
Understanding the Fundamentals of Cyber Risk

This is a podcast episode titled, Understanding the Fundamentals of Cyber Risk. The summary for this episode is:
About Trava
01:54 MIN
About Anchor
02:44 MIN
Cyber Risk Is a Threat to All Companies
01:25 MIN
Threats, Vulnerabilities, and Risk
02:04 MIN
People Are Your Biggest Vulnerability
01:27 MIN

Today's Guest


Jim Goldman

Co-Founder & CEO of Trava

C. Emre Koksal

CEO, Chairman & Co-founder of Datanchor

Megan: (Silence) Hi, everyone. We're going to wait about two more minutes to get started. Thanks for joining. I dropped a comment in the chat but feel free to use the chat feature or the Q&A option to ask any questions throughout the presentation and we'll make sure to address them at the end. So... (Silence) All right. I think we can go ahead and get started. I will let our hosts go ahead and kick this off and some introductions.

Jim Goldman: Well, good morning everyone. This is Jim Goldman. I'm CEO and Co-founder of Trava Security located here in Indianapolis.

Emre Koksal: Hello. This is Emre Koksal. I'm the founder and the CEO of DAtAnchor. We are located in Columbus, Ohio. I'm also a Professor of Computer Engineering at Ohio State University.

Jim Goldman: So, let me start off by telling you a little bit about Trava, what we do and maybe how we do things a little bit differently than you may have heard about cybersecurity companies in the past. So, being a fellow former Big 10 professor, I was a professor of Network Engineering at Purdue. I have to start by saying that Trava was founded on the basis of risk management process from a conceptual standpoint. And that risk management always starts with assessment. And I think that's probably the part of cybersecurity today that is most missing. You'll hear me talk about that more as the presentation goes along. So, the approach that Trava takes is, before we start prescribing solutions for a given company, we always assess. We've automated those assessments. We look at risk and vulnerability, scoring, maturity of security programs in terms of controls against industry standard frameworks. Then we start talking about mitigation, and in a prioritized manner. You can't eliminate all risk; you'd bankrupt your company. So, our approach is always to take an organized priorities approach to risk management. You mitigate as much as you can. And then this is kind of the part that again has been missing in the past. Once you've mitigated as much as you can, what you're supposed to do is take that residual risk and do a final step in the risk management process called risk transfer. And the risk transfer mechanism that we have at hand right now is cyber insurance. And so Trava is unique in the fact that we're not just a cybersecurity company but we're also a cyber insurance company.

Emre Koksal: Yeah. Let me switch with Anchor. So, Anchor is a modern solution that enables simple, transparent and affordable data security for SMBs to make it easy for them to solve difficult problems. For example being compliant, obtaining cyber insurance and so on. I mean, going back, traditional IT controls focused on turning our organizations into castles, protecting our data by basically building strong walls around our networks, servers, laptops or wherever you have your data. But we live in modern times and our data is no longer inside the four walls of our organization, right? Our data is everywhere: in our home offices, mobile devices, cloud and so on and so forth. So, you cannot build the walls high enough or wide enough to prevent bad things from getting in. So, you have to bake security directly into the data so it's free to travel. That's what we do. Anchor is a simple, turnkey, low-cost way to bake protection into the data to ensure your sensitive information's never viewable or usable, accessible without your consent. Anchor bakes protection into your data with our patented combination of encryption, multi-factor access controls, digital chain of custody and when you share or collaborate then the data gets out of your scope. Anchor protection stays with your data even outside of your organization, right? And Anchor empowers you to maintain control of your data while collaborating, including forensic logging and revoking access after the fact. So, Anchor's a SaaS platform at heart that provides zero trust capabilities to data on endpoints and in under 90 minutes Anchor's fully deployed, empowers your business to restrict access to the data. This 90 minutes includes user training as well. Super simple. And Anchor is currently helping small to mid-size businesses, local governments, public and other private entities meet regular compliance requirements, regulation and prevent their data from being stolen via for example ransomware attacks. 
And we help organizations obtain affordable cyber insurance without compromising on security and help them get compliant. And all is again as I said simple as one, two, three. One, what do you want to protect? Two, who do you want to view or use the data? Three, how do you want them to get in? As simple as that.

