Podcast | Risk Advisory & Cybersecurity

LISTEN NOW

If you are unable to access the podcast below, look for PBMares AdvisoryWatch on Spotify.

Learn more about Risk Advisory on our website here.

Transcript

Andrea Sardone
In today’s world, nearly every organization faces some level of uncertainty, from cyber threats to market fluctuations to operational disruptions. The COVID-19 pandemic ushered in a new level of uncertainty, forcing businesses to not only plan for survival, but to be competitive in the face of increasing risk. Our episode today is part of a series on a burgeoning area of work called Risk Advisory.

During this series, we’ll dissect what risk means to businesses and organizations with a team of PBMares experts who will help you turn risk from a foe to a force for growth.

With us today is Antonina McEvoy, a partner at PBMares and a co-leader of the firm’s Risk Advisory Services Practice. Nina specializes in cybersecurity, data protection, privacy, and compliance frameworks. During her 14-year career, she has performed numerous cybersecurity reviews, business controls mapping, and compliance audits and readiness assessments for numerous frameworks. We will get to those later.

Nina has led the firm’s efforts in providing solutions to clients who need to strengthen their business and cyber resilience infrastructure to be competitive and thrive. Thanks for joining us today, Nina.

Antonina McAvoy
Thank you for having me.

Andrea
This is an interesting topic for those listening. Nina and I work together a lot and I’m always fascinated with the types of work that she does. I always kind of ask her all sorts of questions and we have great conversations so I’m excited about this one today. So Nina, every time I pick up the newspaper or turn on the news there’s a story about another cybersecurity on a business and I did a little research and learned that cybercrimes in 2023 rose 78% over 2022. Can you give us an idea of what’s happening? Why is there such a huge increase and it continues to increase?

Antonina McAvoy
Well, first and foremost, I think we have to really acknowledge the ever-changing digital landscape. As technology advances, so do the tactics of cybercriminals. From a sophisticated phishing scam to more of the complex ransomware attacks that we’re seeing out there, cybercriminals are constantly finding new ways to exploit any vulnerabilities in our digital systems.

And it really started, you know, with the COVID-19 pandemic playing a significant role in exacerbating this trend. We had clients in March of 2020 buying the last batch of laptops before their suppliers shut down operations. But with that rapid shift since 2020 to remote work and more online activities, more web meetings, organizations and individuals are all becoming more of a prime target for cyber attacks. And it’s this sudden transition that I believe has caught many folks off guard, not only personally, but also with their businesses. And it’s leaving gaps in cybersecurity defenses that cyber criminals are quick to exploit. I also think the rise of interconnected devices through the internet has expanded the attack surface for cyber criminals.

We’re seeing more devices connected within businesses to the internet than ever before. And each one of those representing a potential entry point for a malicious actor. Another factor we’re seeing also is contributing to more of the surge in cybercrime is an increasing sophistication of those tactics from cyber criminals. The criminals are operating really like well-oiled machines and leveraging advanced tools and techniques to bypass security measures and evade any detection. There’s from the dark web, there’s plenty of different online platforms that give folks plenty of tools to leverage for any of their attacks. And they help cyber criminals understand how to exploit the any vulnerabilities that are out there.

So you have nation state sponsored attacks to really cybercrime as a service, which means that the landscape of cyber threats is even more complex and even more challenging to combat. So with that underground economy, the cybercrime world has flourished and it’s providing cyber criminals with a thriving marketplace to really buy, sell and trade stolen data. It’s the new eBay and exploit kits.

This underground economy, it’s fueling that life cycle of cybercrime, which makes it a more lucrative endeavor for everyone involved. But that also means that there is an issue of cybersecurity awareness and preparedness. And many organizations and individuals, they just don’t, or they really underestimate the importance of cybersecurity measures, or they’re failing to prioritize them until it’s too late.

So we really tried to take a proactive approach with educating and helping organizations with what they have invested in for their defenses, where there are gaps, and where they can improve upon to become in line with best practices.

Andrea
Well, it didn’t even occur to me with these nation states, it’s big business. I found a data point here from Venture that global cybercrime is supposed to grow in the next five years to almost $10.5 trillion. And it just seems like it’s just so out of control. And so, what’s a company to do? This is what you do. So, tell us about how to get ahead of this.

