Plan, Optimize, Protect: Strategies to Develop Business Resilience

- Certainly know where to begin.

The entire business world is assessing the potential for AI.

What can it do—so the question, what can it do for middle market companies? Where does it fit, and to what extent does it help, or potentially, what extent is it a threat or could it potentially hurt?

- Hi, Brendan, everybody. Thank you for having me. I am honored to be here, and I hope that by the time we're done, I demystify a little bit what's happening with the marketplace today.

You can't turn on the TV, you can't touch a newspaper, you can't go online without hearing a little bit about what artificial intelligence is, how it works, and how people can apply it. And what I would like to do is just tell you some stories, give you some ideas so that you can understand conceptually how to apply this technology within your business environment.

And the way that I look at this is if organizations are successful in what they're doing and they follow the model of how to successfully implement this type of technology, what we've seen is those organizations are those that thrive.

They tend to be the organizations that basically go out and buy other organizations, like our successful customer, First Citizens Bank, just acquired Silicon Valley Bank. And I think that in general, the nice thing about it is their employees are more appreciative because instead of focusing on the granular work, they're focused that they can accomplish—they're focused on the mission critical thought leadership areas. So I hope that today we can talk a little bit about where we started, how we got rolling, and where it is.

So if you don't mind, Brendan, I probably could give a little bit of background as to where this industry started, and Carlos could probably chime in as well, and we could get rolling with this. Would that be all right?

- That'd be great, Jim. We'd really appreciate it.

- So if you think about it, in the past—I'll just fill you in on who I am. I'm the CEO of KeyMark—and we got started in this industry about 20 some years ago. And originally, we were the first company to implement semi-structured invoice processing successfully in the United States of America. That, generally speaking, is something that people are now considered to be more mainstream, and everybody's trying to automate their accounts payable area as well.

We were so successful in that area, companies were coming after us and trying to work with us, and the next thing you know, we were involved in some of the first machine learning systems in the world. And ultimately, we did the first artificial intelligence solution using machine learning that was ever done in a mailroom operation, and that was actually the second one ever accomplished successfully in the world, up in Michigan.

So when I heard about IBM's Watson and they were playing a little game of Jeopardy, I was intrigued, and I wanted to know how a computer could actually defeat a human being. It was one of the most fascinating things. And I'm not a game show watcher, so for me, this was big news.

So I watched the whole thing and I saw this machine destroy these two people who were basically the best at Jeopardy in the world. And I thought to myself, gee, if Watson can beat a human being in a game that it doesn't have any idea what's coming at it, I got to learn more about this.

So we're traveling down in the Virgin Islands, and I just happened to be sitting next to a woman who happened to introduce me to her husband who, believe it or not, was in charge of IBM's Watson's program.

- [LAUGHS] There you go.

- Oh, yeah. You talk about a small world. And I couldn't help myself, I was so excited, I wanted to chat with him and just learn more, and I wanted to figure out exactly what was behind Watson and what the technology was.

And he looks at me straight in the face and he goes, well, Jim, the technology we're using is called optical character recognition. Have you ever heard of it? So he's telling the guy who did the first accounts payable system and the second machine learning system in the world that he's using the exact same technology to do this artificial intelligence.

So I immediately realized that this space that we're talking about now is really something more of an evolution that's something that just happened with what you're reading about in the press. And I want everybody to understand that the nice thing about it is, in general, the great thing is that this—most of these platforms are really built on solid foundations.

So a mid-market organization might be scared that this is new technology, that this is something that basically they're adopting something that has never been true and tried and tested, and I just want to alleviate everybody's anxiety to let them know that there is a solid foundation that this has been built on in the past, and they can take advantage of that and evolve and basically improve their overall ability to either serve constituents, if they happen to be a government entity, or if they're a public entity, obviously improve their customer relationships. So, thank you for having me.

- I appreciate it, Jim. That's fascinating, and it's good to know. I would have thought it was just brand new technology, but it's interesting to know that it's been around forever and it's just a different way of applying it. Thank you.

- Yes. Yep.

- Appreciate the background. All right, let me transition to Carlos from Agile Cybersecurity Solutions. Carlos, we just heard Jim describe some exciting things that technology and AI will be doing for businesses in the future.

I look forward to hearing from you a little bit about how you leverage this and continuing to be mindful about potential risks that could be created here. But first, can you tell us a little bit about how you got into cybersecurity and the nature of the business and the clients that you work with today?

- Absolutely. Well, once again, I'm excited to be here as well and excited to be part of this conversation.

So I've been in the cybersecurity business before it was called cybersecurity. I've spent my whole adult life focused on what we now call cybersecurity. Started out as an Air Force Intelligence officer, graduated from VMI back in 1990, and then transitioned into a tactical mission as an Air Force officer.

And back then, it was the beginnings of the internet, and so most people had no idea what the internet was going to be. And most folks are more interested in functionality than security, so I wasn't a very popular person.

