
Unboxing the SEC’s New Cyber Proposal with Rich Itri

Podcast

About This Episode

This week’s podcast guest Rich Itri, Chief Innovation Officer at ECI, did the heavy work of reading the SEC’s 250-page cyber proposal on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. He shares his perspective on what may be ahead for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

As it goes into comment period through May 9, 2022, many are on standby for the outcome of the proposed cyber incident reporting timeline of four days after a material breach. Which, of course, leaves one to wonder, just what are we considering ‘material’ these days? You don’t want to miss this week’s episode as Rich shares deep insights from his more than 20 years on the financial services security frontlines.

      [1:11] How Technology Has Evolved

      Rachael: Today, we've got Rich Itri. He is the Chief Innovation Officer at ECI, joining the podcast. We were talking before we got on, 24-ish years technology side of the financial services industry. I can't even imagine all the things that you've seen in that time, how it's evolved and changed. And it just seems like it would be really, really fascinating.

      Rich: It is. It's crazy. When I think back, like when I first got out of college as a developer, working at that point, computers were still kind of trying to figure out how to align technology with the business. And it was really driving a lot of market innovation and so on, and how fast things have evolved. To look at now, computers we had back then, we had these big, trading desktops. I mean, they basically were the size of televisions. 

      Now, you can probably get the same computer off of your phone. It really is amazing how things have evolved around then. And also the big monitors and stuff, but in general, just how digital technology overall has really helped drive financial markets, especially over the last 10 years. How automation, trading algorithms, being able to develop out data science programs. I remember working on large database projects and just being able to capture a terabyte worth of data, and being able to move it around. Now, a terabyte, it's nothing. But back then, to be able to analyze a terabyte worth of data could have taken six months. It's just very, very different now.

      We Didn’t Think About Cybersecurity the Same Way Back Then

      Eric: I remember I was at EMC in 2000 and we were selling Symmetrix storage. And a terabyte array was well over a million dollars. I have 48 terabytes on my array at home right now, which was not over a million dollars, let's put it that way. It's crazy how it has changed. And we didn't think about cybersecurity in the same way back then.

      Rich: No, we didn't. I was telling someone the other day, I remember in 2008, we were replacing some firewalls at the firm I was at and they were more modern firewalls. You could log traffic and do some different things. And we replaced them more to be able to handle connectivity, increase bandwidth. And the security stuff was great. It was kind of like a side thing. And then my team comes in the office one day, like, "Rich, look at these logs." We got activity coming from China. We got activity coming from Russia. And we got activity coming from somewhere. We don't even know where this is coming from, but they were trying to get in. And I was like, wow. Sitting at my desk, it really kind of began to resonate with me, the threats that are out there.

      Back then, we used to think it was more malware. You know, emails being sent around, and not really that external perimeter was something that you saw attacked. And now I look at that and I mean, that happens almost every minute of every day. For most financial service companies, you see block traffic like that all the time. It's almost the norm. So just in the last 10 years, how that has evolved. 

      The Cuckoo's Egg

      Rich: It's really crazy to see how the threat landscape has just gotten so much more complicated. So much more driving of risk for companies. The financial risk for organizations have never been greater on the cyber side.

      Eric: Yes. I always picture the '90s of John McAfee running around with a shotgun over his shoulder, killing malware. Where we've gotten to, it's incredible. There's a good book. I don't know if you ever read it, The Cuckoo's Egg. I think it's Cliff Stoll. He talks about the Department of Energy and how they had a nation state attack them. And nobody knew what to do. Nobody even accepted that there was a nation state attacking them. 

      I want to say the timeframes are the early, mid-'90s, but it's an interesting read. But it puts you in the mindset of that era. And it's a very different time period than today. Today, I mean you meet someone on the street and they have an opinion on cybersecurity. Back then, even the experts really didn't think about it.

      Rich: Yes, no, they didn't. And I think when you look at the financial markets today, the systemic risk that cybersecurity creates for everyone. We're all investors in some form. 401(k)s, pensions, and so on. That's our savings. Whether it's your checking accounts, whatever it might be, security has never been more paramount for us as citizens.

      Eric: It's just as safe under the mattress.

      A Little Paranoia on Security

      Rachael: That's what I was about to say, because when you have an existential kind of crisis at 3:00 AM and you can't sleep. You think about everything as kind of ones and zeros, and everything could be wiped out. And then I think about my grandmother on my father's side, she had hundreds of thousands of dollars in the walls of her home. She wouldn't turn the air on, she wouldn't turn the lights on. But hundreds of thousands of dollars stuffed in the walls of her home. And I'm wondering, maybe she was onto something. I don't know. I mean, am I getting a little paranoid here?

