FidelityConnects: Implementing leading cybersecurity tools and practices for advisors

[00:03:35] Andrea Rigobon: Hello, and welcome to Fidelity Connects. I'm Andrea Rigobon. The financial sector stands at the forefront of technological innovation, constantly adapting to new digital landscapes by enhancing the customer experience, streamlining operations, and maintaining security. However, with each technological advancement comes new challenges, and perhaps none are more pressing than the rise of artificial intelligence and deepfake technology. Joining us today to discuss how advisors can stay informed on the latest cybersecurity and deepfake trends is Imran Ahmad, partner at Northern Rose Fulbright Canada and University of Toronto professor. Welcome back to the show, Imran.

[00:04:15] Imran Ahmad: Thanks for having me.

[00:04:17] Andrea Rigobon: So good that you're back here today. I distinctly remember the last time you were on this webcast, we were coming up to time and I was thinking, I don't want this webcast to end. This is so interesting, I want to keep going and picking your brain on what's going on when it comes to cybersecurity, what advisors need to be mindful of. You know what, I really like sort of, I like it but it's scary, these stories of deepfakes and people getting duped and having to pay a lot of money out of pocket. I think the purpose of today's show is to alert advisors to new trends and give them some tips and tricks in terms of how can they identify a cybercriminal or when a cybercriminal is doing something, a deepfake and how they can protect themselves. With that said, maybe you can update us on things that we're seeing currently. AI is evolving and with that, obviously, there are benefits but there's a downside. We're seeing increased cyber fraud, what are some of the new things we're seeing and what can advisors do to protect themselves?

[00:05:23] Imran Ahmad: Really happy to be back, and a lot has changed and continues to change. One of the things I hope the audience is going to take away from today's discussion, it's going to change over the next six months, next 12 months, 18 months and onwards. This is not going away. What's interesting when we talk about cyber, generally, when we're talking about criminals or fraudsters, it's always move, counter move. You do something, they adjust. The fraud techniques, they may change but the fundamentals of a fraud, which is let's get our hands on the money, hasn't, actually, changed at all. The use of AI, the use of other types of cyber attacks becoming much more common. Let me tell you a little bit about what I'm seeing, at least, in terms of cyber trends and fraud trends using AI.

[00:06:06] I think the biggest one everybody's heard about it is deepfakes. Just for our audience's benefit, deepfakes is basically picking somebody's image, voice or persona, creating an image that looks really realistic to the naked eye by using artificial intelligence, typically. Imagine we're talking today, this is being filmed, bad person wants to take my image, they've heard my voice, they've seen how I move, they've got an image of me, they can use various tools that are out there to create a message coming from Imran saying do X, Y or Z. If you put that in the context of transfer of funds, in particular, like wire fraud, it's become much more sophisticated. What we're looking at right now are complex, high net value transactions which are, obviously, fraudulent transactions that the hackers are involved in, and they're moving at a crazy fast speed. Let me give you an example. It is common now these days to have hackers send phishing emails. You probably receive these emails saying, you've got a delivery at your home or you need to update your phone for whatever update for the software that goes along with it.

[00:07:16] Andrea Rigobon: Ignore, ignore, ignore. Do not click. I don't click on anything.

[00:07:20] Imran Ahmad: Well, there's some of them that are legit but the ones that are not, to pick them out and say, this is not the one we should be clicking on, that can be hard for the person who's busy or who is not familiar with the process that goes along with it. You get these emails, the fraudulent ones, and, regrettably, let's say you clicked on it or you entered your username and password. Now what the hacker is doing is getting into your email account or that of, maybe, your organization somehow. Once they're in they're saying, transfer funds. By the way, what I'm going to do is I'll validate this because it's such a scary cyber world we live in, I'll call you. So you get a voice message on your phone, maybe after hours, saying, hi, it's so and so, and from the voice that was captured beforehand, can you transfer the funds? The email I sent you earlier is legit. Or what we're seeing as well is even the image. So again, capturing somebody's picture on a phone call or otherwise, a video call like a Microsoft Teams or Zoom call, and say, okay, you know what, I'm going to call you and you'll see me. You see the person, the lips are moving and it's almost indiscernible when the lip movement is not synchronized.

