesting. I said, so as an artificial intelligence chatbot, they're self-learning and contextually aware. And I said, let me guess. Did you tell the engineer average talk time, keep that really low? Yes. Customer delight scores, keep those really high. Yes. Make sure it does not drop out to a more expensive delivery channel. He said, that's correct. And I said, how did you honor your user access controls and your user authorizations for these chatbots to make sure it mimics the same thing? So if you think about it in banking, we don't give everybody in the bank access to all data. There's a process for that. You elevate to a manager. You elevate to somebody who is decision-making authority. We're not all super users at the banks and it's for a very good reason. It's for audit and compliance and maker checker rules. And he said, I don't know, I'll get back to you on that. And so he does get back to me on that. And what they found, thankfully there was no data breach, but what they found was, one chatbot would say to the other, you always ask me for your mother's maiden names. That's my alarm saying, wrap it up and get into a Q&A. So it would say, you always ask me for mother's maiden name. Why don't I just give them all to you? And you'd say, that's great. You always ask me for credit card data. I'm just gonna give it to you. And so the self-learning, contextually aware chatbots all created each other as super users and they were storing all of the insurance company's client data in the clear, not encrypted. Thankfully a pilot, thankfully no data breach, but what a scary scenario. So again, as you're looking at your playbooks, many financial institutions have gone to AI customer service chatbots. Am I telling you this to tell you not to do that? No, we need to improve customer service. We need to find ways to have fast and frictionless engagement with customers. But you have to be thinking about the strategy that this technology will always fail you. All technology by design today is designed to be open so you can change it, which means it's always designed to be hacked. And then sort of the last story I'll share with you and then I'll get into like, so what do we do about this? This particular story is about a global entertainment client who accepts a ton, a ton of payments for tickets online. Credit cards, debit cards, cryptocurrency, you name it, they take it. We had them on monitoring where we look on social media, on all different types of social media, not just kind of like Facebook, Instagram, and Snap and things like that. We're also looking at Reddit, Payspin, other sharing places on the internet. And we look for keywords as it relates to this client. One of the alerts went off and somebody on Reddit was bragging about having the source code that is used to process payment bank information and payment data. So the client called me up and said, they're bragging about having the source code and they're saying you have to go to the dark web marketplace to buy it. Obviously we don't want to go to the dark web marketplace as our company name. And we know that, so we actually have alternate identities in my company where if we need to go to the dark web to take care of some things we can. And so they asked us if we would actually go see if it was legit and buy back the source code. So at my kitchen table for three nights I was negotiating with a cyber criminal who had stolen the source code not from the customer but actually from the vendor who supplies the payment transaction processing. And so I'm negotiating with him and I say to him, here's the thing, if I buy the rights to this code, and by the way he was upselling me, he was trying to cross sell me on I've got it all highlighted where the vulnerabilities are in the code and if you would like for a little bit more money you can buy an attack against that vulnerability or I can set you up with basically a hack as a service. You just tell me what vulnerability you want and I'll tell you how much it'll cost. And I said that's good, I just really want the source code but I need exclusive rights. Like if I see that you sell this to somebody else I'm gonna be really upset. And he said I will give you exclusive rights it's gonna cost more, I said that's fine. And I said well wait a minute, how do I know you're not gonna sell it to somebody else? And he says to me I am an honorable businessman. Okay I'm on the dark web, right. I am an honorable businessman, if I give you my word I will keep it. Right, okay so I said he said do you see my perfect five star rating for customer service? I said yes I noticed that. He said that is very important to me. If I give you exclusive rights I promise you I won't sell it to anybody else but I need my five star rating from you. And I said it's a deal but I'm going to be monitoring, now he doesn't know it's me, it's my alternate identity. And so I said but I'm going to be monitoring you and if I see that you sell this to somebody else I'm knocking you down to a one star. He goes no, no, no, no that would be bad for business. So he sells me exclusive rights. Thankfully it was older version of software than what my client was using. There were still some vulnerabilities. They fixed them and for the greater good passed on the source code to the vendor who supplies this payment processing software for many companies around the globe. So again why do I bring this up? I bring this up because our playbooks are outdated. Our playbooks are very focused on