      Rich: Maybe a little paranoid. But I think the premise behind it was not wrong in that you want what's most important to you close to you. At all times, you want to be able to know where it is. You want to be able to see it and be able to get to it. I think it's because it has gotten a lot harder these days to live like that. And a lot harder to get somebody to put drywall up these days to hide the money. Just to bury that kind of cash, I don't know if you could even do that. And then, they probably want you to pay via Venmo, right?

      Eric: And then you're in trouble.

      Rachael: Exactly. I know, all these cashless stores now. That's a real problem.

      Rich: You're in trouble.

      Eric: Is that why you moved into your grandmother's house?

      Rachael: It's a different grandma. It's a different grandma. I did do that.

      [07:49] A Cyber Proposal to Do Cashless Exchanges

      Rich: Look, I think everything we do revolves around some sort of digital technology. You can't really avoid it. Even the pandemic really drove everything to cashless exchanges. You go into most stores now, they don't even take cash anymore. Most of the airports and the stores there don't even take it. We talked about Venmo, the person who walks your dog doesn't even want cash because they have a card linked to Venmo. They want to get paid via Venmo or PayPal or some of these other tools. 

      So, it's hard to even operate in society today without having some touchpoints to digital technology, linking of bank accounts and credit cards, and so on. It has definitely gotten tougher, which is why it's even more important that companies really focus on cyber. And I think the new SEC regulations are a really good example of that.

      Where the SEC has finally thrown the gauntlet down and said, "Look, enough is enough. We've made recommendations over the years. Some of you have adopted them, a lot of you haven't. Rather than saying the recommendations, we're going to say that it's policy and we're going to be very prescriptive around what best practices are because we're here to protect the markets as well as investors." There's a lot of people who have money tied up in pensions and 401(k)s that are traded through these organizations on a daily basis. And they need to be looked out for.

      Eric: Yes. It's a really good point because not only was your grandmother not earning interest. Getting the ability to spend that money was becoming a lot more difficult as the economy changes, as the world changes. But as we put more electronically, I worry about it all the time. 

      A Cyber Proposal to Manage Data Correctly

      Eric: What if somebody wants to wipe out the bank records? We'll probably talk about Wipers. We've been talking about Wipers a lot, and ransomware. What happens when the bank can't restore from a backup? What happens when you didn't print something out and your latest account statement is not there? At a minimum, it's a nightmare to deal with.

      Rich: Yes. Look, Wiper and some of these other kind of malwares are just getting more and more sophisticated, very challenging to counteract. A lot of this stuff comes down to good IT hygiene, like backups, you mentioned. There's ways to do good backups and there's ways to air gap things. There's ways to manage data correctly. But you got to invest in the right kind of technology and have the right people around you to build out the right framework to be able to manage it. And I think companies always take a kind of risk-based approach. 

      What's the risk of this happening? And what is it going to cost me to actually close the gap? That cost factor, it's always a big deal. And they say, "Well, the chances of it happening are low, the cost is high, we're going to roll the dice." Who does that put at risk? It puts us at risk in terms of you're making those kind of risk-based decisions when it comes to costs.

      Eric: Now, does the new SEC, is it a proposal or a mandate at this point? It's still in draft.

      Cyber Proposal

      Rich: It's a proposal. It's in comment period. Yes, yes, it's still in draft. I think they're going to have comments done by the end of April. But the themes in there, I don't think are going to change. I think there is a little bit of some gray areas on how they define certain terms. But it's very prescriptive in terms of what they expect organizations to be doing. 

      Now, they're also trying to make it very business aligned. They're saying, "Look, some organizations you might have 10,000 employees and you might have billions of dollars under management. We're going to expect you to be doing more or different things than maybe a smaller, private wealth advisor who is managing maybe a billion dollars and has got 20 or 30 employees or so." Or you might be a firm that's trading high frequency. "We're going to expect you to be doing different things than a long-short firm with 10 people who are trading maybe 50 trades a day."

      But they are very prescriptive in the things they're expecting you to do. The types of technologies they expect you to have in-house, and the types of risks they want you to mitigate. It was very interesting, reading it through. They get into concepts like identity and access management, know your data. Things that have always kind of stood around the outside of their recommendations. They've almost pulled them in there. 

      And I think those are some things where organizations are really going to have to rethink. Not just technology but business processes. So who could access what data, how's that data updated, "We need to change permissions." Okay, what does that do? How does that affect systems downstream? And other types of things.

