Rockwell Automation, Inc. (ROK) Earnings Call Transcript & Summary

September 12, 2023

New York Stock Exchange US Industrials Electrical Equipment special 56 min

Earnings Call Speaker Segments

Operator

operator
#1

Hello, and thank you for joining today's webinar. Before we get started, we have a few housekeeping items. The audio for this event will be streaming through your computer speakers. So make sure your volume is turned up and your speakers are turned down. However, our platform performs best on Chrome and Firefox browsers. On the lower left-hand side of the presentation, you will see a Q&A box. We encourage you to answer any questions you have there, and we will answer them at the end of the presentation. If you're having any trouble connecting to the webinar, please take a moment to refresh your browser and disconnect from your VPN. If you're still having trouble, please clear your cache. We have instructions in the handout section of the webinar platform. All of our panels of the webinar platform are adjustable. So to resize, simply click on the corner to adjust and hit the maximize screen at the top right-hand corner of the panel. Today's event will be recorded and will be available right after it is completed. You can access the recording utilizing the same link that you use to access the live event. After the webinar, we will also be sending you an e-mail with resources from today's event, including the slides, handouts and event recording. Additional information regarding today's topic can be found in the handout panel of the webinar platform. With that, I would like to introduce today's speaker, Maupert.

Maupert Luigies

executive
#2

Good morning. Thank you very much. Thank you for a good introduction. I hope everyone is well -- for me, I am. Good morning, good afternoon and good evening. As you could see, I have a cybersecurity operating center in our background. This is the Rockwell Automation cybersecurity operating center located in Israel. We have also our cybersecurity center of excellence is also located. Welcome all to the third part of our cybersecurity webinar series. Today, we talk about how to protect your organization from cyber attacks. My name is Maupert Luigies. I'm located in Netherlands, very near to Rotterdam. I have a long history in the IT and OT space. Since 2019, I work for Rockwell Automation and covering the Benelux and Eastern Europe for our cybersecurity services. Rockwell has people with my role, everywhere on the globe. So if you need questions, we need to help afterwards. Please reach out via the Q&A, and we will find out who the right person is in your area that can support you with your questions or other questions. For me, I've got 2 goals this -- today. And I hopefully -- you can join me in those 2 goals. One goal is to explain how you can protect your organization, of course, against cybersecurity threats. And the other one is help to create awareness in the organization because I see these days that it is not always easy to find people that, let's say, are on the same level of awareness and have, let's say, the same feel of urgency. And at the end of this presentation, you will have the possibility to make use of free cybersecurity preparedness assessment to find out how good you comply within this. And in the end, how good your cybersecurity measures are. Now let's take a close look at the agenda on the next slide. What we're going to discuss today -- I'm sorry. A few points that I would like to discuss for you. First of all, people think that cybersecurity is one of the biggest enterprise risk, but there is more on C-Level. 
The other point that I would like to discuss with you, it are not only the hackers that drive the cybersecurity road map, there is more to it. And we, as Rockwell, have an answer, of course, how we help our customers based on the best practice within this framework. And many people think that cybersecurity only cost money, but the opposite is true, there is also, let's say, a revenue from it. And then the key takeaways. The summary of the best practices we identified in the market and more information, of course, about the free of charge assessment, what I was just talking about. And this last, a short overview of the upcoming webinars. Now let's take a close look at the next slide, which is one of the following questions that we have for you today. The question for this question is what cybersecurity technology does the company want to implement. And we have a few options for you in the screen. As you can see, endpoint security, next-generation firewalls, secure remote access, incident response, threat protection, and I'm wondering what at this moment is, let's say, up to mind, what are, let's say, the solutions that are high on your agenda to implement. So please answer the question and tell us what is high on your agenda. And of course, we as an organization need to be ready for the questions that come from the market. So it will be very helpful if you share with us your thoughts. At this moment, it's quite equal, what I see happening. It's not that we, let's say, have a new winner. So please answer the question. Let's give it a few moments more, a bit more time because I see many people still responding. At this moment, we have threat detection on #1. Let's see what the other ones are going to do. And there we are -- yes. So what I see here is that for you, let's say, threat detection is one of the most important topics these days to implement, to protect your organization.