Most of the conversations that I was having were very confrontational because we were dealing with a lot of vendors as—at one point, I was at the Pentagon and I was advising some of the senior leaders at the Office of the Secretary of Defense that were acquiring new technologies. Many of them had no idea what these technologies did, they just knew that we had to have them in order to be competitive in the global scheme of things from a military perspective.

So I was in meetings with many individuals, vendors that all they were interested in is putting the technology into the hands of the warfighter, not so much doing it securely, and much of that now has come to haunt us—and I could talk a little bit about that. But we talked about risks, and there were significant risks that a lot of folks didn't really think about because most folks are looking for productivity gains and—you know, like Jim mentioned—artificial intelligence provides tremendous productivity gains, but there's also a dark side.

And so I was—because I was trained in a military environment with a military mindset, those are things that were important to me, and so I was always interested in what if scenarios, and that's something that has served me well over my career. And so I started Air Force Intelligence. Intelligence is an important part of what we do today as well.

One of the things that we focus on at ACS is this whole concept of predict, prevent, and persist versus just responding after an incident occurs, which is critical to next generation of cybersecurity capabilities.

- That's great. And so, what—just ask a little bit of a follow on here—so what's the easiest—how do you predict? Like, as you think through that, what's the best way, or how do you—how do you suggest people use that?

- Yeah, that's a great question. I get asked that all the time.

I know I'm—I love history, I'm a student of history, especially military history, and I don't know if this quote was actually—actually came from George Marshall, but it's been attributed to George C. Marshall that help with the restoration of Europe after World War Two, and he's also a VMI graduate. But George Marshall allegedly said that no plan—no plan survives first contact with the enemy.

So I look at that, as far as predicting, you have to just always be thinking of what the enemy is doing, and most of our adversaries in cyberspace, the nation state actors and other individuals that are looking to satisfy whatever motivations that they have, whether it be financial or otherwise.

So those are the things that we do. The predictive aspect is more thinking about what is possible, and then putting measures in place to counter those things, and making sure that we stay one step ahead of what we call the advanced and persistent threats.

- Awesome. Super helpful, and I look forward to asking some other follow on questions as we get more into the discussion today. Thank you very much, Carlos.

All right, we'll come back to you for a little bit more on those very cyber—very real cyber threats in just a moment, but first let me turn it over to Tim with First Citizens Insurance Services. Tim, thanks again for joining us.

As we've just heard from Jim and Carlos, there's a whole lot of risk and reward associated with online systems and technology, right? But as with any risk, there's an insurance product to help protect against it. So what can you tell us about the recent history of cyber insurance and how you see clients deploying that in their business?

- Yeah, well, thank you, Brendan. I appreciate the opportunity to be with my esteemed colleagues, like Carlos and Jim. Certainly, they've got a lot of wisdom that they can share with our clients, and I look forward to hearing more from them.

A little bit of level set for us, for me and for the group. I manage our commercial insurance team here, and so we have a bunch of commercial risk advisors. And Carlos kind of alluded to being predictive and really consulting with the client, and really that's our job. On behalf of an organization or a business, we're going out, talking with a carrier that can provide, and in this case, specific coverage for any type of cyber breach.

So a little bit of the origin behind that.

If you think about—Jim alluded to this as well—in '94, the Internet.com started to take off, and that was really the first time that that carrier started to offer that cyber product.

It was really a third party, which really means coverage. It wasn't first party where it was business incurred that, but the third party was really anybody that they did business with a vendor or customer, or if there was some type of data breach, the liability for that would be covered.

You fast forward it—it was pretty easy to get at the time. You go into the 2000s and businesses, as technology evolves, and the folks like Jim creating systems for businesses, how they use it efficiently, you start to have folks out there in the cyber world, kind of what Carlos had spoke to, on the dark side, and they start to realize that there's an opportunity to really navigate into systems and use it in a nefarious way.

So at that point, carriers start to create a more robust product first party, where any type of business that incurs that at a place where it's going to affect them financially or any type of business interruption, that comes into place.

So really, the first three things, up to five years ago, it was really easy to get the things that they would ask for. In a carrier, really, it was a questionnaire would ask them questions of, hey, tell me what systems you're using?

How do you use the internet? How do your folks use the email?

They'd also ask things like—you'd have a carrier underwrite things. They want to know who your systems are being run through, a third party—those types of things—and it was really, really relatively low cost.

Well, fast forward to the next five years, and really, the last two years, Carlos had spoke a little bit about this—again, the nefarious part of it—some of these bad actors, some of these claims are starting to show up, some of the losses of the business are starting to show up, so somebody that didn't have a standalone cyber type of product or policy, the underwriting parts of attaining that, if you didn't have that before, they're starting to ask for more from our clients.

So some of those things—obviously MFA would be one. I'm sure a lot of folks on the call today are familiar with that—multifactor authentication—it's not just having it, but how are you using it at the end ports? How are those things, are you protecting yourself?