sort of these singular events, things that have already happened, things that we already know about. You know in the 1990s I think it was 1993 New Yorker magazine had a cartoon that said on the internet nobody knows you're a dog and now nobody knows you're an AI voice. So we have three instances in the United States one of which hit the news, two of which have not been reported where a CEO's voice has been put through AI and been used to call the CFO to actually request a wire transfer. Okay so where do we go from here? So I'm gonna just kind of skip a couple of these. So I said earlier that I believe we already have hit a threshold that we do have systemic risk and the issues are happening and in front of us today but because we don't look at things holistically we're not really acknowledging it. One billion times a year that number represents the number of successful attacks on banks across the globe, one billion. If that does not hit your threshold for systemic risk what does? Okay a billion successful attacks. Okay we're gonna have more than six billion active internet users predicted by 2022 that will be transacting commerce. And then this stat from Lloyds of London said that if one internet service provider in the United States was not available for 72 hours the impact on the US economy alone could reach $15 billion. It's a three day outage for one internet service provider in the United States. Hey again so we've got the makings of a real issue here. So what I wanna do is give you a couple predictions then go into what I offer as something that I want all of you in the room to work on. So I've got kind of a big, hairy, audacious goal. We call them B-hags out in the United States. So I've got a B-hag for this group that I want you to be thinking about. But here are my predictions for 2020 and I'm happy to even debate some of these during the Q&A. The first one is, so I predicted in 2016, January 2016 that manipulation campaigns would be used to disrupt elections. I wish I had been wrong. And I said that would be a global thing. That actually I have a book coming out in spring of 2020 called Manipulated the Global Playbook to hijack elections and distort the truth. So that started a two and a half year research journey on the side besides running a company and being mother of three athletes and two great rescue, great Pyrenees, rescue dogs. But what I am saying here is that a manipulation misinformation campaign is actually going to destroy an industry or a company by the end of 2020. I've already seen in my research where Putin has actually been using amplification campaigns so that's the truth but amplified and misinformation and manipulation campaigns for the American fracking industry. Why would he do that? He funds his economy through sales of energy to the rest of the world. If we have energy independence and we keep fuel prices low, that impacts his ability to charge higher prices for energy. Secondly, I say that what people think is going to be the silver bullet, the blockchain, that it will be cracked. We're already starting to see some chinks in the armor and some of the implementations that my team and I have been doing. The second thing, the third thing that I'm predicting is that AI powered bots that they will actually commit cyber crimes without human intervention. So just like those chat bots I talked to you about that AI powered bots would actually be launching crimes without humans driving them. And then lastly, there's a job. I made up this job title. There is a job that is needed that is nobody is trained for today and that is digital forensic anthropology. So just like if the Louvre says tomorrow that they think they found a Da Vinci in the back closet, we would bring an art historian in to say, well, let me look at this. And the art historian might say, if you watch some of these shows, I love these shows, might say, this is clearly not a Da Vinci but it is a student of Da Vinci and let me show you how I saw the differences. And they say clearly if you look at this, if you look at this, if you look at this and then you watch and you say, of course, I knew that too. I knew it wasn't a Da Vinci, it was a student of Da Vinci. We need technology and individuals trained to know how to spot that AI pretending to be the CEO initiating a wire transfer. We need to know digital forgeries. So documents, one of the things I worry about that is a systemic risk, it's not just data breaches, it's not just the theft of money. It is the alteration of data, who owns an account? How much money was in the account? The alteration and forgery of documents that look so real, you don't remember what the original looked like because everything's digital now. So I thought you might need a little zen moment. This is a picture of the White House flower shop. So I just thought after all of that darkness you might just need to look at something pleasant. And this, we really, when we thought about systemic risks of the White House, one of the things I had to think about was how do I modernize the White House? While maintaining a sense very much like Downton Abbey, we have an under the stairs of the White House. That's where the ushers office is. They decide the China, they update the curtains, they make sure the kitchen is stocked, they plan all the state dinners with the first lady and the president or the vice president and the vice president first lady's office. And we had to modernize that. And I would think to myself, what are my