On the second place, we see that we have endpoint security and next-generation firewalls, and the last towards secure remote access and incident response. Now the good thing is we cannot cover them as Rockwell. And it is important indeed to start also with the threat detection to make sure that you know what is happening in our network. Let's take a closer look at the next slide and see on the next slide, what is on the mind of C-Level. And let me go also here to the next slide because I see that you already have it in your screen. Now the question is, at that level is -- we need to look a little bit higher. What are the challenge at C-Level? What I was just mentioning, the challenges you see here like, Panametrics, customer satisfaction, safety, for example, are just a summary. They are on the same line on C-Level as cybersecurity. So the question is, of course, how do you get to, let's say, make yourself more important than the other risks? Now, in the inside of security C-Level, nothing more than this for the enterprise. One of the risks that the company is facing, all different risks you can accumulate and will end up in the enterprise risk from financial to cyber to the retention of employees, for example, with our all risk for the organization. It is up to the company if they accept the risk, and that is the risk appetite. So what you can say, we don't take measures as a company for cybersecurity, and the reason that we do not take measures as simply due with the fact that we have money enough on our bank account to solve direct the problem, that's risk appetite. But I can also say -- you can also say, well, we take insurance, and if you take an insurance, then you cover, let's say, your risk with an insurance company so that they will pay if something goes wrong. 
And there's, of course, another way to mitigate our risk as a company, and that is simply by taking the measures to make sure that, let's say, the risk of the event is as small as possible for the organization or as limited as possible. So if you want to see, if you -- where you are from a cybersecurity perspective in the organization, you should reach out to your risk department because your risk department exactly knows how you are compared to the other risk that the company is facing, and how high you are on the agenda. So if you want to create awareness, I would say, go to the risk department and have a conversation with them. If that doesn't work, then you have another alternative, and I'm going to talk more about that today. That is quite simple. Go to procurement departments and show them what's the same issue you'll have created good ROI, return on investments. That are the 2 ways, I think, that you can create awareness. But what we also see happening in the organization is that the people are not always as good informed as they should be related to the risk they are going to take. Now let's take a closer look at the cyber risks on the next slide. As you can see, we have risks that are above and the below surface. So we have direct and indirect costs. Simple examples of both the surface are legal costs. So if you are hit, you need a lawyer or whatever, but you need, but you need to go -- you need to find a whole guidance, probably you will need a lawyer to go to court, whatever. You need to take new cyber measures to avoid a similar event. And you don't have the time to do it via a planning or a long term. So you have to do it immediately. And how you think you do immediately will cost a lot of money. And then, of course, you need to investigate the root cause. So you need to have, let's say, 10, 20 people that are going to help you and find out in the network, what happened? Where did it start? Is it still there? Is it going, whatever? 
But that are the officious costs. But what do you think about stolen IP? What is the value of the IP of the company, the intellectual property? What if you have, let's say, another country that breaks into your company, what we have here in the Netherlands, which was right spread out in the news that the company from another country broke into the company and stole the IP about chip making. What about the insurance case cost because the increase of the insurance costs are quite high in that sort of situation because you are a bigger risk for the insurance company, so you need to pay more. And then I'm not even talking about customers and NPLs, at least the company. So that are some of the examples. But if you also took in mind that if you are listed on the stock exchange, what happens to the value of the shares? So the question is, if the risk department is aware of it, because not all the risk departments are aware of, let's say, all the examples that we hear have on the slide, what can happen and what costs are? So costs above the surface and below the surface. Before we look at one of the, let's say, latest and newest regulations, I'm curious to know which on -- which are the regulations you are aware of. So let's take a look at that on the next slide. Here we have a new polling question for you. And it's not that 1 answer is true. So please give the answers you think -- please give the answers on the regulations you are aware of, and let's see how it goes. Let's see if we get more answers, people are aware about the Cybersecurity Act, GDPR, Information Technology Act. At this moment, I see many answers on the HIPAA. Most of the people answer on that one. I see not so many answers on the Gramm-Leach-Bliley Act. Someone on these 2, that's a quite new regulation. GDPR lot, we get still new answers. And Information Technology Act is also going in the right direction.
But the Homeland Security Act, most of the people -- yes, 60% for the Homeland Security Act, and 16% on the HIPAA, what was expected because more people are, let's say, affected by those regulations than by the NIS2, for example. And thank you all for these answers because these answers help us because we also have, let's say, the responsibility to inform our customers about new regulations and how they should act on that. So of course, we're not a law firm or similar to that. But on the other hand, we also need to be aware and need to know what is happening at our customers. So thank you for these answers. Now let's take a look at 1 of the newest regulations that there are. And the reason that I would like to discuss it with you is simply because of the fact that it has also affecting companies outside the European Union, for example. So on the next slide, you see here the NIS2. This is a new regulation of the European Union is called at this moment, the NIS2 Directive. The big question was the NIS -- all countries within the EU need to have implemented NIS2 in their law by October 2024. So we're running out of time because I see a lot of companies that still do not complied with, but that's another discussion. So the main changings for all the plans in the UAR -- EUR, European Union, in the past, it was only related to infrastructure, critical infrastructure. These days it's not only be related to critical infrastructure, but also to food, manufacturing, transport and many other branches. The message we have to take go much further than the measure that you take with the NIS. Now -- and then one other thing, what is very important. The senior management and C-Level are personal or reliable if you do not comply. So you have to go to court if you do not comply. Last Thursday, my colleague, Travis, spoke about the risk assessment we can do. The risk assessment that we as Rockwell can do is based on the ISA 62443 and NIS, it's a combination of those 2. 
