The ShiftShapers Podcast

EP 551 Cybersecurity Reality Check - with Daniel Metcalf

David Saltzman


Cybercriminals don’t need to “hack” our systems when they can trick someone into handing over access, and AI is making those tricks more realistic and scalable. We talk with Daniel Metcalfe of Cyberfin about where benefits advisors are most exposed and the layered, practical steps that reduce breach risk while still letting teams use AI responsibly. 

• why employee and employer data is “gold” to attackers 
• how advisors get used as a pathway to bigger targets 
• why MFA and antivirus alone don’t stop social engineering 
• where agencies are most vulnerable today: email credentials and tool connections 
• what “layered” user-based protection looks like in real life 
• why password managers change the social engineering game 
• how ongoing security awareness training finds gaps faster than annual check-the-box training 
• why cloud storage is not the same as encrypted backups 
• how AI is already being used inside agencies without formal approval 
• practical AI wins that avoid sensitive data and improve efficiency 
• what client expectations are becoming in an AI world and why relationships still matter


Why Cyber Risk Is Surging

David

Cyber threats are accelerating, and AI seems to be rewriting the rules almost every day. So are benefits advisors truly prepared to protect their clients, their data, and their businesses in this new environment? We'll find out on this episode of Shift Shapers.

Announcer

Change either energizes or paralyzes. The choice is yours. This is the Shift Shapers Podcast, bringing the employee benefits industry interviews with individuals and companies who are shaping the industry's shift. And now, here's your host, David Saltzman.

David

And to help us answer and understand all of those questions, we've invited Daniel Metcalfe. Daniel is co-founder and president of Cyberfin. He works kind of at that interesting intersection of cybersecurity, AI, and the employee benefit space, helping advisors understand emerging risks and more importantly, how to navigate them with practical real-world strategies. Welcome, Daniel.

SPEAKER_00

Hey, thanks for having me. I'm really honored to be here.

How Criminals Target Advisor Trust

David

It's our pleasure. So let's jump right in and start with the big picture. Before we get into the actual risks and the technology, set the landscape for us. How should benefits advisors be thinking about cybersecurity and AI today?

SPEAKER_00

Yeah, absolutely. A couple things that come to mind, especially since with artificial intelligence, there's something that's coming out every single day. But the core, the core area around cybercrime and cybersecurity still remains the same. Their whole infrastructure and what they're trying to do is to fool you into giving up something that you know, like, and trust that they can go make money from, right? So whether that's um keeping you, you know, uh mainly in the in the benefit space, they want to get to your data, right? So they want to get to your data because the data is gold to them. And that data is the very sensitive data that you have to keep about every employee, about the employer itself, the you know, the medical data, because they can in the identity data, credit data, because they can use that in order to make money in other ways. And so what you have to be out in a lookout for is how are the bad guys trying to attack my agency in order to get access to that data? Or the other is how do they get access to you because you have access to a bigger fish with a lot more data. Think like a carrier, an FMO, uh, you know, a business, you know, your clients, your bit, your, you know, uh the commercial clients or the clients that you have. And so they're gonna use you as the trusted resource to you to that um bigger fish with a pH that they can start to go after uh because now they can act as you, right? And have an engineering attack that way. So what artificial intelligence has done is one, they've given cybercriminals the ability to do mass-scale attacks at once and very, very good attacks and making social engineering look even more real than ever before. We're not dealing with the Nairobian princes anymore, right? We're looking like carriers, we're looking like uh clients, we're looking like uh tech your tech stack, and specifically they even know which ones you are. On the and the uh the other area within um AI is what we're giving it access to. 
So giving it access to the data, giving it access to our proprietary, um, how many people are starting to go down that route of you know, creating uh uh agentic AI and giving them access to everything and making giving them connectors without even thinking about what it really has access to and where is that information being stored and going. So we're constantly, you know, especially within our organization, we're constantly working with the agencies to try to let them know both of the here's where the cyber criminal risk is coming in, and then here's the here's the data compliance and protection that you're putting yourself, that risk that you're putting yourself in using these tools and utilizing it from that standpoint.