The other part of that is, what does your incident response plan look like?

And that's, to Carlos's point, that involves the carrier, it involves—it could involve a breach attorney—it could also involve somebody like Carlos that's doing forensics, trying to understand where some of those losses may be occurring. So again, you can see where that's kind of evolved. And over the last two years, really, some of our clients have seen an increase of anywhere from 30% to 300% in coverages because of some of these losses.

- Tim, isn't it true that if you do the right stuff, like Carlos was talking about, you can reduce your cost as well?

- Absolutely, and that's—I think on the front end, Carlos put it really well, it's a team approach that [INAUDIBLE] wants to see how the network's built, how folks like Carlos, in terms of cybersecurity, how you're managing some of those potential issues. So it's really important that it's a team approach.

- Let me chime in on this as well because we work with a lot of middle market companies that have seen their cybersecurity insurance rates increase 200% over the last two years—

- At least.

- —so they're very, very concerned looking at ways to minimize that. One of the things that they have been able to do is when we go into an assessment of penetration test, provide them with a remediation recommendations, they go in and do those remediations. Then we run another scan and they have a clean bill of health, then they can take that revised report that we put together that explains that they had some vulnerabilities, those vulnerabilities were remediated, here's what it looks like today, there are lower risks, and they could take that report and negotiate lower rates with their vendors.

- Ah. OK. That's really—I appreciate hearing that, Carlos. That's great to know.

I'm sure that comes into play. And I know I just from, obviously, spending time with a lot of different clients over the years, as Tim alluded to, the requirements for—that you've got—it used to be pretty easy, but now it continues to get harder and harder and harder to actually obtain the coverage for it.

- Yeah.

- Thank you, Tim. Appreciate it.

All right, I'm going to turn it back to Jim for a minute here. You touched on Ai earlier, and we're certainly seeing lots of headlines right now about ChatGPT and AI applications—given all the AI history and potential, what are clients really talking to you about right now? What are they looking to KeyMark to provide them with, or how are they—what kind of solutions are you suggesting, given the advances in the technology?

- There sure is a lot of marketing out there right now, Brendan, so you can help yourself.

It's interesting that some people think of the OpenAI technology as something that they could apply in a business setting. The realities of the situation are a little bit different than that, and even OpenAI itself suggests that there could be hallucinations that their systems develop.

So if you think about it in the business world—we'll talk about financial services, public sector, insurance, or whatever, health care, where it might be not only mission critical, but life and death—you can't have a hallucination that you roll out there. You just can't.

It's not a feasible way of rolling out these types of systems. So a ChatGPT sounds like a business use when you're listening to a reporter on CNN or some other broadcast out there, but the reality of the situation is you have to apply these technologies in a mission critical application and basically make sure that what you're doing is you're applying them in a general sense, trying to automate as much as possible, getting accurate information, but the key is that you always have to have a human in the loop, that you don't necessarily let these systems run amok.

So we talked a little bit earlier about machine learning, for example, and the situation is if the machine keeps learning, generally speaking, as it keeps going, it's going to eventually start making mistakes, and the last thing that you want—let's say you're doing a mortgage loan—you definitely don't want to have mistakes in your loan origination process ever.

- Of course.

- So that would be an absolute disaster.

So the end result is you can use these technologies, you can apply these technologies, but typically speaking, what you do is you take AI and you match it up with other solutions, and then you have a human in the loop that does the heavy lifting, they still are involved, they still make sure that there's no errors before the actual process is completed.

And that's one of the key components associated with rolling out some of these applications. You never ever just go fully automated, you always make sure that there's a chance and an opportunity for a human to review before you go full bore.

- Great advice and feedback. So you mentioned the word hallucination, so do you mean that the technology basically takes on a life of its own?

- Well—

- Can you explain that a little bit more?

- Yeah, it's funny you say that. I was chatting with a friend of mine who's actually working on coming up with a standardization for artificial intelligence, and one of the standardizations is to make sure you understand what the actual data element is that is being used to actually produce the result.

So if you think about it, if you have different data coming—because right now, if you think about it over the last 500 years, we produced more data last year than we did in the last 500 years. But of that, how much of that data can be accessed and can actually be retrieved by an artificial intelligence system? And generally speaking, it's less than about 2%.

So you have to understand what the basis is for whatever the results might be coming back, and if you don't have control over those overall results, then you really can't actually understand what those results might point to. So a hallucination could be a bad response, a false positive is what—generally speaking. What we call it, and the last thing you want to do is in a mission typical type of environment, especially in the health care space, is have a false positive out there.

So that's why, when we look at these systems and when we're trying to apply it, especially with somebody that is trying to make sure that they have their core systems—because if you think about it, somebody's either paying for something, somebody's either buying something and paying—and processing it, or there's a compliance issue. In all three of those situations, you want to make sure that the data is always accurate before it gets processed, and that's the key.