      [13:03] The SEC Cyber Proposal Requirements

      Rich: There were some other interesting things in there too. One was around third parties. Very big in financial services is to outsource things to third parties. Especially larger organizations who have grown so quickly. As we were talking about earlier, the markets have really exploded in the last five years. And firms have really grown tremendously, a lot of financial firms. They've used third parties to help gain scale and outsource, whether it be technology or services. 

      In the SEC proposal, they were very clear around, look, you could outsource the function, but you can't outsource the responsibility. You are responsible for having procedures, technologies to be able to run your business away from those providers.

      You need to have them well documented and you need to test them on a regular basis and show proof of testing. I think they're saying, look, you can't say that this provider was down and that's a good enough reason why your investors couldn't get their statements. That's not good enough. You need a way to prepare that statement away from them, and be able to give the investor information accurately to them. They need to have that documented and tested on a regular basis. And I think that's one item I saw in there, which it's known throughout the industry that you could outsource the function but not the responsibility. But I think to call it out was very interesting.

      The other thing I thought was interesting, and I think this will really help drive some of these changes forward, is they're creating accountability at the board and director level.

      The Accountability to Drive Change Through the New Cyber Proposal

      Rich: So, anytime you want to implement change, you want to start with the tone from the top. Making the independent directors and the board responsible for cybersecurity now, calling it out, telling them what they need to be overseeing. The responsibilities they have as a director over cyber, I think, are really going to create that accountability to drive some of this change throughout the organizations.

      I think, was it 2009 when the SEC, right after the market crash, they passed some new risk regulations. They, again, filtered it through the independent directors and the board. That changed fundamentally how risk reporting analytics were done and what changed at the board and independent director level. I think now making it part of that framework is really going to help drive some of this change forward. 

      Because look, I think this is a great change. When I look at what they have here, these are all the things that I talk to clients about on a regular basis that they should be doing. These are all best practices. It's all very reasonable to be asking these firms to do. And it's about time we really forced some change, and really get rid of those kind of gray areas that might have existed beforehand.

      Eric: And what are you hearing, as you're consulting, as you're advising clients, how are they responding to this proposal?

      How Clients Are Responding to the Cyber Proposal

      Rich: I mean right away, a lot of people were like, "What does this mean to my business? How close do I align with it? Where are my gaps? What's the ramp-up period going to be?" Because look, there will be a ramp-up period. Once it's finalized, they're not going to walk in and say, "Okay, we're going to now audit you on all of these things." 

      But I think firms are genuinely concerned now. How they line up and what gaps they might have, and how they can go about closing them. So, already talking about, "Hey, can we do an assessment?" and things like that. And I think it's something that once the comment period is over and things are finalized that we'll probably start doing a lot more of.

      Eric: It's funny when the Biden executive order came out last May, they gave 60 days to have a kind of a plan together. I think this is the way they looked at it. Every agency blew through that. I bet there are very few that have a plan even today. The nice thing is they're giving time. The SEC is giving time here to get up to speed.

      Rich: I think there is, but I think they're going to be less patient with this. And I think, look, if you look at the threat landscape with Russia and Ukraine, that only increased the risk by almost tenfold overnight. I think that ramp-up period is probably going to be a lot shorter than it traditionally was. Because I think the expectation was that they were making recommendations over the years. Firms were kind of taking them and trying to implement them.

      The Most Critical Infrastructure

      Rich: I think this change came out of one, definitely the Biden administration and trying to be tougher on cyber. I think the SEC has seen, over the last three to four years as they go in and do audits and exams, that people aren't really listening to the recommendations. I don't know if the ramp-up period is going to be as long as it was on some of the other things, but there will certainly be one.

      Eric: And that's talking about financial institutions, which are reportedly the best protected out there.

      Rich: Yes.

      Eric: From a critical infrastructure perspective, clearly.

      Rich: They are. And look, yes, I mean it is critical infrastructure when you think about it. I mean, the collective of hedge funds and financial institutions out there, the amount of money that flows through the markets every day. If that were to get disrupted in any kind of meaningful way, it could cripple the economy.

      Eric: Right. Yes. To say the least. I mean to me, it is the most critical of critical infrastructure.

      Rachael: Yes. 100%. I think one of the things too in this SEC proposal, there's an amendment about cyber incident reporting, which is everyone's favorite topic. What's enough time, and who do you give the report to? And I think the last number I saw was, what? Four days to report a cyber incident. I mean, how are you feeling about that number, Rich? Is that enough time for financial services organizations to have something to report or to have it together? I mean, what's the impact of something like that?