Where Advisors Fall Behind

David

So, honest answer, you talk to an awful lot of agents, brokers, advisors, call us what we want to. Um, are most advisors ahead of the curve or behind it?

SPEAKER_00

Um, well, I wouldn't be in business if everybody was ahead of the curve. Um, I said our mission here at Cyberfin is to eliminate cybercrime and regulation fines in the independent insurance agency industry. Um, and I wish I was here to tell you, oh my gosh, we're so far ahead after six years of doing this that, you know, you know, it's it's been a great uh reckoning for everyone and we're everything's heading in the right direction, but this is not true. Um so when it comes to cyber cybersecurity, we're still a little bit behind the curve in our industry. When it comes to artificial intelligence, um, because we do help organizations implement AI, implement it safely, um, I wouldn't say the industry's behind the curve or the agencies are behind the curve. I think they're right there with what the other industries are at when this dabbling phase, and it's still just a really smart assistant, and it's just it's better, it's a better chat bot, if you will, or a better chat Google search tool than before. But really getting the return on investment that some of the other industries are are now starting to gain the benefit of, we're far behind from that standpoint of it. But part of it is the fact that we're regulated and we have very sensitive data, and there's a lot of things that we have to think about and we have to consider before we even start unleashing some of these tools. So I want to give us a good grade in our industry, especially since we have to start thinking about at all times what's what's happening with that data and who has access to it.

David

Yeah. Well, and the first thing that you want to think about is PHI, and the last thing you want to think about is a PHI breach.

SPEAKER_00

Right, 100%.

David

So when you talk to advisors, where do you see the biggest gaps in understanding when it comes to cybersecurity?

Social Engineering Beats Old Defences

SPEAKER_00

The biggest gaps in understanding is, and I and I feel that, you know, other people in my in my industry have in technology have kind of led us to this, which is that multi-factor authentication and antivirus is enough in order to protect yourself. Um that that that version and that castle methodology of where we're going to protect everything inside a building, um, that will that model is now being used against our industry, right? Just by saying, hey, if I check some boxes, I'm good to go. If I have cyber liability insurance, I can use that as a cybersecurity measure, right? Um that's just not that's just not where cybercrime is at today. Social engineering attacks are up 500%, right? That has nothing to do with multi-factor authentication or antivirus, right? That is them tricking you into, you know, through multiple different communication technical, you know, technology and digital communication tools, and in some instances analog, in which they're tricking you into giving up credentials or giving them access or sending them money or whatever that might look like, right? Um they are they are infiltrating people that you already work with on a regular basis and acting as them, right? So you're going to hand over your multi-factor authentication, you're going to press the button, you're going to engage with them. They are going to get a session cookie because you're you think you're interacting with somebody that you're already working with and you're not. Um so that's where I'd start at is we just we are using these old ways of of trying to protect ourselves and from cybercrimes or not really protecting ourselves and just hoping to use insurance to cover our downside. That is not where we need to be.

David

It also sounds, you know, to a certain extent, like the bad guys are always a step ahead. Sure. It's like every time we think of some way to thwart them, they come up with some new way to get around it. And it's like this constant battle up the stairs. Is is that a good analogy?

SPEAKER_00

Yeah, it's a great analogy. And and and I had the pleasure of talking to um some people within the federal government and some of the in the international um space on like how they're protecting from that level. And they say that they they gave two really good examples. One is there are entire skyscrapers in China and Russia where people put on suit and ties and and grab a backpack and they go up these skyscrapers with finding ways to try to steal money and steal identities from and and intellectual property from Americans, right? That's their whole job. Right. And there's no way of, you know, there's no extradition. There's no, there's no way of taking care of those criminals, number one. And number two, if we start looking at third world countries that have an internet connection and they happen to steal even just $25,000, that's generational wealth for, you know, three to five years. So they're gonna do whatever it takes, right? Especially if a ChatGPT account is $20, right? Or a ransomware as a service is $200 or whatever. They're gonna do whatever it takes for as long as it takes in order to, if they've got a if they've got a fish on the line, right? If they got you hooked. So there's that they are gonna continue to change. They're continued to think, and we have to be ahead of the game instead of just reactionary to what to the new items.