[00:08:29] Andrea Rigobon: Wait a minute. I'm an advisor, I get on a conference call, I think, perhaps, I'm on a conference call with my client, and there's somebody there that looks like my client that's speaking but it's not my client. That's what AI can do today.

[00:08:45] Imran Ahmad: Do today and has done already. We were talking just before we went live on this case that happened back in Hong Kong. I feel for this person. Just for our audience's benefit, there's an organization, there's a person who receives a request, a legitimate looking request, from somebody within the organization who, arguably, their mailbox was compromised, saying you need to transfer not $1, $25 million. So this person's red flags go up, okay, I need to follow protocol. Let's do what is best practice in this situation which is pick up the phone, get on a call and validate that these instructions are legit. He does that. Unfortunately, the image on this call of multiple individuals and the voice that went along with it looked legit, seemed legit and he transferred the funds.

[00:09:37] Andrea Rigobon: A conference call with multiple individuals, or that appear to be multiple individuals, but it's all AI.

[00:09:46] Imran Ahmad: I'll give you another example. A lot of folks probably get this, in Canada, we get a ton of these, where you get a phone call from a number either that you recognize or don't recognize, it doesn't really matter. Pick it up and you just keep saying hello, hello, who is this? Or you get maybe a very brief conversation and then it quickly disconnects. What the hackers are doing, or the fraudsters are doing, is they're capturing the voice in the back end. If you use artificial intelligence, especially generative AI which is now relatively easy to access — there's a good generative AI, the stuff we typically see like the Chat GPTs and the Co-pilots and so on that have guardrails on it, meaning you cannot do certain bad things with it. But there are other generative tools that have no guardrails that you can get on the dark web or get access to from other sources.

[00:10:30] What they do is when they capture your voice they use these tools to create a new conversation. Take this recording of 10 seconds, 15 seconds, 40 seconds, it doesn't have to be hours on end, from this individual and create an entirely new conversation. What they go on to do on top of it is say, I'm going to ask you a question which they think the victim is going to be asking, prepare responses so it feels natural. So it's not like a recording necessarily, it feels like a live conversation. So it's quite realistic and it's happening now.

[00:11:02] Andrea Rigobon: We need to be mindful of picking up the phone to numbers that are unfamiliar, providing information or answering questions but then if you, actually, get to the place where perhaps you're on a conference call, how are you going to identify if certain individuals are not actually real?

[00:11:22] Imran Ahmad: It's funny you're asking that question because we get a lot of it. My answer, instead of being very technological is more analog than anything else. If I was to ask you, when was the first time we met? You may recall because it's memorable. The hacker won't be able to do that, necessarily. If you give a safe word, there's a chance that safe word may have been compromised because you put it in an email, you've used it elsewhere, it's stored somewhere. We're going more analog to memory or triggers that may be helpful to figure out who the actual person is. It's now not uncommon where we will put those in. Believe it or not, some of our clients actually have caught fraudulent activity that way. When was the first time we met? Do you remember what your first conversation was when this happened or that happened? Those things are actually much more realistically helpful than otherwise.

[00:12:13] Andrea Rigobon: It's interesting, I see as this is evolving, potentially and maybe we see more fraud, potentially, regulators put requirements in place to collect this type of information or ask these type of questions to mitigate some of these risks. How else do you do that when it becomes so sophisticated that you think you're speaking to your client but you're not. Why I think this is really important for advisors is because advisors are in a position of trust. You see these frauds perpetrated, they take somebody in a position of trust and then try to get something, especially because advisors are dealing with assets. I think all of this stuff is really, really important for advisors to hear. I was reading a story, they were doing this with doctors and having doctor deepfakes online trying to get people, soliciting people to buy certain things. Because the doctor is in a position of trust maybe somebody, members of the public or certain people know the doctor and now they're being told to buy something when really it's not in their interest. With financial advisors I see this, potentially, as a big issue. What are some other red flags if you're a financial advisor, things that you can identify easily or you should be mindful of or something that is common that these fraudsters sort of go out to the world with.