Antonina McAvoy
Well, the financial toll on businesses just can’t be overstated here. Cyber attacks can result in significant financial losses due to data breaches, and not just data breaches, but also theft of intellectual property, disruption of operations, and any remediation efforts that have to go into remediation, building back, disaster recovery. So when you think about the small or medium-sized enterprises, or the mom and pop shops in particular, these financial setbacks are devastating, potentially even leading to bankruptcy or closure. So it’s not just about the bottom line.

The reputational damage that is inflicted by cyber-attacks can be equally, if not more, detrimental than the financial loss. So, a breach of sensitive customer data really erodes the trust factor, the confidence in that brand that the business has built over the years. And it leads to a loss of customers, and it tarnishes their reputation for years to come. If a customer can choose between a company that’s been breached and another company that has strong security measures in place, they’re most likely going to pick the company that has strong security measures in place.

One could argue though that if someone has been breached, you would think that they’ve then put in a slew of different internal controls and cybersecurity measures and are even more secure. But certainly, cyber insurance companies don’t always think that way and the premiums go up. So, it’s rebuilding that trust once there’s been a breach that many businesses struggle to achieve.

So first we have that bottom line, the significant loss, and then we have the reputational damage. So, the ripple effects of cybercrime extend beyond just individual businesses to even a broader economy. And when businesses are targeted and they’re compromised, the repercussions are felt throughout supply chains, impacting suppliers and their partners and their customers. And that interconnectedness really underscores that urgency for collective action to fortify the cybersecurity defenses and mitigate the risk of cyber-attacks. So there is also that human cost to consider because beyond just financial and reputational implications, we have to look at the cyber-attacks and how they have such a profound personal consequence for individuals.

Because if I am the individual whose data has been compromised inside of one of these big company data losses or data breaches, or even small and medium-sized data breaches. Those individuals whose personal and their sensitive information is compromised, they have to deal with identity theft and potentially even emotional distress. So, the human toll of cybercrime can’t be overlooked – either global cybercrime costs that you mentioned for 10.5 trillion over the next five years, it’s an important reminder of really a huge impact of cyber-attacks, not only on businesses, not only on organizations, but society at large.

It’s imperative for businesses to prioritize cybersecurity because it’s a strategic imperative. It’s an investment in robust defenses the ability to continue to collaborate with stakeholders, with customers, with investors, to really build that resilient and more secure digital ecosystem that everyone benefits from, except for the cyber criminals.

Andrea
Yeah, we don’t want them to benefit. So we are fortunate at the firm. You have partnered with two others, JJ Edmonds, another partner, and Bronach Brannon. Both have been on the podcast and will be dropping those episodes. So you work with both of them in this whole area of risk advisory.

So those services are meant to deal with the threats you just mentioned. Your area, in particular, cybersecurity, it’s a really big umbrella. And in the intro, I mentioned these frameworks. So I want you to give us a quick summary or quick explanation of these frameworks and a little bit more about specifically what you do with your other two colleagues.

Antonina McAvoy
Sure, so cybersecurity is definitely a vast and multifaceted domain. We look at a wide array of different services and specialties. And at the heart of our work in risk advisory services is really that mission to identify, analyze and mitigate cybersecurity risks to protect our clients’ assets and sensitive data. So, we do that in a number of different ways through compliance.

We help companies meet their contractual compliance obligations with their customers. We also help them meet any compliance with any regulatory frameworks or industry standards. That is really through a number of different types of frameworks. We look at HIPAA, we look at HITRUST, we look at PCI. With some of the Department of Defense contractors and subcontractors, we look at CMMC, which is the Cybersecurity Maturity Model Certification.

We also look at NIST and COVID and FFIEC for some of those financial organizations. But every single day there’s different frameworks that are popping up. And so we expect more and more frameworks to continue to come to light, to address different risks in different industries. These frameworks all provide essential guidelines and requirements for safeguarding data privacy or protecting against cyber threats.

And so they’re really helpful to companies to help get into best practices and maintain that regulatory compliance.

Andrea
So HIPAA HITRUST, our healthcare information, is secure. So these are sort of those reassurances that the companies that we transact with every day have the necessary securities in place so our data is safe, right? I mean we use a credit card so all of those things that we’re doing digitally, or in person, you’re giving data away. This is what this is what you do you go to ensure that the right Securities the right Controls are in place to take care of this. Am I right about that?