Jim Goldman: So, just for a little context, some of you may be well aware of this. You don't have to do much more than just read the headlines on a day-to-day basis and know that cyber risk is an increasing threat. And what's interesting is world events sometimes influence this as well. So, things are certainly getting more and more intense in terms of cyber crime and ransomware and things like that. Here's just a few statistics and we cite the sources down below. As Emre and I, our passion is to help small and medium-sized businesses. And certainly it seems like small medium-sized businesses are less prepared than enterprises in many cases. But the sad truth is that they're just as likely to be attacked as an enterprise. And if you look at these numbers it's a higher likelihood, a cost that could be potentially devastating to a small medium-sized business. And there's a high likelihood and high awareness of principals and owners of small medium-sized businesses that they are vulnerable. And a stat that's not on here is despite all this a very small portion of small and medium-sized businesses even know whether or not they have cyber insurance. So, we're going to go over some basic vocabulary. We didn't want to make assumptions about knowledge of risk management or terminology. And so we're going to try to take this in the context of kind of non-technical terms. So, it really starts with threats. So, what we have to understand is that threats come from very many sources. They may be inside threats, outside threats. They may be intentional, unintentional. They may be natural-type disasters that have to do with business continuity and disaster recovery. But it all starts with being aware of where the threats are. In other words, what are the weaknesses if you will and what we sometimes call the attack vectors that could potentially bring harm to your business. And threats can be out there. 
But it's kind of like, to Emre's analogy before, the castle: if your castle walls are thick enough, does it really matter what's outside the castle walls? And so it's this combination of threats and vulnerabilities that you have to understand. Vulnerabilities are the weaknesses in your hardware, software, procedures. We should know people as well. People's behavior. And that's the gap through which this threat can gain access to your assets. And so as we say here, threats exploit vulnerabilities in order to gain entry to your assets. In this case, we're really talking about data. Data is the most valuable asset that a company has and that they're under obligation, in many cases legal obligation, to protect. So, what's risk then? So cyber risk is really this intersection of assets, the things we're trying to protect, your data, the threats that are out there and the vulnerabilities through which these threats can manifest themselves. That's where the damage and destruction comes from. That's where the cost comes from. And so as we say, you put together threat with the vulnerability, there's that opportunity. That's what leads to risk. Risk can actually be measured. And Emre's going to talk a lot more about that. It's kind of the second half of the presentation.

