Good morning, good afternoon, or depending on where you are, or even good evening if you're watching this on catch up later. Thank you very much for joining us today. Really appreciate it. We know everyone is really busy. So, we appreciate you taking time out of your busy schedule to join us today to talk about a topic that's quite hot in financial services at the moment, DORA, Digital Operational Resilience Act. So, first of all, just a couple of housekeeping things. If you have any questions, please feel free to drop them in the Q&A section. That's really handy for a number of reasons. One, because it means we can keep a track of the questions. If we struggle to get round to it today, it means we can get back to you later. But also, if multiple people have the same questions, you can start to like it and we can see that that's actually quite a prominent topic. So, we can make sure we try and answer that one as soon as we can. We're going to go through a number of slides today. Um, presenting is myself, Steve Rakom, and Adam Gale. So Adam is a business cloud architect at NetApp and I'm the CTO for financial services here at NetApp. And this is part of a series of webinars. You'll see over the next few months and we'll talk about it later. We'll have a number of webinars deep diving on different parts of DORA. But today we wanted to do more like a level set or base set. This will be covering what DORA is, a couple of things on the individual article, some of the articles and where NetApp can help and then just reminding everyone of the series moving forward. So without further ado, we'll get going. What we're going to talk about today covers a number of different things. We're going to briefly touch on legislation regulation generally. We're going to talk about what is DORA, who does it apply to, and what are objectives and fundamentals of DORA. Then we're going to look about why are people going to care about even doing this? What is the motivation?
If there's no motivation, why are people going to do it in the first place? Then we're going to briefly touch on how NetApp can help in some of the areas we think we have solutions that can help you look at your DORA journey and then what next. So, legislation, regulation. Financial services is arguably the most regulated industry in the world. I'm biased. I work in the financial services industry for NetApp. I'm the CTO for financial services so I think it's probably the most regulated but it's a heavily regulated industry. So regulation isn't new and Adam who's a cloud architect as a business architect has got a big fascination about regulation and compliance, haven't you Adam? And it's something you look into very heavily.

>> It is, um, I'm very fond of regulation. So that makes me very popular at parties. Um, and the reason why regulation is so important is because it touches everybody. Good regulation can really make a change in an industry. You can look to the European Union's changes in things like Apple being forced to change their proprietary charging mechanism on their phone and open up their walled garden app store to third party app stores. And no one thought this was going to happen. People thought no one can change a billion dollar organization. But through good regulation, we can. And generally what we find is we invent a technology and then it takes us about five years to catch up to that technology and start making laws and writing rules and writing regulation. You can see this in, um, social media. Social media was invented and did arguably quite a lot of damage before we could start controlling it. And only now we're seeing some huge fines being, uh, being placed on companies like Meta. So it generally takes us five years. But the European Union is getting much better at this and it's getting quicker. And in today's financial sector, we can break down regulation into four areas. Data and AI regulation.
And there's some really good stuff being written here in the EU Artificial Intelligence Act. And privacy and security, which is the area we'll be dealing with today. Oh jeez. And you're probably familiar with things like NIS or the coming NIS 2. And then there's digital economy enablement, which is things like the EU Chips Act. That's a fascinating bit of regulation and I encourage everyone to look into it. It will enable billions of euros of economy as we build and design our own chips in the European Union, securing that pipeline. And then we have the other cap sort of brackets but today we're discussing DORA and that is firmly in the privacy and security sector and it's roughly about a year away from going into force but it has been available for viewing and we should have been preparing for it, uh, for about a year now. So what is DORA? I'll hand back to Steve here for this.

>> Thank you, Adam. So it's a really good question. What is DORA? What are we all here for? And the reason why it's a good question is because I speak to a number of customers and some people have never heard of it and some people are very far on the journey. So DORA is the Digital Operational Resilience Act and it's something that's been written by the EBA, the European Banking Authority, and their kind of slant on it or their comment on it is it's an attempt to harmonize and bolster security across the EU finance sector. That's a really high level fluffy statement. I kind of start to look at it and what is it trying to address and for me it's trying to address two big areas and it's very much cloud focused. One is around cyber resiliency, ransomware protection, all that side of very much where people are going with the cloud. So looking at potential threats, are you protected? Have you got documentation to show what you're going to do if you're attacked? If you are attacked, how are you going to recover? Are you able to recover? How do you report out once you recover from that?