      [19:21] The Gray Area in the New Cyber Proposal

      Rich: Well, that was one of the interesting things in the proposal that I saw, which was I think there were two pieces in there, and they actually spent a lot of time in the document going through this. One was there's this gray area that has always existed around what should I report and what shouldn't I report? 

      The reality is many firms have had some cyber incidents. As long as it didn't affect investors directly and they can carry the cost of that on their balance sheet, they just paid. If someone wired someone money by mistake and they could just foot the cost to $2 million off of their balance sheet, they did. And they just kind of moved on. They never reported it. I think the SEC is like, no, not anymore. That has to get reported irrespective of the size.

      They're really being very kind of specific now around reporting. And the time to report, I mean, it's certainly aggressive. But I think they're like, "Look, you don't have to have everything in hand. You have to report that there was an issue and share as much information as you have at the time." 

      I mean, it's certainly aggressive. Because look, having been CTO for a number of years for various financial service companies, you always want to make sure before you report anything, especially to the regulators, you want to make sure you have all the facts. And you want to make sure that you've flushed everything out. You don't want it to look like you've approached this in a haphazard way, that you've checked everything.

      Intelligence Could Be Helpful

      Rich: And look, systems are complex today. They cross platforms. Everyone is probably in a hybrid cloud form, multi-cloud. There's multiple systems that could be affected. To gather and be able to do that assessment is challenging. On the other hand, if they don't throw the gauntlet down and draw a line in the sand, it can go on forever. I mean that's one area where I think there's probably some room for movement. And I think at some point, they'll probably define types of incidents and a reporting timeframe for those.

      But I think it's good that they're actually forcing the issue now. To allow them to get an idea of the risk across the financial organizations, the types of risks. They could begin to pattern things and maybe over time help alert. 
      There's a lot of member organizations where people could share threat intel and other things. But when it comes to incidents, no one really wants to talk about them. You're not going to share that with a professional organization, or even your peers. So, building that, intelligence could be helpful.

      Eric: Rich, I'm interested, would you move the timeframe out more than four days?

      Rich: I would look at the types of incidents, the size of the organization, and the complexity. And I would make it more of a scale than I would just a hard anything needs to be reported. I think also too in there, there's a little bit of ambiguity around they try and define what's a significant incident and what has to get reported. But there is still a lot of vagueness in there that I think needs to get flushed out.

      An Event vs Normal Course of Business

      Eric: That was my next question. You have some 16-year-old kid trying to break into an account or steal someone's credentials. Do you report that? Now, if you have a massive DDoS attack from the Chinese government or something, do you report that? How do you delineate between an event and normal course of business? Because you have attacks, as we were talking about earlier in the day. I mean, you're probably getting hundreds of thousands of attacks, attempts, every day. So, is it a breach? Or how do they categorize that?

      Rich: They use the word significant a lot. And I think they're using it in the context of how does it impact your business? Look, there's malware threats every day. Someone clicks a bad website, they open up an Excel sheet with a bad macro. As long as that is isolated and remediated, there's probably no need to report that. 

      Now, if that Excel sheet opened up and sent out 1,000 emails to everyone in your contact list, even though that might have been a low-level risk to the company, like you were able to notify those individuals, it was just a malicious link, that is probably a significant event. And you need to report it. Whereas others might argue, "Well, it wasn't really significant. There was no financial loss, it didn't impact investors."

      I think there's going to be a little bit of that being worked out. Certainly, anything on the DDoS side would fall into the significant bucket. Anything with a nation state would certainly fall into that as well. I think anything affecting investor data, so any of your investor information getting leaked or compromised. And not only from your systems, but systems at your third parties that you contract to use as well.

      To Whom Should a Cybersecurity Incident Be Reported

      Rich: I think that's the other key piece, is that it's going to create accountability for a lot of the third-party providers as well. Because they're always wary about reporting things and trying to find that gray area themselves. Because they don't want to get fired. And if they report that they had an issue, but no data got out, it's still going to make you second-guess the issue. You're probably going to go look before something bigger happens to move your information off of their platform.

      Eric: Okay. I have a question, and my government side of my mind is going crazy right now. They have to report to the SEC, and probably CISA, right?

      Rich: Yes. They have to report to the SEC, and then depending on the event, it has to go to the FBI as well.

      Eric: What is the government doing with these enhanced reporting requirements to beef up their workforce to be able to handle these event reports? I just imagine massive amounts of data flowing into horribly overburdened bureaucratic organizations with very limited cybersecurity. I mean, I'll give the FBI, I don't want to give a grade because I'll probably lose business. But they're decent, but they're not staffed for American cybersecurity protection. CISA is probably the best from a capabilities and staffing perspective. And I've got to imagine the SEC is horribly unprepared for this. I hope I'm wrong.

