Name: The 2026 Mandate for Financial Services: Building Trust in a Dynamic Threat Environment
Uploaded: 2026-03-25T18:15:44.509Z
Duration: 45 min 20 s
Description: The 2026 Mandate for Financial Services: Building Trust in a Dynamic Threat Environment

Transcript for "The 2026 Mandate for Financial Services: Building Trust in a Dynamic Threat Environment": Welcome everyone to our twenty twenty six financial services outlook webinar. I'm Justine Okarczyk, a solutions marketing manager here at Cloudflare. I'll be your host today as we look past the headlines to our architectural reality for financial services. Joining me today is a veteran who sat in the hot seat, David Jossman, the Cloudflare field CISO for financial services. A former financial services CISO himself with decades of experience navigating the intersection of legacy, stability, and modern threats. David? Yeah. Thanks, Justina. So as Justina said, I'm David Drosman. I'm field CISO with a focus on financial services here at Cloudflare. I've only been at Cloudflare since last summer. Prior to that, I spent almost twenty five years running security organizations as CISO across three different organizations, most recently at The Clearinghouse, where I was their CISO for about eight years, leading the full cybersecurity program for an organization that is critical infrastructure for The United States payment systems. Prior to that, six years as deputy CISO at the Federal Reserve Bank of New York, and before that, nine years as CISO for a trading firm in New York City. So I have an extensive background as a security practitioner and now here at Cloudflare for the last few months and ready to have a great conversation. Awesome. Excited to have you on board, David. And before we go ahead and dive in, I wanted to give some context to our conversation. So it's 2026, and as we know, the castle and moat is officially dead. AI has moved from pilot to production. In the financial sector, autonomous systems are now making decisions at a pace that human centric security can't match. Cloud here at Cloudflare, we sit in the center of the shift. We don't just see threats. We see patterns or signals before they ever reach your perimeter. So today, we're diving into our newly released twenty twenty six secondurity signals report and taking a financial service lens to it. There's the these aren't just insights. You can think of it as a road map for financial leaders like yourselves. And, let's go ahead and take a look at how you can build resilience from the core and start operating securely at machine speed. David, let's go ahead and jump straight into it, but I thought you could start with talking a bit about the priorities that financial organizations are facing in 2026. Yeah, happy to. So this first slide is one that we created just a few months ago. And really the way the way to look at this is is, you know, it's it's one of the five core themes that I'm hearing across my client base. But really at the center of it, which is why it was so important to have that center circle, is risk management. Financial services talks more than other verticals about risk management, risk mitigation, and the compliance pressure that is a demand on all financial services organizations. And it can really be crippling at times just how much pressure we get from say regulators for compliance to both new and existing frameworks that are out there. But so with the risk at the center, these are the five themes that we're seeing. You really can't start any presentation in 2026 without talking about AI. That is something that all financial services organizations are at varying stages of their implementation, and we're certainly gonna get into that during this conversation. Second there on the left is resiliency. That is something, you know, given the outages in the back half of last year combined with the pressures to ensure that you have what's on the right, which is multi cloud environments. You know, this is something that I'm hearing across financial services really for the last few months and beyond. Additionally, you know, when you think about Zero Trust SASE, that's something that's really exploding this year predominantly around technology debt and looking at how you can secure this remote workforce that you have. And that's something that I'm really seeing a lot of conversation exploding around. And then just lastly, information, data, there's so much of it out there. So how do we as financial services organizations consume and react and be proactive with threat intelligence. Another area where I'm just seeing a lot of activity and a lot more exposure than I'd ever seen before, Justina. Awesome, David. Thanks so much for sharing some of the insights from the field that you're hearing directly from prospects and our customers. Let's go ahead and jump right into our first signal. I know you alluded to this already, but we spent the last decade chasing the cloud. Right? This dream of agility in the cloud. But now it's 2026, and I think the industry is really waking up to that, concept of cloud the cloud mirage, we'll call it. The idea that moving to the cloud somehow offloads, you know, risk. With DORA deadlines hitting this year, the conversation, I think, has shifted now from how can we move to the cloud to how do we stay up if our critical provider is down? So wondering if you could kind of shed some light on that and you know what do financial services firms really need to do to ensure resilience or safe and secure operations? Yes. So so look, first of all, you know, as as I mentioned in the intro slide, you know, the the pressure to be multi cloud, the the pressure to have, you know, more than one cloud provider is actually real. But I don't want the audience to confuse being in the cloud with being resilient. You know, many financial services organizations have their cloud instance as just a piece or a part of their overall resilience strategy. So a real robust resilience strategy will not just have network