And good for you to note is that the NIS2 is all cell-based on the NIS in ISA 62443. So the foundation between our risk assessment and NIS2 are exactly the same. It is not possible for us to tell you right now what, let's say, the exact role is going to be in every country, in every nation in the European Union, but what we can tell you is that if you, let's say, follow our risk assessment, then at least you are covered for, let's say, 80%, and you have a small gap only what you need to fix at the moment that you exactly know what the law will be in October 2024. And there's also another reason that I'm explaining you this year because you can think, I guess, European Union, that's not my problem. But if you are, let's say, a company in Japan, and you have asked for a doubt, and you have plants in the European Union, you are affected because your plants in the European Union need to comply to this NIS2 new regulation. So -- but that's the same for the U.S. or North America or South America. It doesn't matter if you are a global company, you have plants in the European Union, please prepare because you have to comply. The fines are high and the personal is -- and the C-Level management is personally reliable. If you have questions, you can, of course, reach out to us. Let's take a -- I was just talking about the NIS and how the NIS -- what the NIS, what the foundation was from the -- for the NIS2, and for our risk assessment, for example, let's take a closer look at the NIS. The NIS cybersecurity framework was first created in 2014. In response to an executive order, mandating increased cybersecurity of the nation's critical infrastructure. Since then, the framework has been voluntarily adapted or mandated for adoption by organizations of all sizes of all industries. 
The framework is organized according to 5 functions that define the high-level practices of any cybersecurity program; identify, protect, detect, respond and of course, in the end because we only decent up again will recover. Within these 5 functions are a total of 180 subcategories or discrete controls like statements that define the practices organization should consider when addressing their own cybersecurity program. The NIST CSF is designed to be vendor-agnostic and stable. It is also non-prescriptive. So the NIST CSF is a tool to be used, not a checklist to be followed. NIST has shared several proposed changes to the CSF in an attempt to make it more useful and aligned with the latest best practices. While the core structure of the NIST CSF is expected to stay the same, several of the proposed changes are promising enhancements to the framework. The NIST Cybersecurity Framework can be used as a basis determining the industry best practices. And when combined with other frameworks and standards, such as the critical infrastructure, CIS, in Austria, the European Union's Network and Information Security Directive, Germany's platform Industry 4.0, U.K.'s National Cybersecurity Center or the International Society of Automation, the ISA, the IEC 62443 standards, organizations can reap the benefits of implementing cybersecurity measures that make sense. So let's take a closer look because that's the most important. The benefits of the NIST on the next slide. There are many benefits of the NIST Cybersecurity Framework. And as discussed earlier, it's a voluntarily approach that represents the collective experience of thousands of information security professionals. So it's not 1 person who made it. It are many people. There are many people that talk about it, what are the best practices for such a framework. So it's widely recognized as an industry best practice.
And the most comprehensive in that set of framework controls showing an organization up against cyber threats and attacks. It is a top priority of any cybersecurity and to NIST CSF is a necessary part of the mission. Harnessing that crowd-based wisdom enables you to fill in the blind spots you didn't know you had and enables leaders to understand the perspective of all members on their organization. So the NIST CSF is also a selling point across supply chain and vendors, using a gold standard like the CSF foster trust between your partners and enables us the business growth while staying secure. Another benefit is that the NIST CSF can bridge the gap between technical and business stakeholders. The CSF comes from a risk-based approach, which executives understand well, because that was what I was showing on the first page, what is, let's say, on the plate obviously at C-Level. Security budgets will be better justified and allocated. That's also the reason that we have to go to the risk department. Adoption develops a common language for business and technical stakeholders to share facilitating, improve communication to whom the organization from IT and OT teams to the Board and C-Level. [ And actually ], the CSF is the most flexible framework, given it is risk-based outcome different approach. And that's also, of course, the reason, for example, that the NIS2, the new regulation in Europe, says, okay, we use the NIS as a foundation. So it is successfully adopted by many industries from sizable critical infrastructure verticals in energy, transportation, and oil to gas, small to medium-sized enterprises. So you find it everywhere being it used. Being a voluntary framework, it's highly customizable. The core functions are intuitive and making it easy to grasp blueprints that's speed adoption and provide ongoing guidance. So it's not for now because cybersecurity is ongoing process.
