CRC-Oyster x BW Cyber: Navigating AI Risk & Compliance in the Age of Technology Innovation

As artificial intelligence integration accelerates across financial services, firms are facing a rapidly evolving landscape of compliance obligations and cyber risk.

CRC-Oyster is partnering with BW Cyber for a live webinar on Friday, May 8, at 2 pm EST / 11 am PST. Subject matter experts will discuss:

  • Aligning AI use with existing compliance programs
  • AI model validation and ongoing monitoring best practices
  • Key risk categories: data privacy, model risk, and third-party exposure
  • Cybersecurity threats unique to AI
  • Where firms get it right, and wrong

Transcript

Michael Durette 0:09
Good afternoon, everybody, and thanks so much for joining. We're going to kick off the webinar in about a minute and let everybody kind of come in from the waiting room.

Michael Brice 0:14
Yeah.

Michael Durette 0:44
So thank you everybody so much for joining us today. My name is Michael Durette and I am a managing principal and CRO at CRC Oyster. And I am joined today by two of my colleagues, Ed Wegener, who is a managing principal, as well as Dan Garrett, who is the managing director and the head of our digital practice here at CRC Oyster. And we are joined by Michael Brice, who is the founder of BW Cyber. CRC Oyster and BW Cyber have a partnership working with clients within the financial services industry on their overall policies, governance, and focus on artificial intelligence. So thank you guys for joining today. The webinar topic, which is something that we think is very important given the environment today, is focused on navigating AI risk and compliance in the age of technology innovation. As we'll walk through this webinar, you will hear more and more about the firsthand conversations that we are having with clients, given the focus of the financial services industry on all things specific to digital, specifically AI, AI use and AI adoption. Ed. Pleasure to have you. Thank you so much. Can you give a little bit of a background and an introduction to the audience?

ewegener 2:15
Sure. Well, thanks, Michael. I appreciate it. Like Michael had mentioned, I'm a managing principal here at CRC Oyster. And I'm also part of the governance risk and compliance practice within the firm. And so we help our clients deal with regulatory and compliance related issues, broker dealers, investment funds, and have been spending a tremendous amount of time around technology adoption, the impact that that has on the firm's compliance programs, and the use of innovative tools like AI. So we've been working very closely with our clients in helping them navigate these issues. I joined CRC in 2020, so I've been here for just over five years. I joined in the middle of the pandemic, which I think helped usher a lot of these new technologies on. Before I joined Oyster, I was the Midwest Regional Director for FINRA and was responsible for their surveillance and exam programs. And part of my responsibilities there was oversight of FINRA's first cybersecurity examination program. So that was quite a while ago and things have changed quite a bit since. But it's an area that I've been very involved with and focused on, and so really appreciate the opportunity to be here today.

Michael Brice 3:40
Ed.

Michael Durette 3:46
Excellent. Thanks so much, Ed. And Dan, quick background.

Dan Garrett 3:49
Yeah, a quick background. Dan Garrett, 34 years in the industry, financial services, operations and technology background. Joined CRC Oyster 2 years ago and I head the digital services area for the firm. We offer fractional CTO services, along with just helping firms with tech strategy, along with digital assets, and particularly of interest in today's topic is helping support strategy playing execution around AI tools and systems.

Michael Durette 4:26
Excellent. Thanks, Dan, so much. And Michael Brice would love to hear the background for Michael and BW Cyber.

Michael Brice 4:35
Thank you, Michael. Gentlemen, very impressive. I am the president of BW Cyber. We've been in business, had a 10-year anniversary this January. BW Cyber is myopically focused in the asset wealth management industry. We have been providing cybersecurity solutions in support of regulatory compliance for NFA, CFTC, SEC, FINRA, a couple of other regulatory bodies outside that. But for today's purpose, our focus has been myopically working with clients in an agnostic manner technology perspective to ensure they're secure for what I consider to be 3 really critical areas in the asset wealth management industry. Regardless of the service offerings you see here, those areas are regulatory compliance, making sure we don't get in the way of our clients' ability to actually do their job and preventing reputational issues. That's our focus. So the perspective that I hope to bring today in support of our friends here with CRC Oyster is not a technology discussion with all the buzzwords to confuse people. I really want to simplify things and help you all that are here to understand in simple, pragmatic terms what AI is bringing to this industry. And I don't mean features and benefits. I mean the security risks and how we can address that, whether it be a reputational issue or a regulatory issue. So that at the end of this presentation today, my goal is to make sure that you, the listener, understand what kind of areas to focus on to be able to sleep better at night and to tell your investors or ODD. You got it covered. You're going to secure your client's data, and you're going to make sure that you're not on the news. That's my goal for today.