resiliency, but would also incorporate other parts of your organization like your applications or your data. Right? And cloud providers like Cloudflare provide network uptime. We provide resilience at scale. And it's really important to think about that as you're doing your cloud migrations. And, you know, to survive the loss of an entire cloud provider, you must move away from the data center thinking to region earth thinking, right? A global network strategy that avoids single points of failure. I personally, as CISO spent a lot of time developing our cyber resiliency strategy. And what that strategy needed to do was incorporate and merge together the concepts of operational and cyber resilience. It's really critical that organizations incorporate scenario planning into it. So when you start to think deeply about, you know, where you're building your resilience and how you're building the plan, think about how might a threat actor infiltrate your organization and be honest with yourself about that, right? And think about what your tactical and strategic steps would be in a situation where a threat actor maybe infiltrated you. And not just how you'd respond and recover, but also how do you communicate and how do you ensure continuity of your business operations? Within financial services, these trends are real, Right? Organizations are focused on things like consolidation of their providers. Right? Standardization. While they're really taking, I feel, a step back and redesigning their architecture around their platforms so that they can perform and deliver at a global scale and ensure that resilience is a core component and a part of this new architecture that these firms are building. I think as you were talking, I was thinking about how we mentioned DORA. The Federal Reserve also made mandates now treating third party outages as internal failures. How are you seeing or how do you think leading firms should be meeting these mandates and resilience bars without blowing out their operational budgets? Yeah. So look, I mean, it's impossible to avoid, you know, with regulators demanding a dual vendor strategy or active active resilience. You know, as as we've been talking about, as we've been thinking about, ensuring your multi cloud strategy has to be one of your priorities in 2026. But beyond the multi cloud strategy, because maybe you're not gonna be there yet, maybe it's something you're simply just planning for, There's automation out there that can help alleviate a lot of this pressure. So AI is gonna come up in a bit, but I'm seeing a fair share of my clients working to alleviate what we call the audit tax that is attached to complying with these new or expanded, you know, regulations. Right? So trying to leverage automation to get into the systems to ensure that you're getting the information you need and not just doing some point in time assessments. And then, you know, look, lastly, you know, a way to not blow up your budget is to make sure that you take the scenarios that I just talked about and actually test them. And not just on paper, right, not just a tabletop exercise, which has its own value, has a lot of value, but actually look at your failovers, look at it and action them to ensure that your testing meets the demands that you have both of your own risk posture, but also of your regulatory bodies. I think, you know, when we talk about resilience and building resilience, you know, might seem very straightforward when it comes to like a brand new cloud environment, but most financial service firms we know obviously are weighed and built on systems that were here for twenty years, which really brings us to our next signal around legacy architecture, right? Legacy systems have been for long been viewed as a cost center. But I think now we're seeing them more as, you know, that kill chain. CISA has been issuing emergency directives around, old perimeter technology like VPNs. And I'm curious, you know, with with some of this these warnings from CISA and how you see financial service organizations approaching kind of legacy infrastructure on the perimeter. Is it becoming a death sentence for them? And when it comes to security, do you see it as a death sentence for organizations? What's your take? Yeah. I mean, I personally wouldn't necessarily use the term death sentence, but at the same time, I would liability. Right? I I I think it's a massive, massive issue to have old technology that is maybe not supported in the same way that some, you know, newer tech is anywhere on an Internet facing perimeter. You know, look, VPNs, you know, now are a primary entry point for attackers. We're seeing more attacks, you know, coming in that way than than many other avenues. It has been this way for a while, but this is one that I would implore financial services organizations to think about replacing the molten castle you know, infrastructure or, you know, architecture is probably a better word for that with an identity first zero trust perimeter. It's I was on a call with a couple CISOs recently discussing the topic of tech debt. And I told them, you know, one thing that I think is okay is to have some measure of legacy technology that, you know, one thing I see definitely for financial services is for things like back office, whether it's payment or transaction processing, there is older technology that's in there, sort of that mantra, not broke, don't fix. And I said, look, maybe it's okay. And one of these CISOs just took the complete contrarian view of it and was like, you have to modernize. It's a non negotiable. You know, especially in today's world where, you know, there's new messaging specs, You know, AI is is is taking over. And if sister systems are evolving, then these legacy systems might not be able to keep up or even communicate, with some of the more modern systems. So, you know, while I don't fully buy in, I think there still is a place, sometimes for the ain't broke, don't fix, mantra. I do think that, you know, even back office