Finally the CSF is built for the future, and it is the most reliable security measure for building and entertaining a cybersecurity program to prepare for new updates to existing standards and regulations. I've seen some questions coming in. I will answer them at the end of the presentation. Okay. Now we have seen what NIST is. We have discussed what the benefits are. Let's take a look how Rockwell using the NIST. Let's see it on the next slide. So with all those information that we have in mind, it was almost no other option for Rockwell Automation to use the NIST framework as a foundation for the cyber solutions. So all Rockwell Automation solutions are developed for the identify, detect, protect, respond and recover phase. So we cover all those phases with the right solutions to help our customers and ourselves, because we use also the solutions ourselves to make sure that we are as protected as possible. And in the end, what we do is, we try to help our customers to create a better and more sustainable and secure world. The good thing about model is that the model is free of charge. Everybody can use it. And it is easy to understand and to implement in every organization. Now -- then when you don't use a standard like this as Rockwell, you also want to make sure that you use something that is widely adopted. But for, let's say, the company that use other foundations, it needs to be, let's say, in line with the other frameworks like the ISA 62443. So if you're going to compare those 2, you will see a lot of similarity. In the last 2 webinars, we explained how we can identify and detect cyber threats. Today it's about protecting the company. How can we make it as difficult as possible to get in our company if you are not avoided, of course. Before we go into this, it is interesting, what will be our safeguards. What do our safeguards look like? On the next slide we have more about that. Safeguards, you need them. We need to have them in place. 
But also processes and controls to be able to mitigate against identified threats. The protect function supports the ability to limit or contain the impact of potential cybersecurity events. In the cybersecurity framework, protect refers to developing and implementing appropriate cybersecurity safeguards within the organization to ensure delivery of critical infrastructure services. What are the safeguards that we can use? Access control and [ user ] identity management because you want to know for sure who is getting into your organization and if somebody gets into your organization, you want them only to have access to the right asset and you want to be 100% sure that if that person logs in, that he is [indiscernible]. The other category is under this function is awareness and training. In a lot of companies, it's not happening that much and that's adequate, like you want to be. So if you, let's say, do the trainings from top level up to the lower level, then you make sure that everybody is aware of what the effect is if you do not, let's say, comply to the policies and procedures, and people understand that we need to invest money as a company in cybersecurity measures. Another category in the distinction is data security to protect the confidentiality, integrity, availability of information in their use, transmission and the rest. All the information we have in the organization, it can be about recipes or how we manufacture things, whatever. It needs to be secured. But it needs also to be backed up in a way that, for example, ransomware cannot get into it. But it needs also be fast available at the moment that we are hit by the tech -- if you are a tech consumer, you want to be ASAP running with the last available data. But it also means is that not everybody should have access to all data. So what you should do as a company? You should make sure that you have, let's say, your data protected and that only the persons for who it is relevant and access to data. 
Then we have our -- then we have information protection processes and procedures. That's also a category under the protect function. It's described as security policies that address, propose, scope, roles and responsibilities that is all about configuration management, baselines, networks and data distribution. Now next, we have, of course, maintenance, which is described as maintenance and repair of industrial control and information system components is to frame consistent with policies and procedures. It should not be that, let's say, somebody logs in into your systems, gives an update, and you don't even know that the update is done. But I see in a lot of cases, you see happening, no. We need to make sure that the person who's going to login, is the person that we know. We need to know what he's going to update, how he's going to update. We need to test it upfront. We have to make sure that we can see what he's doing. So there are many things that are around only, let's say, the maintenance, and it was just a small example. And the last category on this protect function is protective technology. It's described as technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures and agreements. This is all about logging and auditing, for example. So you need to have the right technology in your plans to make sure that you can protect everything that you have in your plants. And that's not always easy because then you see in a lot of cases, a skills gap because you need to have the right people in place to, let's say, execute all these tasks that are related to access control or whatever. And the gap between those, let's say, the gap between -- the technologies that you -- the new technologies like security or threat detection and let's say, the people that you have and know that they have the gap, which is in between the lower case, we can solve that.
