Security Token Summit
Security Token Exchanges and Trading Organizations Take on Wall Street

STX Operations: Cybersecurity and Identity

Jor Law, Sean Franklin & Linda Lerner

Jor Law - Co-founder of Verify Investor, LLC


Jor is a pioneer in building out the ecosystem for digitizing and trading securities on the blockchain and other distributed ledger technologies. A corporate, finance, and securities attorney, he is most well-known for his expertise in alternative finance, including EB-5, venture capital, crowdfunding, and initial coin offerings (ICOs). He is a co-founder of VerifyInvestor.com, the dominant accredited investor verification service in the world and a founding shareholder of Homeier Law PC. He is an expert on attracting and verifying accredited investors. Within the crypto space, he's most passionate about securities regulations affecting tokens, identity for regulatory purposes vs privacy and anonymity, and cross-ledger or cross-chain technologies.


VerifyInvestor.com is the leading resource for verification of accredited investor status as required by federal laws.

Sean Franklin - Owner/Founder of Franklin Cyber Risk Consulting LLC


Sean Franklin is the owner/founder of Franklin Cyber Risk Consulting LLC based in Scottsdale, Arizona helping clients develop strategies to successfully mitigate cyber risk. Sean is also chief advisor to the founder and the CEO for Cyber Strategy at NC4 focused on advancing community defense and threat management automation strategies for critical infrastructure. Sean is the former Vice President of Cyber Intelligence & Threat Management at American Express where he led an organization focused on integrated, proactive cyber threat mitigation activities including cyber threat intelligence, advanced red teaming, enterprise cyber exercises and quantified cyber risk management practices. Sean also led the industry engagements portfolio to help create and drive information security standards and policies at national level. He is currently a board member of the National Cyber Forensics & Training Alliance (NCFTA), a former board member of the Financial Services Information Sharing & Analysis Center and led efforts at the Financial Services Sector Coordinating Counsel (FSSCC) for American Express. Sean continues to be an advocate in supporting and advancing public and private sector collaboration around information security. Sean is a certified CISSP with ISC2, Six Sigma Black Belt, ISACA Certified in Risk & Information Systems Control (CRISC) and formerly a Certified Information Security Manager (CISM).

Linda Lerner - Partner, Crowell & Moring LLP


Linda Lerner is a Partner in the Corporate, Financial Services and White Collar & Regulatory Enforcement groups of Crowell & Moring LLP. She has extensive experience with regulatory and compliance issues relating to broker-dealer registration and compliance, municipal advisor registration, public and private securities sales, market making, and market structure issues.

Prior to joining Crowell in 2011, Ms. Lerner spent seven years at Debevoise & Plimpton as broker-dealer regulatory counsel. Ms. Lerner also served for 12 years as General Counsel at Domestic Securities, Inc., a registered broker-dealer, where she focused on a wide range of broker-dealer regulatory and compliance issues. During this time, she served on several NASD and Nasdaq committees, including the Membership Application Review Committee, the Market Operations Review Committee and the Trading Rules Subcommittee of the Quality of Markets Committee, and was a frequent lecturer on regulatory and market structure matters. Before joining Domestic Securities, she spent 15 years in private practice, working as an associate and a partner at New York law firms.

She received her J.D., magna cum laude, from Brooklyn Law School, an M.S. in Social Work from Columbia University and her B.A. from Brandeis University.


Transcript

Linda Lerner:

Good afternoon everyone. We’re here to talk about some operational issues involved in selling tokens and in trading tokens on the secondary market, but before we get to the operational issues, I want to give you all a little basic vocabulary. What’s an exchange? According to the Securities Exchange Act definition, an exchange is a venue where multiple buyers and sellers can meet to buy and sell securities. So, if you only have one person on the buy side, you don’t have an exchange, you have a market maker. Exchanges can be registered or unregistered. So, for example, the Boston Stock Exchange is a registered exchange. An unregistered exchange is an alternative trading system. I’m trying to give you this secret vocabulary. What’s the difference between the two? Other than you have to go through a big registration process with the SEC. A registered exchange governs all behavior of its members or subscribers. Whether on or off the exchange. And all of its rules are subject to SEC approval. All. Every time they change a rule, they have to go to the SEC, it has to be published for notice-and-comment and eventually it gets approved.