Both to the regulators, the EBA, but also to your counterparts and your peers. So how do you communicate with other financial service organizations? The other side is the cloud concentration risk. So there's an industry financial services that five, six, seven years ago most people were saying why on earth are we going to put financial service data in the cloud? Is that ever going to happen? Are we really going to do that? Fast forward to today and just about every financial service organization out there, all of you are using cloud in some way, shape or form. And that's great. It's a great way to see advancements in innovation. But the EBA are acknowledging this, which is good, but they want to put some guidelines, some guard rails around it. The reason being is if a bank goes down or an insurance company goes down, that's bad for that organization and its customers. But if all of the financial institutions or majority of the financial institutions in one country are using the same cloud provider and something happens to that provider, that's a country's economy at risk. And we have seen things where nation states have made attempts at another nation state's financial institutions as a preemptive strike. So the EBA are trying to minimize the risk, understand what could be happening and try and reduce that risk should something happen. So who does it apply to? Again, it's when we talk about financial services, it's a very broad term and a lot of people just think of banks or think of insurance companies, but it's much wider than that. NetApp uses, um, a third party for a payroll that is classed as a financial service organization that will also have to abide by DORA. So there are a lot of different organizations and no doubt you as a financial service organization will fit in one of these areas. But it also goes beyond this which is another great thing.
A lot of regulation focuses on the companies themselves within that vertical. What this is also focusing on is ICT, information communication technology companies. So the third party service providers and the EBA are pulling up a list of what they class as third party service providers but also critical providers who will also have to abide by DORA. Now as of May last year I was at a conference and the list at that time was approximately 18,000 ICT third party service providers of which about 6,000 were classed as critical. I'd imagine that list has grown now and we're still waiting for that list to be released, but that's a lot of organizations that will also need to look at what they're doing around DORA to support you as our customers. The other side of it is it's very much written by the EBA for EU institutions, but it does go beyond that. It might be that you're a US or an Australian bank, but if you have services and data based in the EU, you also have to abide by DORA. Similar to GDPR, it doesn't matter whether you're based, whether your HQ is in the EU or not. If you do dealings within the EU, you have to abide. So again, we're seeing this in a lot of other countries starting to take note of this. And this also is a precursor for a lot of other countries doing their own version of DORA. Canada also has their version called B10. There's a version in Singapore, but we're seeing things like the US coming up with their own version and starting to discuss it. So, this will also be a precursor if you're a large organization, a multinational organization, you'll see this coming up in other countries and other areas as well. So, what are the main objectives? Adam, I know this is something you've been focused on quite heavily.

>> Yeah, thank you Steve.
So, um, building on what Steve said, there are some key objectives here and we've kind of already highlighted some of them such as strengthening the financial sector's resiliency and we'll do that by providing robust measures and systems and controls within DORA and there is a detailed set of criteria here. It's a really well-written document. I do encourage anyone who has the time to have a read of it. It's about 112 pages long. Um, it's very well written and it will also provide detailed guidance to the critical ICT providers, the third parties, you know, so think of things like Amazon here or those providers that Steve mentioned earlier and we have some fundamentals. So the fundamentals of DORA are roughly these: it's a common set of standards which are used in attempt to reduce risk of cyber threats and a robust security cyber, sorry, a robust security framework. If any of you are familiar with the NIS cyber security, uh, protocol or framework which is the protect detect respond, um, you will see elements of that in this. It's a very good framework and DORA have taken that and they've built upon it. They built upon it with areas such as reporting which Steve alluded to earlier. There is a requirement for financials to report on attacks, so if you are attacked and say for example they encrypt your production data you have to report that into the EBA in a timely manner. And you have to also report it internally. So you need to document your key people and report internally and say we've had an attack. And this also applies to the third party and the concentration risk. Because as Steve said, what we're trying to agitate against here, what they're trying to mitigate against here is large organizations placing all their critical workloads in third-party cloud providers and then that third party cloud provider going away. We'll look at some of the tech shortly and you'll see the specific requirements here.
