What if your client's financial safety was only one call away?
More often than not, that's the easiest way to stop a cyber attack before it starts.
The problem is the lack of awareness and acceptable paranoia that comes with taking that extra step.
But creating a workplace environment that encourages that level of caution can make a big difference.
Steve Robinson, RPS National Cyber Practice Leader, talks about ways you can help your clients keep their company's sensitive information safe.
Joey Giangola: Mr. Steve Robinson, how you doing today, sir?
Steve Robinson: Great, Joey. How are you?
Joey Giangola: I'm doing all right. I'm doing all right. So I want to know, and this is maybe a tough question to own up to, but I often run into these things, do you have a moment of failure in terms of the professional environment that you often stumble upon that, "How do I keep forgetting to do this thing," or is there just one thing that just, as much as modern technology is, it sometimes seems to elude you?
Steve Robinson: You mean such as setting up the Zoom meeting today? I ran into several obstacles. So even when you're in charge of a group called technology and cyber, these things can happen. So that's a great question. I'll give you a good example. I think, and I've talked to a lot of my colleagues and I'm hearing similar things, when you're particularly in this work from home environment, things have changed a lot for all of us. And so frequently there will be things in the position that I'm in or many people find themselves in where they have to respond to urgent requests internally for finance related things. "We have a wire transfer we need to make," or something like this. It's been a little bit of a tough transition sometimes with that when you need to scan documents, you need to sign them, you need to send them back through a secure environment. And it's very easy to take shortcuts in things like this.
"Well, I could just send it to my personal email address. It'd be a lot easier, as opposed to using the cloud that's encrypted and that sort of thing." So I would say that's been the trickiest thing to make adjustments to, particularly when there's expediency required for things like that. Is, "When I was in the office, I could do this really easily. Now that I'm home, I've got to have a work around." And I think we're starting to see that a lot show up in terms of cyber claims that we have happening, where people find themselves in a new environment and they're not as used to it. And the same security things that they're used to and the crutches that they have at work that they can rely on are no longer there. And that's led to some errors, and as a result, we've paid some significant claims, our carrier partners have pay some significant claims because of that.
Joey Giangola: [inaudible] a little more innocent. I'm very good at setting up meetings that I'm the only one invited to. I don't know about you, but it's very easy to set up a meeting in Outlook. I'll send you an invite and then I just don't invite anybody. And then I'm sending links and nobody's showing up.
Steve Robinson: Right, right.
Joey Giangola: It's embarrassing. But yeah, let's talk about that a little bit more because people are obviously in a much more prolonged work from home environment than maybe any of us really anticipated. They've maybe been doing things or maybe they started out doing things to the letter of the law. And now maybe it gets laxed up a little bit. But this idea of social engineering, it's a term that you don't hear. You hear a little bit, but if I had to guess, if I had to stop somebody on the street and say, "Do you know what social engineering is?" I don't know what the hit rate would be, but my guess is you'd be surprised that most people wouldn't necessarily know what that means. So, what are we talking about? Because it's been around almost as long as the internet has existed, I would imagine. Right?
Steve Robinson: Well, no. Social engineering has been around as long as people could talk to one another, really, because I think that's one important thing here is in our insurance world, we think of social engineering as the good guys giving money to the bad guys when they didn't mean to. And we think of it as just money, but I think we need to even step back a little more than that in 30,000 foot view. And so really social engineering is a tactic. It's a tactic where the bad guys are trying to get something via information, be it money, be it access to something that they're not entitled to, and through the means of deceptive practices, try to get that. It might be email, it might be through phone call. It could be through texting.
So yeah, what's interesting is, again, I think largely because of the broader attack surface that we have in this work from home environment, we've seen a significant uptick in claims of this nature, really in the last 90 plus days. So yeah, it's been around as long as the internet. Sure, the internet is only made this much easier for those who are doing these types of things. But again, we would see this in the past come through, someone would come up to the welcome desk of a business and they would say, "Hey, I was just here a couple of hours ago and I was working with Bill." Knowing the Bill's the IT person and I'm a consultant and, "You know what, he gave me the password for this and I walked out without it. Could you just give that to me really quick?" And they're preying on people's good intentions through these deceptive practices and they come in all shapes and sizes.