But it's common that you have, let's say, to find a solution to overcome the knowledge there. But remember that change management because change management is, of course, in all these cases, is very important and in a lot of cases underestimated is structured so that you can record the request, the impact, the approval, and disapproval process, for example. You build and tested notification, implementation, validation, but think also about, for example, versioning and baseline. Before we look at how Rockwell can help it -- help you. It is always interesting to see what is happening in the market. But let's first take a look at the next slide. We have developed 7 offerings as Rockwell to help you protect your organization. Before I tell you more about the offerings, you need to know a few things that are quite important. All the solutions are hardware-agnostic. So probably some of your people in your organization or you yourself know us from the hardware. But we do deliver hardware, but the solution that I'm talking about are all hardware agnostic. The solution that we offer, you don't see any names about products that are behind it. But the reason that we do not do that has simply to do with the fact that we are, let's say, assessing, looking at it and then discuss together with you what the best solution is. The solutions we offer our customers are the best solutions that we can find in the market, and we use them even ourselves. And that's important for you to know. So let's say, our experience is not only the experience that we have a solution that we can offer you for to protect the organization, but it is also a solution that we use ourselves. So we already went into the market and tried to find out what are the best solutions for threat detection, for example, or endpoint security. Now let's take a look at the solution that we have to offer as Rockwell.
In the protect phase, of course, because the other phases will be -- are already discussed or will be in the next webinars. First of all, network segmentation. If there is no segmentation on attack, everyone can go through the network, see it like public transport. If there are no gates, everyone can just walk through. And we can help you with that. We can make sure that the network segmentation is, let's say, based on the best practices in the market, like the NIST framework, but we can also take into account the ISA 62443, how to do it. And together with Cisco, we even developed the CPwE. So what is the reference architecture? What's the best practice in the market for -- to do a good network segmentation? By the way, you can even find it yourself on the Internet, the CPwE, because it's pretty available for everyone who wants to make use of it. The second solution is the IDMZ solution. The industrial [indiscernible] between IT and OT, of course, we need to move on and to go to, let's say, Industry 4.0, we need to have data go from OT to IT, from IT to OT. So it's a place in the network, it's not owned by IT. It's not owned by OT. There is a handshake between those 2. Because you need to modernize data -- to have data in IT and the other way around. So what we do is, we give in the IDMZ a handshake with -- between IT and OT. And what did we do as Rockwell? Because we see that every company needs to today because it's part of the -- not only from the NIST, but also part of the ISA. We developed ourselves a standardized IDMZ, and what do I mean with that? We can deliver you an IDMZ in a box. It sounds like silly, but of course, it is possible. And what we do? And that's, of course, what needs to happen is we would -- you need to configure it because every organization is a bit different. So of course, we need to configure it. And we can do that for you, but you can also do it yourself, and we can maintain it, of course, for you.
The second thing or the third thing what we developed for our customers an OT data center. We have developed a robust IDC. If requested, we can monitor and maintain it. You ask yourself what has this to do with protect maybe. Now the answer is that we see that a lot of data centers are not well updated and patched. In fact, they are much too old, end of life, whatever. And that's one of the risks. If your servers are, let's say, not have the right or the latest software are not updated, not patched or whatever or let's say, even the components are it cannot close them, that's not the right way to move forward. So we see more and more that companies say, okay, I would like to have the data center. Rockwell, please deliver with me data center, maintain it, and a bigger focus on our, let's say, core business creating fruit, creating paints, whatever. Patch management. We make sure that all the operating systems are updated with the latest specs. I think that needs no explanation. But you can ask us to help you with that to make sure that everything is -- has the latest specs. Then we have the endpoint security. The endpoint security that we used to secure all our endpoints like laptops, servers, printers, et cetera, help you to protect your network. It is part of an ecosystem. And in the end -- in the end, your endpoint security needs also to talk to the intrusion detection system, so you get a 365 view on all the incidents in the organization.
And that's also maybe part for, let's say, for firewalls, for example, all those solutions that you take as a company, they need to talk to each other that will be monetized because if you have an intrusion detection system and have that aside a few -- in front of you or that's what in front of you, then you want to see if the, let's say, is somebody who's trying to get through the firewall or somebody is trying or there's something happening on an endpoint, you need to have, let's say, on debt where you can find all the right information related to the cybersecurity, or you can make use from the cybersecurity operating center like we have in Israel. And then one thing that we should not forget are the data backup and recovery plans. In the worst case, you get hit or lose data, then you need to have a better. You need to have a disaster recovery plan, not only from -- for your -- not only from your servers, but also from your PLCs. You need to have the configuration files because if you go down and you are affected by ransomware, for example, also your PLCs probably need to have a new implementation of the software. So how beautiful would it be that you have, let's say, all your assets captured with all the configuration files and that you have, let's say, a good IBM Z, a better plan for all your data, we can cover that in the protect phase. So the protect phase is not only, let's say, putting firewalls everywhere, but protection means also getting up on speed again after attack, for example. And we do this many times for our customers everywhere in the globe. So there are also customers that we already supported with this. An example you can find on the next slide. There are many reference stories to share.