David

Which means, I think for most of us who are just, you know, insurance folks, we need to have a partner that we can trust who will be keeping up with that separate from what we're doing and and advising us. But where would you say advisors are the most exposed as we sit here today?

Email And Tool Access Weak Spots

David

Not theoretically, but what's actually happening?

SPEAKER_00

Um the two that we see the most is through their email and their email credentials and their connections to their carrier tools or uh insurtechs. That is the place that they're the most vulnerable. Um we have to, as an industry, right? We have to use email to collect, store, analyze, and move that data in order to get paid. So we're right in the middle, and email is that that crux point of where we have to gather all that information. We have to move that data into carrier sites, quoting tools, insurtechs, client tools, right? Third-party tools. We have to move that data and store it, right? Think of even the phone calls that, you know, if you're doing individual health benefits, right? And you're part of CMS and you gotta record all your phone calls and store them for seven years. There's a lot of sensitive data inside there, right? And now we're supposed to save it for seven years. So now we have to do that. So that email and that email infrastructure, your O365 or your your workspace, that is now your biggest exposure from that standpoint of it. Then you look at all those tools that you have to move that data into. That's where you're going, you know, that that connection. And then because you have to interact with them on a on a day-to-day basis, if someone just even figures out a way to fool you into that they're rule, that, that they're real, that is the next and you know, most insecure part of your organization.

A Layered Plan That Works

David

So let's move into what they what advisors and all of us can do about that. So you work with firms on broadly being more secure. What does being prepared actually look like in practical terms? What's what's the first couple of steps that any advisor should take?

SPEAKER_00

The first of all is we need to inventory what all of your devices, your connections, your access to data. You have to really take the time to inventory all of that and say, okay, these are all business computers. Let's let's get rid of personal computers. You know, I know we want to do that. Let's get, you know, no using a personal computers, business computers, knowing what everybody's internet connections are, what are their email boxes, what do they have access to, right? Is there is their credentials have access into administrative tools, whatnot, right? So start to get that inventory. And then from there, start to think how instead of it being how am I going to protect everybody inside a building, start thinking about how are we going to start protecting everybody from a bubble around each person and their most vulnerable parts. The endpoint, the device they work on, their internet connection, and their email. Having those being protected, having that protection all be consistent, and taking it to the next level of having a cybersecurity guard actually watching it 24 by 7, 365, with the ability to fix the problem instantaneously, right, and get the bad guy out of there. That is how you're going to severely lower your risk of an attack. Now, that is not the most foolproof, so I got to add a few more things that we need to put around that, right? Which is password managers with multi-factor authentication. Right. And you're saying, well, Dan, you just told me multi-factor authentication. I said don't doesn't mean that we can't use it. It means that we should at least have a password manager because that allows us the whole deny, deny, deny, right? I don't know my password. Sits in my password manager, right? I can't give you my password. I can't type it in, whatever it might be. I have to use my password manager to be able to do it, right? Um, and then you know that's constantly being updated, and it's you know, you don't have to think about password manager. 
And then second is employee awareness training. I can't stress enough employee security awareness training. When we do our um cybersecurity assessments for the agencies um that we that we perform, we notice at least 80% of the agencies do not incorporate employee security employee security awareness training on a regular basis, meaning like more than once a year. And it's and a lot of them are just doing the, oh, we get some training from this association and we just kind of do it ourselves. Instead of actually signing up for, you know, as as a service, right? And doing the phishing simulation tests and doing some vendor risk analysis, doing, you know, that that allows you to see what the multi-factor authentication antivirus can't protect from you. It helps you find out who's falling for social engineering, right? By let's put our pencils down and have cybersecurity Fridays, and let's go look to see what everybody's got on their desktops. Let's go see what, you know, if they're actually saving things to the cloud that's already being backed up. Like you'll find where your holes are just by stopping, training, and seeing what. But if we only do it once a year, man, all those bad habits are gonna continue to go on, you know, throughout the year. Um and then, and then lastly, really having backups. I think that many organizations think that um just because they put everything into the cloud, that that makes that data safe, right? That's not true. All you did with the cloud is giving them more access to more data. You need to make sure it's backed up encrypted. And encrypted means like making a complete scrambling of all the ones and zeros that turn into words, right? Into text uh and images and all those different things. It takes whole Bitcoin computers to figure out mining computers to go figure out how to unencrypt things. And bad guys are just gonna go, ah, go right by it. So all those combinations combined. And you don't and do those in those order, right? 
Because that is where you're gonna severely lower your risk, and then you're just going to continue to harden yourself and harden yourself and harden yourself as far as an agency is concerned.

