Credit implications of a cybersecurity risk

As cyber attacks continue to evolve and cyber insurance becomes prohibitively costly, the panelists will look to shed some light on what municipalities can do to mitigate the risk as well as understand the credit implications of an attack. Among topics of discussion will be:
  • Auditing cyber preparedness of various agencies
  • Key takeaways for muni market from proposed SEC rules
  • Cyber insurance concerns
Transcriptions:

Rich Saskal (00:05):

Good afternoon, everybody. Thank you for filtering down the hallway. Those of you who count steps, that's our little bonus for you. Again, Rich Saskal from the Bond Buyer. I'd like to introduce my panel. Next to me is Joe Manoleas. He's an analyst for the local governments rating team at Moody's Investors Service. And we have Mike Makstman, the City Chief Information Security Officer for the City and County of San Francisco and founder and co-chair of the Coalition of City CISOs. To his left is Ed Fierro, Senior Counsel at Bracewell LLP, where he handles a spectrum of public finance transactions, and his experience includes serving as Senior Counsel to the Director of the SEC's Office of Municipal Securities. And Michael Hoffman is a Senior Director and Head of Risk Division Operations at BitSight, where he oversees strategic initiatives with BitSight's largest investor, the Moody's Corporation. Let's start with Mike Makstman from San Francisco. I mean, I think most of us are familiar with one specific kind of a cyber risk, the ransomware attack, where someone freezes the computers and says, you gotta give me a Bitcoin or two to unfreeze them, but is there anything else a proactive government should be looking out for, defending itself against?

Michael Makstman (01:33):

That's a good question. And I think ransomware is what we're mostly worried about. But I mean, beyond ransomware, of course we kind of traditionally deal with people who are active politically and who want to express their political opinions, whether domestically or internationally. And then, for San Francisco, of course, with a higher risk profile, we have to worry about, and we actually had in the last several years published cases where nation states have been interested in our critical infrastructure. San Francisco flies planes, of course, from SFO. We deliver water to our over 8 million folks. And of course we have electricity and other critical infrastructure components. But I think when people think of ransomware, it's not a static field. Even now, several criminals are evolving in something called a triple threat ransomware. That's been lately in the news, where they steal your data, they lock your computers, and they try to get you to pay to unlock your computers or get your data back. And just for a little cherry on top, they also run a denial of service attack against all of your websites and public properties to make sure that the pressure is on. That's kind of a little similar case to what the criminals are doing in the private sector, where they're starting to announce publicly the attacks to investors and customers. So we're seeing attacks on our properties that aim to deny the service, which is absolutely terrifying if you think about our experience during COVID, where, whether it was our websites or our social media, we're really the only way for a lot of people to actually receive information on the latest vaccines, or for us, of course, whenever we have to worry about natural disasters, and our web presence is critical in managing the emergencies, making sure that people actually get the right information. So criminals are (4:00) their game.
And they're not static, and we have to evolve to meet that increased threat.

Rich Saskal (04:08):

Okay. Before we go too much further, Michael Hoffman, your organization may be less familiar to us than some of the others. Can you tell us a bit about BitSight and what it does?

Michael Hoffman (04:21):

Yeah, absolutely. So good to be here, and thank you for having me. BitSight is a cyber security ratings and analytics firm. We were founded about 10 years ago. We really invented the category of cyber security ratings back when we were founded. We're the largest player in this space by a pretty significant margin at this point. And ultimately what a security rating does is it measures the performance of a given entity's cyber security posture, and it measures that performance over time. And it helps create kind of a singular metric to communicate risk to many individuals within an organization. Interestingly, BitSight's security ratings, and a number of the underlying metrics that support that rating, are correlated to bad outcomes such as breach and ransomware. And they're the only security ratings that have proven to show such correlation. We have two primary use cases. The first is using all of this data and analytics tool set on myself as a first party organization to help improve my security performance over time, and security organizations can also use this data to help monitor the security performance of their critical vendors and third parties. And we've seen in the wake of some of the recent attacks that this is increasingly important now. Typically the majority of our customers are corporates, but we do have a number of municipal and government entity customers, and both of those use cases are relevant for municipals. The state of California, for example, is a customer, and where I'm from, the city of Miami is also a customer.
And so you could see the city of Miami using the first party kind of platform to measure all of the IP space and the digital footprint for basically miami.gov and some of the other kind of government assets, and using the third party view to help manage the security performance of some critical infrastructure, utilities, the banking sector, and help work with those sectors to kind of improve their security performance over time. Now, given the fact that we've correlated to bad outcomes, and given the fact that for the largest organizations we also apply some level of human curation to ensure that all of this data that we're collecting out on the open internet is accurately attributed to the right organization, we've more recently been focusing on what we think of as an oversight use case. This use case is evidenced by the large $250 million investment Moody's made in us last year, and the partnership that we've stood up working directly with Moody's cyber risk group on research around the intersection of cyber risk and credit risk, ultimately trying to identify cyber data points that are indicative of what we call material loss events, which would obviously have an impact on an entity's credit profile, and a number of other kind of oversight use cases. Our data's used regularly to underwrite over 50% of the global cyber insurance premiums. We've got a partnership with Glass Lewis, the proxy advisory firm; our data's used in...