- Gotcha. Gotcha, gotcha. OK, that makes complete sense. Thank you. Appreciate it.

All right, I wanted to maybe shift over to Carlos here. And really, Carlos, I know you spent a lot of time working with companies, similar to the ones we work with every day, so what are the biggest cybersecurity needs you see amongst kind of your middle market clientele?

- Yeah, absolutely. Before I do that, let me just answer something that Jim said—and I'm very impressed with Jim's response regards to information—or artificial intelligence because from a cybersecurity perspective, I talk to a lot of companies that are pushing artificial intelligence into security systems, and one of the things that I've always believed is this concept that he talked about, having a human involved. We call it adult supervision. We believe that the machine has to have some adult supervision or else it's going to end up doing whatever it chooses to do. You may set it on a path, but it will start creating things that could potentially create some messes.

And a lot of these technologies have a tendency, from a cybersecurity perspective, they could conflict and interfere with each other. If you have different types of capabilities within an environment, that there could be the possibility of them interfering with each other, creating a real—instead of a better security environment, it creates an opportunity for an adversary to exploit the chaos that it creates.

But with regards to the middle market businesses and things that we see that they're looking for is they're looking for individuals that can come in and help them maximize their existing investments. Many of them have already made a lot of investments in cybersecurity, they've been sold from vendors of technologies, that the vendor has convinced them is the best that there is, and every technology has strengths and weaknesses.

And what we end up going into an environment and doing is that we do an overall assessment of the organization, we understand what it is that their vision, the mission is for their cybersecurity, and then we take a look at what they've already invested in. And when we go, we go in there and we tweak their capabilities and help them to maximize their existing investment.

A lot of companies like us may go in and tell them, oh, you did everything wrong, you need to buy all new capabilities.

That's one of the reasons that we stay vendor agnostic and product agnostic. We don't have any horse in the race when it comes to technology.

We make general recommendations to our customers, we don't get into specific products, if they need multifactor authentication, we explain what that is, but we don't suggest a particular product. They have to go out there in the marketplace and evaluate all the different products.

If they want us to help them to do that, we certainly could help them to do that, but we are not playing favorites. We're looking at what they have, and most of the times, the middle market companies have already invested in enough technology to get them to 80% to 90%.

And then the one thing that many of them don't have because it's expensive and there's a shortage of cybersecurity professionals, and many of them complain that they're overworked and overtasked and underworked—or whatever. You know what I'm saying.

They've got a lot more work than they have people to do it—and so we want to help them and do it smartly, by going in there, assessing what needs to be done, and helping them focus on the things that are priorities. We prioritize things from a cybersecurity perspective and help them to focus on the things that are going to give them the best results for the investment of time and resources.

- That makes complete sense.

- Can I step in there for a quick question?

- Yes, sir.

- Yeah, please.

- So Carlos, our clients hear a lot on the front end, or even our prospects, about MFA, multifactor authentication, right? So when you see that or you hear that, how are you testing that for clients? I mean, can you share a little bit about that process and where it's used, how it's used, and where some of those holes might be, and what your recommendations are?

- Yeah. So multifactor authentication is just like any other capability. If it's done correctly, it's very effective. But sometimes, there's misconfigurations that occur during the deployment, and those are the things that I get concerned about. I want to go into the environment. I want to assess that they've already deployed a technology.

What we love to do is we ask them to give us an opportunity to test the cybersecurity of the capabilities that they already have because oftentimes, if they're depending on a third party, the third party's going to tell them everything's great, and most of them don't know the difference. They're just depending on somebody to tell them that everything is working as designed.

What we want to do, we want to go in there and test it to see, OK, you've got this deployed, let's see if it's going to withstand a cyber attack from an advance and persistent threat because all of our guys are elite. They're world class. Many of them were trained at the National Security Agency or the CIA or other organizations. They know how to exploit systems that have exploitable vulnerabilities. So we go in there looking for those and see how the capabilities that they've already deployed, how do they respond. If they have endpoint protection, how does that system respond to a potential exploitation?

So those are some of the things that I think are critically important. And that's, from an insurance perspective, that's what insurance want—they want to understand what the risks are so that you want to decrease the risk so that there's less of a possibility where they're going to have to file a claim, right? Because every time that you have a claim, there's an expense. And what we want to do, we want to make sure that we do everything we can.

And we don't—many customers are looking for compliance. They want to just be in compliance. What we tell them is that we're going to help you be secure, and by default, you will become compliant because if you're just compliant, you're doing usually the minimums. If you're secure, you're going to do everything that you need to do that will achieve compliance and then some.

- Right. Yeah, that makes perfect sense, right? Rather than just check the box, actually make sure you're doing what you need to do to protect yourself.

Carlos, that's great. Thank you very, very much. And we'll come back to you shortly because we really want to ask how cybersecurity—how companies can avoid some pitfalls associated with it.