Joey Giangola: Yeah. And that's the interesting part because it happens without you even really noticing in a lot of cases. And we were talking before this that sometimes if you do feel suspicious, you kind of feel weird about being suspicious. I'm like, "Oh, I'm just being paranoid." But that paranoia is oftentimes warranted. Do you think that that maybe plays a factor in seeing a lot of the uptick? You'd said in the last 90 days, is there something that also goes on top of that, that we've kind of seen this escalate over this short period of time?
Steve Robinson: Well yeah, piggybacking on that thought. When you're in the office, your company has certain things that are just basic structure that you don't even really pay attention to, that are built in naturally to a process like this for security. It might be firewalls. It might be spam filters. It might be the technical side of things. But also inherently you have colleagues all around you. And so if you get an email from someone who's purporting to be the CFO, for instance, it's not uncommon that you're passing that person in the hall. You're seeing him at the water cooler, you walk down to their office, "Hey, I got that email from you, just checking in. That was you, right?" Those types of things. Now you take us out of that environment and you don't have the same ability to connect with people.
And so you have to make a deliberate attempt to connect... My wife will ask me, "How is it that you're on the phone for eight hours in a day straight?" And I said, "Well, when I'm in the office, I have colleagues that I talked to. I walk past, they come in my office, the door's open." Now, anytime I want to speak with someone, I have to make a deliberate appointment basically to pick up the phone and call them, or to have a Zoom meeting or those types of things. And so again, with, without those natural checks and balances in place, I think that the guard goes down. So now you're having to pick up the phone and you're having to say, "Hey, I know this might sound crazy, but I got this email from you, was that you?" And they're a little nervous about how they're going to think this is silly or that sort of thing. Our team, because we're so paranoid because we see claims like this all the time, we don't apologize for it. We will always pick up the phone. And I would say it goes well beyond just money.
So if in your business, we know now user access rights for the network are done generally through automated processes now, where they'll say, "The manager needs to approve such and such of access for X, Y, Z employee." That's actually, when you think about it, more valuable than a money transfer, because now you're giving access credentials to someone. And if they have that, they've got more than just a check for whatever amount of money, they've got access to your entire system. So we do the same cautions with respect to those types of things also. We'll pick up the phone. I don't call the phone number that's in the email that I received. I look on the network of a known number for that person. I pick up the phone and I call them, "Hey Joey, this is Steve. I just want to make sure I got this email from you. This is the amount that it says, just validating that it's legit. Are we good?" "Oh yeah, that's from me." Fine. It took five seconds. And I just avoided what could have potentially been a big loss.
Joey Giangola: Yeah. What role should an agent play in this process? Because we're talking about stuff that's ultimately going to impact the end client that we're trying to protect their business from these things happening. You're only as strong as the weakest link in this case. What do you think they should be focused on helping to prevent this, helping to... Because we've all had these conversations, have cyber training, have security training, but yet obviously it continues to happen. It continues to evolve to where people keep getting fooled. Are there some simple guidelines that can be at least followed, maybe something as simple as, "When money's involved, always verify," or something like that?
Steve Robinson: Yeah. There are, there's a lot of them. In RPS, we have in our knowledge library and resource pages, some tips on this. And we're actually going to be sending out another one today about social engineering because of the spike in claims we've seen to share with our retail partners to say, "Here's what we're seeing. Here's some easily preventable ways to stop this from happening. Share this with your client." As well as a list of resources and links online, where they can get more information. But I would say the real basics are you have to look at any request for information access for... When I say that, I mean user credentials and things of that nature, for anything related to wire instructions or money or transfer of funds or authorization for things like that, you have to look at those with a very skeptical eye.
And so you have to automatically assume when you get something like that, and recognize the signs. Many times they'll come in an email with a sense of urgency. They might come at a time that's in the middle of the night. And if there're any links embedded, hover over those links and make sure that you can see at the bottom of your screen where that actually points to. Is that masking something else? Again, is it a request that you typically wouldn't get through email? We know by now that your bank is not going to send you an email and ask you to input your social security number and verify something. But you'd be surprised how many times this happens, because we're all busy in our day.
We've got a thousand emails to respond to. But it's really just slowing down, taking a look, analyzing it, and that all really does, it comes through employee training. So what's been very popular are phishing campaigns and phishing emails that are sent out from the employer to test employees. And what they found is when there's an active campaign and regular testing of employees like that, that awareness of what phishing emails are and the click rate goes dramatically down within a few months of regularly testing employees. And so there are companies that make a game out of it, that make it fun, that make it interactive, and they look super believable. And so what happens is in the very front end of that, they tell their employees, "Hey, we're going to start doing this." First campaign goes out, they have a 70% click rate or something like that.
