Jeremy Kroll

(audience chatting) – Okay everyone, thank you and welcome back for our very, very first keynote. We’re extraordinarily pleased to have Jeremy Kroll. You know, it’s hard to be just the only person on stage getting questions, particularly in front of regulators and some investment advisors and compliance folks, but Jeremy’s role and vision, particularly as it pertains to some of the cutting edge, not just opportunities, but also the risks facing FinTech is singular, it’s unique, it’s extremely interesting. He’s a trusted advisor and a complex problem solver for both the business side and on the public side, for business owners, boards of directors, C-Suite executives, and he works with them to mitigate different areas of financial risk, technological risk, across corporate and family office spheres. He advises, again, government clients, market clients, multi-national firms relating to cross-border investments, and he helps them to navigate something that is becoming central, really, to the business operations of firms, and that is the cybersecurity landscape and how to navigate that landscape, again, with as few risks and troubles as possible. He’s also very, very active in the investment community. He is a CEO in the C-Suite. He is an investor focusing on emerging growth, emerging growth companies at the intersection of technology and security, he sits on lots of advisory boards, he’s a Georgetown undergraduate, graduate, Hoya Saxa! And also, he’s someone that I really wanted to come, to talk to a legal audience, about again, technology, about compliance, about the 21st Century threats facing our financial market infrastructure. And I wanted to get it from somebody who has the perspective of someone who understands compliance, but is also active in technology, who’s also active as a leader of a large, multi-national organization, and also someone who’s active as an investor, and who’s looking at new generation companies and the kinds of opportunities that are popping up, as other firms try to tackle and approach different cyber risks and opportunities facing the financial community. So I’m just absolutely thrilled and delighted to have Jeremy Kroll here, over at the law school and at the Institute of International Economic Law. I think, as I did with the previous panelists, maybe if you could just talk a little bit about K2 Intelligence. Talk a little bit about what your role is and what K2 Intelligence does, to provide a framework for our conversation on cybersecurity and compliance. And then we’ll just move forward with our subsequent questions.

– Sure, thank you, Chris. I should just drop the mic. If I had one, I would drop it, because anything more that I say will be underwhelming. So a very generous introduction. I am Jesuit-educated, I was in the undergrad program at Georgetown, so I think it’s appropriate for me to make a confession that I have sinned. (audience laughing) I never would have been able to get into the law center, but today I hacked into the law center by being invited to come and speak to everybody, so I want to atone for my sins, and thank you and the organization for having us here. It is an honor, it truly is. And it’s the perfect intersection where not just the law center, but the organization that you run, and the dialogues going on over the next few days. From our perspective, where we are as a firm, which is really the intersection between financial services, technology, legal and regulatory bodies, and players, and human beings grappling with, frankly, challenges of the same coin. We think one side is mine and the other side is yours. It’s actually the same coin, we’re on the same side.

So as a firm, we have a legacy of over 45 years, of being in the corporate investigations business. The original company, founded by Jules Kroll, my business partner and father, 1972. We built that to become a billion-dollar revenue business, sold it to Marsh & McLennan in 2004. But that business spawned out of a private investigative agency, and focused on four areas of risk, and grew dramatically through the ’90s and early ’00s. Once we sold it, in 2009, we were free to compete and go into the field again, we did two things, one was K2 Intelligence, the other was something called Kroll Bond Ratings, which is a new expression of our expertise in risk management, and how do you create a disruptor in the credit agency world, credit, corporate credit, not consumer credit, which will probably be a topic we’ll talk about in terms of cybersecurity. So we look at risk holistically. We look at it from a regulatory, from a legal, from a technical, from a practice standpoint. We look at it geographically. And when we started in 2010, effectively, K2 was focused on corporate investigations, regulatory compliance, so anti-financial crime, sanctions, things of that nature facing both foreign and domestic institutions, and cyber risk. If you’ve been at this for as long as we have, cyber is a new term, effectively. It’s sort of old wine in a new bottle, and information and networks have been vulnerable for many, many years, if not decades. But we’re at a point now where the awareness level is at an all-time high. So what are we gonna do about it? So as a firm, we really look at these different dimensions, and as you say, we work for family offices and individuals as well as institutions, both traditional financial institutions and FinTech companies as well.

– Great, so when you think about cyber risk, where are the greatest risks coming from? I guess you can think about the question from a number of perspectives, both from a geographic perspective to a technological perspective, but when you think about cyber risk, where do you think are the highest points of concern?