Emre Koksal: So, thanks Jim. Let me share my screen and please let me know if you can view and it's clear. So, I'm coming from a quantitative background and I would like to give very simple quantitative examples to achieve our goal. Jim and you made a great start in making all these terminologies so clear. I would like to draw a mental picture. So, everything is on the slide and we have a good start here. So, at the core of things is an asset, right? This is the thing that you value. You don't want to lose and it's valuable for your business. But as you mentioned Jim, there are all these threats coming into your asset. The problem is when the threat meets a vulnerability an exploit happens. And an exploit means your asset is either captured or loses a significant portion of its value, right? So, you have defined risk as threats meeting vulnerabilities on your asset. So, there are two components to risk, threat and vulnerability. Threat is typically exogenous. You don't have much control over it but vulnerability you have the chance to address quite a bit. So, I am going to talk about the quantitative nature of risk. Not just identifying what your risks are but how actually for example Jim when he does assessment or your cyber insurance provider when they do assessment, go through a thought process when they evaluate your risks, right? So, this talk is about quantifying and mitigating risk. And obviously the focus is going to be on data. Your most valuable asset, right? So, we should start with the information system. I mean, modern information systems are combinations of protocols and channels connecting you to your data. So, there's a user and there's data. It's all about meeting the two. It's a very complex problem. Why? Because, as I have mentioned, in the modern era users are everywhere. They access their data from home, wherever they are, and data is also distributed on the cloud, on server, on mobile, everywhere, right? 
So, what do we do when we have a difficult problem? We divide and conquer. So, we basically put this problem into multiple layers and in each layer we solve a subproblem toward the end goal of building a stable system, meeting users with data. And for example these layers include authentication, networking to route data, transport to stabilize and access the last mile where data is provided to the user and these layers are connected with channels. Think of these as bit pipes connecting you to the data. Now the problem is, I mean, you as a user can pick a path between yourself and the data depending on the need and the application you're using but the same works for the attacker. Why? Because it's so complicated. The interplay between these different layers becomes again very complicated and sophisticated that this opens up doors for multiple vulnerabilities leading threats to turn into exploits actually in the system. And this notion that you keep hearing about, the attack surface, can be simply defined as the set of these possible vulnerabilities. And this is a large set. It's a huge set, right? So, obviously the reason why it's huge is it grows with system complexity. So, toward quantifying risk the most important question is, how long can I go until a threat to my system turns into an exploit? High risk means short time, low risk means long time. So, here is where I switched to a little bit of quantitative picture of things. I mean back in high school you asked your math teacher, "Hey, how are all of these going to be useful in real life?" This is where it's going to be useful in real life. So, I'm going to start with the tool that we use to model uncertainty which is probability. And we typically use an example of a fair coin which is I toss a coin, it's heads with probability one half or 50%, right? Now let's think of a problem where tails is the unwanted event. I don't want tails, right? I toss, 50% I'm good, 50% it's not good. 
The problem begins when I start tossing many coins at once or the same coin over and over again, right? So, to eliminate the possibility of seeing it tails the chances decay so-called geometrically to zero. So, for example if you have two coins the probability of not seeing a tail grows down to a 25% and so on and so forth. This is like an exponential decay here. Now here comes the analogy. You have your surface, your attack surface and there are all these exploit attempts coming in, right? They come in sequence. Not just in time but in space. So, this is your attack surface. The set of vulnerabilities are being exploited. Many of these exploit attempts will be unsuccessful. In fact, the probability of a successful exploit namely an attack turning into finding the vulnerability may be low but there exists specific attacks that exploit will happen. I mean, think of this as the offensive line in football, it doesn't matter whether all the offensive linemen are good, if one of them fails the task is over, there's an exploit, right? And the probability of no exploit decays geometrically to zero as the attack surface grows. This is the core problem of your information system. And this is what changes things in reality. To that end, I define risk as the probability of a successful attack across the entire surface. And I define value at risk if I have to put a dollar value to risk, suppose you have a dollar value of your data, this is the amount you lose if you lose data and there's probability of that being successful. The average value at risk is the product of these two. Let me give an example, a specific numerical example to make these things clear. It always helps to see a numerical example, right? And also make perhaps some of these notions more tangible. So, suppose you are an organization, a 10-employee organization, small business and you have this spreadsheet that contains highly sensitive information about your customers. 