David

So it sounds like it's kind of a layered approach. Would that be a fairer analogy?

SPEAKER_00

Yes. And we, and that is where we came up with our philosophy. We we used to do the castle methodology just like everyone else did, until we found out that that was out of date and the bad guys were actually using that against us. And now we have adopted what um companies like Optimum and some of these other enterprises did, which is this multi-layered user-based protection. And it's just a fancy way of saying, let's put bubbles around everybody where their most vulnerable parts are. And everybody has the same cybersecurity, everyone has the same, you know, protocol, no matter where they are, in the office, out of the office, in Bermuda, right? Um, whatever device they're using, Mac or Windows, doesn't matter. And it's all being managed by a cybersecurity guard. Because if you think of the best analogy I can come up with is, you know, we call them cul-de-sacs here in Minnesota or circles, wherever you're from, right? Which is if you have a house that has the lights off, the garage doors open, and bikes are hanging out of the back of it, you got the second house that has the ring camera with the floodlights that pop on when you get close to the door. And then you have the ADT or the cyber or the security system, the house with the security system. The one with the security system has layers. The one with the ring camera and the floodlights, it has kind of layers, but they don't talk to each other, right? They have to work independently. And then the other one has nothing, it is, is the bare minimum at all. You have a garage or you're not even really closing in, right? Which one do you think the bad guy is gonna go after? First house, no problem, right? Second house, no problem. Third house, that's layers. Why would I bother? Because I can go to the next street and I can find two more houses. I don't need to bother with this one. So even by putting in those layers alone, that just signals to the bad guys you're taking it seriously and most likely you're gonna be left alone.

AI Use Is Already Happening

David

So we touched on AI a little bit earlier. Let's kind of dive into it a little bit more. Sure. How is AI already changing the way benefits advisors operate, whether they realize it or not?

SPEAKER_00

Oh wow, it's um well, let's let's start from the risk standpoint first. I I could go and survey 99 out of 100 agencies and advisories, and I'm telling you, you've already adopted AI. Someone has taken an email, copied the text, pasted it into ChatGPT or Claude or Gemini or Grok or whatever, got the results, copied and pasted the results, put it in an email, and sent it out to somebody. They've adopted AI.

unknown

Right?

SPEAKER_00

Because they're using their business email address, right? That you own, right? That you own the business email address, it's part of the entity, right? So you as a business have adopted AI. Um, that's the risk of you're not, you don't already have the policies in place to say, what can we use it for? What can we not use it for? What are approved tools? What is the data it should have access to? What you know, how do we review everything? That's number one. The other way that I've seen it from a pop from now from a uh operational efficiency and from an return on investment standpoint that they might not even know about is your staff is using it as a very powerful assistant in order to help them make them make their jobs more efficient, more effective, spend more time better time with it. Um, just as an assistant when it comes to emails and analysis and um training and expertise from that standpoint of it. If you want to take it to the next level, now you need to look at what are some of the manual tasks that happen in my organization that we can automatically do. Again, as long as it doesn't have access to sensitive data, that's where I would start, right? And what are some of those things that we can do from a and I break them into three buckets from a revenue generating standpoint, like demand generation, marketing, um lead lists, follow-up, sentiment, those kind of things, right? Looking at from a RevOps, like, hey, are these the right, you know, what are our ideal clients? How do we know who the um people we should be talking to? Can I reach out to them and make them connections, whatever it might be? Then we've got the service aspect of it. What happens after someone agrees to allow us to insure them? 
What are all the steps that have to happen afterwards from certificates of insurance or any types of other analysis that we have to do or whatever that service is to make sure that now that they have that we're providing them insurance and benefits, what are the next steps have to go after that? And then we look at the finance, and not finance the way you think of it, but finance like how do we collect money? How do we, you know, how do we how do we have to collect money? How do we um rectify our QuickBooks? How do we um pay commissions? Things like that, right? All those different types of financial admin type roles. Agencies are using this already to make their jobs better. Now, back to the risk side of it. If your your um accounting team decides that, or your HR team decides that they want to look at somebody's commissions and they put it into a free ChatGPT account because you haven't agreed to let them use ChatGPT from an enterprise perspective or a business licensing, right? They've just put that out there and then in into the ether that anybody can go and pull down a bunch of that information. So those are the that's the risk side of it too. So someone's doing that to make their their lives better.