[00:13:41] Imran Ahmad: So I'm not here to scare, we'll talk about positive and measures we can take to mitigate but let me give you another example of how AI is being used by fraudsters. The phishing piece, which is so common, you just get an email and it's a click through and you want to be quick about stuff, maybe something, like I said, got delivered to your home, you click on the link, you put your username and password in and it goes to a dead page and you make the assumption, maybe it was a bad link, maybe in a bad reception area, I'll get a reminder and I'll deal with it then. Well, what's happening on the back end is they're using that username and password to get into your mailbox. Now, this is why it's important, especially for advisors. Advisors have a trust relationship. They know exactly what the client is doing longer term. They may even have a very good cordial relation where they're like, well, what are you doing this weekend, what's your plan? What the hackers will do is they get into the mailbox, and imagine you've got thousands of emails.

[00:14:38] Andrea Rigobon: How do they get into the mailbox? Somebody clicked something?

[00:14:41] Imran Ahmad: It's interesting, we're going to probably talk about this but we should touch on multi-factor authentication. You've got your username and password and then there's a code that's generated. The problem with that was a lot of people complained. They said, oh gosh, every time I log into my iPad or into my mailbox I have to put in this ridiculous code, takes so much time, I'm not happy about it. So they got these things called tokens. You log in once, you put in the code and you're good for a while if you use the same machine. For example, when you're logging in it says, do you want to continue using this machine, is this a safe machine? Do you trust this machine?

[00:15:16] Andrea Rigobon: And I click yes, yes, yes. I don't want to do that annoying code thing anymore.

[00:15:19] Imran Ahmad: Sometimes the hackers will try to compromise by saying, give me the code and they'll steal that token and get around the mailbox security piece. Once they're in the mailbox what they'll do is say, instead of just looking at one or two emails for one client they'll say, let me pull every single email you have. You have 10,000 emails, argument's sake, you have 100 that belong to communications between you and I over the last whatever a number of weeks or months. Then you can just ask the AI tool, the bad one that you're asking and working with, saying take all these emails, draft an email that flows in terms of tone, in terms of references that may have been about vacations and time off or whatever, and draft a request that would be realistic within the time frame that this person typically operates and responds to me. When they get this email, the legitimate victim of these kind of attacks or phishing emails, they look at it and goes, coming from a legit email address, the tone is right, they reference the fact I went to a bake sale last week, I'll probably click on this or do what they're asking me to do, and they'll put extreme time pressure. Do this quickly, unique opportunity, move quickly, otherwise we'll be X, Y and Z.

[00:16:32] Andrea Rigobon: Time pressure, that seems like a red flag.

[00:16:34] Imran Ahmad: That's a red flag, exactly. Time pressure on that piece, your multi-factor authentication, we often get this where you get a phone call that says, oh, click yes or no for authentication. You may assume this is a legitimate reset but it's not. Double check, refuse, see what happens. There's all these techniques that you can pick up very quickly. The other piece is, and if we're talking about solutions that advisors should be thinking about, educate your broader team. A lot of advisors will have delegates in their organization, their assistant or another colleague who has access to the mailbox, you may want to stop doing that for all kinds of — or restricting the access to just calendars or other things, not the entirety of the mailbox because they can also be duped as a result of it.

[00:17:18] Another example in addition to that would be all the updates. You mentioned updates of software. Some of them are critical. You really do want to move quickly on installing them where they're legit. Do your diligence first, is it legit? If it's not you, the IT person, talk to your IT person. If you don't have an IT person talk to your IT service provider. There's somebody who knows what you're doing, how your IT environment is set up. Validate with them if it's critical and if you should install it right away or not. Another piece, you have probably a lot of devices, laptops, iPads, cell phone, other, make sure across the board you have the same level of security that's installed in it.

[00:17:58] Andrea Rigobon: That's so important. I assume with an advisor that the dealer would manage these systems so if they are working through the dealer's provision systems there should be a level of safety within those systems. But again, it seems like what you're saying is the best defence against a lot of this is hypervigilance. Although we shouldn't be scared we really do have to be proactive and be vigilant around this and really question almost every communication we're receiving, which is unfortunate because there's a huge burden to that. I wonder, do you think we'll see some tools that will come and help mitigate some of these risks or identify fraud or counteract some of this?

[00:18:46] Imran Ahmad: Yes and no. There's tools that are out there, there are tools that can be tweaked and reconfigured and there are others that are coming out that'll be really interesting to see how they get implemented. Again, it depends how big or small the organization is because there's typically a cost associated with it. In no particular order, where I start with our clients is start with the basic analog, cheapest solutions that you have all the way up to the more complex ones. What is cheap and easy, or as my wife says, cheap and cheery, make sure you have multi-factor authentication. Sounds obvious but make sure it's properly configured and reset regularly. Second piece, make sure you've got complex passwords which get reset, if not every month certainly no later than every 90 days.