The value that you associate to this is $500,000 for example just for the sake of the example. Now, let's look at two different possible vulnerabilities. The first one is you're subject to phishing attacks. All 10 employees receive emails trying to capture their user credentials. And if the phishing attack is successful, it is sufficient that one of the users lose their credentials, right? And in the second dimension, suppose there's a server that you don't patch, it houses this spreadsheet and there's a zero-day attack that exploits that vulnerability. Namely there's another way, another path toward reaching this data. Now let's put numbers to this example. The probability that a specific user's password is hacked is one percent, very small. But once you put 10 users together, trust my math on it, the phishing attack success probability grows by almost a factor of 10, slightly less, to 9.6%, right? And let the probability of a breach exploiting a zero-day vulnerability be 20%, slightly higher because it's there. It's sitting and it's there. It's not patched. Now let's do some math as per the previous slide. The probability of exploit namely one of the two, right? Phishing or zero-day being successful when you combine the two is close to 30%, slightly lower, it's 27.6%. See how it grows. I mean, from 1%, 20% when everything is put together your risk scales significantly, right? And now let's encrypt the file. Let's do something to address that risk. Let me just encrypt that file at risk. What happens when you encrypted that risk is that without credentials you eliminate the possibility of that data being taken away. And that reduces the probability of zero-day attack even though it's successful to end with the data to zero. And when the two events combined in this realm the probability of zero-day becomes zero because it's reduced to zero, probability of overall exploit becomes 9.6% which is reduced down to the phishing attack. So, value at risk. 
Your value at risk is $140,000 originally with this high-risk profile. And once you start reducing your risk it went down to $50,000. Why is this important? Because this is what Jim does. This is what your assessor does. They calculate your exposures. They put you in a pool depending on your cyber maturity. And they say, "Hey, the value at risk for this organization is X dollars." And that X is what you're supposed to insure. And obviously as that X increases, your policy grows. As that X decreases you start being able to get policies, right? And how do they calculate these probabilities? They calculate these risk probabilities, values at risk, based on statistics, based on past observations, experience. When experience is put together in a smart way it forms the statistics that they need to calculate the stress, right? So, next question. What's happened in the last few years so that it became so difficult for you to obtain cyber policies? It's very simple. The number of attacks per month grew from a few to 10s to 100s. So, what happens if that happens? I mean, so go back to the probabilistic picture, what happens is instead of tossing one coin where tails means you lose your data, now you're tossing 10s of them and all of them should be heads for you to eliminate the possibility of a successful attack. So, even when the individual attack probability is as low as one in 1000, when many of them combine it means it's a matter of time that you lose the data. There's ever growing risk and now your data is common commodity unless you take certain measures, right? And because the average value at risk, the probability goes to one, the loss probability becomes identical to the whole dollar value of your data. You can forget about cyber insurance. So, providers started saying not until you get specific things covered, not until you mitigate specific risks that you have. I mean, what kind of measures you can take, for example it starts with multi-factor. 
So, multi-factor you keep hearing about it and you have to be careful, there are specific ways of doing it correctly but what is multi-factor? Multi-factor is this idea of associating access to your data, to some physical attributes or factors for example. So, it's also sometimes referred to as versions of it as attribute-based access control but you have to be for example giving an okay through your phone or you have to be in a specific geography, specific IP ranges, say you have to be in a location to access your files. These are all factors that are required on top of your classical credentials to access your data. Now what happens if you have multi-factor? What happens is a bunch of nice things. So, first off each attack is successful with a lower probability because physical context unlike virtual is in most times less vulnerable. Attack surface decays significantly because not only the IT is in picture but these physical contexts need to be broken. And attack frequency is decreased because not all the attackers are sophisticated enough to address multi-factor, right? And if you look at the exogenous attacks, statistics says 99% of possible external exploits are eliminated by MFA. And as a result your cyber insurance provider requires MFA as a prerequisite for almost all policies. Now you're guaranteed to build this before you can even obtain a policy, right? My last slide is about what is the best way or what's ideal for MFA? Let's make it simple. Let's make MFA integrated down to the file, down to the level of your data rather than just protecting your access to a specific system, access to a network perimeter. Why? Because traditional security, the perimeter-centric security, if you just follow MFA for traditional security, the attack surface and the attack windows is large. And if you in the modern approach, bake MFA combined with strong encryption down to your data, it is called zero trust, all right? 
And zero trust is basically advocated by NSA right now. It's the next wave. Bake zero trust down to your file. And it is simpler. That's the reason why you do it rather than baking it into your network perimeter. If you bake MFA into your file, it's simpler, seamless, transparent. You can achieve it in the matter of hours as opposed to this. It becomes a simple project. It's because your focus is much narrower with the data as opposed to the entire network or IT infrastructure. So, to wrap things up Jim, I would like to say two things that we have said. It all starts with assessments. You have to start assessing your risks and you have to understand where you're exposed and what your vulnerabilities are so that you can have a good plan of addressing them and preferably mitigating them so that some nice things happen toward the end of getting cyber insurance. Would you like to add something Jim to this final slide before we close it?