systems at this point need to find their path to modernization. You know, you mentioned Zero Trust, and I'm curious if, you know, you think Zero Trust can realistically reduce, any daily firefighting that engineering teams have have to do that can't move, you know, to the cloud fully yet with these massive legacy estates. Yeah. I mean, look, zero trust or these SASE solutions are at the edge. They're on the perimeter. I think it is ripe for modernization and it should be at the forefront of your plans for how you're gonna handle any internet facing part of your infrastructure. And look, there's another trend that I'm hearing more and more from CISOs is you don't need a multi year migration to do this anymore. It used to take years to do a tech turn. You'd plan for it for six months, you'd test for it, you'd architect it. It would take another six months to actually get the implementation done. But something I've been talking to CSOs more and more about is, you know, going with these SaaS or cloud based solutions can be done really in a fraction of the time at a fraction of the cost while improving your resiliency. So, you know, when I sit with CISOs for the most part, I'm seeing that trend shift. And I don't think that you should be scared of making a change if a solution isn't working. It is no longer a multi year migration. The friction of moving to a solution like a Cloudflare, you know, I believe has really significantly been reduced and especially for something like your Edge, I think it's something that, you know, should be done way sooner than later. Alright. I think, you know, there's a big elephant in the room we haven't touched upon briefly, but we're going to now move to our third signal, which is, you know, head on hitting hitting that the the trend that everyone's talking about. Right? Which is AI. We've officially moved to this phase where AI is no longer experimental. Right? And EU the EU AI Act is has some deadlines looming later this year, which means that a lot of people are focusing on, you know, not what can AI do for us, but how do we govern it, right, at scale to meet those deadlines? So curious if you could talk a little bit about what is, you know, what are some of the most important guardrails or that FSI leaders need to implement to satisfy some of these mandates? What are some of the considerations? Where do they start, really? Yeah. So it's a great place to head into that AI discussion, right? Is, you know, first off, you know, it's no longer okay to have those static PDFs, right? That you're gonna generate once a year, right? These regulations are pushing for more continuous assurance, right? They want live evidence, right? Logs showing that your guardrails are in action. But if you ask me, you know, look, I I think a lot of organizations, most organizations are well into their AI journey. If you're not right, the place to start is ensuring that you have those initial guardrails, which is have a policy. Right? You know, put together some sort of like an AI council that you might, wanna build, you know, a governing body that is a place for your employees to go in order to ask the questions that they want. And these don't have to be built from scratch even, right? If you already have a good governance and policy organization, it can be an extension of those. Just add it to those and add it to the policy and make sure that it just meets the needs of the regulations. I personally, whenever I created any policy or anything like this, I tried to anchor it in a framework. And there are some good ones out there. You mentioned the EU AI act. CRI has a good one as well. But, you know, when I think about what's the most important guardrail for financial services specifically is ensuring that you have inventory and risk classification. Under the EUAI Act, compliance is entirely dependent on how a system is tiered. So for financial services firms, it is particularly high stakes to ensure that your core business functions, which are generally be considered high risk, you know, meet and you've done that inventory and you've done your risk classification. So, you know, you can meet the requirements that are set forth in anything that is considered high risk. You know, when we talk about governments and AI, I always think about how organizations, especially highly regulated organizations, we face this ourselves at CloutClick. How do organizations prevent proprietary, you know, data from leaking without really stifling the productivity gains of AI, of Gen AI tools? Yeah. Yeah. I mean, so look, you know, I I think we're we're gonna talk in a minute about, you know, AgenTic, but, you know, when it comes to generative AI, generative AI is here. Every organization is trying to figure out what to do with it. And I think a lot are struggling with it. I've noticed, I've talked to my clients, especially the ones that say, utilize M365, they defaulted to Copilot, right? Simply because it's integrated, you could rely on a lot of the Microsoft security tools and it just was a natural way to, let's say dip your toes into this generative AI space. But employees are doing what they wanna do, right? They're learning that they happen to like, or they like what is coming out of ChatGPT or Gemini or Perplexity, or they wanna build in Claude, right? So using edge based security logic to process data closer to the user and ensuring that PII doesn't leak out onto unauthorized public LLMs. What it does is it's gonna require you to think differently about your DLP implementation. It's gonna require you to ensure that you are implementing concepts like least privilege. You only should give your LLM access to tools and data that it absolutely needs. You know, for example, if you have a model that's summarizing public news, it should have zero access to your internal, you know, databases. You know, this is again where, you know, I mentioned, you know, Cloudflare SaaSy Zero Trust, but, you know, we also have AI gateway is another great solution. You