Importantly, we cannot share names simply because mentioning name is a cybersecurity incident in a lot of cases, because if you know what the customer is using, then we have the problem that somebody who wants to do an attack exactly knows he's using this and this endpoint security system. Or he is using that and that and that, then I can find this and this on the Internet. And then I will know how to, let's say, find more in. So we never mentioned which customers are using what solution, for example. So we randomize them all. This customer had a few goals, go from CapEx to OpEx. So from onetime investment pressures recurring costs, reasons for customers are from an expert perspective, some cases and/or keep money available to extend their businesses, the businesses. So the current businesses -- because, yes, if you don't have, let's say, to invest a lot of money in months, then you have other money available to do other things. And the other one, the other goal what they have in a lot of cases is reduced troubleshooting because what you see is that, if we do the troubleshooting in a lot of cases, it goes faster and sooner. And yes, I'm sorry to say that, that's not that I want to offend you. But -- for us, we use standardized solutions for all our customers. So they are tested, they are always. Before we deliver them, we have strict procedures all over the globe, how to monitor them, and there are people that are dedicated to monitoring and for example, for the IDCs, industrial data centers, those people are, let's say, 100% time working only with the IDC. So they exactly know how it is going with the IDC and what needs to be done when something happens, for example. Another target, it is these days not easy to find knowledgeable persons because the networks are becoming more and more complex due to manufacturers, but one of the factors all the new technology that needs to step in, intrusion detection and full security -- the solutions we're just talking about.
And what I was mentioning, we at Rockwell, standardized the network based on the best practices in the market. Best practices related to the network architecture but also related to cybersecurity standards. Now the teams that monitor these networks, so also for this customer and monitor, let's say, based on the standard as always, so within 10 minutes, in a lot of cases, we need to respond. You can call us 24 hours if there are problems. But on the other hand, we also make sure that we have spare parts available. So if you give us a call and you have a problem, then we have to spare parts because we need to because we have the SLAs. And then another example, what this customer found out, that was a big advantage was the fact that normally, when you have, let's say, easy, for example, the IDC. If you have a problem, you need to talk with the person who maybe -- may create [ cabinets ], the different software suppliers, maybe the hardware suppliers, whatever, and you need to coordinate all those discussions between all those suppliers. If the customer in this case told us and asked us and said, "Hey, I don't want 10 telephone numbers to get support because my production needs to move on. I want 1 telephone and that person is going to fix my problem." And that's what we did. And last but not least, and I was talking about that also in, let's say, related to the risk management department and to create awareness in the organization is, of course, the business case on the next slide. The [ 2-week ] to submitting a solid business case is to arm ourselves with the right data. If you do not have to write data, you will not be able to create a good ROI. Because if you present at the C-Level or anyone who needs to come up with the money, they will immediately see that you will not have, let's say, the right data. So in line with investment plan that meet risk and compliance requirements of your business. 
Also knowing the organization needs what make strategic planning simpler and lead to more equitable investments, things you will want to do include performing and all that, setting the right expectations, formulating the ROI and determining the right areas for the investments. So first of all, going to complete all this, conduct detailed inspection of your present security posture, this includes recognizing various sensitive data assets reside who wants access to it. And more importantly, who has access to it. Many security officers do not realize the risk of possible data and losses by reckless malicious insiders. Not all data bear the same risk level and no organization should grant special rights to any employee to access all of their organizational data or who this can be time consuming, it is necessary to get a wider view of where your security measures actually stands. Now to set the right expectations from the beginning for the ROI, cybersecurity is not important to our service. Assuming a company from losses is the only way for it to have any financial benefit. For example, if you can explain how 1 million investment would stop an event that would cost in the end 10 million to the company, you can get the management to vote for your site. So formulated return on assessment, a number of direct savings can be measured based on the size of a company using the budget elements of labor savings defined by a full time equivalent FTE cost savings per year and the reduction of costs associated with the server systems. And of course, the services to aid the cybersecurity management process. But what we know, what we learn from the market, the direct savings may amount between 100, 150 per annum for smaller companies. The number for larger companies is between the 200 and 300. Now what also important is that you have to determine the right areas for investment. 