– Well the targets, let’s think about who the targets are. And it’s everybody in this room. And I’m sorry if that feels like a scare tactic, but it’s reality. Human beings are the targets, and whether it’s a nation-state actor, it’s an economic crime in process, it is a hacktivist, they’re all going through a lot of the same disciplines to get at information about you and through you, to develop a base of intelligence, to then pivot off of, to affect whatever their end goal is. So we are all the targets. I think as far as industries go, the financial services industry is and has been on the vanguard, both on the regulatory and legal fronts as well as the industry itself. It’s a much more visceral sense of loss, and so what you’re seeing now, the threat landscape is evolving, and where there’s a tremendous amount of progress that’s been made, I think, between industry and private sector, public sector, and financial services, among them the large money-center banks, the large regional players, some of the large insurers, there is a dramatically big gap between those that are in a great spot from a security perspective and those that are not. And so I think one of the things we do have to really focus on is closing that gap. But we are also looking at the threat evolving, and when we see more industries being affected through financial crime, through account takeovers, through ransomware attacks, now it’s happening to the real estate and construction industries. It’s happening to the legal industry, the law firms, it’s happening to companies that you would think are more focused on security but most of their lives they’ve focused on the physical side of security, not the digital information. So that’s a data point that’s interesting to us. It means that the bad guys are pivoting into other industries, which means financial services is frankly doing a better job, so they’re going to softer targets.

– By going to those softer targets, is it a way of circumventing and finding a way into the financial institutions through the back door?

– Great, great question. Yeah, so if you’re looking for money, yes, you follow the money and then you find the soft spots. One of the really important concepts that’s turned into regulation, and best practices, is a nice sort of friendly way of putting it, but is third-party risk. So that brought to the fore of the public’s understanding of third-party risk, when Target was attacked through a third-party vendor, their HVAC vendor. So someone was able to compromise the payment systems of Target, and this is all public, obviously, but through the HVAC vendor. So third-party risk is a massive challenge. It is a way, if you want to follow the money, and you wanna get, ultimately, to a securities firm or to a bank, yeah, there’re definitely ways of going through. One of the things I think we will maybe talk more about is insider trading. And so, if you don’t want to try to rob the bank, you just want to effectuate trades, in the old days you would, 10 years ago there was a story about people who got advanced copies of Businessweek, and they traded on that information. Okay, so flash-forward to a few years ago, you have more and more targeted spear-phishing activity. So I will look after the top law firms and the partners and the associates and the admin, and I will get into their inboxes and I will figure out what transactions are pending, and I will trade on that information. That was a few years ago. Flashing forward to the most recent revelation is that EDGAR was compromised. So you go from sort of a small-time, small fraud, cottage industry, to a more and more advanced effort and campaign, to the point where machine learning and AI is taking over and helping the crooks get to information at scale, and benefit from it.

– That’s really quite interesting. So when you, from someone who’s involved in investigations, who’s involved in cyber hygiene, and who works with, again, the public sector as well as the private sector, what were your initial thoughts when you saw the EDGAR hack? I mean, were you surprised? Did you note, or were you able to immediately guess what kinds of vulnerabilities were probably in place for that to happen?

– Not surprised, not because I knew anything, but if you, again, you look back just 10 years, what’s the evolution of financial crime, insider trading activity? And doing it from the outside, let alone the high profile cases that we know about that come from within an investment management firm, and how people get material non-public information. So, surprising? No. It made me very anxious, because the best way to cripple our national security is to go after our economic security. So being able to sow doubt in the financial markets, being able to obviously profit, expertly or clumsily, one way or the other, it’s getting out now, it’s becoming more public, and that creates anxiety, and erodes trust. That’s not good for our national security. It does beg the question though, if I’m in industry, what’s a better way of conveying information to the regulatory body? And it’s an opportunity to have a conversation between the regulated and the regulator. Okay, how are we going to exchange information in a more dependable way? How are we gonna protect it better? And again, back to your question, Chris. Surprising, no, because again, most of cyber hygiene is really achieved through, it’s being religious about patching your systems, updating your software and the applications and the network. Awareness and training, and visibility, not just delegation of this to the back office, but acceptance at a leadership level, that this stuff really matters. So that’s a pretty common pattern, whether it’s a public or private sector, when you hear about these hacks and where the vulnerabilities are exposed. It’s through a lot of just negligence.

– Is there a sense that, and you brought up a couple of issues that are really important, particularly in the FinTech space, when you think about FinTech companies are small, sometimes they’re emerging, sometimes they’re focused on just different little points. So what does cybersecurity mean for those firms? And I’ll get to that, but one last sort of question was, do you see any particular countries being origins of cyber risk? And, do you see state and non-state, particularly, I guess, the state actors being more involved in your work? And does this change the way in which you look at cybersecurity?