[00:19:31] Andrea Rigobon: I get so annoyed at these things because I'm forgetting my passwords and I'm putting in the same password I use and it's saying it's not complex enough and I don't want to do the multi-factor authentication but it sounds like this is the best way to protect yourself. Irrespective of how annoying it might be or how much extra time it might take, these are things that we really should do.

[00:19:52] Imran Ahmad: Should do and will significantly mitigate the risk profile for the advisor.

[00:20:00] Andrea Rigobon: What else?

[00:20:01] Imran Ahmad: Your digital footprint, just the example I gave earlier, the example of 10,000 emails in a mailbox, not uncommon, unfortunately. You should reduce that. There's ways you can set your configurations and doesn't cost you a cent saying after every three months purge my mailbox. What it does, it doesn't delete everything, it moves it into an archive. Imagine a hacker who is trying to get into your home and you've got two, three doors that are all locked. He may, or she may, be able to get through door one but door two and three, they'll just give up and move on. You want to be able to reduce that footprint. Again, a lot of advisors are going to have a ton of sensitive information. It's not uncommon for them to get a driver's licence scan or a variety of other documentation for knowing your client and so on. Purge it if you don't need it. Once you've put it in the dealer, let's say portal or other validation software you're using, you do not need to keep a physical copy in an email account. Super important.

[00:20:56] Andrea Rigobon: That's really important, I think.

[00:20:58] Imran Ahmad: Sorry to...

[00:20:58] Andrea Rigobon: No, go ahead, go ahead. I'm so interested in all of this.

[00:21:01] Imran Ahmad: There is technology out there now that monitors exactly what has happened in your mailbox. Just using the example of Outlook, a lot of people use Microsoft Outlook. They're probably using the web version which is preferred over the on-premise one. You have this opportunity to get a higher level licence. You have the base licence everybody gets because it's more affordable and it's good but the higher one actually tells you who got into your mailbox, when and what did they look at. If you are ever discovering an incident, oh gosh, despite everything I did somebody got in, instead of notifying all of your clients, with that additional licence piece you may be able to say, oh no, the hacker only got in for a few minutes, it gives me all the details, they only looked at three emails, the three emails did not have any attachments, does not have any sensitive information, we're in a good place. Think about having that level of licencing in place as well.

[00:21:52] Andrea Rigobon: But if you know that, let's say, some information was compromised the best thing to do is to tell the client, correct?

[00:21:59] Imran Ahmad: Yes, but there's more.

[00:22:02] Andrea Rigobon: Tell me about it.

[00:22:04] Imran Ahmad: Our privacy laws in Canada are changing but they're pretty clear as to what the requirements are. Without boring you with the details of it, any information that can be used to identify you would be considered personal but there's sensitivity level. If I had your social insurance number, a credit card information or banking details, or if I had, for example, a driver's licence or government issued ID like a passport or a health card, those are super sensitive because I can easily conduct identity fraud with that. You have to notify the person. Not only that, you've got to notify the regulators too.

[00:22:38] Andrea Rigobon: That's right.

[00:22:38] Imran Ahmad: The privacy commissioner federally, in some case if you're operating across multiple jurisdictions across different provinces, you have to notify them as well. In some cases your clients are not going to be happy about it, obviously, because financial and health information is considered to be the most sensitive information you have. They'll want some form of credit monitoring so they can actually protect themselves. So yes, you have to communicate. One point I will mention, no matter how quickly you move there will be clients who feel you took too long. You have to be ready for the irate client coming back to say, how come it took you a week to tell me after this occurred?

[00:23:12] Andrea Rigobon: But it's reasonable to conduct some sort of investigation, I would think, and then notify clients. I believe under privacy laws there is an amount of time you have, a reasonable amount of time to notify clients, but in the case of an advisor I would right away go to compliance within the dealer if there was some sort of breach. I'm sure there's a policy within the dealer that specifies sort of the escalation procedure around any kind of potential security breach that an advisor has. It's definitely something to be mindful of because you do have regulatory obligations.

