Cybersecurity: Safeguarding the Digital Frontier

Cybersecurity: Safeguarding the Digital Frontier

Tony Roth, Chief Investment Officer
Eric Trexler, Senior Vice President, Palo Alto Networks

Tony Roth: This is Tony Roth, and you are listening to Wilmington Trust’s Capital Considerations. Today we're going to talk about a topic that rears its ugly head periodically in very scary ways, and that is the topic of cybersecurity.

And as always, I'd like to remind our listeners that nothing that we say should be construed as a political view in any way, certainly not one in favor or against any political party or political actor here in the United States.

So today we have a very qualified guest to help us negotiate this complicated topic and that is Eric Trexler, who is a senior vice president at Palo Alto Networks, which is a leading cybersecurity company. And Eric is responsible specifically for the U.S. public sector business of Palo Alto Networks.

He has over 30 years of experience in technology across public and private sectors. I also think it's really great that Eric prior to his career in the private sector was an Airborne Ranger with the U.S. Army specializing in communications. So, Eric, welcome and thanks for your service to the country.

Eric Trexler: Thank you, Tony.

Tony Roth: Eric, when I think about cyber security, I typically think about the various categories of victims and I think about us as private actors, individually

I think about the government whether it be appropriation of government secrets, or whether it be impairment of government systems, because they're subject to some type of activity that disenables their systems. And then lastly, we have all the whole world of private companies, which are probably your clients that are paying you guys to help keep them free of these this kind of interference.

Are you guys most concerned about one of those areas today? And where is the most concerning activity occurring right now?

Eric Trexler: Cyber security is national security for not just America, the countries across the globe. Whether you're on the offensive or the defensive, it is infused in everything we do public and private.

So, at Palo Alto Networks, our main goal is to make the world a safer place. I run the U.S. public sector business of state, local education and federal. My peers run commercial. They'll run the largest to the smallest organizations across America and across the globe. As an organization, though, the adversary is always coming after us, and we need to defend regardless of the organization we represent. And as individuals, there's a lot we have to do to protect ourselves also.

I just read a stat last night. Social security numbers are going for 25 cents right now in bulk on the dark web. I mean, think about that. What do you do with that information? I mean, you know what the adversary may do, but how do you protect yourself?

So cybersecurity is a national security problem, but I think it is a global problem.

Tony Roth: How has it changed and evolved, let's say in the last decade? Is the situation improving? Is the situation becoming more perilous. It's a constant fight, right? Between the good guys and the bad guys. And from a technology standpoint, very naively, I would have thought that, okay, the technology would learn how to close off the back doors and the approaches as new software comes out, but it doesn't seem to be the case.

It seems like either we're falling even further behind from a cybersecurity standpoint, or the tools of the bad actors seem to be potentially improving faster than we can keep up. How do you assess the overall situation?

Eric Trexler: You're reminding me of a famous quote, somewhat famous in our industry, at least from a gentleman, Bruce Schneier, who's a famous cryptologist, and he would say for cybersecurity, we're getting better, but we're getting worse faster.

We are getting better. We're talking about technology here. It can be used for good or for evil. And that's what we're experiencing right now in the space. People are using technology for evil purposes. We see a lot in the space. We see ransomware. Seventy percent of the cases we deal with are either business email compromise, which usually lead to intellectual property theft or ransomware for cash. Somebody's trying to make money.

When we look at the industry, ransomware has grown to a 30 billion industry that caught the average cost per incidents up over $5 million right now. So we've got some indications that the problem is growing worse.

Ever hear of a small company called Colonial Pipeline? They paid $4.4 million in ransom. I don't think they got a whole lot for doing that. The data I've seen shows somewhere in upwards of 80% of ransomware cases we pay the ransom with different levels of success in getting your data back, getting accessibility to your data.

Most companies from that data I just gave you, the stat I gave you, think that this is a way they have to go.

Tony Roth: Are there actors that refuse to pay ransomware as a policy? The U.S. government. Let's start with the U.S. government.

Eric Trexler: Well, the U. S. government's a great example, right?

You really don't want the U.S. government on your back if you're a bad actor. Once you get the United States government on your back, the president of the United States is talking about you, that group is disbanded.

The actors have come back in different forms, but that group disbanded because you don't want that. Additionally, you know that the U.S. government is highly unlikely to pay ransom. It's not an opportune target. And why go after the U.S. government anyway, Tony, when you can pick anybody else out there commercially.