So these pillars have detailed guidance within them and I won't go into all the details here because it's quite a lengthy document but I'll call out some of the really good bits which I've discussed with customers and it's getting a lot of traction. So I mentioned earlier the collaboration but also collecting and monitoring your logs. This is key because when an attacker attacks the only way to find out where they've come in or what's happened is to look through your logs. So there is requirements to back up your logs securely, keep them, make them immutable, and there's also a requirement to do advanced threat penetration testing. So that could be through a third party external provider or you do it yourself, but you must pentest your own environment. And there is also a requirement to document your business continuity plans. I can't stress this one enough because, um, as we walk around the financial industry and we talk to people, Steve and I, we are finding that the documentation, uh, isn't there. They aren't documenting their business continuity plans in depth enough. So DORA talks about that at great length. So what's the motivation here? Why are you listening to me? Why is this important? What, why does financial care about this? They care because there are fines involved. And as Steve alluded to earlier, a lot of people think these fines aren't, uh, aren't applied, but the European Union is very good at applying fines. You can look to some of the fines at Meta recently, which run into the hundreds of millions, or H&M, which I think was fined 44 million only last year for keeping, um, customer records. This was a GDPR fine. So, the EU will fine, and it's 1% of your average daily worldwide turnover. Now, I'll say that again. That's 1% of your average daily worldwide turnover. If you're a large financial organization, this could get big very quickly.
And they've used this mechanism in other legislation and it's worked because what it is, it's not just a speed bump or a speeding fine. It's an accumulative fine that people sit up and notice. So, what are some of the things that you could be fined on? And this is building from previous fines. So, we've looked to the past to see what we could get pulled up on. And one of the things that they have fined on previously is failure to provide documentation. So if we talked about that, you know, that business continuity plan earlier, if you don't have one of those and they request it, then you could be fined. Um, also not allowing investigation and control. Now, that sounds like an obvious one. Who wouldn't allow investigation and control when the audit has come? Well, you'd be surprised. Uh, either it's malicious or whether or not you just don't have the answers. Sometimes investigations are impeded and they could fine you for that. It could be as simple as not giving access to your data centers or knowing who has access to them. So all these things should be documented. Or a failure to submit remediation reports. This is twofold. So if you are audited and they find a gap that needs plugging, maybe, uh, running user behavior analytics on your main environment, seeing what people are doing, and you don't do that, you could be fined. Or if you are subject to a threat and you're attacked and you don't report into the EBA, you could be fined for that, too. So, that's a twofold one. But now, I've thoroughly scared everybody. Don't worry, we are in a grace period. Um, at the moment, you can't be fined and it's not until 2025 that the enforcement starts. What I mean by that is January 2025 the auditors can come and look at your environment and they can start asking questions and fines can be applied and generally we find that the customers we speak to are in one of these six phases.
They're either generally building awareness and assigning roles, which is something that DORA calls for and we'll discuss that later on in the presentation, or they're doing something like a gap analysis looking at what is required and where they're missing and then planning and collaborating and executing to fill those gaps. So if you're at any of these stages and you require some help feel free to reach out to us. But having said that, how can NetApp help? We have a number of tools and services where we can help here. And what we're going to do now is dive into legislation itself. And this is really exciting stuff. Uh, what I've done there is copied some pages for DORA. And you can see there like those are the actual pages and those are the titles. It's broken down into articles and the articles are very easily named. You have general principles which covers the cloud concentration risk and, uh, the ICT providers and then you have 8, 9 and 101 which starts with protection and prevention. And if you do protection and prevention right, hopefully you'll never get to 9, 10, or 11. And then you have things like 11 covering backup policies and recovery methods. And these are exceptionally well written and they're all there. Even if you aren't in the financial sector, this is a good document to read because it lays out how to build a good recovery strategy for your organization. So let's dive straight in and look at some of these things. On the right hand side there what I've done is copied a quote directly from the text and then, uh, we'll discuss how we might meet these requirements. So this one, general principles, article 25, talks about entities shall put in place exit strategies from the cloud, and I've written that, in full disclosure, in brackets I've written from the cloud just for ease of read, in order to take into account risks that may have made basically from a failure. Entities also identify alternative solutions and develop transition plans.