known unknowns where some type of a vendor connected to a vendor connected to a vendor connected to the White House where I'm implementing all of this new technology and how could they, if there was some type of a cataclysmic event intended for somebody else, how do I segment us off to protect us from that? So two strategies I want you to be thinking about for your incident response playbooks and to be looking at holistically for the global banking industry is where have we segmented it? We would say at the White House segment it to save it. So where have you created physical and logical segmentation strategies so that if something does happen, you can actually cordon different parts of the banking industry off of that issue? I don't know what that is. I gave you the transportation industry example of the one facility where they're not gonna go 100% internet of things light bulbs. So be thinking about how do you create that segmentation? The next thing I want you to be thinking about is a kill switch. So we had kill switches installed and we do this with our clients today all over the place. And the best way I like to explain a kill switch is I like to use Barbie as an example. So I don't know how many cybersecurity presentations you've had with Barbie and then, but this might be your first and last. But talking Barbie, when she first came out, she was full of actual computer viruses talking Barbie. It's now been fixed and she connects to the internet and listens to your child and then responds to your child. And I remember sitting in the room, so I've got two boys and a girl. So the boys Kieran and Aiden are 16 and 13. Maeve, my little girl, the princess, she's 10. This is a couple of years ago and I'm in the other room and Maeve says for Christmas I'm gonna ask mama to get me a talking Barbie. And my oldest says talking Barbie, I don't think that's gonna go over well with mama because Barbie's probably in the cloud. And then my middle one says, how does she work Maeve? And she says, well, Barbie will listen to me talk to her and she'll answer. He goes, oh, definitely some rando. So for those of you that don't have Gen Zs in your life, rando is a random person. Some rando is going to be listening in the cloud to respond to you, which is an invasion of your privacy. So I'm like having this proud moment in the next room in the kitchen. And she says, you're right, I'm gonna ask mama for an easy baked oven instead. But my point in bringing up this story to you is when Barbie had these computer viruses where she was connecting to the internet network she shouldn't be connecting to, she actually had a couple different computer viruses. What could you do? You disconnect her from the internet until security patch is available and you can still play with her old school. She's just not gonna talk back unless you talk for her. That's an example of a kill switch. So we need to be asking, we had kill switches, where do you design them in the global industry so that if we do have one of these new technologies or these new players who's not really a bank but they're moving money around, how will you have yourself cordoned off that segmentation and then where can you flip a kill switch and still have limited functionality? Now, right before we get into Q and A, so we're getting real close to Q and A, I really wanna make sure that from a cybersecurity standpoint that we avoid the Black Swan event, right? So Black Swan, this is a really smart room so I know you know what it is. I'm telling you how I explain it to my mother. And so Black Swan event is after something terrible happens like the global financial crisis of 2009, we look back and we say these things were so obvious. How did we miss it? That's the Black Swan. Okay, so here's my big, Heriaudaceous goal for this group. I would love to see the ESRB, the smart people in this room, for you to do a facilitated offsite. At that offsite, I would like to see you bring in global policy makers. I would like to see regulators, I would like to see insurance companies. I'd like to see law enforcement and this is where this is really important. I want people who are very good at writing fictional spy thriller novels and movies to be in the room. Why? Because we have to get out of our mindset of what happened and then extrapolating. We have to actually envision fiction so that we can update our models based on all of these new technologies coming at us, based on fast and frictionless, based on what we're facing with the tactics and the evolving maneuvers of nation states and cyber-criminal syndicates. So that Black Swan, the only way to avoid it is we're gonna have to imagine it and then turn around and update our models, our incident response playbooks, how you underwrite, how you score risk. That is the only way to avoid that. The last thing I'd like to offer for us to be thinking about is we really need an international accord and policy that says the banking system is off limits. Just like we say you can't be bombing civilians because you're upset today and we have some huge issues obviously with North Korea and Iran and others who do that. But just as we have an international agreement that you don't do that, we need one for the banking system. I know we're talking about concerns about credit, about assets, about liquidity. I understand we're talking about that, but if we do not solve and prevent this Black Swan event and create a deterrence for attacks on our infrastructure, what happened in 2007 