Michael Durette 6:21
I think, Michael, that's probably everyone's goal for today is not being on the news. So thank you so much. And I think when we take a look at this webinar, there has been a significant amount of inbound interest, customer conversations, client conversations in regards to AI.

Michael Brice 6:25
Bye.

Dan Garrett 6:26
Yeah.

Michael Durette 6:42
the use case, how to do it appropriately, what firms are working on, how they're operationalizing it, what they're thinking about, what the regulators are looking at. And kind of what we wanted to do today was look at a couple of different areas and focus on. But I think from a high level perspective, why are we here? Right. And I think, you know, Michael, I'll throw that first question to you. What are you hearing? What are the conversations that you're having with your clients? Why is it that AI is such a hot button issue today in this space?

Michael Brice 7:15
Yeah, so candidly speaking, there are not a lot of my clients that call me up and say they're really excited to talk cyber. As a matter of fact, I have to call two or three times before we can have the cyber compliance discussion. But I want to contrast that with the fact that it, and it really started right around January of 2026. There's been a crescendo of inbound calls from our clients who have all said the same thing. They're all saying the same thing. We are moving at near breakneck speed to implement AI. Our managing partner, our president, our founder wants us to use AI in any way we can so that we're not left behind. And we are, is what they're telling me. But at the same token, we're moving so fast that on the technology side, we're not sure how to lock this down. We're worried about data loss prevention. We're worried about PII. We're worried about regulatory issues here. We don't want to be on the news. And parts of those conversations include calls from CCOs who are literally saying, Michael, we're moving so fast. I am starting to get to the point where I can't sleep. I don't know what to do and I need help. So that's what I want to kind of address today is what do people need to do? How can they think about locking their environment in a way that's secure and be prepared to affirmatively say to ODD and others, we've got it, we've got a program and we feel secure. That's what I'm hearing, Michael.

Michael Durette 8:43
Excellent. And Dan, from the front lines in the conversations that you're having daily with clients, what are you seeing? What are they focused on? What are their concerns? How are they trying to operationalize the use of AI within their own environments and their own firms?

Dan Garrett 9:02
Yeah, I would agree with much of what Michael said. And we're seeing the same here. We recently did a survey of AI adoption of those clients and firms that we sent the survey out to. About 20% had not yet started their journey on AI. 80% were definitely

Michael Durette 9:07
Best.
Yes.
Okay.
Yeah.

Dan Garrett 9:22
implementing and on their journey to enterprise-wide adoption. For the 20% or so, a lot of times it's just fear of getting started and concerns about not having policies and things in place for them to even implement and begin

Michael Durette 9:39
Yeah.

Dan Garrett 9:42
thinking about things. There is fears that employees are, because there isn't available adoption at the firm for clients, or sorry, employees are going outside and using applications, perhaps, you know, not under policy and taking advantage of some of the free applications that are out there, which is very scary.

Michael Durette 9:54
Okay. Okay.

Dan Garrett 10:04
Michael could probably talk more about that and concerns there. For the 80%, those that are starting their journey out, they're having a lot of questions and concerns just about locking things down. What, you know, it's the things they don't know they should be asking about or thinking about. A lot of that's just, you know, how do I change my policies and procedures? How do I get my employees to attest to, you know, doing the right things? Which vendor should we be selecting? How do we admin those vendors? What settings do we need to turn on or turn off?

Michael Durette 10:25
The.