know, these are the solutions that organizations need to look at and think about as they're looking to secure their AI implementations. Yeah, I think that's a great transition into kind of our next topic as well, continuing on the AI front, but getting into AgenTic a little bit more. In an era where, you know, AI driven attacks can compromise a network in milliseconds, how do those, you know, human SLAs for patching hold up? Know, why are we still in an era where attacks move at machine speed? Why does the industry still rely on human speed SLAs for critical patching? Yeah. No, Justina. I think I think that you you kinda nailed it. I can make a a pretty strong argument that in financial services, the gap between machine speed exploits and human speed patching is the greatest systemic risk that we face. You know, it's it's one of those where, you know, patching, patching, patching is the core foundation of a cyber program. And in this world where things are getting faster, I really can probably make an argument it's the biggest risk we face. Systems aren't isolated anymore. They're deeply interconnected, whether it's through APIs, through middleware, through legacy cores. And, you know, I think the industry as a whole clings to these legacy SLAs, but it's not really out of ignorance. It's, due to the fact that there's just a complex infrastructure and it makes agility kind of difficult. For my entire life as a CISO, me and my CISO peers, we mostly followed the traditional thirty, sixty, ninety day patch cycles that govern the industry. And we were more aggressive, of course, on the perimeter. If something was internet facing and there was an exploit, we would get super But aggressive about I think threat actors now, they don't need any level of sophistication anymore. The path from finding a vulnerability to creating and exploiting it has actually shrunk to next to nothing. I think the industry is beginning to realize that human speed is a failing strategy. We're seeing much more shift towards a couple things. One is virtual patching. Right? So utilizing web application firewalls or WAFs or intrusion prevention systems to block exploits at the network level instantly is really growing in popularity. And what you do with that is you actually buy yourself time to fix the underlying issues, right? Whether it's implementing a patch on the inside or a hot fix or a workaround or whatever it might be, stopping and doing patching on the perimeter. Sure, you're still, you know, need to make sure that you're doing the internal patching because there's insider risk and the like, but, you know, if you're able to really do the blocking at the network level, you're reducing attack surface tremendously. And second, in immutable infrastructure, right? Cloud banking, cloud native banking, you know, so instead of patching a server, you know, simply killing an old instance and deploying a new one, you know, of pre patch services within cloud providers is another path and a strong path that organizations are going with. All really great, like insight, sage advice that that, you know, I'm just starting to learn about with you. So but keeping on the the sort of the the topic of, you know, machine speed exploits. Right? How about, you know, this new wave of hyper sophisticated AI generated spear phishing? I've heard of something called mirror matching to defend against email perimeter. Can you talk more about that and how firms are, you know, defending against this machine speed exploit? Yeah. So look, the concept of mirror matching, which is, you know, using AI to protect AI, right? So, you know, you're fighting it, you know, you're fighting these threat actors, you're fighting these, you know, advanced tools with advanced tools. You know, when I think about when you start talking about things like AI generated spear phishing, you know, I think, you know, I have I have kids that are around college, high school age, and they can't write a single paper anymore without their teachers or professors running them through AI detectors. So why aren't we as organizations doing the same thing? We've been scanning email, we've been checking email and a lot of vendors out there are implementing stronger AI into their email detections. But, you know, using defensive AI like something like Cloudflare One to intercept, you know, things like business email compromise that might, you know, mimic an executive voice or do, you know, different types of compromise attacks is something that we really need to expand. There's this concept of zero trust for email where your identity is verified differently. I think that the days of just simply you know, utilizing a sender's address and saying, all right, that is that person just because, you know, it's at company dot com email address. You know, we have to move beyond that. We need to start thinking more like the adversaries do that are building these AI attacks on us and matching that attack with more advanced capabilities. I think, you know, as we're talking a lot about AI, right, where we're talking about speed and autonomy requires more than just speed, right? It requires data. We have to be able to tell the signal from the noise before AI can take action on some of the stuff that we're talking about. So most financial service firms today are drowning in threat feeds and dashboards and data. And the challenge for 2026 isn't a lack of data. Of course, it's how do we move from hoarding signals to actually driving responses on the data? Yeah. So look, the two places I'm seeing the most activity as it relates to how security teams are using AI to improve their own processes, I would say is one in vulnerability management, and two would be right here what we're talking about, which is how to manage and process threat intelligence. Sometimes it's actually a bridge between the two where they're taking threat intel, using the threat intel to determine if there's a risk to their organization, which then can determine if there's a vulnerability, which