Tony Roth: How do you assess the walls around companies today in the U.S., for example? Is it so totally company dependent?

Is it sector dependent? We work for a financial company here at Wilmington Trust, part of the M&T Group. There's lots of other regional banks. Are we all about the same, you think? Or is it widely varying depending on the company?

How do you characterize the state of the current threat from the perspective of the defenses that we have, is it totally company dependent? Or is it more different kinds of companies are better than others?

Eric Trexler: So, are you trying to assess the threat or the ability to defend against the threat?

Tony Roth: Well, both, I suppose. Ultimately, what is the risk?

Eric Trexler: So the risk is high. Lots of weak points and access points across organizations, things like outdated software, failure to patch. Things like that. Unsecured network connections, human error. You may have critical systems open to the internet.

We've got supply chain challenges. Think about things like solar winds or storm 0558 that just hit the State Department and Department of Commerce this past summer of ‘23. So there are a ton of threats. And it really depends on what the adversaries are trying to go after.

Are they nation states trying to steal intellectual property? Are they launching a wiper and trying to wipe systems? Are they trying to cause some disruption, some sabotage because they're going to launch an attack on a nation like Ukraine? Or are they ransomware actors looking for treasure? I want to make five million dollars, let me go out after that.

What we observe and what I've seen over my career, is there is a somewhat of a correlation by industry. Industries that have better profit margins. They’re typically richer. They might be more IT savvy, tend to be a little better protected.

And then there are others when you look at things like critical infrastructure, where you have a lot of legacy equipment that was never meant to be on the Internet, that’s on the Internet. And those are unique challenges of their own,

One observation I've made over the last 10 years or so is there are too many players in the industry. We have to consolidate. There are over 4,000 vendors in the cybersecurity industry. If you're a bank, how do you decide what tools you need to use to protect your organization when you have to look at up to 4,000 companies?

How do you get them to integrate and work well together in a timely and cost-efficient manner? Unlike anywhere else in information technology, cybersecurity is the wild, wild west in many cases.

Tony Roth: Are banks spending more? Are companies in general spending more today?

Eric Trexler: Everybody's spending more. If you look…

Tony Roth: Not on an absolute basis, but as a percent of their free cash flow, are company spending more on this issue of cybersecurity than they were three years ago.

Eric Trexler: The data I've seen shows that companies are spending about 3% on average, some much more, some much less, and it does vary by industry, about 3% of their information technology budgets on cybersecurity.

So many will go up towards 8%, 10% depending on, and it depends by year too, depending on what you're trying to do, but it's not an insignificant expense.

The entire industry right now is looking at about—I think the latest I saw was about $212 billion, is kind of what the cyber security industry is looking at from a market opportunity, if you will. That's what companies are spending to protect themselves.

Tony Roth: So what are they getting for their money? Are they as a whole still less safe than they were two years ago, or are they getting safer in certain cases?

Eric Trexler: It’s hard to answer. We have advanced our capabilities from a defensive perspective. We've advanced our capabilities from a knowledge perspective.

We're having this conversation. Five years ago, you and I probably wouldn't even have had this conversation.

Tony Roth: Right.

Eric Trexler: So we're getting much better. But so is the adversary. When you look at things like artificial intelligence. Well, we're using that to get better, to be faster.

We don't have enough people. The workforce is missing. In America alone, about 700, 000 jobs are unfilled right now in the cybersecurity field. We’re using technology such as artificial intelligence and machine learning to make up for areas where humans are not. We're also looking at using it to be faster.

When you look at the attack surface, a machine can look at that and evaluate and make decisions faster than a human. Make the hard decisions go to the human, let the machine use it. But the adversaries are using it in the very same way. So, you've heard of ChatGPT, right?

Tony Roth: Of course.

Eric Trexler: Have you heard of WormGPT?

Tony Roth: Nope, that I have not heard of that.

Eric Trexler: That's the adversary coming after you using AI, generative AI. So, you've seen phishing emails, haven't you?

Imagine an email that is a phishing email, so it has ill intent. The purpose is to get you to take some action, to give them credentials, to click on a link, to send money somewhere.

If I'm in a foreign country and English is not my first language, I'm going to write that email, but there’s a high probability that I'm going to make a mistake in that email that indicates to you, this is not coming from my bank.

Tony Roth: Right.

Eric Trexler: Well with chat GPT and AI, I can now craft emails in native tongue of English…

Tony Roth: Sure.

Eric Trexler: …even though that's not my native tongue, that read pretty darn close to the way you or I would write the email.