Dan Garrett 10:43
when we're implementing AI, you know, of the use cases, you know, which ones are concerning, how much do we need to be reviewing uses and how the system's being used. So there's just a lot of questions that I think people have at all levels. I think one of the things that the survey pointed out is there's very little education that's occurring within organizations. So like Michael had said, everybody's kind of pushing, leadership's pushing to get these things out there and letting people run. And I think a lot of it's a little bit concerning because there isn't a really conscious effort to say, let's get folks trained up on these tools. Let's make sure they understand the rules of engagement and getting those applications in place. And having a true strategy about what we're implementing, why we're implementing it. And I think, you know, again, in our survey, we were looking at firms that, you know, are really looking at, is it adding value? So that's another area is their return on investment. Firms aren't looking at that right now, to be honest. They feel like there is value there. There's opportunities there. They feel like they don't want to get lost or left behind in all of this. And so they're just having folks run as fast as you can. To start implementing and using these tools.

Michael Durette 12:11
I think, Ed, when you think about firms operating in the financial services industry with the regulatory component to it, when firms operate hard and fast, that's typically where the gaps and issues are, right? And if you kind of take a look at it, you know, what do firms, from a regulatory standpoint, what do you see in the conversations that you're having, Ed, with the clients? What do they need to focus on? What are some of the high level areas or even kind of in the weeds that firms need to make sure that they're addressing and looking at from a regulatory perspective?

ewegener 12:45
Yeah, no, it's a great question. And I echo what everybody's been saying. You know, this is probably the number one issue that we've had clients coming to us with. And, you know, you talk about, you know, firms moving too fast. I think, you know, on one side of the spectrum, there's that. On the other side, it's moving too slow, right? And so I think that you're at risk either way. And, you know, so I've been kind of thinking about that and I think this is evolving, but the way I've been seeing it, I kind of look at it like, you know, the three bears, right? On one end, you have firms that are just really nervous and worried and scared about this. And they either aren't adopting these tools or they're making the process for adopting the tools so onerous that they just can't take advantage of, you know, all the efficiencies that you can get from using this kind of technology. On the other side, you have firms that are going cowboy and people are just using all sorts of tools and there's no structure, there's no approval, there's no controls. And so where we see where firms should be, and this is where we're working with our clients together internally with Dan and his group on the technology side, but then also partnering with firms like BW is to really develop a thoughtful approach so that you can start embracing these technologies because there's a tremendous amount that these tools can do to not only make you more efficient, but to make you more effective in what you do. And that the tools just keep coming. And I, this, you know, the horses have left the barn and it's not going back and you have to get in front of it, but to do so in a thoughtful and controlled way. And so that's really where we've been focused. But it is challenging because regulators have said this is a priority for them. But one of the challenges is there is no specific rule related to AI and how firms need to be compliant with AI.
The SEC had put out a proposal for predictive analytics, which covered a lot of these types of things, but that proposal's been rescinded. And regulators are looking at this more from the perspective of how is AI impacting their existing rules, right? And so I think that's a very sound approach, but it does leave firms trying to figure out, okay, we're going to adopt this tool now, which rules do we need to be thinking about? How does it impact these? And one of the other challenges is that AI in general is going to impact certain rules every time you implement AI, you know, things like data protection. And then there are certain rules that are going to be impacted based on the specific use case that you're using AI for. And so you have to think about it both in terms of, you know, what do we need to be thinking about just using AI in general? And then as we start thinking about different use cases and scenarios, what do we need to be focused on there? And so I think the regulators have been doing a good job in terms of providing guidance on how they're approaching this. FINRA puts out a regulatory oversight report every year, and this has been front and center. The SEC has talked about this in their priorities and other guidance that they put out. We're going to the FINRA conference next week, and this is an area that they're focusing on. But some of the areas that they've identified just generally around AI, and I don't think any of these things are going to be a surprise, but data protection and privacy, clearly, the things that Michael was talking about, supervision and how you supervise the use, and also if you have AI involved in supervision through some of these tools, making sure that there's

Michael Durette 16:20
Best.

ewegener 16:20
humans that are in the loop there. A vendor management and due diligence, ensuring inaccuracies or biased output are identified and addressed. There have been cases around AI washing or over stressing that the use and health firms are using AI.