– Totally does, and it depends on what the motivation of the actor is. Is it state secrets? Is it economic advantage? Is it political? And so, depending upon what region, or what specifically country you’re from, you know, let’s think about how education works in these countries. And how are people educated in a formal sense or an informal sense? So what do I mean by that? If you very quickly think about, you go on vacation, you come back to your house and the door is locked and you come in, and you see in your living room, everything looks normal, maybe there is a book off-kilter on the coffee table, but otherwise things look normal. You go up to your closet, you put your clothes away, you open your safe to put your passport back, and the only clue that someone was there. Guess who was there? Guess which country was there? It was that little book, was slightly off-kilter, but basically you didn’t see any obvious evidence. It was the Chinese. If you come home, same scenario. Maybe the lampshade’s a little tilted and you go to your safe and, you know, the watch you got for your wedding, that’s gone. But the safe is still locked, the Russians were there. You come home, third time, there’s graffiti on the walls. Books are off-kilter. The safe looks like someone’s attempted to hack into it, it’s the Iranians were there. So I think you’re seeing the state actor evolution sophistication. In Russia they have a wildly successful computer science and engineering education system. A lot of that has actually transported to Israel and the smarts, you know, associated with that education are there. I think if you are North Korea you’re doing anything you possibly can to up your game, to get attention. And I think that is a political actor. If you’re Nigerian, your uncle used to have a scheme or through fax he was the prince, you know, the struggling prince who needed to get a hold of his bank account, he just needed a loan to get him through and he’ll repay you at 50% return. That’s now a culture that is very good at phishing because they’ve grown up with it. So I think, back to your point about geography, clearly the important state actors are going to be China and Russia and Iran. I would say of our allies, India’s increasingly strong. I would say that Israel and the UK are tops. But if you’re in Israel, you are from grammar school tracked and cultivated and brought into special units and educated, so I think one of the threats that we really think about is the K through 12 threat, and I would give credit to Admiral Mike Mullen who’s on our advisory board. He sees this as the number one national security threat, is our education system. You ask yourself, are we really preparing our students to be technology facing, tech-forward professionals in the 21st century? Are we also equipping them with a level of awareness and understanding about the risks? Are we teaching them about ethical behavior? Are we focusing on these issues and preparing them for the future? Because some percentage of them, as we know, will go off the rails. And if they have no hope for a future, then they will turn to do bad stuff. So I think we need to look, from an education standpoint, and certainly we’re in a legal setting here, undergrad and graduate. Let’s focus on K through 12 and let’s not overlook the youth.

– You know it seems to me, just as I listen to your comments, that you can have different, that the different risk obviously is tied to what kind of bad guy there is out there. You can have someone who just wants to blow something up. You can have somebody who wants to, I guess you could have a terrorist, a bank robber and a hostile government. That’s sort of three different categories. And the targets for each of those could be different depending on what kind of bad guy you are and then also from where in the world you may be coming from. Do most of your clients know what questions to actually ask you when they walk into the door, or do they say I just don’t wanna be hacked. I don’t want to have my name in the Financial Times as being hacked, and I don’t want to be subject to a bunch of folks coming through the door threatening to sue me. Or are they, do they tend to be a little bit more sophisticated and say look, you know, my folks are just getting hit by these phishing scams or I’m really concerned, given the nature of our business, about X, Y and Z. And the reason why I ask is when you talk about that K through 12, eventually those K through 12 grow up to be adults and what kind of awareness do people come to you with or is it usually sort of after the fact and there’s been a hack and there’s a problem and they need you to put out some fires?

– I will disclose that most times I’m with a client it’s they’re having a bad hair day. I mean they just, you know, they’ve realized they’ve been victimized or hacked, and whether they’ve detected it from within or a law-enforcement body or a regulator has come to them and pointed it out. And I think in the last 18 to 24 months, the awareness has just shot through the roof in terms of the issues. And so those of us in the cyber-risk business, and I would count us as lawyers, compliance professionals, people in government. The news is free advertising. It is every day something new is creating that, that sort of anxiety drip that’s just, you know, what do we do here? So I think awareness is at an all-time high. I think that’s a good thing.

When you look at the construct, and I’ll talk first private sector, that board members are aware of the potential risks. Why? Because the large institutional investors are now knocking on the doors and saying “Where are you with your cyber protection? What are you doing about this hack that took place in your industry?” They’re putting more and more questions on the table and boards have to really be thoughtful about that and react to it. And so the board community, frankly, has a long way to go to fill the cyber smarts gap that’s in the boardroom. And so that’s gonna be, I think, a trend that will continue for some time. So to your point about education curve, we’re gonna need a new generation of people in boardrooms that heretofore would be viewed as not as experienced, not as prominent, what have you, but I think that’s it. Just like after Enron, WorldCom, Adelphia, and so forth, Sarbanes-Oxley drove boards to think about how do we get financial experts on our board? Lead the audit committee, or at least be on the board to give that diverse perspective. I’ll touch on diversity as well in a second. So you have, you have investors worried about it.