And then hope is within a few months of regularly doing this, we've seen those go down to in the teens, so a significant impact. When that's drilled into you over and over, you start to recognize what those signs are. Again, if there's money involved, you want to have more than one person authorized in that chain so that there's a check and balance on that as well. So I think a lot of just the simple, common sense things. And the biggest one I would say is, like we said, about a call back. Some insurance policies even require that you do that if social engineering coverage is going to kick in.
So again, you get an email, you don't take it face value what the number is on the email, you look for a known number in a contract or in your system for who that person is, you pick up the phone, you take one minute, you call them. "I know this might sound crazy. I got this invoice, or I got this request for wire transfer. Did this come from you? Here's the amount that it was." "Yes. That's from me." Perfect. Great. You've taken an extra minute out of your life to avoid, and I'll certainly share some stories later with you of some really bad things that have happened for people who didn't take the time to do that.
Joey Giangola: Yeah. Well, and the other thing too is you can always prevent it from looking at stuff that's coming in, just being more astute as to what you're looking at. But do you think there's any validity in, I guess, where I'm going with this is that I've received emails from people on my team that are actual emails that they've wanted me to interact with and they look very suspicious. I'm like, "Can you guys at least tell me what my favorite color is? Give me some sort of personalization that I know that it's coming from you." Is there some sort of training in that regards to where, "Hey, listen man, just add a little bit of a personal touch when you're sending stuff within the work environment to make it easier for people to [crosstalk 00:12:51]"
Steve Robinson: Well, that's a great point. And the answer is, while that sounds like a good idea, and it is, the problem that we're seeing now is oftentimes someone has gotten inside a network. And so there's been a breach, they're in the network and they're assuming the identity of someone's email inbox. So let's say you're the president of the company, or you're just an employee of the company, and I am the CFO. I get into the email server through some type of business email compromise. Somebody's clicked on something, I've gotten in, and now I've got a window into your entire system. The first place I'm going is to Outlook or Google Calendar or whatever. I'm looking at emails, I'm looking at calendars, so that I can craft an email that I send to you that says, "Hey Joey, this is Steve. You know I'm going on vacation next week. Before I leave, I want to make sure that we take care of this and this and this. Can you please do that? By the way..."
And they'll say something because they've read the emails, they know what's coming up, they know what's on the calendar. And they make themselves as believable as possible so that you would have no reason to doubt that in fact, if the email was from me, you hovered over it, whatever, yeah. It's the same URL because I'm in the network and I'm now someone else, right? He said things about me that maybe only he would know. And so I've no reason to question this. And we've seen numerous claims that happened because of that, because they don't walk around the corner or pick up the phone and say, "I got this email. I know it looks 100% legit, but I just need to double check with you. Is this on the up and up?"
Joey Giangola: So let's dive into some of those claims then a little bit more, and you just shot my theory straight out of the water for Steve. That's all right. But let's talk about some of the things that you do commonly see that people wouldn't realize the financial impact of, again, it generally happens in that moment of weakness when they're hurrying, when they're rushing around, when times are not perfect. What is the implication on businesses when these sort of things happen?
Steve Robinson: Well, not to sound dramatic, but it could be the difference between being able to be in business and not be in business, frankly. We're seeing these rise dramatically in dollar amount. So I'll just give you two quick examples. And they're both very similar to each other because one of them I just got today, literally. So the first one we got last month, and this is an example of the insured received an email from a contractor that they typically do business with. The name of the contractor had the word miller in it. I won't say the whole, because I don't want to betray any confidence here, but the name in the business had the word miller in it. And it was a construction company. And so the insurance frontline admin finance person gets this email.
The email basically says, "Hey Judy, or whatever the name was, this is Kim at something such and such and such miller. We're changing our payment method from... Normally you pay us via check, we're changing it to ACH. And I'm wondering if you could help me out with that?" So Judy gets the email. "Absolutely we can do that. We don't always do it that way because sometimes we want to make sure the job is finished first before we send it over. But yeah, send me the instructions and we'll do it when we're able to." Kim sends it back, "Great." They exchanged seven different emails. And the insured never realized the whole time that she was talking to a criminal. And so what happens is first payment goes out via ACH, there's a little urgency to it.