An alternative trading system has an easier life, in a way. Because it only governs the exchange of its members or subscribers. It only covers the behavior of its subscribers on the exchange. Not off the exchange. So, if a subscriber’s employee is doing something crazy but not on the ATS, the ATS doesn’t have to worry about it. Also, an ATS does not need SEC approval for minor rule changes. Only if they materially change the operation of the ATS. Why are we involved in all of this compliance business? Because an alternative trading system has to be operated, and I think most, except for Ralph’s, are going to be alternative trading systems. Because they can only be operated by broker-dealers. And when you ... So, the first thing you have to do is become a broker-dealer. Which immediately subjects you to a ton of rules and regulations. You can expect ... The process itself to become a broker-dealer is lengthy. FINRA, which governs the process and gives the approval, has 180 days from the time you submit your application to approve it or disapprove it. It takes at least two or three months to prepare the application properly. If you send in an application that is not substantially complete, it’s missing lots of stuff, FINRA is going to tell you it’s not substantially complete. You’re out the door and you’re going to have to start all over again.

What does that mean? That means you need very competent counsel to help you with this process. I know we ... All the panelists keep talking about get good help. You need to get good help. It’s a complicated process. With tokens the process was changed a little bit. Usually the SEC approval happens automatically. Not with tokens. With tokens, FINRA sends you immediately to Trading and Markets at the SEC. Which will have a ton of its own comments on your application. And the SEC is going to worry, not just about the normal things that broker-dealers have to worry about like supervision and good compliance policies, and record retention, and surveillance to detect manipulative activity. Which, using Bitcoin as an example, where most of the activity is controlled by 12 people, is a problem. But they’re also going to look at special things, uniquely difficult in the token world. One of those is cybersecurity. And I will tell you from my personal knowledge, that there is no one at the SEC or FINRA who is tasked with worrying about what specifically about cybersecurity, with a token overlay, has to be paid attention to.

So, we are going to set the best practices for the regulators. We’re all going to work hard at that. To get them to be reasonable and right. Every broker-dealer is required to have a robust cybersecurity policy. And Sean is going to tell you what one looks like. In a primary offering or a secondary offering, in many of the exemptions from registration, the investor has to be an accredited investor. An accredited investor means the person meets certain financial tests. More or less knows what they’re doing. And Jor is going to tell you more about what Verify Investor does, and what he thinks about when he goes through the process of figuring out whether or not someone’s an accredited investor. You are in ... If you go the ATS route, or even just apply to be a broker-dealer so you can collect commissions on offerings. You’re in for a wild ride. And you’re in for much more regulation than I think you imagine could be possible. And you’ve heard about that all morning. So now I’m going to turn to you, Sean. And we’re going to start by talking about two things. What does a regular, robust cybersecurity policy look like? Starting with risk assessment through the incident response team. And all the steps in between. And then I’d like you to address what’s special in the token world.

Sean Franklin:

First of all, thank you. For that, I will do my best, see if I can’t package all of that up, right into something pithy, but from an information security program perspective, I think one of the most important things that I could say to kind of distill it down to the essence, is companies are responsible for protecting the confidentiality, the integrity, and the availability of the information and the assets that you have a fiduciary responsibility to protect. That means your clients’ information, your company’s information, your employees’ information, your customers’ information. So that CIA triad is probably the easiest way to describe what an information security program’s responsibility is. Confidentiality, integrity, and availability of the information and the assets that you’re responsible for. Now, how do you do that? There are all kinds of frameworks and controls standards and things to kind of pick from, use, and build into a comprehensive information security program. But in the financial services industry, or the sector, I think the most complete expression of what’s required or what’s recommended in terms of information security is in the FFIEC’s handbook, that expresses all of the expectations around what financial services companies operating in the sector are supposed to be doing from an information security perspective.