Tony Roth: Right.

Eric Trexler: Much more convincing. A very simple way that I think most people can say, oh, okay, I see how the adversary may be using some of these advanced tools…

Tony Roth: Right.

Eric Trexler: …to better attack our, our, our businesses, our personal lives, whatever it may be.

Tony Roth: Right, so we need to be increasingly paranoid in order to protect.

Eric Trexler: Paranoia in this case is very good. Have corresponding data. Call the bank if you're unsure. Log in not through the link that was sent in that phishing email, or that email.

I've gotten four emails this week from eBay saying that they're going to deduct 9.95 dollars from my account. It hasn't happened. I didn't touch the email. I just deleted them all. But when I log into eBay, I know that that email is inaccurate.

Now, what I'll tell you is, that email looks a heck of a lot more convincing than it did five years ago.

Tony Roth: Right.

Eric Trexler: So that's something we all need to be mindful about.

Tony Roth: Yeah, I, um, decided to sell a bed that I have. So, I went on to Facebook marketplace.

My wife told me that was better than Craigslist. Put the pictures up there, posted the ad of the bed and within about five minutes, I had 30 people interested in this bed. I said, wow. Well, it became clear to me over time that none of those 30 people were actually real individuals.

Eric Trexler: I was going to ask you how many were human.

Tony Roth: They were trying to get me to somehow communicate with them using Venmo in some way that I would, they would probably be able to compromise my Venmo account.

I suppose that's what they were trying to do, but I realized, wow, this is really weird that so many people are interested in this bed in the first five minutes and I deleted all the emails and eventually I found somebody who replied, you know, in the middle of the business day, no one replied before or after.

It seemed like a real human being. I asked him questions that only a person could answer and then eventually decided it was worth a shot. But boy, if I hadn't been paranoid in the 1st instance, I probably would have got burned.

Eric Trexler: So I think that's a great way to handle it. Go validate the sources, cross reference it, or you're buying something. Exact same thing. Maybe you call them up, get a phone number and call them and actually talk to them.

Use an alternate mechanism to validate what you're seeing and hearing. The challenge we have in 2023 is the velocity problem. It is so easy and there's so much out there and we're moving so fast. People don't take the time to validate, verify the sources. It goes back to the fundamentals of the earliest parts of society, trust. Do you trust what you're doing or what you're seeing and then do you take an appropriate action? You've got to validate trust.

Tony Roth: So let's talk about different actors and different targets for a moment. I’m really interested to understand who would attack the U.S. government who wants the U.S. government on their backs? From a ransomware perspective.

Let's say the Department of Defense or you're the Army or you're the, you know, one of these other components of the government, how much pressure are they under these days in terms of pressure from China and Russia and are they well protected do you think?

Eric Trexler: It's massive. It's absolutely massive. When you think about espionage, when you think about sabotage, when you think about IP theft. That's what our adversaries in America are going after. And we see evidence of that in aircraft and ships and other things that have obviously evolved from American designs.

So, we spent a lot of time in the government trying to protect the on the DOD side, we call it the DODIN, right? The DOD information networks on the civilian side with civilian agencies. And there are there's a tremendous amount of resourcing put into that.

Tony Roth: And what's our payback on it?

In other words, our taxpayer dollars are going into this. I have no idea what percentage of my taxpayer dollars go into this, but some percentage does. Do you think that, um, the, the DODIN network was compromised less in the last 12 months than in the prior 12 months?

Or do you think that it's just getting worse?

Eric Trexler: What I will tell you is our adversaries are all over us and there are some rules in cybersecurity that I think are really important to be mindful of. The adversary has very little risk. What’s the penalty to somebody trying to attack the DOD?

It's low. They get as many chances as they want because there isn't a lot of risk. You can just attack and attack and attack. Once you break in, you're good. The other rule I like to look at is the adversary only has to be right once.

Tony Roth: Right.

Eric Trexler: So they can launch a million attacks and be successful once.

We need to move the time to detect what we call meantime to detect in the industry we need to shrink that from days, months to minutes.

If an adversary is successful, how quickly can we detect that? And then how do we remediate? How do we stop it? How do we take action quickly? And that's a great example where automation, artificial intelligence, integrated systems. It allows us to be faster in the defense, recognizing you're not always going to be perfect.

We can't be. How do we handle it when something happens? We are getting much better at that, but the adversary is getting faster, the volumes are growing massively. So that's a challenge.