So what they're calling for here is look around your environment. Go around it. Assess where you are using the cloud or third party ICT providers and you have to be quite strict with this because as Steve mentioned you could be using for example a payroll provider like ADP who I'm assuming have an element of workloads in the cloud. Now what happens if that provider goes away? How would you pay your employees? So you have to look at these and then you have to identify alternative solutions. It could be as simple as going back to using paper and pen or doing batch transfers. In this case, what we would recommend here is cloud volumes. This is the ability not just only to move a workload, but sorry, not move data but move an entire workload either from one cloud to another or back on premise and that answers the requirements of article 25 of being able to do this. More importantly, it proves it too. You will need to be able to verify, test and prove you can do these things on a regular basis. Not just to the auditors but to yourself internally too. So when we use cloud volumes we can automate it and we can do proof of concepts and we can do test failovers or test repatriating data and services back onto your on-prem solutions. So that's article 25. And as Steve said earlier, in the coming series, we will be going into each individual article and deep diving. So this is just a little bit of an idea of 25. We will go into greater depth. Article eight, protection and prevention. Now this is great because it really lays the groundwork. It really sets the foundation for the buildup for the rest of your environment. But it talks about minimizing the risk of corruption and loss of data through unauthorized access and preventing information leakage. It also talks about implementing policies and protocols for strong authentication. Not to be confused with authorization.
Authentication or authorization are different things but we will touch on both of these at the moment, uh, as we come along. So how do we answer this question because that's a big ask. Well first off you need to understand what you've got. You need to know where you've come from, what your data is so you can apply the right protection policies. We would do this by scanning your environment. All your data carries metadata and carries identifiers. For example, PPI, personal identifier information. This is quite easily categorized. We would scan that, place that into buckets because I would treat PPI data very different from how I would treat financial records. And we scan permissions. And this answers a lot of the requirement of article 8 because if you look on the bottom right hand side there you can see we've scanned an environment and 80, sorry, 73% of the data is open to the entire organization. That's not a good position to be in. For example, Adam, me, doesn't need to access 7% of all of NetApp's data. I shouldn't, I should be given access just to the data that I want. That's more of a zero trust environment. And once we've placed all this data in the right buckets and we've scanned it, you've checked it for compliance, we can then start adding the core tools to really protect your environment such as malicious file blocking. Now this is great. This stops an attacker from creating known extensions in your environment through our FPolicy engine. So for example, an attacker might start encrypting your data and they're known to use certain encryption types and they're known to put dot, for example, encryption or something at the end of it. We can block all these. We can go one step further and just create a whitelist and say you can only create these types of files in our environment and that stops the event. Also we have Active Directory monitoring and again this answers the requirements of eight about authorization and that sort of thing.
Now Active Directory is the holy grail for an attacker. If they can compromise this, they've pretty much got your entire environment at their behest. And what they'll do is they'll compromise one account and then they'll compromise another and they can even use it to jump off into other organizations because as you see we're all becoming way more connected. Organizations are becoming very connected. So we can monitor Active Directory and if you see somebody adding themselves to an administrator group, or one example, a real world example, is someone corrupting a backup account and from there they deleted the backups and were able to encrypt the production data. So when we finally found out, when we came to restore the backups, they weren't there, they'd corrupted them. So Active Directory monitoring answers those requirements. We also have things like MAV. Now this is one of my favorites. If you think of this as the nuclear launch keys on a submarine in like a Hollywood movie, it takes two people to launch that nuclear missile. Same with this. If you want to do a big event change in your environment like a mass delete, a mass copy or an admin task, it takes two admins to do it through MAV. And the idea here is that it takes away that risk of one compromised administrator. You need two to do something. It also protects against just genuine mistakes because we're human beings and we all make mistakes and to get two people to verify something is just good practice. And we also talk about end-to-end encryption here, answering some of the requirements in DORA. And again, end-to-end encryption is one I'll touch on later, but you'll be very surprised to find how many organizations don't encrypt their data at rest. And this is a very easy win. It's something that we can do just by turning, you know, the flip of a switch or turning on. We can encrypt your data and meet those requirements. I would argue that to not encrypt your data at rest should be an exception.