David

And I mean, not to go all HR on you, and I I want to stay on the subject, but this is all stuff that should be in your employee handbook, isn't it?

SPEAKER_00

Well, yeah, and everyone has a written information security policy, and then an incident response policy, right? Um David, right? Because they the law says the HIPAA law says I have to have it. And depending on what state you're in, like you have to have that. And um, and I know I'm being facetious, but that that is, it should be. And now that you've adopted AI, you need to make sure that those AI protocols should be in the handbook, should be included in the WISP and the in the um incident response policy.

David

So for advisors who maybe want to start using AI, uh, what are some responsible practical use cases?

Safer AI Wins Without PHI

SPEAKER_00

Um I always look at starting with your strategic coach, right? So training, you know, getting your AI digital brain, right? Uh chief of staff, sort of right. Everything about your agency that um makes you unique, makes you different, you know, the kind of the products that you sell, the carriers, anything that's public information that's out there. Um maybe want to, you know, give it to a strategic advisor to help you make quicker decisions or allow you to um have a conversation with somebody that has more experience than you, right? Um at your fingertips instead of uh and you can even talk into it now. Um that's where I that's a very safe way to start to integrate it. And then each role within your agency, do the same thing for them. What makes your position unique? What are your responsibilities? What, right, what what are the and and other trainings that you'd want to do? So think about how many times you have to train a new person in, right? And your standard operating procedures, put those in there so that you can train faster, you can be more efficient. They have a question, they don't have to come to you as the as the bottleneck, they can go to the digital AI brain and they can start you know getting trained from that. Um, starting to do policy reviews, you know, start thinking about things, you know, policy reviews, other things about analysis. That need to go faster, where if you're looking at two documents with 200 pages at it versus some in artificial intelligence that can look at 200 pages in a matter of instance and tell you what the differences are, those are ways that you can start to use it safely and get a benefit right off the bat. I always go back to marketing too. Marketing's really easy, you know, a little more simple as far as like helping you write copy, uh, understanding what you know the next um ad that you want to put out there, measurements, right? I love the analysis and marketing. 
Figuring out here, you know, here's our SEO scores, here's our uh, you know, how many leads we're getting from here, how many we're converting, things like that. Like that's so many tools that you can or uh use cases without it actually touching sensitive data that you could get a benefit from.

David

Well, and it it doesn't have to be one of the LLMs. I mean, uh, the example that I I would give you is um not too long ago, Adobe Acrobat started having a built-in AI piece. And so you could input a set of bylaws and look for a keyword, and it would pop up instantly all the instances and it would analyze it for you. Correct. And and and I just heard a couple of days ago that Adobe who sells a suite of different products is going to be coming out in the very near future, as in the next month or so, with an AI front end where you won't have to think about which one of their products you need to do to use something. You'll just tell it what you want it to do, and it will go across the entire suite and do them for you.