Tony Roth: So why is it that I inherently sense, not from talking to you per se, the focus of our conversation, Eric, but just in general, from my awareness of this space and the phenomenon, that for every, dollar or penny that that I put as a taxpayer into helping to the DODIN, there’s probably only a tiny fraction of that that I'm putting into some offensive capability within the Department of Defense to go after Iran or China or Russia's systems.

Am I wrong about that?

Eric Trexler: So, we are the best in the world at offensive and defensive cyber operations.

Tony Roth: So that means that for every account that we hear of, of a incursion, if you will, into our call it national cyber space/scape, there's probably one or two that we've made into the Chinese or into the Russians that it's not reported. But we're doing the same thing and we're getting information from them at even a more rapid pace.

Eric Trexler: I think you can know we're the most talented organization or country in the world when it comes to cyber operations, offensive and defensive.

We also have the largest attack surface. We're the most involved, most connected country in the world which makes us highly vulnerable. We have a lot of treasure. We are the most lucrative target in the world because of our advanced technology, our advanced society, the freedoms that we have.

So you will see disinformation attacks trying to disrupt society. We've seen that around the elections over the past couple of elections, right? It's in many people's interest to disrupt American society. To add friction to it. The problem with cybersecurity is we're all connected.

We're globally connected. So it's really easy. If you wanted to attack the United States of America 50 years ago, you had to actually go to or launch a weapon at the United States of America from somewhere, and I guess you could talk about an intercontinental ballistic missile, but we can see that we knew, you know, mutually assured destruction was, was pretty helpful in that case, right?

Today, you could be a 16-year-old kid in Ghana. And you could attack the Department of Defense or the U.S. Treasury.

Tony Roth: In today's landscape, you'd have to be pretty sophisticated with some pretty powerful software behind you to have any hope of success in something like that.

Eric Trexler: Not necessarily. You've got to have an open system on the Internet. Somebody made a mistake. Maybe they didn't protect their cloud resources.

Tony Roth: What is an open system? In other words, if I was to put together, the Tony Roth army, and I had my own Air Force, and I had my own Marines and Army Rangers and really cool things like that, I wouldn't even put it on the Internet.

I would just create my own node-to-node network that wasn't attached to the Internet so that nobody could actually attack me.

Eric Trexler: You can say that, but I can tell you whether it's industrial control systems that were never designed for the Internet or it's classified government networks, we're not perfect. And they oftentimes due to mission requirements or mistakes or something else, get connected at least temporarily to the Internet.

Think about an air gap network where someone's using a thumb drive to move a file from one to another, a patched file, a patch file, whatever it may be. And in that file is a piece of malware.

Tony Roth: Right, which opens you to the internet.

Eric Trexler: Yeah, so I was talking to a friend a couple of years ago, because I used to do a lot in cross domain work, which was really how to deal with air gap networks.

And we were looking at it for industrial control systems, so critical infrastructure. And we were having a discussion about, if we just keep those systems off the internet, and we can pass data up and we can pass logs out in secure ways—we know how to do that - that’d be ideal. And his deadpan response to me, Tony was that horse left the barn a long time ago.

We're too connected. It's too convenient. As humans, we like convenience over security in many cases, especially when we don't understand the costs to limited security. You've got to look at incentive. The incentive to the adversary is just to get right one time and they meet their goals. The incentive to the defender or you and I as just citizens trying to login on our bank account is to do something that's easier and more beneficial to our work or to our lives and we aren't perfect and we don't always think about it.

So I think incentive is a really, really important thing. I also think what we're missing in the space, you want to talk about fixing the space, is cost. The cost to the adversary, we’re thinking risk now, is really low. What happens if somebody steals your identity? You're probably not going to get a whole lot of love from the FBI.

If somebody steals your identity and they're in Eastern Europe, that's a you problem.

Tony Roth: One of my family members had a situation, I don't think they really fully got her identity. Well, we called our insurance company because we actually had some protection under our homeowner's policy for cyber theft.

Eric Trexler: Yeah.

Tony Roth: And they said, well, first thing you have to do is you have to report it to your police, your local police.

So I sort of laughed at that.

Eric Trexler: I bet the local police laughed too.

Tony Roth: Well, you know, strangely enough, the local police actually assigned the case to somebody, to a local detective, and the guy was well intended and he actually did some work and try to figure something out. I don't know what he did behind the scenes, but followed up with us a couple of times.

And I was thinking to myself, you know, nice enough guy, but what could he possibly accomplish with the tools of our local municipality?