      Rich: Well, yes. Look, like everything the SEC does, they have a form for it. I forget the name of the form. It's in the document, that you'll have to fill out and file. And then the form could end up in a database, and who's actually looking at it and reviewing those.

      [26:26] Adding Quality Staff to Handle Stuff Coming In

      Rich: I think at some point, they're going to have to staff up that part of their program. You could see that over the last several years, they've really been trying to add quality staff on the cyber side. So, pulling people from business, who have worked at big banks and in the alternative investment industry to help them not just with handling the volume of stuff coming in, but also around what is best practices? Is it okay to be holding people accountable for things like this? And what risk does it represent to those businesses?

      Eric: Well, that's where my mind goes.

      Rich: But Eric, look, you're spot on. I don't know. I'm sure they're probably staffing up for it. But there's definitely a form for it and it's going to be logged somewhere in a database.

      Eric: I worked at the SEC doing database work back in the '90s. It was my first client consulting gig. And those databases are pretty long in the tooth. But they have a lot of data in them. I just don't know what they would do. "Okay, Bank of America. You've had 452 million records stolen." Where does the conversation with the SEC and Bank of America go after that? 

      I can understand some of the potential risk concerns that a financial institution would have around disclosure. Because it's all downside, "Hey, we've had a breach." What was breached? "This." What are you doing about it? "Here's what we're doing about it." At that point, I suspect the conversation gets a little wonky when you're talking to the government side. Hopefully, I'm wrong.

      Rich: Yes. Well look, I think when it's Bank of America, when it's something big, when it's one of the large banks and there’s a breach of size, the FBI is going to be running point on that.

      Eric: Or CISA.

      The Premise of the New Cyber Proposal

      Rich: Or CISA, right. I think you're going to run into the smaller organizations by them reporting it. Well, what are they really going to do with that? Are they going to look to say, "Okay, did you notify investors?" What are they going to do with that information? 

      Because again, the premise behind this is to protect investors. Part of it. The other part is the markets. Are you going to make sure firms notified their investors? They're remediating the issue, so now are you going to go in and do an audit and say, "Okay, you had this application open to the internet. Why was it open to the internet? Show me how you know this was the only data they got to. What have you done to remediate it and eliminate this issue going forward? Did you notify your investors? Did it go out in a quarterly letter?" 

      To your point, Eric, that's really the follow-up. If you're going to create accountability, that's the follow-up that you need. And I'm not sure that they're staffed up to do that at volume at the moment.

      Eric: Well, as a consumer, what do you do? I mean, let's take Equifax for a second. Stocks back up after a massive, massive breach. As a consumer, you don't even get to choose. Well, I guess you can sign up for credit reporting and a few other things with them. But they're doing credit reporting on you, period. What are you going to do?

      Rich: Yes, whether you like it or not. There's no opt in.

      Eric: You're stuck. Yes.

      Rich: They had your information irrespective of if you wanted them to, yes.

      Too Big to Fail

      Eric: If you're not happy with Equifax, too bad. You're stuck. I guess you can change financial institutions. You can change where you put your money, your investments, but there is a whole tangled web here. What about third parties that they work with that may have breaches? I just don't know that the average consumer of financial services really has the ability or wherewithal to make educated decisions. I can tell you I don't. 

      Some third-party organization gets breached, they disclose it. I don't even know who they're working with. They could be working with my bank. And if they are, what do I do? And do I really want to take the time to switch my payroll over, create new accounts? Not in that order, of course. So, we'll see. 

      Now that being said, I think disclosure, I think understanding the risk, I think managing this is critically important. It is, in my opinion, the most critical of critical infrastructure sectors we have to protect. Great step.

      Rich: Look, I think it goes back to the 2009, the Too Big to Fail. I think there's some organizations, as much as I was very frustrated with the Equifax breach. Just because look, as a technologist, you're like, look, this violates every best practice in the book. But also as a consumer, I never asked you to have my data. The reality is, you can't buy a car, you can't get a credit card, or even open up a cell phone account without one of those. Or all three of those, having your information. They're almost too big to fail and they need to be held to a different standard.

      Eric: Agree.

      What Clients Are Thinking About the Elevated Risk Level

      Rich: Right. They're such a linchpin and they should be fined heavily when there is an issue. I think that change is still yet to come. But that needs to be the next level of change within the financial markets.

      Eric: Let's turn to the current state of events. We've got the Russians invading Ukraine. We have a lot going on. How are your clients thinking about the elevated risk level, and what are they doing about it? Or do they not see an elevated risk?