Jim Goldman: Yeah. Actually it was on the previous slide. I just love the genius of the model. I mean, it's so obvious and so simple yet so genius at the same time. It's like the bottom line that we're all trying to protect is the data, right? Data is the asset. That's where we started talking about this. The asset we're trying to protect is the data. It only makes sense that the protection we provide should be as close to that asset, as close to that data as possible with every layer you go higher than that you're one step removed from protecting the asset.

Emre Koksal: Correct. Yeah. Thanks for the nice clarification. So, at this point Megan I guess we can switch to the Q&A. Please feel free to share your screen and we can take it from there.

Megan: Yeah. We just have and again anybody we have a couple of questions that have come through but if anyone has any questions so far from the presentation, please feel free to drop them in either the chat or the Q&A option at the bottom of your screen as well. But so I guess this one's for you Emre but the data protection sounds interesting. But what does this mean from a compliance standpoint?

Emre Koksal: Sure. So, very good question because I mean secure so what? Right? That's the obvious question. So, compliance is about being cyber mature. So, you have to have a specific maturity level in terms of your cyber hygiene in order to obtain for example contracts from the government, from the Department of Defense or to be able to run your business, right? If you're for example handling PHI. So, that is of critical importance and there are some very difficult problems that you need to solve toward being compliant including for example control of the flow of information in and out of your organization. That is arguably one of the most difficult problems because we have really small visibility of what's going on especially as the data is everywhere, as it's downloaded to your desktop, as it's accessed from your mobile devices, the visibility is really small, right? So, this problem of controlling the flow of information is very difficult. And that's one thing that you can solve, arguably the most difficult problem toward compliance, by getting your data protected. Other thing's incident response. So, you need an incident response plan to become compliant. And that incident response plan starts and I don't want to call ends but the most important component of it is, where is the chain of custody? Who accessed data, when and where? So, that chain of custody should be there for you to say build procedures toward meeting compliance, right? And building your incident response compliance. And there are other problems that you cannot think of right now that are maybe thought of as second order such as the split tunnel issue for example. And if you inject protection down to your data, you directly address those second order problems so that they don't pose a big deal for you subsequently. Why is this important? Because it's simple. Because if you go down to the data level and if you protect your data, some of those high-level problems solve themselves. 
High-level meaning around the perimeter. And if you try the traditional way of addressing everything at the perimeter, there will always be the next vulnerability that you need to address and compliance becomes very difficult. So, going back to your question data protection and integrating security all the way down to the data is the first step and perhaps the most important step toward becoming compliant which is a big business problem, right? Because you have to sign contracts, you have to do business and it makes it simple and scalable.

Megan: We have a couple more. Can you talk about the relationship probably Jim between cyber risk assessments and cyber insurance?

Jim Goldman: Absolutely. So, traditionally the two have really been divorced from each other as crazy as that sounds. Even within many organizations that have a good cyber risk management and cybersecurity program especially in a larger organization, the cyber insurance was handled by the Finance Department or the Legal Department. And the cybersecurity team or the IT team may not have even been involved in acquiring that cyber insurance. So, there's what we describe as a chasm literally like a canyon without a bridge across it between the cyber risk management program and the cyber insurance program. And so what we do at Trava is we take the data, again this is why Emre and I are kind of on the same page while we're having this seminar today, it's all about the data layer, what we take as the risk assessment data that's the snapshot of the current maturity of the risk management program of company. That is the measurement that we use, the data that we use to do the underwriting for the cyber insurance policy. The way it's done now is you have to fill out a 14-page application with 200 questions or whatever, many of which the people that are filling them out don't understand or they get their managed service provider to fill it out for them. What we're trying to do is make a direct connection at the data layer between the real risk posture, cyber risk posture of a company and the amount and even types of cyber insurance that are needed. What a lot of people understand is that there is no standard cyber insurance policy. There's a very small amount of standard coverage. And then there's 13 or 14 endorsements which are additional coverages that could be added. Not every company needs all 13 or 14 of them but some companies desperately need one or two of them because of the nature of the business they're in and your standard policy isn't going to include what may be the most important kind of coverage for that particular company. 
Case in point: social engineering coverage, ACH fraud coverage, third-party liability coverage, that kind of thing.