Eric Trexler: Let's assume that he caught somebody or he found out who it was, but they were in Bolivia.

Tony Roth: Right.

Eric Trexler: What's his jurisdiction?

Tony Roth: And the chances of even arriving at that conclusion is just so remote. It is really very interesting to think about it in those terms.

So what do you do as a very aware actor in our world to protect yourself, other than exercise a heightened degree of common sense?

Eric Trexler: The extra level of cautiousness. I use a password manager. Highly encrypted. Don't put it online, and I always use complex passwords. I change them periodically. I use multi factor authentication whenever I can. I used to run a podcast for about four years and my co-host, the multi factor authentication was just too much for her.

She didn't like it. It was, it slowed her down and we're running a cybersecurity podcast. So, I mean, we each look at what we do in different ways. I consistently look at the source and then I try to find additional ways to assure that that source is a valid source.

Somebody wants to buy something from me, I might say, give me a call. Or give me your number and I will call you. So you need to be aware, and I think that's really important. Multi factor authentication is probably one of the most important things you can do. Having good backups offline, in your house and off site of your systems.

But I don't worry about things like my social security number because the Chinese have it. It's on the dark web.That horse left the barn years ago. So there's certain things I don't worry about as much. I worry more when an application asked me for my social security number. I don't worry about that too much, but when it asked me what school I went to for high school as a challenge question, that concerns me because anybody can look that up on the web.

Use your head, use common sense. If you have it, if you have a concern, it's probably justified. At least vet it out before you make a determination whether you proceed with an action or not. And then the less you can put online, unencrypted, available to everybody, the better.

And the other thing I don't do, I don't use social media. I'll use LinkedIn for work, but that's it. Too many people I've worked with, we've tracked people. I mean, you know exactly what their routine is when they're on vacation, when they're at home. I think that's a bad practice. Personally, I'm not telling everybody what to do, but if you tell somebody you're in Sarasota, Florida for the next week, you’ve essentially told them you're not at your house.

Tony Roth: I don't use social media because I’m not even remotely cool enough to exist in that space. It’s funny to hear you talk about two factor authentication, because recently I went on a website to buy a dog bed for one of my dogs, and they said do you want to turn on two factor authentication?

And I sort of rolled my eyes and I said, well, you know, why? All, you know, is my address. The only thing that I that I provided to that website was the address and I guess a credit card, but only on a very temporary basis. They don't purport to keep that information. So I'm like, no, I'm not going to do I'm not going to do two factor authentication because who cares nothing on that website. Is that a mistake?

Eric Trexler: Let me ask you a question. Would you use multi factor authentication on your bank account or the dog website? Which I mean which one's a higher priority for multi factor authentication?

Tony Roth: I think my bank account, right?

Eric Trexler: Okay, I would definitely agree with you. What about your cell phone account when you log in with AT& T, Verizon, T Mobile, whoever you're using?

Tony Roth: Probably would use it there as well.

Eric Trexler: Okay. So what you're doing is you're making a judgment based on trust and risk.

And I think that's appropriate. And I think we all have that judgment that we've got to make, but the fact that you're thinking about it, we're having the discussion makes us better. It makes us stronger. I think that's a really good way to handle it to look at it.

Tony Roth: If I were to summarize, take away for all of us to bring the common sense that we use when we leave our house every day.

Whether it's to walk across the street in the crosswalk instead of in the middle of the block, which is what I typically do since I'm a New Yorker. Apply that same common sense to your, your existence and your presence in the digital domain.

Eric Trexler: I think that's a great way to look at it.

You go back to the earliest parts of society, trust again, if you see a shady character hanging out in the dark at night, you might not walk on that side of the street, or you might go a different way. That street? That's the internet in modern day times. If many people can think about it in that physical format and bring it over, that might help them understand, Hey, multi factor authentication is like turning the other way when I see some shady characters down the block in the shadows. I’m going to protect myself. I'm going to take action. This is what society looks like in 2023. Just manage it as if it's society because it is.

Tony Roth: Is there anything that you think is going to be particularly interesting in the next 12 months?

Let's just say in this space, in other words, we've got a big election happening next year, we've got a couple of big wars going on in the world.

Eric Trexler: Those are huge.

Tony Roth: If you look back 12 months from now, the biggest headline in your professional area of focus, what do you think it might be?

Eric Trexler: I think we'll see a lot in cybersecurity around the election. CISA and the government did a really good job from all reports on the last presidential election, securing the vote. They really did a nice job and I firmly, firmly believe that. I think they're going to do the same thing again, but we'll see a lot of information.