then can determine if the patch needs to go in and then actually potentially using an agent to implement said patch. But the data has just become truly overwhelming. Here at Cloudflare, we see over 20% of all internet traffic. So our visibility into what is happening out there is tremendous. And without automation, it would be really, really tough to find those needles in haystacks, right? So the most common implementation I have seen clients utilizing is moving away from basic scripts and instead using autonomous agents that can reason through a sequence of tasks. So, for example, in the old way, a dashboard would show what, like 4,000 alerts and a human analyst would have to manually go through the log, verify identity, decide whether or not it's a threat and whether decide whether or not to take action. But now in a defensive posture of being proactive, an AI agent detects an issue, it detects a pattern and it can correlate the ISP login, the privilege token creation and the API call. Right? It can do all that together. And then it doesn't necessarily it's up to you, but it can actually it doesn't just create an alert unless you wanted to. It can quarantine that identity and generate a forensic summary for a human to review, potentially after the threat has been contained. Now, I get it. Not all organizations are gonna have the risk tolerance to implement a solution that takes this type of proactive action, but it's great to know it's out there. And I am seeing it being implemented out there in the wild. I I I think that it's great that we're able to help, you know, our customers and and prospects out there navigate kind of the AI AI landscape in in some of the ways you've been describing and and leverage AI to their advantage, especially from a security standpoint. But we also are seeing something else happening, and this is a a a total totally different topic now is we're seeing that there's sometimes our biggest risks are not even inside our own walls. Right? They're hidden in connections we don't even know exist. So one example is a breach that happened last year with Salesforce and Drift. You might trust your direct vendor, but you don't know what third party plug ins or chat bots they're using. And it seems like in 2026, one of the biggest financial service risks is the concept of shadow supply chain, that mess mesh of SaaS to SaaS connections. Right? How can financial services as an industry move away from like a compliance checkbox towards a more continuous visibility into that complex mesh? Yeah. Like I said earlier, you can't just do a point in time compliance anymore. Right? I mean, days have to evolve. Those have to they have to be over. And because look, your risk isn't just your vendor. It's the vendors they use. Right? So in this type of an environment where it's changing all the time, you know, these point in time audits need to evolve. You need to do real time posture checks, you know, and enter into, you know, a connectivity cloud to, you know, maintain a single security front door. And it's really incredibly important to make sure you have the right SaaS security controls in place, especially around posture management. Posture management will provide continuous visibility into issues such as drift detection, which could be when an admin changes the security setting, right? And we've talked a couple of times about least privilege as it relates to users, but you know, you can also do least privilege as it relates to applications as well or your apps. So like, for example, if a marketing tool only needs access to leads, it shouldn't have system administrator API access, right? The twenty twenty five breaches that you talked about succeeded because tokens often had over permissive scopes that allowed attackers to basically go from one database at one provider to another database at another provider. Quick note, we need to make sure that we know what our non human identities are up to. Modern tools, there are tools out there now that map the NHIs or non human identities, the service accounts that, you know, and tokens that connect an app to an app, these must be configured with least privilege as well. It is very, very, very common for threat actors to use this as an attack vector to leverage these accounts as MFA is incredibly difficult to implement on these types of non human accounts. So, you know, just another area where we really need to make sure we're implementing the right controls. Awesome, thanks. Thank you, David. I know we've had a chat, you know, a talk full of lots of topics covered. I do see some Q and A coming in already. For those of you who haven't asked a question but have one, please take the time right now under the Q and A box on your platform to submit a question, and we'll try to get through a couple of them. We have some time. I'm going to go ahead and, before we move to Q and A, as you're submitting more questions, wanted to go through a few resources that we have for you. I mentioned that security signals report that just got released today. That is under your Docs tab on this portal, you can download it directly within here. You can also find it on our website. That's the signals report that was the inspiration for conversation today with David. And if you would like to learn more about our financial service solutions, you can visit us at cloudclare.com/industries/financialservices, where you'll find more resources. And finally, we will put together be putting together an executive summary based on David's talk with us today, which will be coming soon. So look out for that on our website as well. So without further ado, I'm going to move on to Q and A as I see some questions coming in. I'm going to cherry pick a little bit here on some topics that we might have not touched on. I hope that's okay, David. Sure. But one of which is post quantum. I know that has been coming up a lot with our customers asking about the 2,030 NIS deadlines that are coming up, hearing about regional mandates that are