Antonina McAvoy
Yes, our work really is offering a comprehensive range of different cybersecurity and risk advisory services that are tailored to understand a company’s goals. Where is the company trying to get to in the next three to five to ten years and how do they achieve that? If it’s through making sure that they are able to provide, for example, SOC 2 reports over the security of the controls in their ecosystem so that more and more of potential customers are comfortable with the data inside of their organization, which then helps them meet their business growth objectives.

That’s where we want to help our clients. If it’s a new company that’s coming to us because they’ve just encountered a cyber security breach or there’s a threat that they’ve identified internally, we help them identify those different deficiencies or gaps they have in their environment that they can focus their attention to because a lot of the times it’s just there needs to be a third party that comes into play where you’re able to identify the issues, communicate those effectively and help stakeholders make the right decisions.

Andrea
So you mentioned the word compliance. There are certain laws people have to follow. That’s what you mean when you say compliance. And there are regulations. Is it fair for me to say that you ensure that people are in compliance, but you also are getting a business into a more competitive space? Like you said earlier, if I have a choice between a company that doesn’t really protect data and a company that does, I would most likely go to the company that does. So your role is both defense, but then also offense, right?

Antonina McAvoy
Right. And I would say our goal is to really empower organizations to meet their business goals and also build resilient cybersecurity postures that protect against current threats, but also anticipate and adapt to any emerging threats in an ever-changing digital landscape. We see a lot of times companies that come to us and there’s always a lot of discussion around what is the need? What are they trying to achieve? One story I would love to tell is with one of the newest frameworks, cybersecurity maturity model certification that the Department of Defense put out there. It’s not new, it’s built upon NIST and it has a lot of the same controls. It’s separated into three different levels. The premise of it is still the same as the NIST special publication 800171, which has been around for years now. And the difference is the old publication, which is still around so it’s not really old, allowed companies to self-assess themselves.

And then what you had is two companies, Company A and Company B, coming with their own self-assessments. And Company A might have had a lot of deficiencies identified in the control framework. And their plan of action and milestones, which we consider the plan of the future, what are your issues and how are you going to target remediating them? They might have a very large plan of action and a lot of deficiencies.

Whereas Company B might not have many. And if you actually did a third-party assessment, you might find that Company A was in much better shape from a cybersecurity perspective than Company B. But on paper, it looked like Company B was much better and stronger from a cybersecurity perspective. So we’re seeing a lot of frameworks now that are out there and they’re available to companies to help them get into minimum best practices, but we’re also seeing more stringent requirements from regulatory bodies that are saying, hey, look, in some regards, you can do self-assessments, but when it becomes even more impactful to other organizations, we need to see those third-party assessments. We need to see a third-party independent assessor do a review. We cannot just use a self-assessment anymore.

And so that’s where our team is coming into play. And we’re really able to help companies do that third party independent assessment, give those observations and recommendations, and help them become in compliance so that they can go after contracts or RFPs that they are looking to win to further their growth.

Andrea
So that I had a question about that, you know, sometimes self-assessment is not enough. And so companies have kind of an internal secure IT security departments. And so what’s the difference? I mean, is that sort of the self-policing mechanism, but then you really need you guys to come in as that sort of independent third party that steps back and looks at things with a completely different lens.

Antonina McAvoy
Yes, I would say cyber risk advisory consulting and internal IT security teams within a business serve very distinct roles in managing cybersecurity risks. The cybersecurity advisory risk consulting firms like ours offer that external expertise, provide unbiased assessments and strategic guidance and specialized services that are tailored to industry best practices and regulatory requirements.

And we bring that broad perspective and access to specialized resources that may not be available internally within a business. And in contrast, the internal IT security group will focus on the day-to-day security operations. They’re maintaining the security of the organization’s IT infrastructure and ensuring the compliance with any internal policies.

And while they possess an intimate knowledge of the organization’s systems and the culture, they may face resource constraints or lack of the broader industry perspective that are offered by a team of cyber risk advisory consultants that are external.

Andrea
Okay. I’m following that. So you mentioned CMMC. That is for businesses that want to do business with the government.

Antonina McAvoy
Department of Defense specifically.

Andrea
Is it a requirement yet? I know it’s been sort of a long time coming. If you want to do business with the Department of Defense, you must be in compliance with the CMMC guidelines or framework? Where are things there?