Michael Durette 16:24
The.

Dan Garrett 16:34
Oh.

ewegener 16:41
And record keeping is also another big one that cuts across. But then when you start to think about use case types, and again, this is going to vary depending on how you're using the AI, but things like Regulation Best Interest and the fiduciary obligations, insider trading, how you're handling confidential information, marketing, performance calculations and reviews, fraud, misrepresentation. There's a number of things that are very specific to the use case. And so you have to think about that as well. So that's kind of how we've been approaching it from the regulatory side. But you can't think of this just as a regulatory issue or a compliance issue. You have to partner with technology and cyber and other components within the organization to do this effectively.

Michael Durette 17:29
And I think to that point, Ed, right, and Michael, for you, you know, the larger firms have plenty of staff and they've thought about this and they're trying to figure out how to operationalize it. But when you start to look at the mid-market and the emerging managers, why did they not just go ask their IT MSP to secure their organization?

Michael Brice 17:52
Some of them do. And, you know, I don't want to disparage the IT MSPs. We work with them. What I would say, though, is first off, what we're seeing is most of our clients have at least two, if not three or four LLMs that they're using. I mean, most people, if they're a Microsoft shop, they're using Copilot because the IT MSP is selling it. Then they might be using ChatGPT because that's what they're comfortable with. And then they're probably exploring Claude because people think that's really good. And then we're seeing some other lesser used models that are just for the asset management industry that people are embracing. And what we're finding is the MSPs generally are having experience setting up Copilot or Gemini, if it's a Google shop. And then from there, kind of putting people the ability to have ops, because that's what an IT MSP does. It helps you to operate. What we're finding, though, is the more holistic process. approach. And the way I would kind of outlay that holistic approach, because I always believe in keeping things simple. Eating this elephant starts with one bite at a time. And the first bite should be, I think, Ed, as you were mentioning, maybe you as well, Dan, just have a policy. We have a lot of clients that have started on policies. And many of them have a piece of paper and it's to file, unfortunately. We're working with them because we're saying, gosh, you need to have a policy. It needs to be very prescriptive. And in some ways, it needs to be a bit technical with control settings. And a good example here is if you're saying you can only use Copilot or you can only use Claude, and yet from a company issued computer, I can go to ChatGPT and put in an investment report with my client's PII on the open web. Oh my gosh, we have a problem. And right off the bat, that's the kind of thing that should be locked down. So I just want to make clear, you start with a policy.
From there, you've got to create and turn that policy into a training program.

Dan Garrett 19:46
Mm.

Michael Brice 19:55
And these are things that the IT MSPs don't do. That's not their bread and butter. You've got to make sure your team actually understands what your policy is and the do's and don'ts. Probably record it so you can give it to your interns and your new hires later in the year. The next step, and this is the real takeaway from what I would say a cyber perspective, and that is every firm out there should either be doing or planning to do an AI security assessment. It is the elixir that says, here's the big picture. These are some tools we might want to do. These are the settings you need to be in place. These are the threats you have right now because you haven't locked down what we call your shadow AI or your AI leakage areas, things like that. And then lastly, we would recommend that you do some testing. At the end of the day, all of this stuff works great, but you want to test and just do some simple things internally to make sure that your tools aren't set up in a way that might allow people to do things you don't want them to do. So the point I'm making here is, you know, when you look at just getting, I'll say, the licenses and getting set up, the MSPs are great at that. But there's a whole programmatic perspective here from policy, from regulatory compliance, from understanding the critical issues that Ed and Dan were addressing, that the way, you know, investors and the regulators are going to look at this. And ultimately being able to say affirmatively, whether it's a SEC audit or it's an ODD activity, yes, I have policy. I have program. We've trained to it. And we have a program of continuous improvement to protect ourselves from this thing that's this beast of AI. That's the way I would, I would have our viewers think about that.

Michael Durette 21:43
And then, to go, go ahead, Evan.