A visible focus on the sewage of frac factors already present, such as restricted and in the grade services for employees, training and security awareness, policies and procedures that are insistently recorded and applied, undocumented proposals for untested disaster recovery as company disruption. Lack of device tackling, patching updates and patching practices, now automatic asset recovery, real-time insights in architecture, real-time insights and data flows for root cause analysis. But what is and what stays important is to get everyone in, so get all the stakeholders in. And why do I say that? It's because, let's say, on C-Level, the stakeholder is going to tell you what will be, for example, the damage to my reputation. What will be the damage to my revenue for the upcoming 10 months if this happens. But on a lower level, they were probably now, what, let's say, is the benefit of the fact that we're going to use low level, for example, threat detection system. But what is it going to be mean? Now it's going to bring you the good thing is that it's going to bring you direct asset discovery, it brings you that you have the real-time insights in data flow, so root cause analysis will go much rather, much smoother. Good thing is we can help you on both levels. So on C-Level, to take a look at it, what are your risks there. And of course, we're not able to say, okay, this is the ballpark figure that compliance with that and that, no we cannot do that. But we can help to think about it, and we can do it on a lower level. And in the middle level, we can also with the gap analyzed to show you what the investments will be to get on a certain level to make you more resilience. I see that we're already on time. Let's go to one of my last but not least, slides, the key takeaways. In the last webinar, you learned from my colleague, Travis, that you have to identify the gaps between best practice and your current network via risk assessment. 
And it's not something that you must do. But it's the easiest way to find out where the gaps are and what you need to do to align with the best practices. And you will see that the best practices are in a lot of cases, unlike the regulations. So if you know the gaps, you can focus and prioritize all the measures you can take for the known and probable threats. And we all know that if you want to modernize your data, your need in data, if you want to modernize, you need the data and that's, for example, the solution like an IBM Z that we have. You need to enrich data. So it's not possible that you can only use the data that you have in the plan, but you need also data from outside. You need to know where the vulnerabilities are. There are series and series, you need them, but you need also data for which hardware is end of life. So you need to combine all that data. So you need data from IT, you need data from OT, but also from third party. You need to combine it to make yourself knowledgeable and make sure that you are making decisions based on data and that you know the facts. There are a lot of smart people that have thought about smart solutions to secure network, think about the NIST and the ISA 62443. This information, these prospectuses are all available, make use of them. But that's even for something like what is the best blueprint for an architecture, take a look at the CPwE that we developed with Cisco, and you have also standard for segmentation, for example. By using multiple layers on different levels implemented by different people, you lower your risk for your organization. No one has at that time the complete picture and/or the possibility to go through your whole network. So make use of different people and good segmentations. Securing and updating effort is always different than securing an IT network. It is a transact -- IT is transactional, OT is a constant flow. Suppliers need to know what to do.
The wrong decision can end up in downtime with a lot of impact. So make use of a partner that really understands OT, so that they don't, let's say, do a firewall update or whatever without testing, without discussing it with the engineering team, whatever. And we, at Rockwell, of course, know as no other company what the complexity of OT is. Now to help you and to give you what I'd say, the first starting point. What we did is, we developed the cybersecurity preparedness assessment. And more of that on the next slide. The cybersecurity preparedness assessment. Why? Simply because it's not the question when you will face the cybercrime? But the only question is, when you will be attacked. At that point, you need to act. And for the plants in Europe, there is besides the fact all cybercrime an issue. So in the end, you need or to be prepared for an attack or you need to be prepared for new regulations. So you need to move and you need to do something. And what you see here also in the [indiscernible] is that you can see how good you, let's say, comply to the different phases in a cyber-attack. So identify, protect, detect, respond, recover, the NIST model. So if you do this assessment, then you will get these results from us. So give it a try, and we will send you the full customized report. And on the next slide, you will find the QR code. And if you scan the QR code, you will be sent to the website where you can do this assessment. I will give you a minute to make a picture of it or scanned already directly. All right. I hope you all have it. And that was my presentation for today. The last thing that I want to share with you, and then I will go to the questions. We already discussed how to protect against cyber risk. We discussed how to identify, because it was today, and how to identify cybersecurity risks. That's what we did in my colleague, Travis, in the last session.
And the next time, September 14, we will go how to detect cyber threats in real time, which will be also very interesting. So I would highly recommend you to join that where we are and see how we can help and take the lessons learned from it, whatever. But take your time and take a look at it.