And it forms the basis for the regulatory agencies’ handbook about what they’re going to come in and audit you against. And that’s one important thing. At the state level you’ve got the Department of Financial Services, which has introduced additional, I would say recommendations and requirements, around information security. One of the things that was unique about what the New York DFS actually recommended was a company must have a chief information security officer. And that Chief Information Security Officer must attest annually to the fact that the information security program exists. That the resources that are hired are qualified resources. That they get additional certification and training. To try to maintain their proficiency in executing their tasks under an information security program. And then attestation and certification then come from the leaders above the CISO as well, the Chief Information Security Officer. So yeah, there’s a lot of things that you’re expected to do. It’s impossible to cover them all right now. But one of the things that I wanted to express here, when it comes to security tokens, I’m not an expert in the space. I feel like a foreigner. And I’ve been learning a lot of new language today.

Even though I’ve worked in the financial industry for about 20 plus years. It’s been in information security mostly. And so, the question I had, as I’m listening to this and learning all of this new language and really being wowed by the quality and expertise of the panelists so far, which has been terrific is, you know, why is this important? I think everybody intuitively knows why this is important. But one of the things that I wanted to kind of highlight, this is something new, and I’ve heard today many times that this particular space is expected to really explode. And the amount of money flowing into this and the amount of money involved is also going to explode. And I will tell you, that cyber criminals and rogue nations love you. When you talk about the types of dollars, the amount of money that you’re talking about. I’ve heard the T word used, you know trillions of dollars. You’re well-loved and you are a juicy ripe target for actors that are very bad, who also want to be a part of your success, right?

I’ll give you three quick examples and then I’ll explain why I think these three examples will highlight the importance of this community understanding the threats and attacks that are likely to be stacked against you, that already are stacked against parts of this ecosystem. In 2009, the Royal Bank of Scotland lost $10 million in an ATM, automated teller machine cash out attack. The attack took place in 20 different countries. Over a 72-hour period. Using I think, 28 accounts that were compromised. And the attackers had modified the ATM withdrawal limits to set them really high. So that a lot of money could be taken out in such a short amount of time. And then restored those limits back like nothing ever happened. And then tried to wipe logs and things to basically erase the fact that they were ever inside RBS Worldpay Systems. So that’s in 2009. In 2013, Bank of Muscat, out of Oman, suffered a $40 million ATM cash-out attack. Again, in about 25 to 28 different countries, in a 10-hour period. So, this is four times the amount of money lost in the RBS Worldpay attack. And they did it in a fraction of the time. So those are two examples of the same type of attack relatively speaking. Where their attackers got very good increasing the scale and decreasing the amount of time that it took to actually execute what they executed and get the money out.

The last attack I want to point out briefly is the Bank of Bangladesh was about to lose a billion dollars. Except for a particular error that was caught by somebody at treasury. They limited the losses to $81 million. Supposedly it was North Korea. So, this is a rogue nation potentially behind this attack. It could have been a billion dollars, is what the instructions were. In terms of moving money out of the Bank of Bangladesh into a whole series of banks globally, they were being staged for that purpose. The speed and sophistication of that is something that leaves you hopefully not scared, but challenged to say, how does a company not become a part of an information-sharing ecosystem to understand what’s happening to other peers in their industry and use that knowledge to be able to do the things that they need to do to protect their company.

Protect their brand. Protect their clients or their customers and their assets. So, you heard Aubrey talk this morning about the creation of a working group for the Security Token Academy, to really understand and flesh out what is the right form for operators in this space to understand the threats that they have. To share information about the things that they’re discovering. And then use that knowledge to protect yourselves in a way that you’re trying to get ahead of the threat as much as you can. In addition to all the other things that you’re going to be compelled to do for information security.

Linda Lerner:

And you will be examined on them by FINRA. So not only do you have to have a plan, but you have to have implemented the plan.