      Rich: Well, I think everyone sees an elevated risk. I mean, we see data to prove that there's an elevated risk. I think there were some, somewhere, they're like, "Okay, I need to now really hunker down. And I might have been relying on just a basic cyber program. But I need to understand if I have gaps, like where are there holes? What does this mean for me?" I hear all of this. "I read the paper and I listen to the news, and there's all this increased cyber activity, but what does that mean to my organization? 

      Because I'm small. Who's really going to want to come after me?" That's a line you hear a lot of. If you think about it, there's a grandma and grandpa in the Midwest that gets hacked. Why do you think your $2 billion asset management firm is not a threat? Of course you're at risk, more so than most.

      There's that group of people that go, "Okay, maybe I need to beef things up. What can I do to close the gaps?" Others really want to understand the risk to their organization. Then I think others are really being a little more proactive. And maybe have taken a stronger stance.

      Everyone Wants Intelligence

      Rich: Maybe they had an override group for MFA. They're like, "Okay, forget about that. We're not doing anything like that anymore. No more override groups for multifactor." And they're really tightening their belt. But I think everyone is a little on edge and everyone wants intelligence. So, what's going on? How is it impacting me? And what can I do to close the gaps?

      Eric: Yes. Makes sense. 

      Rich: Indirectly now with a lot of these new malware packages out there, there's so much. The threat landscape is always rich. There's always a number of things that you've got to be worried about and prevent. Now the Russians released several new malware packages, which are just complex packages that are being repurposed now by threat actors around the world, whether it be nation states or gangs. And it has just taken something that was already at a 9.5 and it has just put it at a 10. The risk level now is, I don't think it can get any higher.

      Eric: Always get higher. I hope I'm wrong. 

      Rich: Could always get higher. But I don't think there's any more attention that you can now give it. I think that it's there now. And if you haven't decided to strengthen things, then you're kind of misreading the market.

      Eric: Yes, okay. Rachael, you were going to ask a question.


      [35:03] The Role of the New Cyber Proposal in Cryptocurrency
      Rachael: Well, it is kind of tangential. I keep coming back to cryptocurrency. And cryptocurrency versus, I guess what? Traditional financial, paper money, or whatever. And is there a role in that here? Does that potentially offer a more secure pathway for protecting assets? Clearly, I'm not a crypto expert. I don't know. But when we start looking at how do you diversify, protecting your assets, is that something that's going to be a play here coming up? Or what's your point of view on that, Rich?

      Rich: I mean, I think there's some really great concepts that crypto has brought to the table. There's also a lot of ambiguity that surrounds the crypto markets. And I mean essentially, it's not really backed by anything. It's a buyer and a seller. I can only sell it because someone else wants to buy it. And if one day there was no one who wanted to buy it, then I wouldn't be able to sell it. 

      So there's that kind of concept, which I think makes people feel a little uneasy. But the technology behind it, the open ledgers and blockchain, that type of thing I think really forced some financial companies to reassess encrypting data at rest, but what do I do with my keys? Where do I store them? Who has access to them?

      A lot of third parties now are kind of focused on, look, blockchain is a little too slow, I think, to be pervasive in the overall financial system. Just because look, transactions happen. You go to the store now and you go to Starbucks, you get that approved notification back within seconds.

      Rich: And in the US, I think a lot of the merchants and others are really worried about adopting increased technology because it's going to slow things down. You're going to be like, "I can't go to Starbucks anymore. Takes too long. Takes four seconds instead of two to get it." And they're worried that that overall experience is just going to be too slow.

      But I think it has driven a little bit of change in rethinking the way that data is stored and how data is transmitted, how data is encrypted. But crypto, I think, certainly has a place in the economy and it's here to stay. And I think the underlying technology is very elegant in the way that they've thought about it.

      Eric: That's a good point though. It does change the target set with your keys. I mean, I protect my cryptocurrency keys. They're written down in a safe, I've got them digitally, but I protect them. They're offline. But if something happened to me, I don't think there's a member of my family who could figure them out and what to do with them. 

      At the financial level, just pick any type of financial institution, you've got to make them accessible so people can leverage and trade. But at the same time, imagine somebody coming in with a Wiper and wiping all your keys. That's a bad day. Or ransomware. Same thing, ransomware. "Hey, we've got all your keys. Good luck. Have a nice day." It's a different risk equation.

      Rich: Yes. Well, that's why there's a lot of frameworks out there now for firms that are trading crypto, like hot versus cold storage. What do you keep hot? What do you keep offline, air-gapped?