"I'm wondering if you could get me this today," this type of thing. "Oh sure." Money goes out the door. About two weeks later, another one comes in. And this is not unusual in terms of their payment timeline of when they would typically be paying this contractor. Next one comes out. "Yep, would you mind taking care of that? Send me an email when it's been done, if you don't mind." "Sure, absolutely." So there's all this back and forth. There's trust being built. Well, after more than $500,000 goes out the door, they realize. They get a call from the real contractor saying, "Hey, I'm just checking on the status of our payments. You owe us two payments on this." "Oh, we've already paid them." "No you haven't." Okay, now you've got law enforcement involved and everything else.
We're not able to call back the money from the bank. It was done. It was gone. And the criminal was long gone. So what could they have done differently? Obviously a phone call after the first email, just like what we're saying. Pick up the phone, don't call the number on the email. We have had situations where the insured has tried to do the right thing. They've gotten the email. "I better make sure this is right. I'm going to call this number that's on the email." Well, they call the number and the criminals on the other end of the phone. "Yep. That's me. Go ahead and send that out." So this happens. So that's why it's important to make sure you go back to your records to say, "What is the known number that we have on file for them?" And validate it.
That's one thing. Now, the exact same scenario just came in today, another claim. This one, different type of insured, but same story. They get an email, they request to get changed in payment terms. They don't question it. They just go ahead and do it. In this case, there were $300,000 in payments that went out. They were able to go back to the bank. The receiving bank said something seemed a little suspicious, but not before a good portion of it went out the door. So the claim is going to be somewhere in the $175,000 range that they're out. We've had other instances that we have a manufacturer that we insure a similar type of situation, got an invoice for something that wasn't legitimate paid at $250,000. So again, relying on email channel only to execute these transactions is never the right way to go.
So the other thing is we have some clients that have implemented some type of secure portal that they communicate those types of things through. Email is among the least secure methods of communication that you can have, believe it or not. So they will have a secure portal that's encrypted and you need a password and it changes every time. And there's dual multifactor authentication. It's a pain in the neck, but it's a whole lot better in terms of security in having those checks and balances than just simply getting an email and sending out a payment.
Joey Giangola: Yeah. And I think that's probably on the other end of it, the added complexity to the transactions, to the communication. And how do you talk a company through striking that balance to where it's like, "Listen, I know you got to do things safely and efficiently." What's the kind of maybe the first step to enter into taking safer steps around security and communication transactions.
Steve Robinson: It's kind of like you said at the beginning, there's not a great awareness of social engineering in general. So you kind of start, I think with the basics and say, "Hey, this kind of thing happens. Here's a few examples and here's how much money it costs. Our business can't afford to lose that kind of money to our P&L, make it more real." People have lost jobs over doing this. Again, making it a little more relatable to the person. This is how important this is. And so it really becomes about changing the culture in the business of being more aware of these types of things. You might say paranoid, I would say more well-informed. Because again, if you think about it and you relate it to, "If we lost $500,000, that's revenue, how much would we have to sell? How many calls did we have to make?"
Make it a little more relatable to them of, "This is what this means and the impact it has on our business and why it's that important." And it really starts with employee training. And I think it just starts with, "You might not even be aware of what social engineering is. This is what it is. Here are some examples. We're going to change the culture in our business to make sure that we're not going to fall victim to this because we have peers in our same industry you have, and part of that is going to be teaching you how to recognize what the warning signs are of communications like that. And we're going to use a platform where we're going to implement this. We're going to test you. We'll have a little fun with it, but it's going to be different around here from the way it used to be with lax controls before. And it's really important.
Joey Giangola: A little paranoia certainly goes a long ways too. And personally, I think tying it to the individual even more. Because yeah, they're after the company they're looking at, but a lot of what started the paranoia for me, or just the awareness is identity theft. Because then you don't want to go through that hassle. That's possible along this process as well, too. Right? Do you think maybe that's on people's radar of saying, "Yeah, the company is at jeopardy, but so is my information," and things like that?
Steve Robinson: Honestly Joey, I think unfortunately people are becoming a little bit numb to that. And the reason I say that is we're all getting notifications from healthcare providers, from financial institutions all the time about a compromise that's happened. Right? And they're all offering us credit monitoring and and all that. So I think there has been a sort of identity theft, whatever, kind of a fatigue to it. And so I think maybe people are a little less worried about their own stuff. I think the more we can relate it to your position within this business and what those potential ramifications could have, that might get their attention a little bit more.