I didn’t even mention the plaintiffs’ bar. Have you thought about the plaintiffs’ bar coming after you if you’re the victim of a data breach or a company? They’ve now recognized this as a whole new area. And in fact, one of our recent cases we helped defend a corporation who had a large hack and we went into the dark net. We sent our undercover operatives and our bots to go harvest information and look for where the members of the class had been victimized or breached prior to, so therefore they would be disqualified from the class. We could say, “Hey, wait a second, you were hit in the LinkedIn breach two years before, sorry.” We also use the traditional investigative methods. You’re a regular plaintiff, you’re a serial plaintiff. Your credibility is down here now. So I think the plaintiffs’ bar is gonna demand that more people are more vigilant, more responsible, and more proactive.

Okay, so let’s get to management. What’s management doing about all this stuff? They’re getting their heads banged in by the board, they’re every time an article comes out, they get an email from a board member or an investor saying “What are we doing about this, are we on this?” And it’s tough. I mean, I feel sympathetic to management. And what are they doing? There’s a lot of companies that are still delegating it to the IT department. And by the way, that IT department is run by a CIO and if they have a CISO, a Chief Information Security Officer, she or he is reporting up to the CIO. Not a good practice. You want separation, you want a better governing structure, so that information security person has the ability to go and have independent conversations. In my company, that person reports to my COO and Chief Legal Officer. The CIO reports to my CFO. So I think there’s a lot of changes that have to take place internally within companies to just catch up. And how easy is it to recruit a CISO and retain her? Not easy, very difficult. And there’s so many complexities within the private sector that you’re grappling with on this topic.

– One of the complexities has to be the ever-evolving nature of cyber risk. And we had a brief conversation, and I think it would be really interesting to talk about Bitcoin and the evolving nature of cyber threats when you have cyber extortion and the payment used for extortion and maybe you can give, and provide some flavor, as to some of the new fronts and new risks that you’re seeing playing themselves out.

– Sure. In our old business we were in K and R insurance. Do you know what K and R means? Kidnap and ransom. So we would work for the insurance company who would assign or sell policies to executives and their families when they would travel or live abroad. So our job would be to go in when that executive or their family was kidnapped and we would negotiate with the kidnappers for the release of the insured. Which means we would have to negotiate, but basically there was always gonna be a payment. And we retrieved 180 human beings. No deaths. So, that was in the ’90s and the ’00s. And we maybe had 10 a year. Now we have digital K and R, so what we’re doing, 10 a week is for clients who have been somehow breached, and their data, if you know what ransomware is, do people, are aware? Okay. So ransomware is when you effectively lock information or lock people out of their systems or shut down operations within a company or as we’ve heard about law firms. And so we’ve just recently conducted a hostage negotiation on behalf of a law firm that paid $1 million in Bitcoin to the bad guys. And let me tell you, they didn’t deliberate for more than an hour on this one. They said, “We’re gonna pay it.” That’s what they asked for because the exposure, the potential downside, and the risk was just by order of magnitude, much, much, much greater. And the saddest thing about this stuff is so much of it is preventable. And so if you read about the WannaCry, Petya, these were kind of old antibodies that were running around and they got free because people weren’t updating or patching their systems. And you heard about businesses, professional services businesses, industrial companies, they were knocked out for hours or in some cases, a week and a half. So what we look for in our staff are people who know how to deal with hostage negotiations, conduct investigations in a forensically sound manner, go into the dark web and know who’s a legitimate crook and who’s not. ’Cause sometimes you know maybe the best course of action is not to pay the ransom. So I think that’s, hopefully answers your question.

– [Chris] And generates even more, is there, was there a reason why they were asking for Bitcoin, as opposed to some other currency, or are you not allowed to?

– I mean, it’s a dream come true. So in the old days we used to have a duffle bag full of cash, of you know, unmarked bills. So that was then and now it’s a dream come true to have virtual cryptocurrency that is there to effectuate a successful transaction between two parties that wanna remain anonymous. And so that is a, and in our research, in our undercover work, in the dark net, this is the currency of choice for bad actors who are looking to purchase or trade account information, frequent flier miles, you name it. And so the virtual currency business is flourishing …

– In more ways than one.

– In more ways than one.

– Well, given the fact that cybersecurity is important, and given the fact that you had mentioned that one of the possible routes of infiltrating an even mature cyber company, or a company with a mature cybersecurity system would be through a third party venture. Lots of times, particularly in finance, and earlier we had our peer to peer panel in which we talked about the collaborative nature between some of the FinTech firms, operating in tandem through joint ventures with other larger, more established banks and like. You see not just a disintermediation, but you’re breaking down financial transactions into little points. And when you think about it, when I think about it at least, from your standpoint, each of those little points could be a different business. It could be a different company, providing or working with another company. And each one of those companies could and should be secure. Because if you infiltrate one, then you end up infiltrating the other systems in any particular transaction. But when you have these smaller firms, the upstart firms, from your experience, how costly is that cybersecurity, relative to their business? Relative either through their earnings or revenue or funding.

– Reputation.

– Or reputation. Exactly. And have you seen a challenge getting those smaller companies up to speed?