Dan Garrett 21:43
I'll add, Michael, if I could just add a little bit to that. The other consideration here is AI is being put into almost every application. So, and a lot of times the MSP has no clue about our industry specific tools that we use, whether that's a CRM or a financial planning tool or

Michael Brice 21:43
Good morning.

Michael Durette 21:46
Yeah.

Michael Brice 21:53
Yeah. Yep.

Dan Garrett 22:03
You name it, everything that we are using, especially even our compliance tools, AI is now getting embedded in there. And I think it's, you know, back to Ed's point, there isn't specific rules out there that are mandating this. And what we're leveraging is just the old rules, which is

Michael Brice 22:08
No.

Dan Garrett 22:23
We need to be doing third party risk assessment and due diligence on all of our vendors, including our LLMs that we are subscribing to. But more importantly now, each one of these new vendors, our old vendors, are now starting to embed AI into their applications. And we need to be aware of the settings and how they're using it and do more due diligence.

Michael Brice 22:26
Yeah.

Dan Garrett 22:45
on those third-party vendors now, more than ever.

Michael Brice 22:45
Yeah. Yeah, it's a good point.

Michael Durette 22:50
Yeah.

ewegener 22:50
Yeah, and just to, you know, reiterate that, you know, when you think about our industry, and you know, we talked about, you know, it's not just the tools, it's how those tools interact with the rules and requirements. And so it's important to engage your MSP in this process, but you also need to be able to map those technologies to the impacted rules and regulations, to your policies and procedures. And to follow on what Michael was saying, just in terms of having policies and procedures, what that should really do is lay out a governance and a governance process. And as part of that, you need to have, you know, some sort of centralized review of

Michael Brice 23:23
Yeah. Okay.

ewegener 23:31
the technologies that you're using, the tools that you're using, as well as the use cases. And there should be input, whether it's a committee or just, you know, some type of involvement and input by all the impacted stakeholders, the business that wants to use these tools, compliance, legal and risk, finance, you know, technology. Everybody who's impacted should be part of this governance. And the important part is that anytime somebody wants to either use a particular tool or use a tool for a particular use case, that it should go through this so that it can be reviewed and reviewed from the sense of risk, right? So there might be some use cases that are really low risk, going out and doing regulatory research, you want to make sure that the input is accurate that you get, or the output is accurate that you get back, but it's pretty low risk compared to using client-facing use cases. And so understanding the different risks, understanding which rules are impacted, and then approving or prohibiting certain types of uses or certain, you know, things like utilizing PII in models and how they're trained. So making sure that that's done because that creates the inventory. To Dan's point, you don't want to, you know, have people using things that you don't know about. That training is important. It is a critical piece, but then also probably, you know, questionnaires periodically to go out and say,

Michael Brice 24:35
Clint.

ewegener 24:54
Hey, here's a list of approved tools and use cases. Let us know if you're using something else. Here's the process so that people understand and you can inventory what's being used. But all the other things that were talked about, that ongoing testing, training. But one of the factors, and Dan, you touched on this a little bit, is just the vendor due diligence is to, as you're going through your vendor due diligence process, both initial engagements with vendors, but also ongoing is to ask the question, how are they using AI? What sort of controls do they have in place?

Dan Garrett 25:30
Mm-hmm.

Michael Brice 25:32
I worry about free AI that it's just like the free VPN where, you know, if it's free, you're the money, if you know, that concerns me.

ewegener 25:32
I've seen. Yeah. Exactly. And one of the challenges though I've seen with firms that their vendor due diligence process is that they make that process so onerous that nobody can get through that and pass. And so then you lose the opportunity to start working with tools that can be really helpful. So having that vendor management process, but making sure that it's reasonable, it addresses all the risks and

Dan Garrett 25:42
Yep.

Michael Brice 25:50
Sam.

ewegener 26:02
areas that you have to cover, but not making it so onerous that you're missing the opportunity to utilize these tools.

Michael Brice 26:04
Yeah. Yeah, Michael, I'd like to give a little anecdote on how this all comes together as an example. In my personal life, I had the wonderful experience of watching my wife almost put my passport into ChatGPT right before we went on some travel recently. And of course, my head almost blew up. And then it kind of made me think, well, we didn't have a policy on the house on how we take care of PII. We didn't have any training on please, for goodness sake, don't put my passport into ChatGPT for the world to see. And then lastly, we didn't have any technical controls to prevent it. So on a personal note, that is how it all could come together and apply, you know, to our clients as well.