Maupert Luigies

executive
#3

Let me see if I can find some of the questions, I've got the few minutes left. Let me see. The C-Level management must be an EU term, I have never heard it before. What does it C-Level management includes can an engineer who identified an issue, but can't get this project funded by corporate level management by -- not just C-Level. C-Level is the CIO, CEO, the CTO, for example. So that's what I mean by C-Level. So it's the highest level in the organization. And that are in a lot of cases is, let's say, disposers, so they have to help you with the money. And the second part of the question is, what does C-Level management include -- C-Level management includes the highest level. So they in the end are responsible for organization. Can an engineer who identifies an issue but can get his project funded by corporate level management [indiscernible]? That's a good question because if you take a look at the NIST and that's something that has changed in the past, that was not possible. So let's say, on a lower level, you find out that there is no intrusion detection system. And then you think, okay, but we need an intrusion detection system because we are a food company. So we need to have that. In the past, senior management was not liable for that. But these days, with the new regulations in Europe and of course, there's not everywhere in the world, the C-Level is indeed responsible to implement it -- will not be, let's say, that black and white that they can say, you need to invest EUR 1 million or EUR 100,000. But they need to do, let's say -- and they need to approve the fact that you are going to do an implementation on a threat detection solution, for example. So yes, in Europe, it will become mandatory. Is it mandatory in a way that you can push your C-Level and say, we have to do it. Yes, you can do that. But only in a way did you say, okay, we need to implement it because the role tells us that we need to have an intrusion detection system. 
That's how far you can go on engineering level. But I would be cautious of doing that and do it in the right way. All right. That was the final question. And I think then I want to thank you all for your time for participating in this webinar. And I hope you will join the next webinars also.

Operator

operator
#4

Thank you very much, Maupert. It was a pleasure to hear what you have to say. And at the close of this webinar, I would like to remind you that if we didn't answer your questions, don't worry, we can do that by e-mail. So we would like to thank everyone for attending today's webinar. In an effort to keep improving and providing topics of value to you, we kindly ask you to participate in our brief survey. And if you would like to speak to a representative for more information, you can request that in your post-webinar survey. We look forward to seeing you again. And thank you very much, Maupert, for your lovely presentation. Have a great day, everyone.

Maupert Luigies

executive
#5

Thank you.