Megan: A kind of a follow-up to that question. It says many of the large insurance companies that do offer cyber insurance are now requiring risk assessments. Is Trava doing this for any of the large insurers?

Jim Goldman: So, yes. Absolutely. Because we are able to write, we not only write our own insurance literally the policy says Trava cyber insurance but we also have the ability to write for about eight or 10 other carriers. And we do the risk assessments for those customers and then pass that data onto those carriers.

Megan: Question that says the biggest challenge that I have encountered with the SMB space is the lack of ongoing training for employees. Most business owners and leaders seem to believe that they can do initial training or annual training and that will be good enough. How do you respond to this?

Jim Goldman: So, in a couple of ways my quick answer is it goes back to our initial slide about threats and vulnerabilities. The most vulnerable aspect of any cybersecurity program is people. And so whoever wrote this question is absolutely right that we should be concerned about training. So, the people vulnerability is the fact that they click on emails and click on links that they shouldn't. As simple as it sounds if you look at the statistics of all the ransomware attacks and everything else lately, they start with a phishing email. And so the most effective thing we can do is an ongoing program of phishing testing and it can't be once a year that's the thing. And so part of the Trava platform is we have built in there a whole phishing engine where they can send out nine or 10 or 13 or 16 different possible phishing schemes to their employees. And they can send out different ones to different employees and so forth. I think that's the most effective thing they can do. The more broad kind of typical security awareness training that happens annually. Yes, that's still good but I think there's nothing more effective than ongoing phishing testing and education. We're not trying to embarrass people. It's not a got you kind of thing. It's an education thing, all right? Here's what you should have been able to see in this phishing email that would have given you a clue that it's not legitimate and you shouldn't click on it. That kind of thing.

Emre Koksal: Megan, if I may add another parallel idea to the question. So, indeed training is important. In the language that I try to develop, what training does is it reduces the probability of a single attack and exploit attempt to get it to a lower amount. But one thing that we should be careful about is it doesn't get it down to zero. And as Jim mentioned, this is a sequential thing. It keeps happening. Another thing that's happening inside of an organization is you train employees but ultimately in time they choose the least resistant path towards solving their problems, right? If they find some friction they solve the friction by for example going over to a different direction that they're not supposed to do, opening up a vulnerability in your surface. Your attack surface becomes wider in that case. So, ultimately when you fully rely on trust to solve this problem, it doesn't work. So, the only point that I want to add to this is you should also add technical and technological mechanisms to eliminate the trust. I mean, training is super important but if you can also on top of it eliminate trust or use technology to train the users to build habit of accessing for example their data subject to the rules on specific places, that is the best solution because that gets the probability of exposure or probability of the exploit being successful to almost close to zero.

Megan: Great. Do you recommend that SMBs should be using an MSSP or MSP for cybersecurity?

Jim Goldman: I guess I'll go first and then Emre please join in. I hate to use the classic answer but it depends. And it depends large SMB can be everything from a two or three person organization up to whatever several 100 or that type of thing. I would give a qualified yes as the answer. However, I would also say that all MSPs and MSSPs are not created equal. And so you have to shop carefully because what this is really about is vigilance as Emre said too. It's the ongoing training. It's the ongoing risk monitoring and so forth. So, just having an MSP come in one time, do a bunch of work and then that's it, that's not really protection, right? And so what you really want is someone that has a more comprehensive offering. Right back to the beginning where Emre was talking about multi-factor authentication, if that's something you need help implementing absolutely hire a well-qualified MSP or MSSP to put that in place. That would be my number one thing. If I don't have multi-factor authentication working right now that would be the biggest return on investment you could possibly do in terms of improving your security posture.