Michael Durette 26:51
Yeah, and I think, right, and you look at financial services industry as it is right now, right? And Dan touched about it at the beginning, which is, you know, artificial intelligence, digital assets, right? There's a couple of these secular themes that are really starting to kind of play into the industry and the space. You know, and Dan, for you, you know, when you think about today's webinar and you think about everything that that you and Michael and Ed have talked about. What's the one big takeaway that you would that you would provide to the to the group here on the webinar? You know, what's something that you think that they should take away as either foundational that they need to think about or just overall in general as they start to operationalize or even think about the AI policy and usage within the firm?

Dan Garrett 27:38
You know, Ed touched on it a little bit. I think it's really important that firms are identifying somebody at the firm or a committee at the firm that's taking in consideration all the stakeholders how this could be transformative to the entire organization and is leading that effort of making sure we're checking all the boxes, whether that's updating policies or training, doing the third party risk assessment. So to me, it's really about making a conscious effort that this is something that we want to get into. We're serious about this from an organization. We're going to put effort into it. And, you know, if you don't have the expertise, go hire somebody or bring in somebody that can help and support you in those areas where you have weaknesses. And so it's just being conscious about that and having an organizational plan for adoption, I think, is really what I would say is my critical takeaway.

Michael Durette 28:43
And Ed, from your lens, you know, high level advice or perspective that the viewers can take away.

ewegener 28:51
Yeah, you know, I mean, part of this is reiteration, you know, but just having that governance structure in place and making sure that everything goes through that. But there's a lot of components that come with that. And but I think the biggest thing is to make sure that, you know, Michael had mentioned this, it's training is critical. So once you get this in place, make sure that you're training people so that they know what the firm's policies and procedures are.

Michael Durette 28:59
Yeah.

ewegener 29:15
so that they know how, if there's an incident, how to escalate that and who to escalate it to, so that the firm can implement, you know, its incident response program as needed, making sure that they're trained on, you know, just what is approved and what is prohibited. And then checking periodically. This can't be a set it and forget it type thing. So you really need to have a pulse on what people are doing. And so checking regularly, making sure supervisors understand they need to be looking for any unapproved usages.

Michael Durette 29:50
S.

ewegener 29:53
Um, just that that training component is critical.

Michael Durette 29:59
Excellent. Thanks, Ed. And Michael, kind of high level overview. What's one thing that you would like the audience to remember and take away from this webinar?

Michael Brice 30:08
Yeah, and I'm going to come at it from the lens of cybersecurity. The regulations, in essence, say that they expect you to protect your data, keep your clients' information protected, and have a program of continuous improvement. I think almost synthesizing what both Dan and Ed said, is I believe there should be a purposeful approach to what you do. And that approach ultimately should be when you have an ODD question, which we're seeing a lot now, more so than any other pressure other than CCOs saying they can't sleep at night, is how do you respond to an ODD question when it says, what's your AI program and how you're protecting your data. And the simplest way to do that is to have an approach in which you start with, from my perspective, an AI security assessment. It looks at it for the gaps. It says, do you have the policy we've talked about? Do you have the training? Do you have the controls in place? Have you set up and prevented your employees from doing stupid things, you know, from taking Michael Brice's passport and putting it into ChatGPT for the world to see? And then can you show that you've actually then made corrective actions to move that program forward? Because guys, spoiler alert, AI is not going away. I believe 2026 is going to be the year where we have what we call AI compromise, AI data poisoning, and AI shutdown. And when those things happen, and they will, it's not so much, what did you do? It's so much, how did you do it? And I think those organizations that show how they've approached this are going to be doing okay. Those organizations that either stuck their head in the sand or tried to do point solutions, put a piece of paper on the file or something like that, I think are going to assume higher risk than they should.