Joey Giangola: So now let's bring it back to the actual coverage. In terms of, what should agents be talking about to make sure that, again, if something like this does happen, that the business is in as good a position as possible. Obviously we don't want it to happen. The whole goal of this conversation is to make sure it doesn't happen, but they want to make sure that they have sort of a fail safes in place. What are the things that they need to be talking to them about coverage wise to make sure that [crosstalk 00:23:00].
Steve Robinson: Yeah, great question. So again, they want to talk to them about what's the culture there? Are you doing employee training in phishing simulations, in social engineering awareness and things like that. How regularly? They're wanting to know, "What are the controls in place that you have for the transfer of money?" So we kind of get back to some of the old crime questions that they would ask in fidelity coverage. "What are those processes? Do you have more than one person that's authorized to do it? What are the checks and balances that you're putting in place for email communications? Do you utilize multifactor authentication?" All of those things. Relating it more to insurance, the carriers are wanting to know those types of things. And they're wanting to know also, "What means of authentication do you utilize, particularly for the transfer of money requests?"
And so you'll hear different terms used by different carriers. Some will say dual authentication, some will say... Let's see, I'm trying to think. Now there's so many different forms of what they're calling it. But basically they're saying, "Are you utilizing a method to validate the authenticity of that request that's different from the original means at which it came in?" In other words, you get an email that says, "Send me money." Do you try to authenticate that that's for real through email? Don't do that. You want to use... Some will call it an out of band authentication. And what that means is you get it via email. You pick up the phone. Those are two means. It's kind of like multifactor authentication, right? You're doing something through a website, you're putting a pin in that you get through your cell phone, it's all the same.
It's any extra step that you can make it more difficult for a criminal that involves some type of unique security to that transaction. That's what you want to do. A phone call really accomplishes that. Again, you're calling the number that you have on file. So depending on the insurance carrier, some will have a requirement in their social engineering, some call it cyber deception coverage, where they will say, "You have to first make an out of band authentication attempt before coverage will kick in." Well, my pushback on that is, if everyone did that, we'd have very few claims like this. I have seen a claim paid where, remember what we talked about earlier, where someone got an email, they tried their best to validate the authenticity by calling the phone number that was in the email, they call the number and that's exactly what happened. They were talking to someone in another country and didn't even know it. And they validated that, "Yep. That was it."
They made an attempt to validate that through a means outside of the original ask. The claim was actually paid because they at least had some culture of double-checking. That's not how we want to do it. All right. That's not the best way to do it. I think they were fortunate to get that claim paid. But again, they're going to want to know that. Now other carriers are saying, "We're not going to ask that question." Because they realize that's kind of a gotcha type of thing. So it's tough. We've had insurers that have had a callback provision like that on their policy, they've suffered a loss. We talked to the retail agent, the retail agent had told them before, they just didn't remember, coverage has declined. You never want to have that conversation if you can avoid it, that's not good for anyone.
So we're seeing more carriers take that requirement off and being a little more selective with which types of industries that are offering the coverage to. So many of them won't want to offer it to a finance, banking, stockbrokers, mortgage companies, that sort of thing, because they're thinking there's just more propensity for that to happen. A lot of them won't offer it to public entities also, because what they're finding is, again, the controls have been a little more lax in some cases in those, and they're getting a lot more claims out of those industries. So I think what we're seeing trend wise is we're seeing more are taking the requirement off, but yet being more selective and underwriting more specifically to, "Let's make sure we're on the same page here with our protecting this."
Joey Giangola: All right, Steve, we got two more questions for you. And I'm kind of curious as to what you think, looking ahead for cyber coverage, where your excitement is in terms of insurance, what is the thing that's right around the corner for you that we should really be paying attention to that maybe just has escaped us up until this point?
Steve Robinson: That's a great question. So you mean outside the realm of social engineering?
Joey Giangola: Social engineering, cyber, your pick Steve, whatever you want. There are no rules here.
Steve Robinson: Well, the exciting part of it is you don't know what's coming next. And that's both exciting, it provides for job security and it's incredibly frustrating all at the same time. It's so different cyber than typical, let's say, property, right? We've had wind and water and fire and theft occurring in very similar patterns for hundreds of years. This is apparel that's changing daily. And so it is hard to keep up with. So you start looking at things out ahead, different things that you hear. I think one thing that's particularly intriguing becomes in the area of video manipulation and deep fake videos and things like this that you hear about where someone is impersonating now, not only a digital persona, but they're manipulating video files.