But first, Tim, I thought that was a very timely question. What are you seeing—what are the most common claims that insurers are seeing today related to cybersecurity?

- Yeah, it's a great question, and I was fortunate enough about two weeks ago to be part of a symposium down in Charlotte where we had director of CISA for Region 4, which is a part of the Department of Homeland Security. He was able to share some of those breaches, what they're seeing in terms of some of the key targets, but also what some of the folks, regular businesses are seeing as well.

We also had a breach attorney, which is specific to how a carrier would use, when there is a claim that's used, it's part of that team, right? They specialize in everything from the kind of project management of seeing who the actor is, what they're asking for, what does the policy call for—all of those things, the negotiation. And then finally, we had one of the top carriers that write the insurance for cyber, and he was the lead on that.

But what they had shared in that meeting, Brendan, was really twofold. It was the two types of—two types of cyber threats that they're seeing—ransomware. So when somebody, a nefarious criminal, cyber criminals somehow or another getting a hold of an organization's data and locking it down and asking for some type of, whether it's Bitcoin or some other type of wire transfer of money, that's number one. And then number two is the social engineering or business email compromise.

And ransomware has really—they talk about in a carrier perspective—there's twofold. That's frequency and severity. Frequency means it happens a lot. Severity is it can happen once, but it's very costly. And ransomware has really been twofold of that.

Whereas business email compromise and the social engineering, which is—that's somebody's sending within the bank. They get a hold of one of our associate's email addresses. They send an email saying that our CEO needs a wire transfer to—this looks legitimate and we end up doing that, and now the funds are sent, and what does that look like after?

As much as—what they had shared, as much as it is can be a severity, it's really a frequency. It's a low dollar, they want to move it quickly—they move quickly from organization to organization on that.

Couple other neat kind of things there I thought that were important. In 2021, the US Treasury, about $2.1 billion was paid in ransom, essentially.

- Wow.

- Yeah. And for the breach attorney herself, for their—if you think about it, they've got customers that they work with—obviously, the carriers are those customers—roughly 3,000 to 4,000 cases in 2022, the average payout, median payout was about $150 to $200,000 and roughly a high of $1.2 out of all of those.

So you can see it's very costly to a business. If it's a smaller business, they can shut your doors, and many times that's what happens. For a middle market type company, obviously, they might have the wherewithal to kind of work through that a little bit.

And then one last thing I wanted to share. Right now currently, the cyber market, per se, that line of coverage is about a $2 trillion market.

It's grown exponentially over the last three years. By 2030, they expect that to grow five times to a $10 trillion market, and most of that is because of the losses and the increased premium that now—that the insurers are going to now charge clients, but it's also people are waking up, organizations are waking up to the fact that we have some type of cyber coverage. We don't know what it is. It might be in another type of liability policy, but we need a standalone policy.

So really, the carriers are trying to figure out how to charge for that cyber policy, that standalone cyber policy. That's going to be the tough part, is going to—really underwriting it. So again, it goes back to things Carlos talked about. What are those—what's your incident response plan? What are those folks that are in there for cybersecurity doing those things? But yeah, the market's going to continue to grow, and it's going to get harder to attain that coverage.

- So do you see—when you go to meet with clients, do you see that most of them have existing coverage, or do you find a lot of people that don't have coverage at all?

- Oh, you're getting a little ahead of yourself about what people wish that they would have done, right? So—or organizations.

So what we see a lot of times is it's a very small part of coverage. It might be $50,000 on another type of liability policy, right? But the standalone that really has the teeth to it, the first party and the third party coverage that really protect that client, people have been hesitant to buy because there hasn't really been a need, right? They don't think there's a need. They think they're covered. Or they think in a banking situation, that the bank is going to take care of any type of nefarious wire transfer, or any of those other types of thing. That would be an example of it.

But what we find out, probably, Brendan, 30% to 40% of the time, they're not covered the right way.

They don't understand it. And in that meeting, 88% of folks—these are business organizations. They were polled in the business community in Charlotte—say they have some type of coverage, but they don't understand it and they want to know more about it.

And that's really our role, is to work with the carrier—our advisors really sit down with them. We also sit down with folks like Carlos to understand what they're going to try to do to mitigate some of that risk.

- That's great. Thank you, Tim. Very, very helpful and eye opening. Thank you.

Coming back to you, Jim, if that's OK? Lots of companies are seeing advantages from robotic process automation and related technologies. Can you explain what it is, and whether it's really a good time for businesses to jump in and test the waters around those solutions?

- Absolutely. So first, before I jump into this, I just want to share just one thing—that if anybody is thinking that they don't want to buy insurance or have somebody like Carlos check it out, we currently have a friend of ours, a customer who's a very large institution in South Carolina, they're locked down now to the point that they're actually sending their customers to their major competitor to process orders.

So this isn't a situation where you joke about. You got to do it. So just to give everybody a heads up on that one.