[00:23:41] Imran Ahmad: It's a good point, talk to your compliance specialist or colleague or partner who can help you with this for the following reason, not all privacy breaches are notifiable. There has to be under our statute or statutes across the country a real risk of significant harm. That's the terminology, it's real and significant, not hypothetical and maybe, it has to be real, and it has three parts to it. One, has to relate to a human being. Sounds silly to say but sometimes there's corporate information that's sensitive as well, has to relate to a person. Two, has to be sensitive in nature so, typically, name, address, telephone number not so much  but everything else that we talked about earlier probably, if not other types of information in addition to it. Third, and this is the hardest part, this is where really a compliance expert or a legal expert can help the advisor, is there a risk, or is there evidence that the information has or can be misused. If it's really unlikely based on the investigation or other factors that were considered, you don't necessarily have to notify, or maybe you do, it depends on each case.

[00:24:43] Andrea Rigobon: I hear that in Canada the threshold there is pretty low so that you could have date of birth and a person's address, potentially, but you have a malicious actor involved in retrieving that information, the threshold might be met even though the sensitivity of the information is not that high. Something to think about but there's a self-reporting tool on the OPC's website.

[00:25:07] Imran Ahmad: On the OPC's website, the Office of the Privacy Commissioner. Actually, it's interesting you mentioned that example. Name, address, telephone number on the face of it, probably not, maybe a date of birth, who knows? But you know what hackers do? They're on the dark web and they take your information, they go, well, from this organization or this advisor I stole only name, address, telephone number and date of birth but from another one I have all this other information, let me put them together by using, believe it or not, AI tools, and let me build a more proper profile to be able to compromise and, arguably, conduct identity fraud.

[00:25:40] Andrea Rigobon: So scary. We have a question from the audience. Are there password managers that you trust and are better than others?

[00:25:47] Imran Ahmad: Yes. I'm not endorsing any particular tool.

[00:25:50] Andrea Rigobon: No endorsement but ...

[00:25:51] Imran Ahmad: There are password tools, you can google them. Don't look at the sponsored ones that come up in your rankings. What I typically do is I go to PC Magazine or other publications which rank each and every one of them. Some of them are free. Candidly, the more enterprise ones are the safer ones because you are paying a little bit but it is much more safe. What I have seen on the other hand, which I would not recommend, is using free tools that are not designed for passwords. For example, Google Keep, I don't know if you've heard of that, great tool maybe as an aide-mémoire or as a cheat sheet but don't put your passwords there because that can also be compromised once your email is compromised.

[00:26:26] Andrea Rigobon: I think that's really helpful advice. No other questions for now. Let's talk about the consequences. Why should advisors really care about this? There are some significant consequences to getting this wrong, not to scare anyone again.

[00:26:41] Imran Ahmad: Well, we started off by talking about trends and we talked about the cyber and the fraud trends that are happening, but what's more important is what is happening from a regulatory standpoint because there's what the hackers do and then there's a response to it. As I mentioned, health and financial information are considered to be the most sensitive that are out there. As a result, most regulators, not just the privacy commissioners, could be CIRA, could be a variety of others, could OSFI, could be a variety them that are going to say, we need to be informed. These folks have very sophisticated internal teams. For example, for OSFI, just as an illustration, they have within OSFI a division called a TRD, the Technology Risk Division. What they're looking at is the overall stability of the financial system. Even a small little incident has to be reported up based on the criteria they released and then they take certain actions to make sure it's been properly dealt with. That trickles all the way down to the advisor as well. If you have a breach, maybe you're just thinking, ah, not a big deal. I'm in a local community, got a number of clients, I'll let them know and I'm done. Well, actually it's not that simple, unfortunately. You've got to notify them, certainly the privacy commissioner if the threshold is met. You may have to tell, obviously, your other partners and business partners including the dealers that this has occurred, potentially, and a variety of others that may kick in depending on which industry you may be dealing with.

[00:28:04] Andrea Rigobon: That's definitely something to be mindful of there. I want to go back to deepfakes because I'm so interested in this whole deep thing. I have an avatar. My avatar is created through some technology where it uses my voice and my mannerisms and my talking right now. Potentially, somebody could take this feed and I don't know what they could do with it. Aside from you mentioned that it's very easy if somebody calls me to take a snippet of my voice but how are they going to get the rest of it to make it look exactly like me? When I look at my avatar, it's really good but I can tell it's my avatar.