Antonina McAvoy
It’s a good question. It’s certainly an evolving question within that framework. The CMMC 2.0 had some additional updates in Q4 of 2023. So we have not yet seen any direct clients that have had CMMC 2.0 listed within their contracts.

However, we continue to see NIST’s special publication 800.171, which is the basis of CMMC. And so both of them still require a company to have a system security plan, otherwise termed acronym as SSP, or a plan of action, and a plan of action milestones, a POAM.

So we continue to see that requirement inside of many of the DOD contractor and subcontractor contracts. So that is still an area where we continue to assist companies who may not have documented or might need to update their documentation, or maybe they documented it internally and they want a third party to come in and assess. But we continue to do that as a foundation level. And then on top of that, we build on it and do CMMC readiness assessments to determine whether they are in line with the Level 1, 2, or 3 requirements.

Andrea
Are these services only for public companies or private companies? Do you get in trouble if you blow them off, like, oh, we don’t need to worry about that. Or, that won’t happen to us. I mean, are there fines or issues? I would assume if you have a data breach, you could be sued by your customers. But, what happens if you don’t pay attention to this risk?

Antonina McAvoy
It really depends based off of the industry and the framework. So for PCI, the payment card industry, there can be fines. SOC 2 is not a regulatory, it’s more of a contractual requirement from customers and industry best practices. So the risk there is that you’re going to miss out on not having a customer choose to continue to work with you, and if they can choose a competitor that also has a SOC 2, type 2, or other similar framework. So really, if you’re in the healthcare industry and you have the requirement to follow HIPAA or even HITRUST, then there are certainly fines that come along with not adhering to those healthcare regulatory requirements. So it really depends on what space you’re in, but really, it’s following the data, what type of data it is and determining based off the data and industry, what is the applicable framework? And then based off of that, there are specific fines that are out there.

Andrea
Yeah, I would imagine that the cost associated with these protections are kind of pale in comparison to the losses that you’ve listed earlier, the financial reputational brand risk. Is that the right assumption?

Antonina McAvoy
Oh yeah, it’s the proactive versus the reactionary response and within the cyber world. It’s not, I think we hear it all the time, but it’s not a matter of if, but when, and making sure that you’ve put in place the appropriate defenses upfront to mitigate the risk are really important.

One of the areas we see from a number of companies is they will certainly look at cyber insurance policies to help mitigate some of the risk and the impact of any financial losses, but it’s also important to recognize that the cyber insurance policy providers include some minimum best practices within policies and those are crucial to look at to make sure that your company is in compliance with those minimum best practices.

And also to take a look at the limits and the sublimits pages, because you might think you have a $3 million policy, but the sublimits around the cybersecurity, ransomware, some of those other social engineering exclusions potentially, or smaller sublimits would not help cover the impact of a loss.

So it’s really important to look at cyber insurance policies closely to ensure they align with the risk you’re willing to take and that you have the best practices in place so that you’re not deemed negligent.

Andrea
Yeah. So one of the things that you do is actually look at a cyber insurance policy and advise.

Antonina McAvoy
Yes, we will ask a lot of our prospective and current clients to take a look at their cyber insurance policy. Sometimes we’re surprised to find out that there isn’t a cyber insurance policy, more of a general policy that doesn’t really have specific considerations over cybersecurity.

But if there is a cyber insurance policy, we don’t just look at the front cover page or the limits page. We really look at the exclusions and the totality of the policy coverage to better understand what is, or is not, a red flag that we would consider bringing up to management and identifying any of those follow-up questions that we would recommend management ask. And also any considerations where we see minimum best practices that they’re requiring in the policy. Either we’re not sure if they actually have them in place, and just make sure that management’s aware if they’re calling for an incident response plan that they do actually have a formally documented incident response plan and other similar examples to that.

Andrea
So just one more question about cyber insurance. Any sort of guideline of who should have one? Whether you’re a sole proprietor or have a few employees that maybe don’t deal with a lot of data, should you have one? And I don’t want to put you on the spot .

I mean, every situation is unique, but if you’re a $5 million business, $10 million business, and if you don’t have a cyber insurance policy, you need to get one soon. I mean, can you just give kind of a gauge who should really be looking into these and having them?

Antonina McAvoy
Well, any company with higher revenue to really guard against any financial damages that could be brought on by cyber-attacks and data breaches, organizations with high revenue certainly should consider purchasing cyber insurance. But it doesn’t stop at just companies with higher revenue values. Any business that stores or processes any sensitive information should consider cyber liability insurance and consider coverage if necessary.