So as far as the technology and applying this, and is it a good time to do this, I think that in general, when you think about what you should be doing, you should be focused and you should have a strategic plan as to how to implement what I'll call hyperautomation.

You mentioned RPA, Brendan. RPA, robotic process automation, is a part of hyperautomation, as is artificial intelligence. And the reason why I'm talking about hyperautomation and the need for it is because if you are not doing this, I can promise you that your competitors are, and your competitors are using this to improve their ability to deliver faster, cheaper, better solutions to the customers.

So it is a requirement now of every organization to have a strategic plan for implementing a true hyperautomated solution that will include some form of artificial intelligence and machine learning that we chatted about, some form of robotic process automation to minimize the amount of work that, generally speaking, a human can do.

So think about over the next five years, there's an estimate that 31 million jobs are going to be replaced by digital workers, software workers that are doing repeating tasks. So if you think of somebody who's sitting in a cube today, if they are doing the same thing time and time and time again, those tasks can usually be operated by a robotic process automation or a digital worker.

There's a lot of customers, for example, in the state of South Carolina, I was meeting with the Department of Social Services, the head of DSS, and he literally said, I don't have a choice, Jim. I have to automate, specifically because the vast majority of my workforce is going to retire soon.

So when you think about replacing people, when you think about how you're going to go to the next level with your organization, it is in a situation where you have to think about, OK, I can wait five years. We don't really have five years to wait to do these types of things. You've got to be putting a plan in place today, especially if you have a desire to thrive over the next five to 10 years.

So if you think about it, you're a middle market organization and you basically want to sell your company in five years, they're not going to just buy your company off for your revenue and your EBITDA. They're going to by your organization based upon the processes that you put in place to improve the overall efficiencies for your customers to buy from you. That's going to entail using artificial intelligence, using robotic process automation, and using a hyperautomation solution to increase your enterprise value so that you can actually put yourself in a situation to sell in the future.

So I hope that everybody thinks this through and does spend some time on it. I think that in general, there are a lot of IT people that basically are trying to fly by the seat of their pants when they're implementing these types of systems because they're not quite sure where to go.

So I think that if you can sit down and try to think about how you could implement and put a team of experts within your organization to apply this technology, I think that's going to be the key to success. And the overall result is your enterprise value goes up, you're in a better position to take on net new business, and you basically are the organization that thrives and buys everybody else.

- Great feedback. Let me ask you a question—I hope it's a fair one because I know y'all put a lot of these systems in place. What's the typical ROI for something like that? What kind of—what's a typical break even time period where people tend to get the investment back?

- You know, it was for a while running about 18 to 24 months, but because of some of the artificial intelligence tools that are out there, we were able to deploy systems faster, better, cheaper than we used to.

So there's a lot of low code development—which really, low code development means that you have citizen developers, and when I think of citizen developers, I think of the best people within an organization that can apply technology or can make modifications within the organization, rather than going back to the IT department to get a job done.

And with these technologies being able to be deployed at your fingertips, you—especially somebody—I think it's a golden opportunity for people within the mid-market to jump up into a higher market, specifically because in the past, you'd have to have dozens of programmers doing a task, and now—and if you think about it, you had a specific rule—I call them world engines—that are important, and those are the brains of the organization—and you'd have to have lines and lines of code to be able to do this.

Well, with today's technology, you don't need lines and lines of code, you basically need an application and you need a very smart person to make sure they're applying the correct rules to whatever your business might be so that way, you can differentiate yourself.

So now you're looking at an ROI. Instead of going 12, 18, 24 months, you can pretty much roll out these systems in less than—in a short period of time, so you don't have a huge upfront cost with less people. They're not as expensive as they used to be, so now you can get your ROI down to less than one year.

- Wow, that's incredible. I would have never guessed that you could make it back that fast. Thank you, Jim. I appreciate it.

- Yep.

- Carlos, you described earlier the situation where companies have really good cybersecurity equipment and budgets, but maybe not necessarily the in-house personnel or know-how to make them work effectively and have the right impact. So how does your business and others like it with middle market companies really get them fortified against cyber threats? What's the process there look like?

- Thanks for that question. That really is something that we focus on.

When we first started—when I started ACD back a little over 11 years ago, we focused more on the Department of Defense and the Intelligence community because that's the area that I came out of, and these were all very expensive systems—multimillion dollar opportunities, multi-year contracts. We recognized that there was a segment of the cyber ecosystem that was immature, and many of them were also doing business with the government. And so we're only as strong as our weakest link, so we wanted to create—continue to support our Department of Defense and the Intelligence community, but also provide support to the middle market companies that also work within the military industrial complex.

And one of the things—there's two capabilities that we came up with because there's such a shortage of cybersecurity professionals, and everybody during the COVID was talking about working from home and a whole different mindset, and many people thought that productivity gains would go down—except that productivity actually went up. People were working from home and that was unexpected.

