
2024 Security BSides // Georgia Scott

BSides Cayman Islands · 51:46 · Published 2025-01
Transcript [en]

...stage, and thank you for joining us. [Applause] Hi everyone. I totally recognize that I'm standing in the way of happy hour, so I'm going to go through this quickly and efficiently. Show of hands: who's in compliance in the room? Who's left in the room? Oh good, okay, so this will hopefully be relevant to most of you. Happy to be here to speak. I was at this conference last year and was blown away, and I'm so happy that I could attend and actually be a speaker. I see RJ's in the back; he kind of has gotten me into the swing of things and realizing the importance of cybersecurity and compliance, especially as it relates to AML. So we'll talk a

little bit about that. Hopefully you learn something new today from a compliance perspective. Let me see how this clicker thing works.

I picked it. So, cybersecurity is not just for techies anymore; it's really for everybody in the room, including compliance people. Why is that? So we have this global digital transformation. We are seeing everything change right in front of our eyes; it's happening really fast, and it's good for business. It's streamlining processes, it's streamlining efficiencies, it's even enhancing customer experiences, depending on who you are. And it's really good; it's going towards progress and innovation. But with all the new technology there are obviously risks that we need to be considering, and it's also a point where the criminals are also evolving and changing and moving at a rapid pace, in the same way that we are

too. So it's a problem, and it's why everybody needs to kind of think about it. The evolving threat landscape: so the criminals, they're sophisticated, they're fancy. They are doing ransomware and data breaches, and we heard a lot about ransomware today; we're going to keep talking about ransomware. And this is hitting our companies, it's hitting our governments, it's hitting their pockets and it's hitting their reputations. We see the rise of state-sponsored cyber attacks; we heard John earlier this morning talk about the Lazarus Group, this is North Koreans. We also see organized cybercrime gangs. What I find very fascinating about this is they're very organized; they have

businesses, they have cubicles, they have offices, marketing departments, maybe even customer service agents. They probably do a little bit of team-building exercises. But seriously, if you read in on some of these organizations and these gangs, especially in Southeast Asia, it's very organized. They're better organized than our regulated companies right here on island, and you have to kind of take a minute to let that resonate. These are the criminals that we're trying to fight against, and they're more organized than we are. That's sobering when you think about it. Then we have regulatory pressure, and so for all my compliance folks in here, we're talking the same language. We have CIMA, we have

the Ombudsman, we have John, maybe, if we report things, 'cause he already told us that we're not reporting things. But we have regulatory pressures where we know we have to do certain things, and we may not be doing it, and we have to stay abreast of what's going on: the Data Protection Act; if you are a business that operates in multiple jurisdictions you have to think about other jurisdictional ramifications, GDPR. So these are all things that we have to kind of understand are affecting more than just our IT folks in a business, right? Data protection and privacy, like I just said, the DPA. And then we think about the different sectors, and some

sectors don't have full-on IT cybersecurity teams; they outsource it. But financial services obviously is a big deal here in the Cayman Islands; it's our largest pillar, it's what keeps our jurisdiction going strong, and the stakes are quite high for the financial services industry. It's a lot of data and information of a lot of rich people and how much assets they own, don't own, owe, and all of that information is right here on these shores. You think about the healthcare service: it impacts patient care, safety, privacy; we have medical tourism here. Hospitality: lots and lots of information at the hotel. I don't know if Gary talked about, I know he talked about the

IoTs, and I'm not a technical person, I'm a compliance person, but you see in the hotels all this fancy technology, you know, the wristbands to open the door and everything. All of that stuff is more than just IT people's problems; it's all of our problems, if we're the consumer, if we're the employee at the place. It's a problem that we all need to be aware of. So it's not just a techy thing anymore, and that's the point I'm trying to drive home. And apparently we need to be guarding our paradise from cyber threats. So we have these different rising threats, and it's a regional issue, and a lot of folks in the

room, you guys are based here in Cayman, and we have a lot of speakers visiting from abroad, but to bring it home regionally, when we think about what's happening: I got some stats yesterday from John Watson. In 2022 we had ransomware attacks that were reported (remember, he says nobody reports them): over 2,800 attacks in 2022; in 2023, over 5,300; this year, year to date, we're at 4,600, with almost 500 reports in this month alone. So we all know that it's happening, and that's just who decided to report, right? So it's definitely something that's happening right here on our shores in the Caribbean region, and regional experts note that there is a lack of mandatory breach notifications

for transparency, and obligations for the different countries within our region to report these incidents. Luckily enough, and we'll talk a little bit more later on in some of the slides, we do have reporting obligations; it's just that we're not doing it. It's unfortunate. The financial sector vulnerabilities, and this is where I think it's really important, so this is a key pillar of the Cayman Islands. Anybody familiar with the FRA, the Financial Reporting Authority? Okay, so the compliance look. So the Financial Reporting Authority would be equivalent to FINTRAC in Canada or FinCEN in the States; this is when you see something suspicious or unusual, you report it to these authorities, right? So the FRA in 2023,

they just issued their 2023 annual report. Business email compromise, which we heard a lot about earlier today: based on the number of SARs received in 2023, $3.3 million was lost right here in Cayman, of the people that actually reported, because we know that people are not reporting, right? And they were able to stop a further $2.8 million of money going out, just from fraudulent emails. In 2022, 472,000. 472,000 to 3.3 million; what will this year look like? So it's not a decreasing problem, and again this is just people that have reported, right? The FRA has confirmed that Cayman Islands funds, which we crossed the threshold of 30,000 registered funds here in these beautiful

islands, which is a huge achievement, but we know that there are Cayman-registered, domiciled funds that are invested in companies that have experienced ransomware attacks. So think about this from a compliance perspective if you work in the funds industry, and how it's all going to start to be interconnected, and you can see how that's going to affect maybe some of our clients, some of our service providers, yourself included. We touched a little bit on the regulatory landscape; I know Vlad talked about this earlier with the Rule and Statement of Guidance on cybersecurity, the Cayman Islands Ombudsman, which is the regulator for the Data Protection Act, and regionally we see that Caribbean islands are kind of getting up to speed

and starting to implement and update their data protection acts. So we know that it's not that we're ignoring it. I wonder to myself sometimes, are we not moving fast enough? Because the technology and the pace of the criminals are rapid and we're just kind of lagging behind, right? With a combination of industry and governments to kind of come together to move this process along. Healthcare and hospitality in the region: personally, I've had my data leaked right here from a healthcare provider in the Cayman Islands, and then I emailed her and I was like, hey, you know, we can help you with cybersecurity. No response. And I

emailed again, hey, by the way, you know; no response. And it's like, did you report it? Probably not. And the legislation covers all the various sectors; even though they're not a CIMA-regulated entity, they do have an obligation to report. I didn't really see it on the Ombudsman's website, but you know, this is the kind of atmosphere that we're in. It's like the reputation of being on a small island: nobody wants to be the one that reports it, to be on Marl Road. But it's not really helping; it's not really helping anybody else, right? I wanted to touch a little bit on not just healthcare and hospitality, but I got some stats from John yesterday, so

technology companies, manufacturing companies, healthcare and construction companies, all at around 11, 12% of the population that are reporting ransomware; the public sector, 7%; and then financial services, guess: 6%. Does that make sense? Only 6% of ransomware attacks that have been reported to the police are coming from the financial services. That's crazy; that's not true at all, that's a lie, because they're not reporting it. That's the point I'm trying to get across: we have to report it. You can't be helped if you don't report it. We'll talk about awareness and preparedness and how we can bring this all together in terms of how we protect the Cayman Islands and the jurisdiction, and government initiatives

will play a big role in that. We have Miss Pam Green in the room; she's lovely. It's these public-private partnerships that I think need to be developed on island, and it's something that we recognize is important, and we also recognize in the industry that government plays a role in this, and we have to figure out how that will look in the future. We know that there's a National Security Council and it can include cybersecurity measures that may affect the national security of our island and jurisdiction of the islands. We have the police and John Watson; they are doing a lot with training and awareness. John is everywhere trying to

get the word out: report, report, report. They have a website, if you're not familiar with it, Cyber Safe. This website is not just for businesses; it's for kids. Kids are being targeted online with cybersecurity issues; don't get me started on sextortion scams and pig butchering. The elderly are being targeted. So it's not just small businesses and regulated entities; this is a wider problem, and it's a societal problem, right? And to my knowledge, I don't think that we have any type of cybersecurity association on island, and I think that's the point: that we probably need to figure out how we come together as a jurisdiction and

industry to get something going like that, because you can see the benefits of how this will play out long term for the island and the jurisdiction, especially when I start talking about AML, because that's my thing. So we'll talk a little bit about governance and board responsibilities. I won't go into it too long because I know Vlad talked about that. The big thing is that the buck really stops with the board. It's a big job with big responsibilities, so when you're the board you need to understand what you're doing, and you have a role in cybersecurity, and it's not an excuse to say "I'm not an IT person" when you're on the board. Anybody

on a board in here? Ooh. So when you're on the board you have the financial and fiduciary obligations and duties to protect the organization's assets, and that includes data and IT infrastructure. You kind of have to know what's going on with it; it's not just knowing about the P&L, and now, because you were forced to, knowing about AML; you've got to know about other stuff too, right? Board members need to be informed on cybersecurity risk; they need to have regular briefings and training, and it's excellent to see that there are board members here in this room that are a part of a conference like this. There should be way more; this is the type of forum and the type

of event that board members should be attending so they really understand the risk that they're facing for the organizations that they govern. Setting the tone at the top: so boards, in the same way that you would set the tone for AML and compliance, you should be setting the tone for compliance with cybersecurity in the exact same way. Incident response and crisis management: I think that for board members it's not "go sort it out and figure it out"; the board needs to be involved and understand what's happening in the process, because again, the buck stops with the board, not the IT guy, not the cyber guy. So they need to understand, and they are essentially calling the shots

and most times signing that paper to whoever it is, right? I wanted to point out, just before the board's role and responsibilities, what we see in some larger organizations, and I used to work for a large international bank: so you would have a subcommittee that was just for cybersecurity. So in the same way you have a compliance audit subcommittee, you'd have a cybersecurity subcommittee. And what I see now and what I expect to see in the future: all boards are made up of accountants and lawyers, because they think that they're the smart people, right? But you also need an IT person on a board, and you're starting to see that shift where boards are becoming

more diversified, because how can you collectively as a board be able to govern and understand the risk if everybody's a lawyer or everybody's an accountant? So in the same way that you're starting to see compliance and AML professionals on boards of financial institutions, you're starting to see subcommittees for cybersecurity, if you're in a mid-size or larger institution, and you're starting to see IT professionals sitting on boards. That's invaluable; it's so important, because you need to have that mix, because when these problems arise you need to see it from all different perspectives and you need to have that experience on your board. I have a client right now; they're a bank. We did an audit for them; they

have issues. I picked up the phone, I called the chairman, I'm speaking in Greek because I don't know anything about IT and cybersecurity, he doesn't know anything about IT and security, but I know he has a problem. And they had a board member that was an IT manager, and I was like, wow, that's smart, and he was able to say yes, this is what we need to do, and he explained everything: what happened, he understood what the process was, what he needed to fix. And it was like, yeah, that's the way of boards now. Investing in cybersecurity: it sucks, because everybody's paying money for AML at the moment, but you might want to

think about how and what you spend on cybersecurity and being able to balance that. And compliance and reporting: so the board needs to understand that you have certain timelines within which you need to report any type of breaches. So a lot of times the boards are relying on senior management to make sure that that's happening, but you better know that your senior management is doing it, and what mechanism do you have in place so that you know senior management is reporting to the Ombudsman within, you know, five calendar days, or if they're reporting to CIMA within the 72-hour time frame? Like, you have to have something in place

where you're holding people accountable as a board. Okay, so, hold up, give me a minute. Audits and, right, the title of my, I'll tell you it quickly: the title of this talk was supposed to be "Oh boy, give me a minute on that," and I was like, we can't say "oh boy," that's not politically correct, so I had to take it out. So it's just "give me a minute on this." So we'll talk a little bit about audits and the regulatory framework, and I already talked about the regulatory framework with CIMA's Rule and SOG on cybersecurity, and within that rule they talk about the different standards that are acceptable, including the NIST standards.

So most people on this island would be using the NIST standards as it relates to their cybersecurity programs, which is good; that's the standard I'm more familiar with, and the people that we work with are under the NIST standard. So the different types of audits: you can have an internal audit, which, if you're a larger organization, you'll have a third line of defense that will operate that, or outsource that, or you could have a full-on external third-party independent audit of your cybersecurity framework. Either one will work for the purposes of the regulator. Some people, if you are a much larger organization, you might want to get those experts in, like RJ would

love to come in and do your audit because that's his thing, and that's really going to help you identify any issues before a regulator does, or before you're on the news. Preparing for an audit and/or inspection: we do know that CIMA is looking at cybersecurity programs as a part of their prudential inspections for regulated entities, and they did a cybersecurity thematic review on some licensees that they have inspected, so we know that that's a possibility. So in preparing for those audits and/or inspections, I think what I always tell people is: self-identify any issues. You should have an idea of what's wrong, what's not wrong. Be upfront; let your auditor know, this is what we know is wrong, no, we

don't have a plan; yes, we have a plan and this is the plan; whatever the case may be. I think it's really important to have your documentation, if you have any, very organized. It helps an audit to go smooth in any type of audit, but especially in a cybersecurity audit; the auditors will love you. The next point is to designate a key person. This is what I always find challenging as an auditor, because sometimes that key person doesn't understand what's happening. So if you're in an AML audit you would designate somebody that understands AML; if you're in a cybersecurity audit it can't be the AML person, it needs to be the cybersecurity

person that can answer the questions properly and can work with compliance or whoever that person is internally, so that the flow of information goes smoothly. And just be upfront and transparent: if you know there's a problem, or there's information that you can't provide because you don't have it, just say you don't have it; let's not beat around the bush. So those are some tips about preparing for the audit. The type of audit findings that we see, and that CIMA has seen, in terms of findings in their thematic review: control weaknesses; documentation not being there, or not being aligned to the NIST standards and/or to the Rule and SOG on cybersecurity. I've seen

challenges where access control is an issue: password settings, I know people talked about that, not being changed frequently enough; when people leave an organization they still have access to systems; or people change a role within an organization, so they sit in a different group, so they should have limited access, but they still have access to everything. Those are the type of things that you'll see as a common finding. Documented and tested incident response plans: so people think they have a response plan; it may or may not be adequately documented, and even if it is documented, they never tested it, so they actually don't know if it even works. So you can have something documented; is it

robust enough based on your nature, size and complexity, and did you test it? Did you do, like, a trial run, did you do a round-table exercise? Training: insufficient employee training. I love the annual trainings where you click through and it doesn't make any sense; you just click, click, click, click, click and you get the certificate that said it took 45.5 seconds, and you're like, okay, I learned about cybersecurity. Is that really adequate? And sometimes when I see these audit findings, people question it: "but we had the training," and I'm like, yeah, but it wasn't that good. If I asked a person in the room what the rules were,

or how many characters for their password, they are unable to tell you anything. So sometimes the training is not robust enough; you can't evidence that the employee understood or can take anything from it. And so those are the type of findings that we see. I wanted to talk a little bit about the role of compliance in audits, because compliance is second line, and you have some compliance professionals that will say, well, I don't have anything to do with third-line audits, or I don't have anything to do with cybersecurity, you know, I'm just AML. And then you have some people in organizations that feel compliance should be involved in

everything, and it's a fine line. It is a fine line. My personal stance is, I think compliance should be in the room. We might not necessarily lead and charge the way, but compliance really are the influencers in the organization as second line; we're the glue that keeps everything going. So we need to know what's going on, pretty much. We might not need to be in control of everything and in charge of everything, but we need to understand if there is a problem. Don't tell me about the problem six months later; I can't help you then, and then I'm going to lose sleep and I'm going to have to be working late, and it's a problem. Just tell me up front,

keep me in the room when things are happening and decisions are being made, so I can raise my hand and say, hey, this is a challenge, you know, think about this before you move forward. So in the case of an audit, and in anything, I would always tell people: keep compliance up front in the process, because if you find a breakdown in the audit, or you're self-identifying an issue, and compliance doesn't know, well, compliance can remedy that for you, or support you in remedying that, lead you in the right direction, especially if it has to do with regs and the Rule and SOG. So that's our thing, so just let

us know up front so we can help you before the auditors come or before the inspection comes, because they're going to run the inspection anyway. So keep us in the loop so we understand if there's an issue. And the main message here is compliance and IT: yeah, they're separate departments, but they really should be best friends. Like, they really should be best friends, because they will help each other and help the organization as a whole. We talked about regulatory reporting requirements. So, the fun part now: we're going to talk a little bit about ransomware. They said I have 26 minutes. So, ransomware: I think everybody understands what ransomware is. We heard a lot about it earlier; John had a

really good example. The phishing emails, they're good; there are no typos in them like five years ago. They use ChatGPT and they say, hey, make it sound funny, make it sound clever, make it be perfect. They're really good. And so these are some of the things that we need to be aware of, right? What I learned in preparing for this: did you know they have ransomware as a service? That's wild. Did you know you can be a ready-made criminal for $5.99? That is crazy. You literally can just click on a button and they'll give you all the tools to deploy ransomware, and I can be a criminal just like that.

That's crazy. And so these are the type of things that we as businesses and in the financial industry, this is what we're facing, right? So it's not just, like, the big bad criminals; you have all the rookie nickel-and-dime criminals too, right? So you're being attacked every which way. Now, my challenge with ransomware: when you pay this money to these people, who are they? We already know that the predicate offense is money laundering, but you're paying it to Lazarus, and John said that is North Korea. That's proliferation financing. Did y'all hear me? That's crazy. We just got off the grey list, y'all; think about that. Think about that: terrorist financing. So when you pay that

Bitcoin, that's supposedly traceable on Chainalysis; I don't understand that, and that's okay, I'm going to figure it out, but I ask questions, and I ask questions. I'm like, well, if it is traceable, I don't understand why we don't get the Bitcoin back, and that might be way too technical for my little brain to understand. But I do understand that when you send money to a terrorist or to North Korea, that's a breach. And I do understand that we're coming up to the fifth round of the FATF mutual evaluations, and I do understand that I would not like to see the Cayman Islands back on the grey list, because that's my bread and butter, and

pretty much everybody's bread and butter in here. So when I think about how cybersecurity ties into AML, I'm like, I don't think other people understand that. And I had that light-bulb moment last year when I was at this conference; I was like, but where's that money going? And people need their data, so they pay their ransom. And when you're paying your ransom, do you tell anybody? Did you report it to the FRA? Did you file a CRF, compliance reporting form, for those that are not compliance in here? Are you the MLRO? When you paid that money, how does that work with transaction monitoring? Like, these are questions I'm throwing out, because I'm so thankful to God that

I've never been in a company that paid ransomware, because I don't know how I would handle it as an MLRO, because you really don't know where you're sending the money. So you send that money because you need your data, but then what do you do? You file a SAR, and then what do you say? And do you report it to the police? And we already established that we're not reporting it to the police, remember, and we know that people are not reporting it to the Ombudsman, and we know that people are not reporting it to CIMA. Nobody's reporting it, because we see, we hear about it, and we know it's being paid, and it's just not

happening. So are we really funding terrorist financing, proliferation financing? I don't know; I'm just throwing it out there to think about. And if you are an MLRO or compliance in this room, how do you manage that? I don't know; just throwing it out there, which is why I think it's important to have these public-private partnerships and industry associations. Like, we need to be talking about this stuff. I don't know who's talking about it, because when I talk about it in little circles people are like, "oh," and I'm like, you didn't think about that? But surely other people are thinking about it. But are we coming together to talk about it, and how are we going to solve

that? Preventative measures: for the technologically inclined people, they say that system updates and patches; I know about system updates, I don't know what the patch thing means, but I know that if you are working in a corporation and you don't see any kind of updates on your computer in six months, you need to ask a question: hi, IT, I haven't seen any updates. Because I get updates like every month, all kinds of stuff happens, and I'm like, oh, they must be doing something good, so I'm getting the updates and I'm happy, right? So those are the type of things. The employee training, and it's not just the click, click, click; the training has to be meaningful, useful,

because the stakes are really high in our industry. So while we're ticking the box to say we're delivering employee training, is it useful, so that employees really understand, like, seriously understand what's happening? And they don't have to be experts at it; they should be sensible enough to say, oh wow, I need to not click on this, and this is what people are doing in the background. And again, Miss Pam: collaboration and information sharing. We have to figure out a way as a jurisdiction to come together, create an association. We have an association for everything else; I don't understand why we don't have an association for this. And if it's something that needs to be

piggybacked under the Compliance Association, which I've already thrown out there, because I can see how we are interconnected. So we'll talk a little bit about a couple of cases that happened. The Colonial Pipeline case, I'm sure everybody is familiar with it: all the gas on the east coast in the States, the infrastructure got hacked, people couldn't get gas, everything was shut down. Like, that's crazy; that's infrastructure. Imagine if that happened here in the Cayman Islands; that's wild. Ransomware, and from the DarkSide group; they say they're Russians. The WannaCry cyber attack: this was the Lazarus, North Koreans, shut down the UK's healthcare system. That's wild. Shipping company shut down for

weeks: terminals and ports. Everything gets shipped into this island; the other day they said there was a strike from some shipping company, and everybody went out and panic-shopped. I mean, at least we could have prepared for that; we had, like, a couple of days. But a ransomware attack, you would just be like, oh. Right, and a little bit closer to home: ransomware reports reveal Caribbean-wide attacks. So Trinidad is in the lead with the most number of attacks. There was a report in 2023 by Ransomware Roundhouse: 32 known breaches amongst the nations. So this is, like, government infrastructures: Barbados Revenue Authority files listed for sale. Did y'all know that the government of Martinique was shut

down? That is [Music] wild. The Caribbean faced 144 million cyber attack attempts in six months. Like, I hope that it's not to scare people, but like, it's happening, and I just don't want us to have our head in the sand to think that it's not happening and it's not affecting us in the Cayman Islands, because we live in a bubble, and trust me, I believe that we do live in a bubble, but like, this bubble can be popped, right? And this one is as recent as two months ago: the insurance company, and this one, I'm waiting to hear more about it because it's still so new, but ICWI was attacked. Hot off the press: they stole a bunch of sensitive

information, personal details of the chairman and CEO, the president, employee records, financial records. So even the insurance companies are being attacked, so it's fair game for everybody. John mentioned that there was an attack, an attempted attack, on the Cayman Islands government earlier this year; thankfully that was thwarted. Very good. Bermuda was under attack last year; the whole government infrastructure was attacked. Bermuda's government was shut down for a good while; it took them months to get back up and running fully. I mean, it's not far-fetched that something like this could happen even closer to home, or right here. So with that being said, when we bring it back to: we know what can happen, and now we

are, as compliance professionals in the boardroom, trying to convince and influence our boards on what they need to be concerned with. I'll talk a little bit about some things that could be helpful when you're trying to explain to your boards, especially boards that are, how do I put it, like professional board directors that sit on funds or sit on smaller regulated entities, and they're not a part of a larger organization; sometimes it's just, you know, dollars and cents, and these are the accountants and the lawyer boards, and nothing's wrong with that, I work a lot with them. But this is to, how do you get them to understand and see the risk here

and how it implicates the sector and the industry within these islands. So, effective board reporting: it's important that you're clear and concise, obviously, but we have to take out the tech language so that they can understand, and I can understand too, as compliance, right? I also think that it's important that compliance kind of helps CISOs break it down, and that's where I see more of a partnership between compliance and IT and cybersecurity. Instead of a board receiving individual reports from every Tom, Dick and Harry, I really believe that compliance is the glue, and they kind of add in a touch of everything. He's smiling; do you think that too? We're the police officers in the

entity. I get it, and we're not liked as compliance professionals; most people hate us, except in the banks. I see your face, it depends on your industry. I'm compliance too and they always hated me. But what I think is, when compliance has an eye on certain things, especially in cyber security, I used to look at the other reports and be like, why don't we do it this way, we can come together. See, he knows what I'm saying, because he's looking at the compliance report and it's risk, and he's looking at the cyber security report and it's risk, and they're two separate reports and they look different, they talk different, and he's like,

ah, what the hell, but this is all risk. And because compliance is siloed and IT is siloed, they're not coming together, and this is again where I think that there's an intersection that needs to come together, and that's how you tell a better story, because it's all risk. It's all risk, and the risks are becoming more and more similar and merging into each other, and we're still separated. He seems happy. So I think, with those reports, it's good to collaborate, and I know that that's not a school of thought in our industry, but it's something to consider, because compliance already has the ear of the director, and now you can come together, with compliance as the

influencer, whether we like it or not, and they can tell the story a little bit better than the IT guy. Not that the IT guy can't tell the story, but when they come together they can tell a more compelling story, so that that director understands the real risk and how to allocate resources, and then how to show them the metrics and the indicators and list the number of incidents, and what the incidents were, and what the risk is, and how many of those incidents could also touch on AML, you know. And then you can see how it all comes together as a risk report, and not necessarily a cyber IT report versus a compliance AML

report. So, the role of compliance in strategic IT alignment, I just explained that. Building a cyber-aware culture: it's still a top-down type of approach, so everybody needs to think in the same way. We had this big wave of AML, AML, AML compliance; the same thing needs to happen for cyber security, because I don't think that that's really the general consensus in firms. It's kind of like, IT will sort us, we don't even worry about that. Oh yeah, oops, I clicked on that. But there needs to be more awareness on that. Resource allocation. I wanted to talk about board engagement: if you have a board, as a compliance professional or a

cyber security professional, that you're reporting to, and your board don't ask no questions, that's a problem. And if they're not asking questions, you should be asking them questions: what do you think about that? Because that's how you know if they understand, or if they're just glazed over and they really don't even understand and they're just kind of waiting for you to finish and move on to the next thing that they do understand. So you need to engage with your board in a way that you're having a conversation about the risk and putting it all together. So give me a minute to talk about how we learn, developing training programs. So I talked about the typical

tick-box training programs, and there was a question earlier in the audience, I think while Vlad was talking, about training for boards and stuff. I think that nowadays with these online trainings, and I work for o and we provide online training, nothing beats in-person training. I think there's a place for online training, but for boards I think there needs to be that interaction. People are very busy, they think they're multitasking and they're not, and they're just not getting the content and they're not understanding it. So you need to develop programs: for most people it's not a one-size-fits-all, it's a one-size-fits-most, and then you need to have options for the other people that

don't fit into that most, right? So, and I think training, in my mind, they talk about annual training. If the criminals are changing on a weekly basis, I don't understand how annual training is going to support your staff. Help me understand. I like this director in the front here, because it doesn't make sense. Everything is happening, so instead of rolling out a big fancy click-through-the-box training, answer these multiple-choice questions once a year and toss it away and forget about it, I think that training generally needs to be reimagined, redeveloped. I think there are ways where it needs to be more interactive. Speaking of which, phishing simulation. So when I worked at a bank,

they would have random fake emails sent out to people in different departments to test you, and it was good, because then your name got listed on a leaderboard if you clicked on it or didn't click on it, and every time you clicked when you weren't supposed to click you would pop up on management's report, and that was an opportunity to train you, to identify that you weren't understanding, right? It was an opportunity to highlight, especially depending on what department you were working in, like if you were working in wires, where money is going out, and you keep clicking, maybe that's not the job for you. But this is the kind of data

and training that can lead to operational efficiencies and save you money. This is the type of data and information that should show up in a board report, to say to your board, you know what, this department, they need more training, because they keep clicking, and you work at a bank and they're click, click, click, click, click and they're sending the money out. And that actually does happen, because we've heard many stories where people in finance departments are sending out the money from fake emails, business email compromise, so they're not able to spot and identify it. So the annual training, as you can see, wouldn't really work, right? So the people that have access to money, bank accounts, they

should be getting more specialized training to really understand, maybe more frequent training. So you need to be developing training programs, make it interactive, have a leaderboard, again creating that culture of cyber security awareness. I think measuring effectiveness is important, so again, in my experience, we used to get a report of all of our staff and we could see how they were developing in their training, so we would know, okay, they've reached the max, they no longer are clicking on the fake emails, they're good, they finally learned, that kind of way. And creating that culture, we also used to have things all over the office, in the break room, you know, watch out for fake emails, look

at this. So it becomes, in the same way, when you think about all the things that we did for AML, we have to do the same thing for cyber security: having a champion, a cyber security champion, encouraging reporting. So like, if you did click on something and made a mistake, are you too afraid to raise your hand to say, crap, I clicked on something and made a mistake? Because if you are in an office environment where you can't make a mistake, that's also a challenge, and it can cost your company. I won't talk too much about incident response, but I want to talk about third-party risk. So small businesses, you can't afford

to have a full-on cyber security IT team, you outsource it, but you're still responsible if something goes wrong. So how do you manage those third-party risks? And this is where compliance becomes very important, because they typically are part of that process for vendor due diligence: making sure that they are who they say they are, they're going to do what they say they're going to do, their SLA is right, it makes sense. How do we test that? How do we know that they're going to live up to their end of the bargain, of the agreement? Monitoring them: do they do audits? Can I audit them? Can I see what they're doing? And if there is an

incident, are they going to reply to me? In what time are they going to reply to me? Is it going to be quick? Am I going to get the information I need? Do they do backups? How do I know that? Do they have a report? When was their last audit? Ask them 101 questions, because you're paying them good money to do it. So we know that the nature of the industry here on island, with a lot of the small and mid-size firms, they have to outsource IT, and we have some fantastic outsourcing providers here in this room and on island, but you've got to make sure you're holding them accountable. Ask them the

tough questions. You should be getting reports, they should be reporting to the board, and the board can ask for that and they should be asking for that, because the buck stops with the board, and they're ultimately accountable if their third-party outsource provider messes up or screws up something. And again you see this general theme is team collaboration and information sharing. So all these things, if you're having a problem with your vendor, it's a small island; if we had an association, let's nip that in the bud: this vendor ain't doing what they're supposed to be doing, I had an incident and they couldn't come through. Now you know that vendor gets better, we're

holding people accountable. This builds the whole jurisdiction's reputation, if you see what I mean, bigger picture. Home stretch, six minutes to go. This part, what are we looking forward to in the future threats? Now I had a nice talk with a gentleman at lunch named Angus, he's from Washington DC, he's going to be talking remotely on AI attacks at some conference in Vietnam. I have a personal issue with these deepfakes. So I work in AML compliance, and I was all gung-ho about, you know, CIMA updated the AML guidance notes and we can have eKYC, yeah, we're going to do this eKYC assessment, I'm ready for it. And then I see deepfakes where a person thinks they're

talking to their mother on their phone and it's not their mother, it's the Yahoo Boys in Nigeria, but it's real, and I've seen it with my own two eyes, and I'm like, oh my God, I don't know how we're going to get around it. I don't know what the solution is, but the deepfakes are serious, and I wouldn't believe it unless I'd seen it for myself. So now, if you think about a compliance person collecting KYC to open a bank account, and we all know what it is to open up a bank account here, and you're relying on, I'm going to use video conferencing, which the guidance notes allow for, but of course you have

to do a risk assessment on the technology that you're using. How can you trust anything with deepfake AI now? That blows my mind, I don't even know what the answer is to that, and that's why I have to stay friends with the cyber security professionals in this room, because we have to stay aware of what's happening, because this is changing so quickly. You have people that are able to sound just like you; they're using technology so it sounds just like Georgia Scott and they're calling my mom and telling her I'm in trouble and she needs money. The pig butchering scams, the sextortion scams with kids, all through AI deepfakes, it's wild. How do we manage

that as compliance? How do we manage that with the cyber security threats? I don't know the answer to that, but these are the type of things that we have to think about going forward as we protect our industry and our jurisdiction. The Internet of Things, Gary talked about that, I won't talk too much. All I will say is I don't have any of those things in my house because I'm afraid of it. I don't have Siri, Alexa, I'm an old lady, I don't have an iPhone because I'm actually afraid of it, I don't have a Ring doorbell. I have small children and I've seen enough crazy stuff on the internet where I'm just like, no, I can't even deal. But

eventually I'm gonna have to deal. I don't know what the solution is, but these are the type of things that we have to think about in the future, because it's happening, it's not stopping. Cloud security challenges: everything is in the cloud now, which is great, it's fantastic, we don't have to worry about the big server rooms and salt water getting in them, but when it's in the cloud, I don't even understand, my head can't wrap around that. Everybody's in the cloud, how do I protect everything? I don't know, and everybody's in the one cloud. But these are the type of things we have to think about, and I see the IT

guys in here like, yeah, we can help you with that, but break that down to me as a compliance person, and protecting data, and DPA, and making sure that I'm not in the news when there's a breach, because I'm pretty sure all the big breaches in all these fancy companies were in the cloud. I'm not a technical person, but break that down to the general population: it's still the cloud and there are still risks and challenges, and this is where I think that compliance and cyber security have to come together to understand that, right? Supply chain attacks, we talked about the shipping company. I suspect that this is something that we need to

be thinking about and understanding: infrastructure and supply chains. I definitely think that this is something that's going to be more prevalent in the future, and these are the type of things we have to think about. Now this one is interesting: quantum computing threats. When I had to look this one up, the computer is going to get so good that they're going to crack all the codes before we can figure it out. So you encrypt your data, but the computer is so fast and they're so fancy, and Gavin's looking at me and he understands, but they're going to be able to decrypt everything that we work so hard to encrypt, because the computers are getting better. That's wild to me. I

don't know what the solution is to that, because we're trying to protect our client data, we're trying to protect our personal data and hospital data and all those sorts of things, but the bad guys are still moving quicker. And this zero trust architecture, RJ said not to say it because nobody understands it, so I said it anyway: zero trust architecture. It's a security model based on the principle that no entity, either inside or outside the network, is trusted by default. So you work for the company, the system doesn't trust you; you're outside of the company, the system doesn't trust you, and there are lots of layers and layers and layers and layers and layers of security and passwords and protection,

and is this the way forward? I'm not sure, but these are the things that I think are going to start to become more commonplace; we're going to hear more about it, and we're going to have to figure out how do we stay compliant as these new technologies and threats keep coming at us. So I think the takeaways today, and we'll recap, for me: compliance is your friend, we need to work together, compliance and IT really should be best friends, and we need to lean on each other. I think that financial crime is bigger than most people understand and realize, and we need to talk more about that, especially from a cyber security perspective, and

coming together to understand that these threats are not just data breaches, but there's a bigger implication. Another takeaway is the reputation of our industry and the jurisdiction is very important; it's our livelihood, it's our bread and butter, it's why most of us are on this rock, so all these things tie into that. And then the final takeaway that I want everybody to understand is collaboration. I hope I drove it home, Miss Pam, but we need to figure out a way. If we develop an association, something, we have associations for everything else, I just, I don't know who's going to take the lead, but we should come together, because it shouldn't

be that just once a year at this forum we're talking about it. So I was at a conference two weeks ago, it's the regional compliance association conference, so every jurisdiction has a compliance association and they meet once a year, and everybody comes with what's happening in their country, in their island, and they come together, and all the associations stay in touch and they connect, and it's great. We should be talking about cyber security; why don't we have something similar in the region? And then in terms of what's next, we talked about a bunch of stuff, so I think what's next is for you to go back, make sure you get an audit if you haven't, make sure your docs

are organized, make sure you test your incident response plan, because it's not if, it's when, and get some decent training going on so people really understand the risk, because I don't think they understand. Like, I think the tick-box training is just not cutting it in my mind. Because, I mean, yeah, I think those are the key takeaways, I think, of what you should do next, and those are easy wins; it shouldn't cost you too much money to be compliant. That's it, I let you out one minute [Applause] over. I could take a question if you want, I think you guys know how to find me though. No

questions? I tried. All right, thank you too, thank you too.
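The phishing-simulation reporting the speaker describes (a leaderboard, repeat clickers surfacing on management's report, and department-level trends the board can read) worked through as an added Python example; this is not code from the talk or from any product, the campaign rows are constructed sample data, and the row layout and department names are assumptions.

```python
"""Phishing-simulation metrics for management and board reporting. Added
example, not code from the talk; RESULTS is constructed sample data."""
from collections import defaultdict

# Constructed rows: (campaign, user, department, clicked, reported)
RESULTS = [
    ("2024-Q1", "alice", "wires", True, False),
    ("2024-Q1", "bob", "wires", True, False),
    ("2024-Q1", "carol", "legal", False, True),
    ("2024-Q1", "dave", "legal", True, False),
    ("2024-Q2", "alice", "wires", True, False),
    ("2024-Q2", "bob", "wires", False, True),
    ("2024-Q2", "carol", "legal", False, True),
    ("2024-Q2", "dave", "legal", False, False),
    ("2024-Q3", "alice", "wires", True, False),
    ("2024-Q3", "bob", "wires", False, True),
    ("2024-Q3", "carol", "legal", False, True),
    ("2024-Q3", "dave", "legal", False, True),
]

def department_click_rates(results):
    """{(campaign, department): fraction of recipients who clicked}."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for camp, _user, dept, did_click, _rep in results:
        sent[(camp, dept)] += 1
        clicked[(camp, dept)] += int(did_click)
    return {key: clicked[key] / sent[key] for key in sent}

def repeat_clickers(results, threshold=2):
    """Users who clicked in >= threshold campaigns: the names that belong on
    management's report for targeted, more frequent training."""
    counts = defaultdict(int)
    for _camp, user, _dept, did_click, _rep in results:
        counts[user] += int(did_click)
    return sorted(user for user, n in counts.items() if n >= threshold)

def leaderboard(results):
    """Rank users by (reports - clicks), best first; ties broken by name."""
    score = defaultdict(int)
    for _camp, user, _dept, did_click, reported in results:
        score[user] += int(reported) - int(did_click)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

def trend(results, dept):
    """Click rate per campaign for one department, in campaign order, so the
    board can see whether that department is actually learning."""
    rates = department_click_rates(results)
    camps = sorted(camp for camp, d in rates if d == dept)
    return [(camp, rates[(camp, dept)]) for camp in camps]

def board_summary(results):
    """One row per department: latest click rate plus its repeat clickers."""
    members = defaultdict(set)
    for _camp, user, dept, _click, _rep in results:
        members[dept].add(user)
    repeats = set(repeat_clickers(results))
    return {dept: {"latest_click_rate": trend(results, dept)[-1][1],
                   "repeat_clickers": sorted(members[dept] & repeats)}
            for dept in sorted(members)}
```

With the sample rows, the wires department stays at a 50% click rate with one repeat clicker, which is exactly the kind of line item the talk says should reach the board rather than sit in an annual tick-box training report.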