You should be able to say I am not encrypting this data because it should be default to, uh, to encrypt your data at rest. So moving on to article nine, detection, and this is where we get into the more, really advanced stuff. Um, we look at detection mechanisms with multiple layers of, uh, control and automating alerts. And what they also ask for here, and this is really quite important, mechanisms to promptly attack, uh, detect anomalous activities and financial entities shall devote sufficient resources and capabilities. Now this, they have used this in other regulation and directives that they have passed. What they're saying here is that you can't ignore this. You must devote sufficient resources to protect your environment. And talking about anomalous detection and, um, using automation for this is because the EU realized that we literally can't employ enough people. We can't scale up enough people to do this for us. So we need to use software. We need to use tools. And what we would do here is use things like user and detection. Now what this is, it runs a training period on your environment. It watches people. Like me for example, what I do on a day-to-day basis is present, create documents, um, that sort of thing. And if tomorrow Adam started doing something that I don't normally do, like creating financial records or deleting financial records or dipping into HR things, that would be out of my normal sort of remit. This would flag it. And what we're looking for here is people doing things they shouldn't normally be doing and that can be the precursor to attacks. And then we can automate responses. Now, this is really key and really quite cool. So if Adam stepped out of his bounds and started deleting financial records, um, we all know Adam makes a lot of mistakes. So maybe we don't just, you know, block him. We just snap our environment, which means that we have a roll back window like Sky Plus.
I can go back to a time when that data wasn't corrupted if Adam was doing something or I can go full force and just completely lock Adam out from doing anything else. And we can take this one step further. We can monitor for those encryption events. Now this is quite interesting because there is a number of encrypted data in your environment. So I might send you a payslip for example which is generally encrypted or you might have a database, like Oracle databases are generally encrypted. But what we're looking for here is big spikes. So if someone is nefariously attacking your environment generally they'll slowly pick through and encrypt it or they'll go whole hog and just encrypt the thing in one go. And we should monitor for those slow trickles or those big spikes and then automate responses after. So stopping it, locking out that user or creating a snap or automatic. These are the tools we'd use to, uh, to meet the requirements of article 9 and they're really advanced stuff. We then move on to article 10 which is response and recovery. And this is great. It talks about containment measures and processes and technologies suited to each individual type of threat and stopping the damage. It also says that entities shall have a crisis management function. So what they're talking about here is literally name a team. Get a team together in your organization. Name them, write their names down and then start preparing them. And they should be our crisis management function. All large organizations should have a crisis management function and a war room which to rely on when we have a threat. And then we should have documented processes and procedures of how to deal with that. For example, communications. Do I need to communicate to my C-suite or do I need to communicate externally outside the business and say we're subject to a threat right now. We're integrated services.