coming as early as April potentially. What are your thoughts around post quantum? Is this a real, you know, are quantum computers a real threat to our industry and where should this fall on the priority list for CSOs and financial services? Yeah. So first off, it it it definitely is, something that's being that that needs to have a focus. One thing I am noticing, is if you're asking me where it lives on a priority list, most organizations have it on the list. It's just not necessarily as close to the top as a lot of the other topics that I've already talked about. I'll notice that, you know, when I'm talking to people, it's something that would come up a bit later in the conversation, but it is definitely something to think about, especially the threat of harvest now, decrypt later. I think that is something that is real within financial services. Financial service data has a long shelf life. So the sooner you solve for it, the less likely you're gonna have a severe impact. And look, truth is updating your cryptography algorithms is gonna take a while. So one thing we here at Cloudflare advise is to tunnel your traffic through, you know, something like our PQC enabled network so that you minimize the risk from day one. But even if you do that, I highly recommend that in parallel, you build an inventory of all the areas that you're gonna have to update in the near future. I know a lot of organizations have already started that process. It's been something that organizations have been doing now for the last couple of years is to just really figure out the full inventory of what they have and what needs to be upgraded. But I also do recommend, you know, doing, like I said, and routing through someone like Cloudflare. Awesome. I know this is a hot topic that's been coming up a lot, especially with some of those deadlines looming from a regulatory perspective. And we've recently had our first end to end post quantum SASE solution launched a couple of weeks ago. So I highly encourage everyone, if you're looking for more information on it, visit our website and a demo of our SASE solution for this, which helps you minimize that risk as Dave had implied from the first day you tunnel your traffic through us. The second topic, which we haven't touched on, but I think, you know, people are interested in as well is fraud, right? I know it comes in many shapes and sizes. You know, we've seen deep fakes being used to impersonate executives. And there's also even the case of elder fraud and many others. But where do you see this going, particularly when it comes to our industry and how to defend against it? Yeah. Great question. I mean, it's it's one that is also popping up, more and more. You know, every single financial institution is thinking about fraud, how to reduce fraud, how to even dent it in a lot of ways. And look, fraudsters are using generative AI to scale attacks that really previously required manual effort. The most popular ones that we're hearing about is executive impersonation, where a threat actor might impersonate a CEO or a CFO, and criminals are using AI generated videos to get past some know your customer, right? There's threats of, on the onboarding and the interview process, creating synthetic IDs that look like perfect customers. What I would suggest on that specific use case is to go back to something we talked about earlier, which is use AI to detect microscopic inconsistencies, right? So I know organizations are now using AI to look for skin texture changes or light reflections that might signal that something was AI generated. Another issue I'm seeing with fraudsters are using social engineering to convince legitimate customers to move their money. The customer is you know, since the customer's using their own device and password, the transaction looks good. Right? It's getting past a lot of security systems. And social engineering is being used in a lot of different ways. There were the attacks on the casinos a couple years ago where fraudsters were breaching help desks to reset passwords for legitimate users. You know, and as we start moving into a place where agentic commerce is taking off and AI agents are making purchases for us, you know, fraudsters are gonna be deploying more malicious bots to mimic human like behavior, making it harder and harder to, distinguish between what's a bot and what's not. Now look, financial institutions are doing more. They're sharing data. They're trying to determine and share information about if an account is determined to be a money mule at one bank, can it inform its partners about it so that bank B doesn't necessarily get hit with the same issue. But one thing I'd also push and you mentioned the Cloudflare website or Cloudflare blog is we did have a post earlier this month about a complete new set of capabilities called Cloudflare Account Abuse Protection, preventing fraudulent accounts from say bots or humans. And this suite is actually kinda cool. It has a number of different capabilities for, organizations to explore. You know, I highly recommend go and just look up the Cloudflare blog and you'll be able to see it from earlier in March. It's a really cool, interesting new resource for potential clients. Awesome. Thanks. Thanks for that comprehensive answer and some more resources for us, David. I can't wait to kind of dig into that. I don't think I've read that blog myself, so looking forward to it. Well, I I know we're out of time. I think we covered a lot of topics. I hope everyone found this super useful. I know I did. David, thanks for your time and your insights, your invaluable insights. And David's information as well as my own is on the screen right now, so if you ever want to reach out to us, follow-up on it, have specific questions that you weren't able to cover today on our Q and A, we're happy to address them. And if we weren't able to address your question and you did put it in there, we'll follow-up by email. So thank you again, everyone, and have a great day. Thank you.