But we've been doing work from home before it was popular, you know? I started doing work from home when we first started ACS because most of our folks liked doing things on their own time. Many of these are very creative people that sometimes are up all night doing things.

So the two capabilities that we have really focused on to help middle market companies, or virtual CISO services—which are a capability that, instead of a company having to hire a full time chief information security officer, they could hire one of our category 50 virtual CISOs, and they could do it just like if you were hiring an attorney. If you need 120 hours retainer, you could retain a virtual CISO for 120 hours, and you use that an average—that virtual system on average of 10 hours a month to do whatever it is that you need that virtual system to help you with to supplement your existing team.

And that way, it helps you to better manage your resources, your limited resources, and have access to world class talent that you were—most middle market companies, or some of the small/medium sized businesses that we deal with, they just don't have the budget to hire somebody that you would have to pay $300, $350,000 a year to have on staff because of the shortage—you know, the economies of scale. So that's the virtual CISO.

And once they—if they hire that virtual assistant for 120 hours and they need more hours, they can just add in 10 hour increments—so as many as they need. And so we made it very easy for them to be able to access world class talent on their own terms and within their own budget.

And then the other capability that we've developed is something that is along the lines of what Jim does—because a component of it is artificial intelligence—and is having a security operations center that clients could access. Versus them building their own SOC, we have two SOCs that we deploy what we call manage detection and response, or extended detection and response MDR and XDR solutions, and these are sold per endpoint, per month or per endpoint per year where the customer knows exactly what they're going to be paying for these services.

And what does this do for them? This provides them with a near real time continuous monitoring capability of their assets. Whereas most companies are there 9:00 to 5:00, and then what happens after 5:00 when everybody goes home? Their systems are unprotected.

What we do, we protect their systems and monitor systems 24 hours a day, seven days a week, 365 days out of the year. And what we have been able to do is that we've been able to take the capabilities that we've developed over the years within the Department of Defense and the Intelligence community and scaled them down, made them affordable—in essence, we now provide DOD and Intelligence community-grade cybersecurity to the middle market at affordable prices.

- That's great, and super, super helpful, I think, Carlos, as we think about, again, how to make sure our businesses have the right kinds of protection and are leveraging the solutions, but also have the right know-how and power behind those solutions to make sure they're being impactful. Thank you.

- Yes, sir.

- All right, Tim, our last question goes to you. And I know you've dealt with companies that have been victimized by hackers and cyber criminals in the past. And kind of looking backwards in hindsight, what are the biggest regrets that you've seen come out of that after they've been compromised, or what are the lessons learned there?

Tim, I think you might be on mute.

- Sorry about that. Unfortunately, we hate to hear that. And there's often times our approach as advisors is to offer it. It's just as important as property, it's just as important as work comp and auto and all those other things. The losses that are being created by these cyber breaches, again, can really cripple a business.

So I think the biggest regret is when we had, time and time again, if it is a client of ours and we had had that conversation—we've even benchmarked where they would be with their industry and what it would look like, the cost of it, with the coverage of it, we've educated them on that—it's just a matter of them now regretting that they didn't put that into place.

The other part, and I think the two things that are really important, the incident response plan that I've talked about a couple of different times is how are you actively assessing that on a regular basis yearly? So is it just sitting there, but you haven't had your employees be part of continuing education, or phishing email training? Or, if there is some type of cyber breach, what are those protocols? How do you get in touch with the carrier and make a claim? Practicing some of that type of stuff, I think that's important.

And then lastly, I think—Carlos, you alluded to this a little bit—it's nice to have backups. A lot of companies, middle market have that opportunity to do that, but a majority, 90% of small businesses don't. So their incident response plan, you have a paper file or something of a backup so when it does happen, you're able to really use that and look at it and call the appropriate people.

Obviously, we're part of that. We want to be part of that solution. A lot of times, we just tell them to have us—have them reach out to us to help them.

- That's great. Thank you, Tim.

I appreciate that. I know you've seen a lot, so thanks for sharing some of those tidbits.

Well, that was really some great, very thought-provoking stuff, and I really appreciate the insights from all three of you and sharing them with our audience has been extremely, extremely helpful.

We do have a couple of minutes to take some questions. So as a reminder, to ask a question, please click Q&A at the bottom right hand corner of the screen. If you type your question in the box that pops up and then hit send, that would be very much appreciated.

And as we gather them, just a couple of things. Let me just say that First Citizens middle market bankers are deeply engaged with our clients in a lot of conversations outside of just those about banking solutions.

We really pride ourselves in thinking outside of the box, looking at the macro environment that you're operating in, and trying to make sure that we're asking the right questions and bringing the right solutions and introductions to the table to help make sure that you're positioning your business for success well into the future. So we see that as part of our job and we really enjoy that part of the role we play with each and every one of you.

So obviously, we've got a very wide range of financial solutions and we can help midsize companies in all stages of their lifecycle. And again, very much appreciate the client relationships that we have with you.