– Yeah, I think on the spectrum, and we do operate, we don’t just serve money center banks, we serve brand new companies in the financial technology and regulatory, RegTech, FinTech, InsurTech. My wife is an entrepreneur as well, so FemmeTech, if you’ve heard of that expression. It’s very cool. She was just published in the Washington Post a couple weeks ago, I’m very proud of her. Apres is her company. It helps women who wanna pivot in their career or return to work and connect them to employers who want to increase their brilliance and competitiveness. So FemmeTech, but look up Apres. She’s gonna kill me for that, but anyway.

– [Chris] No, no that’s totally interesting.

– A lot of recovering lawyers on that site, looking to come back and kick butt in the workplace. So I’ll put one of our clients on one end of the spectrum, and then I’ll anonymize another one. But to kind of get to the point, it’s game over if you’re a young company and your systems are viewed, or your data is viewed, or how you transact business is viewed as fragile or not dependable. Yet, in the real world, every incremental dollar that you make via revenue or you raise via investors, goes towards engineers, business development people, marketing. That’s where the money’s going. Unfortunately for most. And it’s not going to, upping the regulatory risk management framework, it’s not going to upping the cybersecurity framework. And it’s not going to sort of recruiting people who specialize in these areas, and that I think is a big problem. It’s a people problem, you know, people, people, people. And so I think the young companies, what are they good at? They’re good at innovating or sort of creating a new way of transacting, payments, lending. Figuring out how to trade virtual currency in a lucrative way, in a responsible way. And they focus on customer experience, user experience, you know that’s their strength. What we would like to see is a lot quicker coexistence and deepening partnerships with traditional financial institutions who have got a lot of the scar tissue, who are good at management practices and disciplines. And that there needs to be more coexistence. Unfortunately we see a number of these young companies, and I can blame the CEO. That’s the person that’s responsible for not making these investments. I could blame the board, but at the end of the day the board is saying “We’ve given you our money, now we buy into the vision, make it happen.” Every quarter of that board has to be asking, “Where are we on security? Where are we on our regulatory framework?” I’ll give you a specific example that I think is worth noting. Has anyone heard of Gemini? Two. So two, interesting.

– No, one, two, three, four.

– So can you explain what it is?

– [Audience Member] The Winklevice twins, is that it?

– Winklevoss, yes, but yeah.

– [Audience Member] It was our understanding, it had to do with the Bitcoin exchange. I don’t know if they changed that.

– So it’s Bitcoin and now Ether. And so they called us when they heard from a large money center bank. This is about four years ago. “We would feel comfortable trading with you if you had an AML program in place.” You know, AML, KYC, people know those acronyms right? I mean, in the traditional financial institution world, extremely well known. And there’s a lot of people applied to them in technology and so forth. But the bank’s like that’s great, guys, but I can’t do business with you unless you have this in place. And thankfully, they recommended us. And then they also said, these guys and girls will come with you to DFS. So if you build it right, you then go to DFS. You have your third party consultants who have set up a KYC program, who have put in compliance systems, who have done the training. You need to give those regulators assurance. And if they buy in, then we will buy in. So it’s this virtuous circle. And I have to say that Tyler and Cameron invested a lot of money in security and compliance. Much, much, much, much more and by the way, the traditional financial institutions have a lot to learn from them because of how they have dealt with really thorny security challenges. In a world where you’re trading virtual currency, the whole idea is you celebrate anonymity and you’re operating at such a feverish pace, and it does eventually come back to this need for deep coexistence between the new companies and the traditional.

– I think from a, and we’re just talking about crowdfunding in the previous panel, but it gets also to this question which is, what kind of appropriate response or regulatory approach do you take for early stage companies? Or do you instead, from a regulatory perspective, you tell the more established companies, hey look, we’re expecting you to help out so the smaller companies that you’re partnering with? And you know, do you create a glide path? Or do you have to have different kinds of expectations for smaller companies versus larger ones?

– Yes. Absolutely and I think the regulatory community has done a remarkable job of the following things. Information sharing, they have been pushing it for years and years, and you know what? It freaking works. As long as people have a level of trust and they can share, there are patterns to divine out of this information that help firms stay in business. They also have dos and don’ts on their websites that address really the kind of fundamental cyber hygiene needs of firms. So they’re doing their job in terms of putting out information sharing requirements, putting out dos and don’ts, best practices. And they are working, if you pay attention to law enforcement and sit with law enforcement, you’re gonna learn where the threat is coming from a year or two years from now, it’s happening right now. The early days of it are happening right now. And so that the fostering of dialogue that you’re doing here and that need to take place formally and informally between the regulated and the regulators is so crucial. I’ll give you an example. Recently we created a company led by Jim Rosenthal, former Chief Operating Officer at Morgan Stanley, former chairman of SIFMA. And he and Phil Venables from Goldman Sachs said, “We’re worried about systemic failure of the financial services industry.” The top 10 banks have got security pretty well in hand, but what about the 8,990 other, you know, regional banks, community banks, securities firms? So they created something called Sheltered Harbor, which is, in effect, a place to help structure an environment where if a bank fails because of a cyber attack, the resiliency is there, the customer data’s there, you know, the porting of it, and it’s preparedness at such a high level industry-wide. Why’re they doing that? Because you go back to your questions about where is the weakest link in the chain? If I wanna get, either as a nation state or as just a crook, I wanna go to the mid and smaller sized, the less resourced. So I think if we can see this happen in Europe and in Asia, that’s gonna be really critical next steps.