All these things should be documented along with your disaster recovery plan and your business continuity plan. And this is where NetApp can help with professional services. We have a number of people, myself included, who are very well versed in this sort of area and develop business continuity plans on a day-to-day basis. We also have immutable copies and this is one of the first things we end up recommending. An immutable copy is a really quick way to ensure some defense in your environment. What it is is basically a copy of your data that cannot be deleted either for a certain amount of time or forever. Depends how you want to set it for your business requirements, and this is one of the first things we get to and say let's do an immutable copy of a data so at least you've got something to go back to if you have a problem. So article 11, which is backup policies and recovery methods. Now this is a well-trodden path. A lot of organizations have been there and we are one of the leaders in this area, but DORA has some very interesting things to say about this. It says we should have an operating environment different from the main that is not directly connected with the latter and is securely protected from unauthorized access or ICT corruption. Now, that for me is pointing towards clean rooms or vaults. So, we'll discuss those shortly, but it goes one step further. Recovery plan should enable the recovery of all transactions at the time of disruption. That is key. What they're saying there is if I'm paying you and you're paying me, we're a financial organization or we're doing critical transactions and there is a threat and that is broken. That chain is broken. How do I authenticate and say Adam paid you or you paid me? Because if we take away the legitimacy of this, uh, transactional chain, the whole thing falls apart. So what they're calling for here is the ability to restore and prove that chain is correct. So how would we go about doing that?
Well, we would use things like MetroCluster with synchronous replication. This is where you have two data centers or two data sets that are completely in step with each other. And then we would use air gaps and clean rooms to answer the first part of the question. Now, what that is here is literally a third site. So it could be in the cloud, it could be a physical location, a broom closet or another data center where you have a copy of your data that is immutable and you've scanned it going in to prove that it's not been compromised and you have all your minimal viable business there. So things like your gold images, your IP, uh, your authentication methods, uh, who needs to pay you, who you need to pay, the bare minimum it takes to run your business should be in this air gap clean room copy, your minimal viable business. And then you rely on that as your last resort. And what you can also do is use this as a place to run your business should something go wrong. If your production and your DR completely out, everything's gone, you can then run back to this and go at least I've got this. And also, as I mentioned earlier about your logs, this is where I'd keep a copy of my logs because what we have seen in the industry is people restore copies when they think they've fixed the issue, but they don't have a clean copy of their logs and they've not fixed the issue. So what's happened is they've restored the threat back into production and recompromised themselves. And this is a situation you really don't want to be in. So this is the way we'd attack article 8. And by no means is this all the tools and services we have to meet the requirements of these articles. It's just a few that I have time to show you today. And we will be diving much deeper in the future. But as I draw to a close here, I've got one bonus article. Aren't you very lucky?
I've got article four and this is one of my favorites to discuss because article four literally talks about who is accountable in your organization. It says the management body of the financial entity shall define, approve and oversee and be accountable. So DORA is asking some people in your organization, the management body specifically, to put their name to paper and say I am held responsible for DORA whether we don't meet it or whether we are subject to a threat. And this is great because it really places the emphasis and it's been used in previous directives and legislations to really hold people accountable and to get people to sit up and listen. So feel free to read through that bit because it's a really strong piece of legislation which I think is very well written. So I've covered a real lot of detail there and I've gone quite fast. Um, so if you are struggling and you want to reach out feel free. Uh, we're going to share our link, uh, our links later to our website where you can find all this information. But one of the first and most viable things we generally do with our customers is a data protection and assessment. This is where we run through your environment. We look at it from a holistic point of view and say, "Oh, your backup is doing this. We should change it to this." Or, "Your security in your file system is open. Change it to this." And you get a lovely little, um, security analysis there with a detailed document backing it up. So, it's one of the first things I would go to if you are stuck and you don't know where to start. But what next? So, now I'm going to hand back over to Steve and Steve, what next?

>> Thank you, Adam. Appreciate that. Thank you very much for listening so far. Um, hopefully that was of interest. One thing I'll point out is Adam talked about a lot of different solutions that NetApp has to offer there. That by all means is not the full breadth of our portfolio when it comes to this.