You store data such as customer names, addresses, social security numbers, medical records, any financial information such as credit card information. It really depends on the data that’s in the environment and also how you’re looking to leverage the policy to mitigate your financial loss because the policy doesn’t help you with reputational loss. That’s something that the company needs to build back up on its own, but the financial loss is what the aim of the policy is looking to mitigate.

Andrea
Okay. So I just want to tell our listeners that on our website, there are several services, several frameworks. We only got into maybe three or four of them right here. So definitely check out our website here on Risk Advisory services if you’re a business that might need some of this guidance. So Nina, the risk advisory services team looks at risk in sort of five different dimensions. What are those five different dimensions?

Antonina McAvoy
Yes, so we approach risk from a holistic perspective and view the world through a lens that really encompasses those five different types of risks, which is the strategic, financial, operational compliance and IT. And each of these risks plays a really crucial role in shaping the overall risk landscape for organizations across different industries. The strategic risk really pertains to the uncertainty surrounding any strategic decisions and the potential impact on the organization’s long-term goals and objectives, whereas with the financial risk is relating to the possibility of any financial loss or any adverse financial outcomes, such as from market volatility or economic downturns.

And the operational risk then looks at risks associated with those day-to-day operations. It could be processing failures or human error or any supply chain disruptions. We then also look at the compliance risk, which focuses on the organization’s adherence to any regulations or laws or industry standards, making sure that there is compliance with those requirements. And then the IT risk is where my expertise also lies just dealing with the threats and the vulnerabilities associated with any information technology systems, data security, and cybersecurity. You might be wondering how all of those fit into the broader risk landscape. From a cyber perspective, it’s not just an isolated concern, but it’s a component of the overall risk management.

Technology is in every aspect of business operations along with financial, operational, strategic risks. And they’re all intertwined. So breaches and other impacts within the market can have far-reaching implications. Helping companies and stakeholders understand the impact of any strategic initiatives or financial stability or instability, their operational resilience, and any regulatory compliance, that’s where we come into play. So as part of that, our holistic risk advisory team, my colleagues and I work to assess and analyze and address any risk within that broader enterprise risk management landscape. But at the core, it’s really listening to the clients needs and helping with the goal and the advisement to provide any of our clients with opportunities to manage the risk proactively.

Andrea
Thank you, it just seems like it’s just such a complete solution. You say holistic. It’s almost like you have a team of doctors, you know, I think we’ve all been in situations where one doctor says this or one doctor says that. And it’s like, can’t they just all talk together? It seems like we bring that comprehensive solution to clients and that’s just really cool the way you overlap and work together.

Antonina McAvoy
Well, one of the areas that I always find fascinating is whenever there’s a company that wants to have a conversation, it’s never the same conversation with any company. Every business owner, stakeholder has a different set of concerns that is facing their organization. And those concerns change from day to day, month to month, or year to year.

And it’s that continuous advisory where companies do well on a day-to-day basis, and they benefit substantially from having that third party that has the industry experience that they’re seeing from many other organizations to come in, assess the needs, the challenges, the risks that they’re currently seeing and work through those, whether it be financial, strategic, operational, cyber, any of the different risk areas.

Andrea
You mentioned something. It’s a continuous process. I mean, it’s not like you fix it and forget it. And like you said at the top of the podcast, these cyber criminals continue to adapt and figure things out. And it’s just a constant kind of pressure that companies  and organizations have to keep an eye on. And that’s where you help them, guide them and you’re on top of things for them.

Antonina McAvoy
Yes. And I think in the coming years, we’re going to see businesses are going to continue to encounter a lot of challenges as the digital landscape evolves. One of those significant challenges is going to be the increasing sophistication of cyber threats and what that means as far as ransomware, phishing attacks, and supply chain vulnerabilities.

And all of those are going to demand defense measures and proactive threat capabilities and a better understanding of how to address those attacks. Whether it be from cloud services because a business has decided to put their systems into a hosted provider or remote work environments, there’s a lot of different ways that threats can evolve and vulnerabilities can come into play.

Andrea
In my research, which is also known as Googling, I’ve found some threats. And one in particular that didn’t even occur to me was this kind of insider threats. So is that a big deal? I mean, like disgruntled employees. I guess I just didn’t even consider the threat there. Is that a thing?