SPEAKER_00

Yep. Yeah, similar with with uh Microsoft Copilot or um, and and there's gonna be domain-specific tools coming out in droves in our industry. They're in the property casualty and the commercial industry, these are already out there quite a bit where they're called domain-specific tools. And what that means is that they're specific to the insurance domain. And because they know all the regulations and what are ness with sensitive data, they are SOC 2, they have a place to put this data safely, or they don't keep the data, they just analyze the data that you've already collected and you've already protected. These are these are um my recommendation on tools you should start to be looking at for your operations, you know, that might be touching sensitive data. That's where I'd start pointing people in that direction. Because, like you said, you don't have to put them in the LLMs. These are already built and they're already, they've already been trained and they've already been up to date and and they already know a lot of what's going on in your in the industry. So you don't have to spend so much time training it, right? And they've already have workflows, agentic workflows already built out that you can just tell it and prompt it to say, yes, I want you to, you know, um, I'll give an example in the in the personal line side is like, yeah, send the certificate of insurance, right? Make sure that that gets created and sent out. Um, take these after hour phone calls from us and and find out what they what what they want, create a ticket for me. And so that when my team gets in there in the morning, they can see all the people that called in after hours and what they needed, instead of someone listening to a voicemail and having to set a ticket up and do all those different pieces of it. Um have it go through my email and tell me all the different um tasks I have to do today that came in from the support box, things like that.

David

Or even, you know, go through all the customer support calls that are recorded and tell us in order with the frequency of particular questions being asked, so maybe we can get ahead of them and ask them you know sooner.

VPNs And Secure Portals Explained

David

It it's really, you know, amazing. For a while, VPNs were the thing. Everybody talked about VPNs, VPNs, VPNs. What does a VPN do and why is it important?

SPEAKER_00

Yeah, so there's there's there are VPNs, virtual private networks, that scramble the signals or they make you look invisible on the internet. So if you think of the internet, right, you got the high internet highway, and everybody's driving down the internet, and if you use with a VPN, you will just your car will be invisible as you're going down the internet, right? And um, the next level is it could be scrambling what your car looks like, right? And everything inside that vehicle. Um, and they they have to take a lot of time for it to unscramble as it's going through through the internet or through email or whatever it might be. Then there are secure internet portals that act as firewalls on your devices that will give you your own tunnel into the internet that's that is both masking and encrypted that allow you to, just like having a firewall in a building, would allow you to be able to use the internet without somebody looking into what you're what you're doing, um, recording all the stuff that you're that you're interacting with, um, trying to divert your your internet usage to their bad guy uh internet tunnel.

Faster Clients Still Need Humans

David

It's fun and games. So from a client perspective, how are cybersecurity and AI changing expectations of advisors?

SPEAKER_00

Well, it's I think it's the same in um in any industry right now. They're expecting that you're working longer hours, that you're working, that you can do double the amount of clients that you're able to manage before, that you're able to get them the answers faster than ever before, that you should be no reason why you don't have somebody answering the phone uh when they want to call when they call in or have an ability to talk to you on the uh through text message or through a chat bot or whatever it might be, because this all this is just standard operating procedure up to this point with artificial intelligence, right? Everybody should have it at this particular so um from a client perspective and from a from a um even from a leadership perspective, if you will, you should be able to do more with more, right? And the whole promise, and I we we just had a long conversation with a bunch of other um leaders in the space about how the promise was we were gonna have less work, we're gonna have more time, we were gonna be more efficient. And what happens is we can do so much more, we're just adding more.

David

We're adding more to the more.

SPEAKER_00

More to the more, right? Before where I could shut my brain off at 11 o'clock or 10 o'clock the next day, I caught myself standing up till three o'clock in the morning now because of all the cool things I can do with artificial intelligence that I couldn't do before. And there's a lot of testing and there's a lot of refining, and there's a lot of, oh, well, now I got to be able to do this or make this connection, or that didn't work, or hey, a lot of hallucinations, so I can't send that out, right? So yes, I can do more, but it's taking more. And on the flip side, clients are thinking that we should be able to do more and be faster and and and respond at all, you know, 24 by seven, because we have all these these tools.