and 2008 between Russia and Estonia and Georgia, that will look like just a little cautionary tale compared to what could happen next. So with that, I would like to get into Q and A. I've got a recap here of the top five actions that I think we need to do. And then also if you don't get a chance, I'll be here at lunch, I'll stay afterwards. You can reach out to me on LinkedIn, but also if you don't get a chance to ask a question while we're here, if you will tag ESRB and ECB and myself, TrackerPayton on Twitter, I will answer every question that comes in unless the answer's classified and then I won't answer. So with that, what kind of questions can I answer for you? And who's my first one? Cause you get a book. I'm gonna hand you the book to. I can donate that to the general public, but I mean, I would appreciate it, of course, and I will read from it to my children. Thank you. Since we were talking yesterday, obviously about electronic currencies and much more importantly about electronic banking. So let me ask the L question. So what would you advise Zuckerberg and friends? Go forward with Libra, if yes, how, and if not, why? Okay, so we're out of time for questions. Just kidding, just kidding. You know, it's interesting. Really, I would love to see the banking industry actually set the standard for cryptocurrency and to really step out on a limb and to offer an alternative to what's going on in the cryptocurrency markets today. The challenge that we have is again, consumers are looking at cryptocurrency as just another form of banking and they do not understand the lack of consumer protections they have. We already know about a SIM swapping attack where a technology, I mean somebody who is very good at technology, he had a SIM swapping attack against his phone, he lost millions of dollars in cryptocurrency and there's nothing that can be done to help him. So my advice to Facebook would be no, or you need to step away and let an entity run that. You cannot have a social media platform so directly tied to cryptocurrency and you've already proven yourself not trustworthy in how you interpret your privacy policies. So because of that, my recommendation would be they should stop. They're not going to. They're looking for other opportunities to be a more a part of everybody's lives. And I think the only way to really combat that is the global banking community needs to step up and offer an alternative. The banking community is not offering an alternative. It's kind of doing a, and I get it. There's a lot of unseemly processes. Cryptocurrency is not environmentally friendly. There's a lot that needs to be done to really secure digital wallets and so it is a daunting undertaking but the banking industry turns its back on it, I believe at our own peril, our own global economic peril. Did I answer your question? Okay. Other? Yes. Thank you for your extremely interesting food for thought. I have a question, putting a few of your comments together, both the kill switch, the financial services and so the question is both an assessment. Do you think the industry as such and also regulators are on top? If you look at your comment regarding the destruction of data or alteration of data, at the same time we have continuous backup solutions to safeguard data. So what if one had a deliberate attack at, for instance, account data or balance data and customers of a medium-sized bank were to wake up one day and all of the account data is zero or is gone? To what extent would banks be able to recover data and also assess whether the recovered data is actually not corrupted? No, I think it's a fabulous question and part of it would also depend on the savviness of the attacker. So for example, what we are seeing now in ransomware, extortionware and destructionware cases and we work several of those a month, sometimes several a week. And what we're seeing in those cases now is a level of sophistication where surveillance, they're actually on the system of the victim and we've seen this cross all industry sectors. They've been on it for a little while. They then determine where the backups are and they encrypt or destroy or whatever they're going to do, extortionware. They encrypt the backups first and nobody notices and then they encrypt operations. So it would depend on the savviness whether or not recovery would be a real thing. And I'm surprised because in my time in banking we actually had, so we had both a cold failover and a hot failover. Hot failover was everything was live, live backups, everything's continuous. So you basically can have a 99.999997 of availability, reliability and resiliency. But we also had cold. So we logically and physically had cold storage that was created at the end of a batch cycle so that if something were to happen to this part of the ecosystem you had something segmented and cordoned off. My concern is I'm going into financial institutions coming from, I guess, old fashioned construct. I don't think of myself as that old. But and people are like, oh no, we're all in the cloud. It's all in the cloud. No, there's segmentation. No, we're good. We've done our incident response playbook. And so then when I walk through a scenario just like your question, there's kind of a, I don't know. I have to check that. So we are at a very critical tipping point where to answer your question there are going to be financial institutions who are not going to be able to recover and it's going to depend upon the sophistication of the cyber