Sean Franklin:

Right, so you can’t escape it. But you can embrace it, right? And so, this is where I think in this community, you’ve got a number of peers that are very sophisticated operators both on the technology side as well as the financial side. You do have a unique capability I think to create a community where the information about potential attacks that you can service and share with each other, can be turned into practices that could be innovative and leading in and of themselves. In order to protect the sanctity and the integrity of this ecosystem.

Linda Lerner:

You’ve talked about threats from bad actors and rogue nations, but what about the stupid human problem?

Sean Franklin:

I will put myself in that category. I’ve done things I probably shouldn’t have done from a cyber perspective, that have cost me at some point. I don’t like to say stupid human, but I would say the human that isn’t on guard at some point in time, right. And so, whether these are individuals within your company that are trying to do the right thing, but they’re not paying attention to something where they’re being asked to do an illegitimate function, that appears to be legitimate. A recent example of this phenomenon is called business email compromise. And this is where an employee is apparently told by the CEO or the CFO to transfer money from our account to this account in order to pay this vendor. Turns out that’s a fraudulent request. It doesn’t come from the CSO or the CFO or some other real person in the company. But their email account has been compromised and now somebody’s being instructed to perform a wire transfer, right? So, the human, I wouldn’t call them stupid, but they’re being duped and they’re not paying attention, I think, to subtle cues that might say that’s not really a legitimate request, or maybe I should ask.

Linda Lerner:

So, staff training is one of the most important things that you can do. And you can’t make it boring because people won’t pay attention to it if you do. What kind of assessment do you have to do initially? What things do you have to look at?

Sean Franklin:

So there are a number of great tools and frameworks to use in terms of assessing what your risk landscape looks like from a cyber perspective, right. So the National Institute of Standards and Technology, NIST, really has a lot of great tools that can be taken right off the shelf and deployed for these purposes. So, doing a risk assessment, about the types of threats and where those threats are really directed towards your business. Understanding your business, how it operates. And most importantly the things that you consider to be your proverbial crown jewels. What is our most important data? Where does that data reside? Who has access to that data? Who’s allowed to do something with that information? And are we protecting all of the parts of the chain where that data, the most important information, starts and ends and each in between. Understanding and mapping out the information flows for your company and your operational processes is critical to understand where you might be vulnerable. And the technology that is used for those purposes might be most vulnerable. And ensuring that you’ve got the right set of controls in place to make sure that you can either detect, prevent or recover, restore and recover, from things that actually threaten or compromise the information that you’re trying to protect.

Linda Lerner:

What about outside vendors who often have your information? FINRA requires that you do due diligence on your outside vendors. What kind of due diligence should you be doing?

Sean Franklin:

Right. So, third party risk management continues to be, I think, a very challenging space in terms of understanding and managing risk. Because if you’re, especially if you’re ... Like when I worked at American Express for 20-plus years, at some point we had 10,000 plus vendors, right. And so, understanding the risk that any one of them represents can be challenging. Understanding the individual and collective risk that all of them might represent. It’s damn near impossible, right.

Linda Lerner:

But FINRA thinks if your vendor messes up, it’s your problem, not the vendor’s problem. You’re going to be held responsible as a firm.

Sean Franklin:

Right. When really, I think it’s a shared accountability right. And so, there are a number of things and solutions that have come into the marketplace to try to address third party risk. So, you have services like Bit9 and SecurityScorecard and CyberGRX. That are trying to provide scale in assessing all of the third parties that you might use. Whether they scan their environments and determine the presence of vulnerabilities and say they’re not securing all their stuff. You should flog them some way right. Because you’re buying stuff from them. CyberGRX is a slightly different model, where they’re trying to create a common assessment baseline for how third parties or the largest third parties that pools of companies actually are buying services or products from.