Emre Koksal: So, yeah. I would like to add something that's I mean pretty much summarized my response to the question as well Jim but obviously it is good, right? Because these guys have experience, they see cases and they have judgment if you pick the right one. So, again I love analogies. So, I'd like to build an analogy here as well. So, it's like having a doctor for your health. Do you rely only on the doctor for your health? The answer is no. You have to eat healthy, you have to exercise. I mean, you have to do all a bunch of other things not just go to the doctor every once in a while and follow their advice. It's a similar thing here. There's no way around as an organization you becoming mature but having said that having an MSSP is also a significant step toward achieving your goal especially if you pick the right MSSP. And just as a side note, we at Anchor work closely with our partners. We have a bunch, a significant number of MSSP partners and if needed we would love to help recommend partners that know what they're doing to anybody who is interested in finding out more.

Jim Goldman: And I think just one other point that may be obvious but we should articulate it is, it's cost effective, right? For the average small medium-sized business, it should be way more cost effective to hire an MSSP to do this than to hire the three or four full-time head count that you would need in order to bring it in house. That's the point.

Megan: What role do you see AI playing in the cyber defense space?

Emre Koksal: So, yeah. Let me give it a shot. So, AI is again using the technical term, AI is nothing but functional approximation. What it means is that it's good for, for example, building matching patterns. And as a result it can be helpful in say detecting some attacks, some anomalies because it's going out of the specific pattern that you train your machine learning algorithms for example. So, it's good. It's definitely promising but by norm it's just because you have the AI detection system for your attacks, you have solved your problem. Why? Because I mean so whenever there's detection you have to measure, "Hey, how much do I miss?" Because it's not zero, it's never zero. I guarantee you. And what's the fraction of say false alarms. That's also important because that's not zero. And it also impedes your business, impedes your ability to do business. So, to understand that and there are good ones, there are bad ones but there's a trade-off between the two, right? You have to definitely understand that but more importantly you cannot avoid building a separate program for mitigation. So, if an attack is detected you have to go to the first principles, how do I protect my data? How do I do my incident response so that the attack that I detected using AI or other means is addressed properly?

Jim Goldman: And what I would add is AI as Emre correctly points out is great at looking and identifying patterns from past data in an effort to predict future. That breaks down unfortunately in the cybersecurity world because future exploits could have never been seen before. So, it doesn't matter how much the AI digs through past exploit data and root causes and so forth because of the nature of cybersecurity and the exploit. So, that's a key point and this is also one of the difficulties with cyber insurance. People will say, "Well, the problem with cyber insurance is there's no actuarial tables yet. And as soon as we get actuarial tables, we'll be all set." That's not true. Because actuarial tables are nothing but a recording of what has happened in the past and using that to predict the future. Unfortunately that's not necessarily possible in the cyber realm.

Megan: Great. Doesn't look like we have any more questions unless anyone has anything they're holding back at this time. I will just go ahead and share my screen again and... We do... Thank you everyone for joining us. We have two free resources here that you can choose to download now if that's something you want to do. If not I will be sending a follow-up email with the recording of this presentation as well as links to these free resources. So, we have a free e-book here for a buyer's guide to cyber risk management and then also a quick guide for compliance. Again I'll send a link for these in a follow-up email so watch your inbox. And that is the conclusion of our presentation. Thank you so much for joining us. Thank you to both Jim and Emre for your insight on cyber risk. So, have a great day.

Jim Goldman: Thank you Megan for hosting. Great job.

Emre Koksal: Thanks Megan. Thanks Jim.