Michael Durette 32:03
And I think it brings up a good point that maybe we want to kind of wrap up with and kind of, you know, Dan, for you and Ed as well, when you look at your kind of Michael talking about 2026 and, you know, what could happen or what might happen or what is going to happen in that regards, you know, Dan, for you, when you're talking to the clients and you're helping them operationalize and think about this, you know, what do you see as the industry kind of moving forward over the next 12 to 24 months in the adoption of these technologies? You know, what are firms using these for outside of what kind of we normally know today? Anything, any conversations that you're having with clients that you want to share in terms of, you know, how firms are thinking about operationalizing and how you're helping them?

Dan Garrett 32:50
Yeah, you know, the areas, and this came out in our survey too, is the areas that it's being most used for is in marketing. We're seeing a lot of around operational and operational efficiencies is the other area. So there's lots of, there's lots of opportunities out there, I think. What we're going to be seeing in the very near future is really the adoption of agentic AI. And this is, you know, the ability for not just these chatbots that are getting, you know, these amazing responses, but they're actually acting and they're actually doing things. They're replicating what a person might be doing in an operational process, let's say. And I think that that is going to add a whole other area of interest and focus in terms of safety and risk and those types of things. You know, we are very focused on, you know, making sure firms have human in the loop. And most of our firms that we survey and talk to, they are not having their AI interact directly with clients in any way or a very limited way. There is human in the loop in processes, but I think over time what we're going to see is that kind of pull back a little bit. We're going to see agentic AI doing more things, not just answering our questions, but actually acting, thinking about something that's happened and reacting to that and doing something with that information, which I think adds a lot of value. It's kind of taking robotic processing to a whole nother level, a very smart level. But again, it opens up a lot of risk and concerns that we need to focus on.

Michael Durette 34:32
And I think, you know, Ed, what are your thoughts there?

ewegener 34:35
Well, you know, I... I think, I don't know the timeframe on this, but you're already starting to see it. I don't think that there's a function that is happening within our industry that isn't going to be impacted by that by AI in some significant fashion. I mean, you look at like different tools that you're seeing people using, Dan, you mentioned marketing reviews,

Dan Garrett 34:52
I agree. Absolutely.

ewegener 35:01
e-com reviews, the ability for these tools to be able to reduce the number of false positives and it gets better over time, I think is really transformational. And I think it's really going to make firms more effective in doing those types of reviews. We've seen it used in AML type reviews, reviews for suspicious activities, and trade reviews. I could see applications taking unstructured data like information and prospectuses and offering memorandums for alternative investments and making sense out of them, summarizing that information, identifying where key risks are to help in the due diligence process. You just go on and on. And I think that it's going to impact every aspect of our industry. And if you don't start embracing it now to some extent, you're going to be way behind. And I think you're going to be left behind. So I think the important thing is to really start thinking about, okay, this is coming or it's already here. How do we do this in a way so that we can be prepared? So if something happens next year where there's an issue, it's not staying away from it. It's how do we be prepared for something like that? And that's part of that governance process that you really have to focus on.

Michael Durette 36:17
Excellent. And I think that I want to take an interesting question that was posed. So there it looks like there was an article in April about AI agents that were operating outside of the enterprise and sharing corporate data without oversight. And the question is, how do you manage that? Anyone, anyone want to, anyone want to tackle that question?

ewegener 36:40
I think from the compliance perspective, it's manage it. You know, I'll let the technology people discuss how.

Michael Durette 36:46
Yeah.

Michael Brice 36:48
I will just say, separate from AI, one of the biggest challenges our clients have is just asset visibility, just knowing what equipment and software and things like that that you have in your business. That's going to become more complicated with AI, what your AI is doing, because now you're going to see AI being utilized outside the IT professionals. But a slight segue here, the biggest... other activity I see with AI is actually the external threat to our clients and the simplification of attacking by individuals that no longer actually need to be sophisticated cyber criminals. That's the sort of stuff we're seeing. And it's...

Dan Garrett 37:29
Mhm.

Michael Brice 37:35
Pretty impressive and pretty scary. The quick example here is, you know, Dan, I call you, it's caller ID from Michael Durette, and you hear Michael Durette's voice, but it's actually me calling you and I trick you into doing something. That's what we're seeing happening in 2026.