And then assess them once, and use that assessment across the multitude of buyers, to give them a sense of their proficiency in managing their own information security programs. But these are nascent. It is still a challenge. And the best that I could say is when you’re contracting with a third party you do have leverage there in terms of determining what the consequences are of failing to secure the environment and protect the information that is yours, that they’re responsible for interacting with in some way, shape or form. And creating those disincentives from a contractual perspective. Those conversations have tended to be, I think, fruitful. They may be painful, but again you have positive and negative levers that you can employ through the contract and face potentially to try to reduce your risk with third parties.

Linda Lerner:

What advice would you give to firms starting down this venture, and a second question is, tell us about information sharing. NC4 has a special interest in information sharing. Could you talk a little bit about that?

Sean Franklin:

Well, NC4 has provided technology and services and capabilities to a number of different information sharing communities. And matter of fact, in some of the information from regulators there’s this recommendation to be part of an information sharing community. So that you understand what’s going on with your peers and you can share what’s going on with you with them. So that this community defense concept is, if we’re all talking to each other about the things that are hitting us and that we’re dealing with, then somebody’s pain point can become somebody else’s prevention. So, the Financial Services Information Sharing and Analysis Center is mentioned repeatedly in a number of recommendations. Whether it’s from the FFIEC, even the New York DFS identifies the FS-ISAC as one potential information sharing community. There are others like the National Cyber Forensics & Training Alliance. NC4 has provided capabilities for information sharing communities to be able to collaborate and share information.

Linda Lerner:

Why is it important?

Sean Franklin:

Well, the information sharing and analysis centers were originally kind of codified in a presidential policy directive in ‘98 or ‘99. And the FS-ISACs were focused on critical sectors. Critical infrastructure sectors. Like energy, defense, financial, power, right? So, the FS-ISACs were kind of established and codified there as critical infrastructure sectors. And why it’s important is because those sectors represent the engines of economic opportunity for the United States, but they also represent potentially the points of greatest vulnerability. And so NC4 being a provider of capabilities and solutions to these critical infrastructure sectors, to allow them to understand, find, share, and take action on those threats that are attacking some peers in your community, is important. You have to have something that powers that conversation, that dialogue, and that collaboration. But NC4’s been very focused on protecting critical infrastructure now for a number of years. And they’ve been an important part of the technology landscape for, again, some of the most important sectors out there.

Linda Lerner:

So, before we turn to identification, are there any last points you want to make?

Sean Franklin:

Again, I use the RBS Worldpay, the Bank of Muscat, and Bank of Bangladesh, really as just examples to say why it’s important. Everybody understands why it’s important, but really more importantly, what’s at stake. And the fact that attacks, and the attackers are very capable. They’re very sophisticated. And they’ve got entire criminal infrastructures and national infrastructures to be able to do a lot of damage and capitalize off of that fairly rapidly. And so, the speed at which an attack could be conducted, and the gains taken by the attackers is unprecedented. And so, the way you try to get ahead of that and understand that is really by understanding and talking and collaborating with your peers. And your peers will tell you more, I promise this, your peers will tell you more about what they’re seeing and the types of threats that they’re facing, than any government agency will be able to do.

This I promise. So, the last thing I would leave you is, where government agencies come into play here, is when you’ve got a threat, or you’ve experienced some very real, painful attack. There are tremendous resources in law enforcement that can be drawn upon to help you through that process. Now all of you may, potentially may be required to file suspicious activity reports, when there’s money laundering and other things that are taking place. But through Treasury, through the FBI, through the US Secret Service and other entities there’s a tremendous amount of capabilities when it’s time to pursue and prosecute.

Linda Lerner:

I would particularly emphasize the FBI. Which is always ready to hear your story about what happened to you, and to jump in and do investigations. Not like you’re going to find out exactly what they’re finding out, but they’re on it.

Sean Franklin:

Right.

Linda Lerner:

So, let’s turn to identification. Jor, tell us what you do and why it’s important.