– So you sort of talked about this before, but you’re obviously also a CEO. And as a CEO, you have certain kinds of expectations that you’re gonna want within your company, even from K2’s perspective, you wanna make sure that your company is secure from all kinds of folks who would like, in particular, to have the information that you have.

– Don’t get any ideas out there.

– So how do you go about thinking through, from a CEO’s perspective, security in your firm? And obviously, K2 is a particularly interesting and sensitive case study, but how generalizable are all those best practices across industry?

– Well I’m also an owner of the company, so I think if the average CEO owned enough of a company, they would think. They’d wake up in the middle of the night, not just thinking about a product launch or entering a new market, but they would think about the fragility of the asset. So we do devote an extraordinary amount of our IT budget to security. We have a team that specializes internally in both the technical sides of security, but also behavioral. So I can’t stress enough the importance of awareness and training. And you make certain training modules mandatory, and then you also add, as incentives, other training modules. For example, some of our most popular, not required training modules have to do with home security, personal device and home security. Because people respond to that. They think, okay how does this affect me? How does this affect my
significant other or my family? And so I think a big part
of what we’ve tried to do is put in place simulations of being hacked. We run hacking attempts on our own people. And we see what the results
are, we educate them more if there are people who
have failed those tests. So that ultimately, they
don’t make a bad decision. Are we gonna minimize it to zero? No, but I think awareness
and training, and by the way, I don’t think that ultimately
smacking them in the face or firing them is the right way to go. We have to come up with incentives. Incentives drive behavior. And rewarding people for
making the right decisions is really important
and I would say, again, if CEOs think of this as an owner, realize the fragility, and
if you ask your CEO like, so how’re you dealing with security? And he says well, I got this really great. I didn’t even mention
the fact that we have a Chief Information Security Officer, or a Head of Training, or a CIO. They’re not responsible
at the end of the day. So to say I’ve got, you know, the team tells me it’s taken care of and we’re in good shape. The days of that CEO are numbered. So it’s really getting in the weeds, it’s really understanding
what the risks are real time. We have a whole
external-facing security team, so it’s knowledge sharing. It’s investing in education
for our technology folks, but it’s also specialized training for your finance department,
for your HR department, for your legal department. Because I’m not gonna
try to hack the CISO. I’m gonna try to hack the General Counsel. Because he has got some
really juicy information and is probably very susceptible to oh clicking the wrong link
or opening the attach– not necessarily thinking. I’m not, sorry to pick
on lawyers but, you know, non-technical people who may
not be aware of the threats. So, I don’t know if that
fully answers the question. – When it comes to crisis response when the person does inevitably sort of, mistakenly clicks and
you’ve now been compromised, what do you see as particularly
poor crisis response? Some responses that you’ve
seen market participants make and then what do you think
is the better response once your security or your cybersecurity has been compromised? – So you know, number one is they’re swimming in that river in Egypt. Denial. I remember going to, I
met with 25 different GCs of hedge funds during the course of the insider trading spree going on. And I said, look we have Palantir, we have our social media investigators, we have behavioral analytics. We have the perfect killer app for you to identify the next rogue
trader in your operation. So they’d say, that’s really interesting. There was one person who was
honest with me and she said, “Wait a second, you’re giving
me all this information. “Now I gotta do something about it.” So there is a mentality out
there that I think over time, and I hope will change. And I do feel like if you deny or deflect or you stick your head in the sand, those are leading indicators
of you’re screwed. But this is where I think
private sector, public sector need to come together and
create a safe space to sandbox, to allow for security prevention, to allow for data analytics exercise, to allow for pattern recognition, and to basically create an
environment where people are trusting each other that
they’re not gonna get, again, punished for sharing,
for self-reporting or saying, I can’t, I don’t know how to monitor a million transactions a
week and look for, you know, things that would constitute a SAR when you have this integration of cyber attacks and traditional money
laundering techniques. I don’t know what to do here, I need help. So there needs to be a
safe place for people to game these things out, work together. And so, I think, I can’t
stop pitching education. And I think the awareness, if it’s delegated down to
mid- and junior-level people, you actually see the
greatest number of offenders are the senior people. They’re unaware of what
links they’re clicking and what attachments they’re opening up, and they don’t know the
damage that they’re doing and yet they’re the ones who don’t show up for the freaking training sessions ’cause they think the
rules don’t apply to them. So I think tone from the
top, really critical. Integration of newest and
greatest technologies, and experimenting with new methodologies, teaming with the public
sector are all important things to be doing right. – No, and that is certainly
something that I know a lot of people in the room are looking and thinking about. Our next session will be