Dan Garrett 37:48
Okay.

ewegener 37:53
I do think with respect to that question too, you know, I mean, it's not much different than I would say you'd have with humans, but it's access control. What sort of access controls do you have over your data, whether that's individuals with access or AI related tools with access? You need to know what data you have, who or what has access to it and making sure that if there's vulnerabilities and controls that those are in place. So being able to map all of that is a critical part of that governance when you're assessing and implementing new tools.

Michael Durette 38:29
Excellent. And I think, Dan, any comment on that, agents stepping outside their lanes on the governance structure?

Dan Garrett 38:37
Yeah, no, Michael's point is like, well taken. These tools are so easy to use and, you know, people are able to do things that they wouldn't ordinarily be able to do, positive and negative. And, you know, we've been talking about a lot of risk and concerns with this call, but there's a lot of promise and opportunity for improving operations, for finding fraud, for, you know, helping more clients out who might financial advice, something that, you know, we should as an industry need to be focused on. So there's great opportunity, there's great risk on both sides of it. And, you know, it's an interesting time that we're in, for sure.

Michael Brice 39:25
Yeah, Michael, there's one other area that I would like to mention here. It's for our larger clients, generally over 100 seats into the thousands especially. AI will significantly enable potentially, especially in the early phases here, malicious insiders to have somewhat potentially unfettered access to do things that previously would have been difficult. I'll give you an example. We'd like to think that any client we have, they've locked down how much employees make or executive bonuses or things like that. But every now and then there might be a mistake that somebody made where there's an authorized access to something that shouldn't. That stuff is really hard to find when you're doing it by yourself. You're at not, whatever it is. But if you've got AI and you can just ask that AI tool, hey, search everybody's desktop for me or email and tell me if you see what executives make or this or that. That sort of internal activity and malicious activity, it's going to be simplified exponentially. And so we want our larger clients to be aware that as they implement AI, they should absolutely also think about putting guardrails on malicious insiders.

Michael Durette 40:42
I.

Michael Brice 40:56
Yeah.

Dan Garrett 40:56
And so if you don't have a good handle on your data and the governance around that data, it's very concerning to start implementing AI and having it sit on and have access to that information.

Michael Durette 41:01
I. I think it's a good segue as we're coming kind of to the end of the webinar is to, you know, CRC Oyster and BW Cyber work together with firms to be able to help on the training, on the policy development, on the testing, right? And if there are any questions or any takeaways, there was Dan, Ed, and Michael's contact information that was up there. But really what we wanted to do today was kind of talk about what we're hearing, given the fact that we're seeing significant amount of inbound inquiries, clients, prospects talking about AI, everything specific to AI, how to be able to put it in their tenant, how to be able to operationalize it, and working with, you know, 1000 plus clients on the CRC Oyster side. You know, Dan and Ed and our team are having really interesting conversations and discussions with our clients as this is a relatively new technology and financial services, but definitely something that's going to be moving at breakneck speed, as Michael had put it earlier on in the webinar. So if anyone has any questions or will look for any support, please feel free to reach out to anybody on this webinar. But with that, I wanted to say thank you for everyone that joined. Michael, Ed, Dan, thanks so much for being a part of the webinar. And thank you to the audience for jumping on at 2:00 on a Friday. Clearly, with the turnout that was here, people have a lot of interest, people have a lot of questions, and we're here to help in any way that we can. So with that, I hope everybody has a great weekend, and we'll be looking forward to our next webinar specific to the digital asset and digital space. So with that, thank you so much, and have a great weekend.

ewegener 42:55
Take care.

Michael Brice 42:55
Thank you.

Dan Garrett 42:56
Q.


Speakers

Ed Wegener
Managing Director of Governance, Risk and Compliance, CRC-Oyster

Daniel Garrett
Managing Director and Head of Digital Services, CRC-Oyster

Michael Brice
Founder and President, BW Cyber


Copyright Compliance Risk Concepts | All Rights Reserved © 2023 | Privacy Policy