criminal syndicate ordination state that actually launched the attack. I really have happy things to talk about too. So they asked me why I run so much. That's why. Other questions or comments. Disagreement is always welcome. Yes, one more? Yep. Thank you to follow up. So if for instance such an attack were to happen, I think the financial regulators or the supervisory community, they're more accustomed to let's say traditional financial crises where you have a weekend to sort of think about what you want to do. But if you imagine either a nation state or a very sophisticated private actor intentionally destroying a count or a bank in this fashion, the speed and scale of such a cyber attack would probably prompt a much quicker response than sitting down over a weekend and then reflecting because at the same time, you'd probably face a social media campaign that's trying to stir social unrest. So what would you suggest as key steps towards a rapid response in these scenarios where we might simply lack the time that we had in more traditional crises? Yeah, I think that's really a great observation. That's where the incident response playbooks actually taking a scenario like this and rehearsing it with your legal team, with your crisis PR team, the people that manage social media, your insurance company asking them what they're gonna cover, what they're not going to cover with your backup company and asking them, would you spot that somebody was trying to encrypt or destroy our backups and that it's not us? Like what kind of behavioral based analytics do you have on the backups to show this is not a normal transaction coming here to interact with our data? And so all of that can be rehearsed in quarterly exercises and updated in the incident response playbooks and hopefully you'll never need it, but if you do, the time to figure that out is not during the incident. And I think we see during ransomware events, you can tell the companies who might have become a victim to one, but they seem to recover a lot better than some other companies. And a lot of that is that preparation, that thoughtfulness, that having a playbook to at least start from in that crisis is gonna be so critical. So thank you for that. Yes, I think last one, last question and because I'm in between you and lunch, which is never a good thing, that or drinks. So I have to get everybody to food. Yes, sir. Given your definition of the systemic cyber risk and given what you have said about the role of the confidence, do you treat this cyber attacks as a source of a systemic risk or you need to have an environment already weakened like for instance, huge imbalances in the financial system. So it's a financial risk build up so as to have the systemic events that you have described or you can have just perfectly safe financial system and then you will have an attack and then basically the result of this direct attack will be a systemic event in the financial system. So inability to deliver services. I mean, I think it's a little bit of both because as you look at the ecosystem today, the way I would describe the global banking ecosystem is you have a series of haves and have nots as it relates to cybersecurity posture. So some of the largest institutions, I mean, you've heard the American Bank CEOs of the large banks, JP Morgan Chase Bank of America for example to say security team as an unlimited checkbook. I don't know how accurate that is but they've invested a lot of time in talent, technology and processes. And then you've got sort of the mid tier and then the smaller that don't have those types of resources available to them. So I think your question is a great question and my answer is it's sort of a hybrid already today. So the systemic risk exists because you have the series of have and have nots that are in the ecosystem. And either way, whether you're the most well defended with a great offensive posture to the least defended it doesn't matter because when that cataclysmic set of events goes off, everybody's gonna be impacted. The flow of money will stop or slow and the trust will be gone. Sorry to say but I have a second question. Okay, what are we doing? Oh, I'm being told over lunch. We have, you have said that you have said that we have multiple attacks but till now very few of them had systemic consequences. And the examples that you have given primarily attacks because of geopolitical reasons. Do you see any other types of attacks? So no, without these geopolitical objectives to have a systemic effects. Yes, so what I have seen is attacks on resiliency and reliability to actually create kind of a distrust. So we had one warning bell, two warning bells. We had the securities pricing by Morgan that there was some technology glitches and we actually had securities pricing wildly because of technology glitches, not security. We also had the Twitter account in 2013 hacked by the Syrian electronic army. They hacked the associated press accounts that there was a bomb, they mentioned Obama. And the stock market went down and just barely flat lined and recovered before the bell closed that day. So we've had our warnings that the systemic risk is there and the opportunity for that catastrophe is there and we haven't completely heeded the warnings because we're going single point. It has been my honor and pleasure and I'm so sorry to keep everybody from eating lunch but it's been my honor and pleasure and I'll be around for the rest of the time. Thank you. Thank you.