      Put It Someplace Physical

      Rich: How do you even keep the cold? Where do you put it? I run across clients every now and then that are still doing tape backups. I'm like, "You don't need to be doing that. You could back up to the cloud. Very easy to do." But we've been trying to move people away from all these on-prem solutions, having servers in a closet, and worrying about the air conditioner. Everything is in the cloud, with connectivity out. On the flip side, crypto, which is probably the most advanced concept in digital and digital currency, to really keep it safe, we've got to put it someplace physical.

      Eric: It is a little bizarre.

      Rich: Not on the internet. There's a lot of irony in that.

      Eric: Yes. I've got some keys. I've got keys stored physically.

      Rich: Yes. There's a lot of irony in that.

      Eric: Like hardware, do we call them tokens or keys? I can't remember even. I haven't looked at them in probably five years, but they're stored.

      Rich: Well, they're cash, right? Whoever has them, it's like a bearer bond. Whoever has them is the owner. And look, there's a lot of custody platforms that are out there now to help keep track of the keys. Because look, people who are investing in those funds need some assurance like that. Like, where are the keys being held? 

      Similar to what you need when you trade a stock. You have a custodian. There's brokers who are transferring assets, settling trades. While in the crypto space, you need that same concept. Because I need to feel comfortable as an investor that my security is with someone.

      Eric: What's old is new again, Rachael. You have to know which walls the cash is in.

      Rachael: Exactly.


      What’s Old Is New

      Eric: It's not in all of them. Is it in the kitchen wall or the upstairs bathroom wall? Same thing with the crypto keys.

      Rich: You could put it on a thumb drive, much easier to hide. What's old is new.

      Eric: Much easier to lose.

      Rachael: Yes. I don't know. I'm really fascinated by crypto and I haven't dipped my toe in that water yet. I just keep thinking about it more and more, especially when you can go on PayPal and pay people in crypto. So convenient.

      Rich: Yes. That was big when PayPal allowed that integration. That really kind of legitimized the currency.

      Eric: Yes. It absolutely does. It's so unstable though. It bounces so much. You struggle timing. I've bought a few things just in testing, and it's like, this is too much work for me. 

      So, Rich, I want to go back though. Four days to disclose is what we're looking at at this point. What about detection? Are there any numbers around? Because disclosure is one thing, and I understand the risk aversion to, "Hey, let me tell the government what I know. It's not enough. I want to give them the whole picture. And before I tell them anything, I want to understand the picture." We may not have that in four days, but what about time to detection? Are there any metrics around that? When you're working with financial organizations, how do they think about that?

      Rich: I think most companies now see it as real time. You need a managed detection and response platform. And I think when you look at the SEC proposal, they call it out pretty clearly in there. Well basically, they don't say you should be running a platform. But they call out that you need that functionality. So essentially, they're calling out the technology that you need. They also want to see that you're keeping log history. 

      I think most firms are really running some sort of MDR solution to be able to aggregate data, analyze all the devices and traffic going across the network real time. Correlate that to threat feeds, known areas of compromise, indicators of compromise, alert immediately. And then have eyes on glass 24/7, 365, that are looking for those alerts, and they have a customized runbook and when they get it, they know exactly what to do.

      Rich: Is it isolate the computers, shut the port down? Notify the networking group? Whatever it might be. But I see that has been really a big shift where that kind of framework maybe back in 2014 was really unheard of. I think you start seeing it more in '15, '16. By '18, it became popular. 

      Now, if you don't have it and you're a financial service company, you're going to be lagging behind and you're going to be out of regulation. I think firms really see the value in that.


      [43:35] It’s Recommended to Leverage Third Parties According to New Cyber Proposal

      Rich: That's really where you could leverage third parties as well. Especially for smaller companies where hiring a 24/7, 365 team to be able to monitor and manage alerts is hard now. Even for large companies. I can tell you, having run enterprise technology for a number of years, these things never happen on Monday at 12 o'clock. They happen on Saturday, 3 o'clock in the morning, you're on vacation. You've turned off your phone, the charger is not available, whatever it is, it always happens.

      It's the perfect storm. It always happens. I've had issues on Christmas Eve when power is lost. And these things happen when you're not expecting it. If you don't have that framework in place, it doesn't matter that you detected the issue. If you can't respond and remediate quickly, it's kind of useless. I think firms are starting to see the value of that. And also too, I think you want your security team to focus more on the business risks, and managing that risk, and less around staring at a computer all day, waiting for alerts to come through. I think that's the other reason they've really embraced some of these kind of platforms and technologies.