Antonina McAvoy
Yeah, I mean, you could have an example of somebody who’s mistyping an email address and accidentally sending sensitive business documents to another business, or unknowingly or inadvertently just clicking on a hyperlink and opening an attachment in a phishing email that could contain a virus or improperly disposing of any sensitive documents that can be an inadvertent insider threat. But there’s also insider threats of, like your example, where it’s purposeful with folks that have certain access within systems that leverage that access to sensitive information and either exfiltrate it or send it to bad actors potentially selling the information.

There’s a lot of different ways. If there’s a disgruntled employee, we’ve seen examples of customers who will contact us about a disgruntled employee that might’ve just left and they’re concerned about the system access they had and want to know what did they do during those last few days. And so that’s where we then take a look at what is the system access that they had? What should they have had?

Taking a look at the configurations around audit logs, which no one really ever cares about until something goes wrong, whether it be a backup failed and you want to look at the audit log or system access, wanting to understand where somebody went within a system and what did they do, what files did they access, taking a look at the logging configurations and better understanding the path that was followed, the digital trail, we like to call it, is really important in some of those post-incident investigations.

Andrea
Yeah, I think if any listeners and me included, we get kind of irritated when we have to change our passwords to log in, but that’s all part of this, right? Keeping those passwords up to date, changing them. So that periodicity of those changes, those are all part of these controls, right? Those are making sure that you know, you’re following the guidelines, following the frameworks.

Antonina McAvoy
Yes, and we also see a lot of organizations start leveraging different password tools, and also of course, multifactor authentication tools that can help reinforce strong authentication methods.

Andrea
I’m reminded of this almost every day when I log into Google and then I get something on my phone that says, was that you? So I think this is something that’s just going to be with us now. This is just what we do now. We understand this. These are the rules of the game. And ultimately, it’s just to keep us safe. Are there any other types of challenges that you see coming down the pike? I guess COVID was a threat that nobody saw coming and hopefully never comes back. I know that you are very diligent and know what’s going on in the in this space. Anything that you see out there that concerns you or worries you?

Antonina McAvoy
Well, compliance with evolving regulatory requirements like GDPR, CCPA, some of the privacy frameworks, we see a lot of requests for security, but there’s not so many requests all the time about privacy and privacy is becoming pretty big. So I’d say privacy, making sure that companies understand their privacy requirements based on where they are, as well as any industry-specific standards. That’s all adding complexity to cybersecurity efforts. It’s putting resource constraints on already taxed IT internal departments.

So it’s requiring organizations to stay ahead of those challenging legal landscapes and adherence to any stringent data protection mandates. This really starts to call into question the need for a third party who’s independent to help organizations with those compliance frameworks. That’s what they live and breathe. But I’d say the global shortage of any cybersecurity talent is certainly another challenge, making sure that folks have the right people in the right roles. That is very, very important in investing in a work force that is developing and growing across potentially not just only the US market, but also into international markets.

Andrea
So any parent out there that wants their children to have a job, I’d say that it’s probably a good bet to go into cybersecurity. Okay, well, this has been great, Nina. I’m gonna try to summarize – we talked about a lot here and I know that we just scratched the surface of the things that you can do.

Antonina McAvoy
Oh, definitely.

Andrea
And what you and your team can do for clients and prospective clients. But, you know, risk has just exploded everywhere. The good news is that we have a team that really looks at this and takes this very seriously with the five dimensions of risk and strategic financial, operational compliance and IT. And being able to address these things holistically really provides a defense, and puts companies in a more offensive posture to be more competitive. And the more trust your customers have in your company and services, the more growth you can achieve and be competitive. Did I summarize what we’re talking about here?

Antonina McAvoy
Absolutely. I think today’s conversation has definitely shed that light on the importance of risk advisory and safeguarding businesses against evolving threats. It can start with sophistication of cyber-attacks to challenges that are posed in day-to-day business and regulatory compliance, shortage of any cybersecurity talent that organizations are facing and leveraging expertise of the PBMares Cyber Risk Advisory Team to embrace that proactive defense strategy.

Andrea
All right, great. So again, check out our website and learn all about Nina and Nina’s team and Risk Advisory Services. Nina, thank you so much for your time today. This has been fun. As always, talking to you is fun. Have a great weekend and thanks a lot.

Antonina
Thank you for tuning in. Stay secure.