The one I would probably focus on the one we might have the most control around other than our own personal security and the actions we take at work, of course, is around disinformation. Disinformation is going to ramp up massively. It's going to ramp up around the election.

How do we know that? Well, it did in ‘16 and it did in ‘20. And it's going to do it even more. The artificial intelligence capabilities we have now, you're going to see just a volume we've never seen before around it. And then you look at the wars, what's happening in Ukraine, what's happening in Israel and Palestine.

That is an area where we’re already seeing massive amounts of disinformation from, from deep fakes to fake imagery to just imagery that in Ukraine, you might find a picture of some vehicle that was destroyed talking about an event that happened yesterday. But the image was from a month ago or a year ago. Validate your sources. As citizens of the United States and anybody else who's listening, I think that's the one we have the most direct control over.

Tony Roth: So, Eric, it's been a really interesting conversation, Thank you so much for challenging us and challenging how we think about things, and giving us an update on cybersecurity.

Eric Trexler: This was great. Just for all your listeners, think again, always pressure test everything you're doing and protect yourselves.

Tony Roth: Thank you. We invite everybody to go to wilmingtontrust.com for our latest roundup of thought leadership in the investment space and other areas. Have a great day, everybody.

Disclosure

This podcast is for educational purposes only and is not intended as an offer or solicitation for the sale of any financial product or service or recommendation or determination that any investment strategy is suitable for a specific investor.

Investors should seek financial advice regarding the suitability of any investment strategy based on the investor’s objectives, financial situation, and particular needs. The information on Wilmington Trust’s Capital Considerations with Tony Roth has been obtained from sources believed to be reliable, but its accuracy and completeness are not guaranteed. The opinions, estimates, and projections constitute the judgment of Wilmington Trust as of the date of this podcast and are subject to change without notice.

The opinions of any guest on the Capital Considerations podcast who are not employed by Wilmington Trust or M&T Bank are their own and do not necessarily represent those of M&T Bank Corporate or any of its affiliates.

Wilmington Trust is not authorized to and does not provide legal or tax advice. Our advice and recommendations provided to you is illustrative only and subject to the opinions and advice of your own attorney, tax advisor, or other professional advisor.

Diversification does not ensure a profit or guarantee against a loss. There is no assurance that any investment strategy will be successful. Past performance cannot guarantee future results. Investing involves a risk and you may incur a profit or a loss.

Any reference to company names mentioned in the podcast should not be constructed as investment advice or investment recommendations of those companies. Third-party trademarks and brands are the property of their respective owners. Third parties referenced herein are independent companies and are not affiliated with M&T Bank or Wilmington Trust. Listing them does not suggest a recommendation or endorsement by Wilmington Trust.

Private market investments are only available to investors that meet the U.S. Securities and Exchange Commission’s definition of qualified purchaser and accredited investor.

Facts and views presented in this report have not been reviewed by and may not reflect information known to professionals in other business areas of Wilmington Trust or M&T Bank and may provide or seek to provide financial services to entities referred to in this report.

M&T Bank and Wilmington Trust have established information barriers between their various business groups. As a result, M&T Bank and Wilmington Trust do not disclose certain client relationships or compensation received from such entities in their reports.

Investment products are not insured by the FDIC or any other governmental agency, are not deposits of or other obligations of or guaranteed by Wilmington Trust, M&T Bank, or any other bank or entity, and are subject to risks including a possible loss of the principal amount invested.

Wilmington Trust is a registered service mark used in connection with various fiduciary and non-fiduciary services offered by certain subsidiaries of M&T Bank Corporation including, but not limited to, Manufacturers & Traders Trust Company (M&T Bank), Wilmington Trust Company (WTC) operating in Delaware only, Wilmington Trust, N.A. (WTNA), Wilmington Trust Investment Advisors, Inc. (WTIA), Wilmington Funds Management Corporation (WFMC), Wilmington Trust Asset Management, LLC (WTAM), and Wilmington Trust Investment Management, LLC (WTIM). Such services include trustee, custodial, agency, investment management, and other services. International corporate and institutional services are offered through M&T Bank Corporation’s international subsidiaries. Loans, credit cards, retail and business deposits, and other business and personal banking services and products are offered by M&T Bank. Member, FDIC

© 2023 M&T Bank and its affiliates and subsidiaries. All rights reserved.

Eric Trexler   
Senior Vice President    
Palo Alto Networks