on regulatory sandboxes and what kind of
experimentation you can have with the public and private sector. But looking forwards
there are also some folks who are in investment. You are an investor, for sure. Where do you see some
of the more interesting investment opportunities? In cybersecurity but also
FinTech more generally. Are there things that
excite you more than others? Are there things that you tend to view a little more skeptically? What’s your vision like
when you think about the world of potential investments? – I mean, we’re at such an
exciting juncture overall because people are getting, they’ve got enough education
to know what the risks and the issues are. There’s enough capital
looking for great teams and technological solutions to solve for. You have large, old
economy players who are innovating from within and
putting serious money to work. And look, there is a high cost to be a licensed insurance company, or to be a regulated business
in the financial sector. And so there’s a felt need to like, we can do a better job here. So I think one of the
exciting things that I see is, you know, emerging is, and this sounds a little
geeky, but entity resolution. So if you’re gonna have
an effective AML program or an anti-financial crime program and you’re being told you gotta now take all this structured
and unstructured data, bring it into a view, and figure out is this Chris Brummer or
is this Chris Brummer? And without harming your business, you’ve gotta figure that
out on such a rapid basis and that’s entity resolution. And so, I think there’s
data analytic tools that are emerging. I think there are opportunities
for homespun technologies built out of large financial
institutions, for example, that are gonna come to the fore. And so that’s one area. Workflow, workflow and compliance. Again, sounds pretty thrilling, right? It’s not as cool as Snapchat, but if you can improve
workflow and compliance, apply machine learning, improve
the integrity of the data, understand the true legacy of the data, and create a much better
environment for compliance and legal professionals to work within, then you’re leveraging, you’re
harnessing their training, you’re harnessing their judgment, you’re actually getting
to a better answer. Do I de-risk and get rid of this customer? Or do I keep ’em? And so I think these are a couple areas that are interesting. Look, and cybersecurity. Every four minutes there’s a
new cyber company in Israel. We have an office in Israel. They’re trained from the
cradle to be in security. And so, whether it’s in
Israel or in Scandinavia or here in the States,
in the last six years, something like 1,300 cyber
companies have been funded. For the most part by, and I would say, 95% of them have been
funded by people who, oh I need a security company,
I’m gonna tick the box. So specialized investing in security, but doing it not just as a pure, sort of, financial investor, but
partnering with industry, I think is also an exciting area because industry is where
the problems are, they exist, the felt need is. And so if you have a place to do R&D and you have a place to figure out what’s the next IOT hack on a home, a smart home thermostat system, you’re gonna want to understand
how to deal with that, but you need access to
innovation, technology, and teams. So I think that will be an advancement in the investment space,
which means companies and investors and principles
of both work together on this issue. – We’ve had a really
interesting phone call earlier, and I just want to have you share the slot to this particular crowd ’cause
I think it’s fascinating. But we had talked a little
bit about automation, the challenges of automation. There are certain kinds of
questions about source code, as in intellectual property and
questions about source code. But also how do you make sure that, when you think about automation, when you think about algorithms, getting back to your original
phishing observation, a lot of times even when
it comes to the RegTech, you have to figure out
whether or not there’s enough machine learning to comply with new rules on the RegTech world, to the extent to which people
are executing transactions. You have to know, well,
what’re those algorithms programmed to do. And you had mentioned the idea of, well one day there may be
some kind of development of compliance source code, where you could sort of track regulatory
environments of algorithms. I mean, I know it’s
just a futuristic idea, but I think it’s pretty cool. And that’s why I want you to maybe share what you meant by that concept. – I have no idea what I meant. No, I came up with it on
the spot because it was in response to your point that the regulatory community
really wants to try to get at the source code of trading algorithms, so that they can do a better job. That ain’t gonna happen. I mean, if I’m a investment fund, this is my crown jewel,
my intellectual property, and frankly, working
investigations like we do, we just did one recently a few
months ago that was public, where an internal technology person at a very large hedge fund, we figured out that he was
using steganography to hide trading code in images, images that he was then
emailing to himself. It was Susquehanna, it was in the news. And so, these firms, they’re also worried like well
what happens if I give you my source code and then you get hacked? So I just feel like it’s a
Gordian knot you can’t untie, but why’re they looking
for the source code? And if you’re the regulated body, what do you gain from interacting? And it’s really around trust. So the notion that there can be a set of risk controls and rules
built into machines to help establish transparency
and how compliance is being rolled out and followed, whether it’s transaction monitoring, or it’s KYC onboarding,
or whatever it might be, that maybe that’s a way of establishing, kinda getting to the
ultimate objective, which is how can we trust each other A that, I’m doing what you tell me I need to do? B, you are doing what