Jor Law:

Yeah, so Verify Investor plays into an accredited investor verification space. So, when investors are investing in these securities offerings, they may be required to be verified as accredited investors. And that’s kind of a painful process. So, Verify Investor is one of the dominant providers of this service. Now in addition to the accredited investor verification service, of course there’s AML KYC, which we do not do, but we’ve kind of had to enter into those discussions because anytime you talk about identity, you know, on a blockchain, there’s a couple ways you could break it down, right? There’s the identification of the person being who they say they are, right? If someone online is investing in your offering, and they say they are, you know, John Doe, you have to verify, you know, is this actually John Doe, right?

That’s one form of identification. Then beyond that there’s knowing who John Doe is and whether John Doe is on some sort of sanctions list or prohibited list, or bad actor list, and things like that. And that’s another form of AML KYC. And then you’re looking at qualifications that might be imposed either by the issuer themselves or by securities laws, such as the accredited investor verification. So, when you’re looking at identity ... When people talk about identity in this space, they’re really talking about all three of those things, wrapped up together as one concept. But they’re actually, sometimes, done by multiple different parties. So that’s kind of the space that we’re talking about with identification.

Linda Lerner:

And what kinds of things do you look at? And how do you figure out if somebody’s an accredited investor or they aren’t?

Jor Law:

This is interesting, right? Because, you know, in this space you’re always trying to balance some respectable amount of privacy with regulation and compliance. And frankly in the regulated space you can forget about the privacy. The regulators are going to want you to know who you’re doing business with. There’s just no getting around that right now. Maybe in the future there’ll be other options, but today they really want to know who you are, who you’re doing business with, and things like that. Now one of the common requests we get, and anyone in this space has probably dealt with this, is that everyone loves to do business with just an Ethereum address. I can’t tell you how many hundreds of times I’ve heard someone say, here’s an Ethereum address. Tell me if it’s whitelisted. Can this person buy or not? I don’t know what person that is. And it’s important to understand the difference between, like, an Ethereum address and something like a bank account number, right? When I go to a bank, it’s centralized. If I go to a bank, the first thing they do, after they get my application, they get my ID, they check who I am, they run me through all the screens. Then they assign me a centralized bank account number. They know that that bank account number is mine. Short of the account getting compromised.

And in the background, they’re consistently running checks on me so that they know if I end up on some prohibited lists, right? With Ethereum, it’s not quite the same thing, right? Like I can go and create an account, and just later say, oh, this is my account. But you can’t guarantee that that’s always my account. So, when you’re talking about identity verification. You’re looking at ... Really what the regulations want, is they want people to know the person that they’re doing business with. That a person or the legal entity ... Not an address, right? At some point someone can say, like, okay, I verified this person and this person has shown me reasonable evidence that this address is registered to them. Or they say it’s registered to them. But you can never really at this moment eliminate the personal identity away from that. And that’s really important, because I think a lot of people are trying to get to this Holy Grail, where if you have this one address, then suddenly everything’s fine. And right now, the way Ethereum is designed, you just can’t get there. There’s ways maybe you could develop a new protocol that might make that easier, but you can’t really get around that. And I’m not sure if you have ... I know we talked about this. I don’t know if you have additional thoughts about that?

Linda Lerner:

Yes, well, when you get into the world of anti-money laundering, it’s not possible to do what you’re required to do by the Treasury Department. All broker-dealers and certain other financial institutions must follow Treasury Department rules about knowing whom they’re dealing with. So, for example, there are lists that are published, Specially Designated Nationals. You can’t deal with them, or if you get their money, you may have to hold on to it, and won’t be able to give it back to them. There are certain countries where you can’t deal with citizens or residents of those countries. There are other countries where you have to have heightened due diligence on people from those countries. If you deal with somebody who’s on a list that you’re not supposed to deal with, there is absolute liability. No excuses whatsoever are acceptable. And you will be sanctioned very heavily for having that person as a customer. So, no, an Ethereum address just won’t work. Because if that person is on a list, you won’t have found out if the person is anonymized.

Jor Law:

Yeah.