So if we don't get to a question, or if you have just a question you don't want to ask in a public forum, please feel free to drop us a line or give us a call. Easy way to do that it's just Google First Citizens middle market banking and click the first link that comes up, and obviously we'll get right back to you and have a conversation.

So we do have a couple of questions and we've got a few minutes, so I'm going to get right into those. The first one—we'll kind of go back to Carlos, if that's OK—would you say security threats for businesses are growing, or has it kind of normalized at some level at this point, or what do you see?

- Yeah. Wish I didn't have to tell you this, but I think we all know the answer to that question.

- Right.

- There's been tremendous exponential growth in security threats, and they're getting bigger and more sophisticated every year. With some of the geopolitical issues that we're dealing with, they're in Europe where I'm at—I'm dialing in from Lisbon, Portugal—and there's a lot of things going on.

A lot of individuals that are—whether they be corporate employees that are disgruntled, insider threats, or nation state actors that are looking to get an advantage in the marketplace and using cyber because it's fairly inexpensive to deploy cyber weapons in cyberspace—and we talk about these cyber weapons, but they're real. There's been examples of digital weapons deployed that actually cause physical harm. And so these things are real, and they're growing exponentially.

So yeah, it is an area where not only are the threats significant, but the costs to organizations are increasing. The cybersecurity market—the analysts that I talk to are telling me that the cybersecurity industry is going to grow from where it's currently at about a $250 billion global business to about a trillion dollars within the next five years.

- Wow. Four to four-fold. That's incredible. Thank you, Carlos. Appreciate that.

Jim, I think I might know the answer to this one, but we had a question come in about what you see as the potential for workforce disruption and dislocation from AI and some of the other solutions that are out there.

- It's going to be substantial, Brendan.

So if you think about it, you're going to have a whole situation of organizations that are going to be deploying the types of solutions we talked about a couple of minutes ago, and the end result of that is you're going to have a workforce that is probably going to be more engaged because they're going to be focused on the mission critical applications, the knowledge working applications, instead of the repetitive tasks.

So I think there's going to be a high degree of emphasis on being skilled in these areas, so I'm hoping that there's some education that happens within our k-12, and then hopefully our technical college and college systems, that gets people up to speed on how to apply these technologies.

Because the one thing that I've learned, and it's kind of interesting—I'll chime in on Carlos being over in Europe—we were in Amsterdam, and literally I didn't know the power of the windmills. And basically, what I learned was the reason that Amsterdam and the Netherlands was the most effective organization or effective country in the 1600s is because they could produce 24 ships a year, right? England could only produce two.

So if you think about it, my point here is that the reason that Amsterdam thrived, the reason it was the most effective city in the world is because they adopted technology. They applied the technology. They knew how to use the technology within their environment.

And the reason that everybody else—and then we flew to Africa and I saw places that never adopted technology, ultimately. And I think that if you look at it, it's not just that it's going to change the market, but it's going to be the way that everybody has to go to market. And those that adopt it, those that apply it, are going to be successful, and those that do not could end up being in one of the 31 million people that are going to lose their jobs. So it's going to be a major disruptor, but I would encourage everybody to be Amsterdam, be the Netherlands, and not be England and hold yourself back. Take the technology and run with it.

- That's awesome. Thank you, Jim.

One last question here, and this is a good one. It was on the top of my mind, too, that came in. Tim, how do you figure out how much cybersecurity insurance you need?

- That's a great question. And I think right now, the way that carriers look at it, they're struggling a little bit with it as well. They're trying to put a cost on what that looks like.

I think it really, though, where it starts is it starts with a good risk assessment, right? With your risk advisor. It's sitting down with them, it's sitting down with somebody like Carlos and his group, and understanding what the potential risks are, what type of industry they're in, what type of data is driven from there—what would be the likely output of if something was to happen and there was a business interruption, right?

So it's all dependent upon all of those factors, and really it's a joint effort between the carrier, carrier-underwriter, the folks on IT of an organization, and then ourselves as advisors, of really asking those questions to understand and really try to put a number on that of what does that look like if all of those things were to happen and you were compromised in some way? How do we keep you functioning as a business?

- Thank you. That's helpful. So it sounds like it's not a one-size-fits-all, but needs some inspection and some modeling to help figure it out. Appreciate that.

All right, well, we've reached our conclusion here. And I just want to say that this has been a wonderful discussion as we continue our middle market webinar series.

My sincere thanks to our three panelists who did a great job; for sharing their time and expertise with us. To our audience, please watch our website and your email for more information about our next webinar a little bit later here in 2023. We'll have more to share as we get closer, but you can be sure that it'll be worth your time to listen in.

Thanks again for coming, and have a great rest of the week. And again, thanks to our panelists. Very much appreciate it.

Have a good rest of the day. Thank you, guys.

- Thank you.

- Thank you, everybody.

- Thank you. you.