I’m telling you to do? And knowing that this source
code is gonna change over time, but transparency within
that exchange is I think going to help establish greater trust. And I know you have a panel
later in the next couple of days around this convergence of cybersecurity and money laundering. And so there needs to
be constant evolution and the machines need to
constantly be tuned and updated. And you go back to entity resolution, and the quality of the data. ‘Cause if your data lacks integrity, you are gonna get crushed
by the regulatory community. You have no excuse. Now, you could sensitize
them to your challenges. You just acquired a business, you’ve got a lot of legacy
issues through that acquisition, you need time to clean things up. Or you’re a young
company, FinTech company, and that regulator needs
to be sensitized to look, there’s only so much
time and money you can apply to risk controls, regulatory
risk management, security, so can you just think,
Mrs. or Mr. Regulator, about how we could have a little bit more of a sensitive version of
what you want to achieve, but again, put yourself in my shoes and affecting dialogue, so. – I think that’s just fascinating. Cybersecurity can be a
little bit intimidating, particularly for regulators,
frankly, and policy makers. And we’ve, at the Institute,
we’ve tried to engage not just regulators and
not just the market, but increasingly we’ll have
discussions with people on the Hill, who are also
trying to get their arms around these kinds of issues. Right now, in DC, there is
an enormous push to educate, not just K through 12,
but the people who are already making those decisions in-house within the regulatory bodies. And I think, I guess my last
sort of question for you, as someone who thinks about training. Is the training process
different when you get to a, I mean you haven’t been a regulator, but when you look and when
you talk to different folks, I’m sure you see a varying
level of sophistication But yet, you do need partners, again, in the regulatory
community as well as in the legislative community
who have a requisite amount so that you could figure out some kind of thoughtful policy solution. What are the impediments
to getting that training up to speed, given your
own leadership as a CEO, you have to train your people. Any thoughts for a lot of leaders here who are thinking about getting
their own folks up to speed. How do you make that happen
as quickly as possible? And how do you improve that human capital? Particularly where, frankly,
it’s not going to be as easy to just acquire new people. It means also sort of
retooling and training some of the people who are
already in your agency. – Well I just asked the group here. Has anyone gone through an effective, what you felt was an effective, cybersecurity training exercise? – Raise your hand if you have. Okay, that is a growth
industry right here. – So, did I mention that
that’s an area of focus for us from an investment standpoint? (laughing) You know, look, and I think the Law Center among other institutions, be they law schools, business schools. Something interesting’s
going on in Roosevelt Island in Manhattan where Cornell and Technion created an applied
sciences graduate school. Applied is the operative word. And so I think one key dimension is the existing educational framework, the amount of sophistication
already resident here at Georgetown, for example, because across town, where
I went on the Hilltop, you have the greatest
thinkers around national and economic security. You also have people who study languages, and linguistics, and
fine arts, like myself. But you have human beings
who have a lot to contribute, combined with the legal acumen here, and this is a safe space. So I think there’s repurposing existing educational framework and that’s key. I think that look, at the end of the day, our view is that if you’re
gonna be properly educated, it’s through a sustained effort that you feel you’re incentivized
to continue that training. So whether it’s through entertainment. There’s a company I’m
looking at right now where they provide cybersecurity
training and the lead, not the CEO, but the lead
person on the content side is the former head
writer of The West Wing. Pretty cool, right? So they create videos that are topical and interesting and entertaining. Getting emails in your inbox
with some static newsletter, not super helpful. So I think you want interactivity, I think you want engagement, I
think you want entertainment. It certainly helps to
focus on the human being, herself or himself. How do I protect myself? When Equifax or other breaches
of that matter happen, there’s a hell of a lot of anxiety. So I think the regulation community, the bodies themselves, there has to be, at the leadership level, a recognition. Like we have human beings
in our organization. We need to think of them as human beings. And their families, and we
need to help protect ’em and arm them, on a personal basis. So I think incentives are so
key in getting this better. And I do think if there’s
ways for industry and public and private sector
to work together in forums, where they get a chance to
just get out of their shoes and step into somebody
else’s shoes and vice versa, they’re sensitized to
what the challenges are. And again, fostering more trust. – Well I will end there, although I will note that the theme, ultimately for all the
technology and cybersecurity and cyber hacking and cyber
extortion that we talked about, it’s actually an enlightenment. Rousseau said, “To entertain and instruct” was one of Sir Rousseau’s
great ideas in terms of how do you be a great educator. And I guess the more things change, the more they ultimately stay the same. But thank you, Jeremy. This was fantastic. Told you he’d be great,
and we’ll have a break, and then return to our regulatory sandbox and Gregg Phillips in the afternoon. But thank you so very much. (audience applauding)