David

Yeah, but you know, we all have to remember that AI can't read the room. Right? AI doesn't take the place of the personal experiences and personal connections that you make. I guess in one sense we're lucky, because our business has always been a business about personal connections.

Daniel

Exactly.

David

And I remember talking to some agents when Obamacare, when the ACA, was first coming out, and the navigators, remember them, were going to be part of the government. And oh my gosh, the navigators are going to take away my business, they're going to eat my children, it's going to be terrible. Right. And you know, my answer was, you can't think that way, because if you do, you need a checkup from the neck up.

Daniel

Right.

David

The government's never going to have the relationships that you have with your clients. But that's why it's important to have folks like you safeguarding a lot of that stuff, because we all know it takes forever to build trust and it takes a nanosecond to lose it.

Daniel

To lose it, 100%.

One Move Now And The Future

David

So let's close by looking ahead.

Daniel

Sure.

David

If someone just takes one action after this conversation, besides calling you guys at Cyberfin, to better protect their business and their clients, what should it be?

Daniel

The first thing I would do is start to adopt a password manager with multi-factor authentication, and make sure everybody's using a password manager and multi-factor authentication for their business. Our favorite's Bitwarden, and again, selfishly, because that's one that we manage, but there are good ones like Keeper and Dashlane and 1Password available. But you want to centrally control it. What I mean by that is you've got to pick somebody in the organization whose whole responsibility is to manage these types of security for you, right? Get your password manager, have multi-factor on it, have it centrally controlled. Here are the rules, here's how it needs to be set up: set up the administration of it so that it's updated every 90 days, and people only know their master passwords, right? You have access to those things. You're going to have to manage it centrally. The second thing I would do is look at your email security and make sure that it is locked down and somebody's monitoring it and managing it 24 by 7, 365. And then lastly, I would start to look at all my policies and make sure that I have all my policies up to snuff. Because I've talked to a few DOIs and departments of commerce recently, and they're all saying the same thing: we're not going to do a witch hunt, but if we find out about a breach where you were the one that gave up the credentials, or you're the one that gave up the sensitive data, right, it came from your account, and the consumer turns you in before you turn yourself in, we're coming down like a hammer. And so the best thing is to say, hey, let's not have this problem, first of all. And second of all, hey, we're able to report. Here are our root and information security policies.
So if anything happens, we know exactly what to do: report on time, make sure we know exactly what we're collecting, and just be ready with the fire plan, right? Remember, I don't know if you remember, in school we always did the fire plan, right? Same idea. You want to be prepared if you have a fire. You want to be prepared if and when you get hit with a cyber attack.

David

I'm so old that we did the "in case of nuclear attack, hide under your desk."

Daniel

Sure, sure.

David

Which was brilliant advice if you think about it.

Daniel

The desk would definitely protect us.

David

One last question. What do you think the next three to five years look like if they get this right, or if they get it wrong? On artificial intelligence? No, on all the cybersecurity that we've talked about. What does it look like?

Daniel

I see a world in which we go passwordless. I see a world in which we have artificial intelligence being our cybersecurity guard for 99% of everything that we do, and everything's cohesive and controlled, where it's not just 9,000 different companies that all have their own flavor of cybersecurity, but we all follow a cybersecurity protocol, especially in our industry, and it becomes a requirement if you are going to have access to sensitive data. It makes it a requirement that everybody has one of these three flavors of cybersecurity. And artificial intelligence is the cybersecurity guard that's going to do it. That's what I think is going to be the future here in the next five years. And that would severely lower the risk of an attack. Now, does that mean cybercriminals go away? No, I think they just go find a different industry. But if we can do it in our industry, you know, we can go from the number two most attacked industry in the country, second only to manufacturing, to hopefully not even on the list.

David

That would be great. And that's a great place to end our conversation for today. Daniel Metcalfe, co-founder and president of Cyberfin. Daniel, thanks for a really fascinating conversation.

Daniel

Yeah, thanks for having me again. Honored to be here.

Announcer

The Shift Shapers Podcast is a production of Shift Shapers Strategies and may not be reproduced or quoted in whole or in part without our express written permission. Copyright 2020, all rights reserved.