      Eric: I hope it's changing because I still see in the industry, and I have a lot of coworkers and friends who say the same thing. People are still buying technology. Automation is still hard to get across to people in the SOC or the lower and mid-level, more early in their career. People who feel they have to put their hands on every single event, they have to be involved and see every single event. It's just not fathomable in 2022 anymore. So, I hope that is changing.


      Is There Automation Involved in the New Cyber Proposal?

      Rich: No, it's not. It's not. Yes. I mean I think, look, if you build really good runbooks, you can really handle a lot of things in an automated way. Look, every phishing email that someone reports, there's a standard process you follow to do that. So, somewhat what you were saying, Eric, you could automate that. Now when that phishing email comes in, someone forwards it to the security team. It's picked up by a process. They run it through the various kind of workflow. And then if something kicks out, it gets escalated to the SOC. Otherwise, a response goes back to the person, "Thank you for reporting this. It was just spam." 

      Versus having someone sit at a desk, looking at 100 of these a day. That gets really boring, and no one wants to do that. And it just doesn't scale well, because the volume only increases. It doesn't go down.

      Eric: Right. They don't want to do it, but they almost do. I mean, I do a lot of work on the government side. But we really run into a ton of resistance around automation and it's funny. We don't get a lot. You don't have a lot of clients who talk in terms of risk, risk management, understanding of risk. But they do want to put their hands on everything. 

      They don't think about automation almost from a risk perspective. "If I didn't touch it and something happens, I'm responsible." And I want to change that conversation to, what do you need to protect? How are you spending your time and resources protecting your most critical assets? 


      There Is Resistance to Automation

      Eric: They want to touch everything, but it's almost risk from their career perspective. "If I'm not on it, we could have a problem." It's bizarre as you watch it in action. Like I said, I'm not in the financial services business. I can't speak to that. But on the government side, there is a resistance there.

      Rich: Yes. There is always a little resistance to automation I see. I also work on the digital side where we do a lot of workflow automation, and there's a lot of pushback in the beginning around it. Like, "Oh, there's no way that you could do that. I own this. I'm responsible for that report going out. I'm not going to rely on you to kind of load this information and run it and process it." And then we always try and strike a balance. We say, "Look, we'll finalize the information. You approve it before it goes out, so it doesn't go straight out. You still have some control," but even then, they're still skeptical. And it's hard.

      Eric: Okay, as we're wrapping up, I have one last question or comment for you. I mean, we're focusing a lot on Russia right now, based on the world events. Are you advising and how are your clients thinking about China, Iran and the others who I personally believe have an amazing amount of incentive to operate in this challenge space right now? All eyes are on Russia and the Ukraine, but we do see reconnaissance and activity around China, Iran, and some of the others at this point. Are your clients thinking about that? Or it's just, "Bring it on. We'll take on anybody"?


      An Opportunity to Get a Little More Active

      Rich: No, I mean, look, I think that they're aware that the overall threat landscape has increased, not just because of Russia. But everyone else sees this as an opportunity to get a little more active. Maybe firms are distracted, hyper focused on Russia, especially the United States government. Is this an opportunity for us to fly under the radar? And while everyone's looking at Russia, we can kind of come in on the side. 

      I think people are just generally a little pensive about everything right now in the marketplace, just given the risks that it represents. As soon as the Russians released Wiper, there were variants out, I think, already being used by other nation states the next day, next two days. They're also leveraging like,

      "Oh, okay, thanks for sharing this zero-day vulnerability with us. We'll take it from here."

      Eric: Oh so accommodating, the industry. It's great.

      Rich: Yes. 

      Eric: Very friendly. Okay. Well, that's good news at least.

      Rachael: Yes, definitely.

      Eric: From a defensive perspective, not the sharing.

      Rachael: Well Rich, thank you so much. Everyone, thanks again for joining us for yet another To The Point podcast. And again, don't forget, don't forget, don't forget. Smash that subscription button. Smash it and you'll get a fresh episode every single Tuesday.


      About Our Guest

      Rich Itri - Chief Innovation Officer, ECI

      Rich Itri is the Chief Innovation Officer at ECI. He has over 22 years of IT executive experience, spending his entire career managing IT within the financial services industry. Prior to joining ECI, Rich was Managing Director and Chief Technology Officer for PJT Partners, a boutique investment bank, Principal and Chief Information Officer for Sky Road, and held Chief Information Officer positions at Arrowhawk Capital Partners and Arbalet Capital Partners. Over the years, Rich has developed and managed innovative, business-aligned platforms that drive revenue and operational efficiencies. Rich holds positions on several Advisory Boards and volunteers his time to help non-profits leverage technology.