Linda Lerner:

You could rely, if you have a reliance letter, on some other regulated entity to say to you, well Mr. Smith, we ran him through all of the checks and they’re okay. And that’s called third-party reliance, and you’re allowed to do that, but it’s got to be documented.

Jor Law:

Yeah, and one of the problems is that, you know, when you’re looking at these identification programs and standards, you have to think about what’s standardized or not, right? I happen to be fortunate that Verify Investor plays in a fairly standardized methodology, right? Rule 506(c), and the SEC has released reasonably defined guidance on what would qualify as a safe harbor. So, if one person does it correctly and there’s evidence they’ve done it correctly, now there’s no need to kind of repeat that process. But you’ll notice, like, right now, if you go and open up an account with E-Trade or you go open up an account with Fidelity, and you open up an account with Citibank, then you go to Wells Fargo. They’re all going to kind of do their AML KYC on you. They’re not going to share their data unnecessarily with each other, and say, okay, well, Wells did it, now it’s fine for us. And part of the reason for that is each institution may have their own methodology as to what they believe is their standard for AML KYC, and that hasn’t been standardized across the industry quite as much. So that’s something to look at, because it goes back to the whole, you know, can you whitelist my Ethereum address?

It comes back to ... Well, there is the industry player that has the primary responsibility and the liability. Are they going to be comfortable with the fact that someone else has done that or not? And for those of you who are doing STOs, and you’re going to be looking at AML KYC, what you’ll find out is, if you use any of the traditional players that you see in the ICO space, like Confido, Trulio, IdentityMind, these types of folks, they won’t tell you what screens to run. They’ll say, hey, talk to your lawyers, or talk to your AML KYC BSA compliance provider, and they’ll tell you what you should run. We will run the screens for you; you tell us which ones you want to run. So, it’s possible that two different issuers with the same lawyer and the same KYC AML software provider end up with completely different results.

So that’s something to understand. And depending on which service you use also, if you’re running 10,000 people through that program, you’re going to get a certain percentage of yes, a certain percentage of no, and then a bunch of grays, where you’re really going to have to look at them closely and come to your own determination whether they are approved or not. Unless, of course, you just trust your third party to say yes or no throughout all the grays. So that’s a real problem, because if you’re getting such different results among so many different issuers, it’s hard to kind of have one centralized system where everybody kind of says, oh, they’ve passed here, therefore they’re always going to keep passing.

Linda Lerner:

Before we close, Sean, we didn’t talk about encryption. So, you’re going to get intruded on; people are going to cross your moat and get in. They’re just going to. If you think they’re not, you’re wrong. Let’s talk about locking up the crown jewels.

Sean Franklin:

Good, proper encryption, and also all of the management that comes along with encryption. Key management, right? What is your key management strategy, your key generation, archival and deletion strategy? That’s key. So just having a big, long, strong key isn’t enough, right? But encryption absolutely is one of the most useful tools for protecting information that is taken, because if it’s encrypted, and in a format that is unusable to a nation-state or criminal actor, it’s of no use, right?

Linda Lerner:

Imagine if you had one key for everything and somebody got it.

Sean Franklin:

Yeah, don’t do that.

Linda Lerner:

Don’t do that. One of the things I was going to touch on, just to get back to Jor’s comment on identity. Just knowing the types of criminal actors that I’ve followed and paid attention to over the years, it would not surprise me to see a criminal actually represent themselves fraudulently as two different individuals in this ecosystem: one as a buyer, or maybe a set of buyers, and one as a seller. A buyer and a seller, and understand how your transaction life cycle and every step that takes place is actually done, and what it’s done on. So I can find weak spots in how this buying and selling, and everything that happens in between, is actually done, so that I can figure out a way to exploit it. I think that’s a very real possibility.

Jor Law:

Yeah.

Linda Lerner:

So, we’re out of time and I’m sorry that there’s no Q&A, but we’re all available after the panel if you want to approach us and ask us any questions.

Sean Franklin:

Definitely.

Linda Lerner:

Thank you for your time.

Sean Franklin:

Thank you.