I think this could have an impact on elections, it could have an impact on more public companies where they will make forward looking statements from people and make it appear to be real that that person actually said that. It could actually have an effect on a stock price or on a transaction or an election or things like that. So that's one area that it's not really a quote unquote cyber coverage area per se, but that's one to look out for. I think the more we get... Obviously cryptocurrencies, my big concern and the concern of most cyber underwriters becomes, because we're seeing this more, cloud breach. So what happened? That's basically the big hurricane on the horizon for the cyber industry. Is what happens when one particular holder of thousands, hundreds of thousands, or millions of policy holders who all have cyber insurance policies, what happens if and when they get hacked?
And as a result, you've got much more of a horizontal event that affects simultaneously thousands and thousands of clients who then make claims on their cyber policy. So we just saw this last month and it's all in the news. So it's not proprietary. Blackbaud is a cloud provider that specializes in nonprofits and education predominantly. And they're a software as a service platform cloud, so a lot of schools or nonprofits will use it for their nonprofits, maybe for their philanthropical tracking or things like that, or schools for their grade systems and stuff like that. Well, Blackbaud got hit by a ransomware attack. And as a result, they had adequate backups and all of that. And they said, "No, we're not paying the ransom." Great.
The bad guys came back and said, "Oh yes, we think you will. Because while we were in there executing this ransom, this malware on your system, we got access to a lot of private data as well. And if you don't pay us a ransom, we are going to post this data online and that's going to be really harmful to you." So they paid the ransom. So what's the downstream effect of that? Well, now Blackbaud has to contact their customers, which are the schools and the nonprofits, and say, "Hey, this happened, we're letting you know. We have no reason to suspect this and this and this. But it is possible that they had eyes on this private information of yours." Which in turn triggers their, in some cases, duty to notify their customers. And if it happens that that school district or that private school or that university or that nonprofit had cyber insurance, that's the kind of thing that a cyber insurance policy will help them with.
"Is there any legal expertise that needs to be taken on this? Do we need to notify our affected customers?" And it really depends on the individual nature of each of these breaches. Some of them felt that notification wasn't necessarily, some of them felt that it was. But what I do know is our phones were ringing off the hook for a good month now, of events tied back to that. With clients saying, "I know I have cyber insurance, I rely on this vendor. They had a breach, my customer's information might've been compromised. I need some advice here." So the big concern becomes, "What happens if it's even bigger than a Blackbaud? And what happens if it's an AWS or Rackspace or one of these large, large companies? That's a real concern." So that's something to look out for is really in the area of cloud security and what happens there.
Joey Giangola: Steve, I know about you, but I'm pretty excited for the deep fake version of this conversation we're having, where we tell people the exact opposite of what we just spent the last 30 minutes talking about.
Steve Robinson: Both people who watched will see that, right? No, I'm kidding.
Joey Giangola: Last question, Steve. So if you could have, let's maybe call it a mind control device, to sort of elevate the level of awareness or urgency around cyber and things like that, what's the thing that's standing in the way that's blocking this adoption of wanting to take it more seriously across the board and really stressing it within that renewal, that conversation within the client?
Steve Robinson: I think agents are tuned into risk management from more traditional levels. And what I mean by that is we talk to our clients about avoiding sexual harassment, avoiding discrimination, avoiding workplace violence. We put fire alarms in the buildings. We do safety training about lifting and about all of these things that we need to be doing that are all very important. This hasn't made it into the conversation at that level of urgency yet. And I think that's the big thing, is we need to consider information security on par with all of those other things.
Now forgetting about the fact that we're not talking generally about life or death here. So I'm not saying the relevance in terms of tragedy or disaster, but the relevance in terms of fiscally and operationally and reputationally and financially to their business, this could be even worse than many of those things. And so it needs to be at the very front end of those conversations and taken with the same degree of seriousness that all of those other traditional risk management things that have taken so many years to kind of get there on, we've got to get there more quickly with respect to information security training.
Joey Giangola: Steve, this has been fantastic. I'm going to leave it right there, sir.
Steve Robinson: Well, thanks, Joey. Appreciate it. It's good talking to you.