[00:28:37] Imran Ahmad: It's getting better. Unfortunately, these AI tools, especially for deepfakes, are getting better and better. I remember there was a Netflix show I was watching, it was about boy bands or something like that. They had Ron Perlman who was one of the managers for these groups. He's been dead for several years but the video they were showing was him talking about that documentary almost like in real time. I was like, this doesn't make any sense. And this is not long ago, it's a year ago. This doesn't make any sense at all. How could they have done this? The recording was legitimate but if you paid really, really, really close attention and focused you could see the lips were not properly aligned with the messaging, but the voice was exactly the same.

[00:29:18] Andrea Rigobon: So look at the lips.

[00:29:20] Imran Ahmad: Look at the lips, look at other pieces like the background, look at shadows, you can see those red flags in those deepfakes in some cases. The mannerisms are there for sure. Look at the skin complexion, for example, skin complexion which is completely smooth is likely artificial intelligence generated in most cases. I'm old, I'm almost 50 so--

[00:29:41] Andrea Rigobon: You look great.

[00:29:41] Imran Ahmad: --I have wrinkles. If you don't see wrinkles on my avatar or my image, arguably, maybe it's been photoshopped or it's been some form of AI generated. You have to be able to identify those kind of cues. It's a shame we have to live in this kind of world now, it could be on social media, it could on Instagram, you see these feeds and go, this cannot be real because it just seems so out of whack. That's what you should be looking for, those flags. Somebody can get most of your mannerisms but, again, they won't know everything, so the memorable question when you're interacting with any of these deepfakes, those key elements that are unique to you that don't come up that often. Remember, what the AI is doing is taking historical information that they got from you, so whatever snippets or voices or images they got, and creating something for the future. It cannot necessarily create everything that doesn't exist. If you do something which is unique, let's say you touch your earlobe from time to time, every 10 minutes, but it wasn't captured in that video that was actually stolen of you to create this new AI, whatever, generated video, it won't be in it. Those could be the kind of cues you're looking for.

[00:30:48] Andrea Rigobon: So interesting. We have another question from the audience. Is it still considered safe to have a profile photo and phone number on my company website?

[00:30:56] Imran Ahmad: Totally safe. Definitely do it.

[00:31:00] Andrea Rigobon: Totally safe?

[00:31:02] Imran Ahmad: Pictures can be taken from anyone. This is really the key fundamental, it's not to go completely dark and off the grid. We are professionals, we need to continue doing business. It's picking up the hypervigilance piece that we talked about earlier, those red flags. So take off your picture? No, keep your picture there. Clients will feel more trusting if they see you. Is there a possibility your image could be taken and a whole video created from it? Possibly, but, again, if you tell your clients, look, there's a lot of fraud going on, there's a lot of use of AI and deepfakes. Warn them, I will never call or text you for a transfer. I will never call you to transfer funds.

[00:31:41] Andrea Rigobon: That is so important, setting up the rules of engagement so they know what's outside of that.

[00:31:46] Imran Ahmad: Exactly.

[00:31:47] Andrea Rigobon: This was so, so enlightening today, Imran.

[00:31:50] Imran Ahmad: Hopefully, it wasn't too scary.

[00:31:53] Andrea Rigobon: The topic is scary but I think you've provided some really good insights in what we can do to protect ourselves and catch some of this before it has a real consequence to individuals that we service and to ourselves in our practice.

[00:32:09] Imran Ahmad: Just one last point before we wrap up. If your audience is looking for resources that they can access for free, and there are a ton of them that are out there, go to the Canadian Anti-Fraud Centre. They have some great content that's out there and they're pretty agnostic in terms of the technology. The practices they're going to share are easy to implement, doesn't typically cost much, if anything at all, and are really effective.

[00:32:35] Andrea Rigobon: So great. Thank you again for being here today.

[00:32:37] Imran Ahmad: Thanks for having me. It was great.

[00:32:39] Andrea Rigobon: Tomorrow on the show, Audrey Kim and Francois Jack, investment analysts for ETF capital markets will be here to share the latest ETF trends, insights and developments in Canada, plus helpful ETF trading practices. Thursday's show will be aired in English with French audio interpretation for our viewers.

[00:32:56] On Friday, equity research associate, Connor McGrath, explores the latest developments shaping Canada's insurance and real estate sectors. Thanks for watching and we'll see you next time.