These are just some of the areas that we've seen that we believe can help in some of these articles. There are a number of articles, there's over 60 articles when you include amendments and additions. Um, but these articles are ones that we've picked up and highlighted. And these are some of the solutions. We talked about cloud volumes. It might be that we use something like a first party service. We talked about MetroCluster. It might be look at using something like our SnapMirror capabilities. So these are just some of the potential solutions that we think we can help with in these different articles. And just putting it back in context, as Adam said, it's 1% of the daily revenue. So 1% of the revenue daily for 6 months is the fine. So this isn't a one-off fine. This can continue for 6 months. Every day, 1% of a company's turnover, which is a large fine. And as Adam alluded to, people question and we've had a few customers say to us, "Are they going to really fine us?" Well, GDPR, there's a very public website. If you type in GDPR and fines, you'll see it. Adam mentioned Meta. Last year, they were fined $1.2 billion for GDPR breaches. The year before they were fined $500 million for GDPR breaches. The expectation is organizations will be fined. And as Adam mentioned, it's not just are you totally abiding by DORA. It's are you looking like you're trying to abide. So accepting from a proportionality point of view that you may not have everything covered now, but you're trying to. This covers the whole of the EU and financial services. This is going to have a big wide reaching impact and this will be a bit of a snowball for other areas as well. We'll see other countries. So these are definitely things to be looking at and focusing on. So what next from a NetApp point of view? Well, this is something that we're quite passionate about that we believe we can really help you within your journey when you're looking at DORA. There's a couple of questions. 
I know Andy, we'll get to your question in a sec because there are tools we have um that we can absolutely look at your data that's on NetApp, but also other people's data. So we'd love to think we're the only vendor you deal with, but we're not that naive. So we also have tools that can also look at other vendors' data as well. And that could be on the cloud or on prem. So BlueXP classification can go across platform across vendors. There was also a question from Marco and I'll just reply do the response again asked about who will be receiving and collecting the penalties. This isn't quite as straightforward as we would like to think. Um there's an article 46 that talks about something called competent authorities. I love the use of the term competent. Who defines who's competent? But it's if you look in that article, it starts pulling out the different types of financial service organizations and it says who the competent authorities are for those organizations and there's a whole long list of if you're a credit agency, if you're a crypto company, all of this sort of thing and it defines who looks after them. They're the organizations that the EBA say have the authority to investigate um and in uh issue fines and penalties. The deck will be available. If you get in contact, we can definitely get the deck to you. There will also be a short questionnaire once we have finished this as well. Um, just to get some feedback on what your thoughts are and whether you're going to be looking at attending because this is the first in a series. So, we are now we have got a DORA landing page on netapp.com. On there, you'll find information such as an ebook, an infographic. There should be some video short video clips just to kind of go through some of the areas that Adam has covered today around the different articles. We'll just briefly mention those. 
These might be useful if you need to go back internally to start talking to people in the organization to get them to notice what's going on because again we've seen a lot of organizations where I was in a conversation last week at a round table and I was speaking to someone and the conversation was literally I work in IT and we're arguing with the compliance team who needs to be looking at this. Truthfully the answer is both of you. This isn't an IT problem. This is a business problem that IT is a part of. This needs to be a company-wide thing. So then you might find some resources on our web page that you can then take back internally to help go get that conversation going. We're also, as we mentioned, this is the first in a series. We're going to have a number of um webinars over the next few months looking at these different articles that Adam touched on today in more detail. We'll have other experts on those different calls to really delve into some of the solutions we can help with. So, please feel free to register. As you've registered for this, you'll get an invite for the next one. We hope to see you. If you think there's someone else within your organization that would benefit, absolutely, please share that around. And if you have got any questions, please feel free. This again, this will be made available this email address. There's Adam is on the line today. There's myself. There's also a gentleman called Peter Dean you may have seen on the line. Peter is another member of the team. He's our financial services lead. Um he comes from a very strong background in financial services. He worked for 20 28 years at Wells Fargo. So absolutely understands financial services. So we've got a breadth of experience that we can help here to help you and support you on your journey because we appreciate this is a journey. This is an iterative process. This isn't a one-off thing. 
So, anything we can do to help, any questions you have, please get in touch and we're more than happy to have a conversation with you. Thank you very much all for joining. We've gone through fairly quick after all. Like we said, we'll be able to get the slides. If you get in touch, we can get the slides to you. And if there are any questions, please feel free to ask. Thank you for taking your time out of your day today. Thank you very much.
What is DORA? Learn about the underlying objectives and fundamental principles to help you assess your organizational readiness for DORA.