Michael Hoffman (07:37):

No problem. It's okay. About 15,000 proxy reports. Increasingly our data is being looked at as an alternative data set for financial analysis, ESG, cyber. And again, we rate private and public entities; cyber is a great proxy that we've proven over the last couple of years for kind of overall organizational governance and performance. And it's a really powerful metric, and we're getting some great feedback on the metric, especially for private entities. So yeah, that's who we are.

Rich Saskal (08:14):

All right, Ed, given that you've served with the SEC's municipal securities office, can you talk about the regulatory environment that issuers need to think about, at least in terms of municipal securities regulation and disclosure? How is that evolving as threats evolve?

Edward Fierro (08:35):

It's evolving. I think right now, if you look at the agency's proposed rulemaking agenda, you'll see cyber in connection with investment management, the Division of Corporate Finance, and also the Division of Trading and Markets. So they're certainly active in this space with respect to disclosure. For the muni market, I guess, it's best to kind of look at the corporate space, what they're doing there for public companies. And if you look at what they've done in the past, since 2011, they came out with interpretive guidance telling issuers, or public companies, excuse me, that they should evaluate their exposure to cyber risk. And they also provided some helpful tips, guidance, things that would be applicable to public companies. And in 2018 they reaffirmed that guidance. And then they went out with additional guidance, basically saying if there's any material incidents, it'd be probably in the best interest of the public company to disclose that to investors. Recently in 2022, I think in March, they issued a proposed rulemaking, and the way the SEC works is typically if they identify a problem, they'll issue interpretive guidance first and then come out with proposed rulemaking. So that's what they've done, and this is only applicable to public companies, but a lot of bond lawyers who you'll speak with in the muni market will attest that that's kind of where we draw a lot of our best practices from, a lot of the corporate space. A lot of things that are being done there, you take a look at that and you apply it to the muni market and see how to best serve the interests of clients to keep them out of an SEC enforcement action. So the rules that are proposed basically require 10-K disclosure for policies and procedures, basically requiring public companies to assess, one, disclose if they have policies and procedures, and then evaluate what to disclose there.
And on the event side, there's an amendment to 8-K, which is essentially like 15c2-12; it's a material event notice, and they're requiring, or proposing, that if there is an incident, within four days to notify investors. So those two, primary and secondary market disclosures, are out there for public companies. I anticipate, I don't know whether the SEC will apply that to the muni market. I mean, it's hard to say. Usually we get our guidance from staff and from SEC interpretive releases, but typically rulemaking is not a thing they do often, but they did in 2008 and they did it most recently for the incurrence of financial obligation. So there could be a scenario where I could see the SEC including a 15c2-12 amendment, possibly, I don't know. But on the primary market side, when you're drafting an official statement, the bond lawyer is gonna be looking at the corporate space and seeing these rules, if these proposed rules are required, and they're gonna be analyzing, seeing whether they should beef up the disclosure in the OS.

Rich Saskal (11:46):

And maybe Ed and Mike might have thoughts on this. Is there a balance between how much you disclose about how prepared you are?

Edward Fierro (11:54):

Oh, absolutely. And I think that's, we are, my firm is underwriter's counsel for the City of New York's general obligation bonds. And it's a very delicate process, the diligence, as well as, in connection with their issuances, we have meetings with the cyber command unit for New York City. So there's certain things that are appropriate to disclose, but there's also certain things you don't wanna have, a roadmap to cyber criminals of what's going on there. So it's important that you work with counsel, the FA, everybody in the working group works together to kind of draft tailored disclosure that'll fit the needs of the issuer.

Rich Saskal (12:37):

I mean, do you find that you need to draw a line in San Francisco, Mike, in terms of...

Michael Makstman (12:44):

Yeah, I mean, I think I heard somebody say you have to target the disclosure to what is being asked. Right. I think, I don't know if there would be a lot of benefit from just disclosing something very specific, or even, the thing that there was a consideration of is, is that going to actually put the city and the county at larger risk? Right. So I think that balance is always there. We have great advisors; we work with our finance folks as well, to make sure that our disclosure is actually helpful in the market. Right. And gives assurance that we, as San Francisco, take this space seriously; we're investing, we have a formal program with the Office of Cybersecurity that I lead. So there's a lot of attention from both the mayor's administration and the Board of Supervisors in this space. And I think that to me is what's being asked of us, to say, is there attention here? Is there investment and oversight? And if we can demonstrate that, I think that actually meets the requirements. And I think that's where our focus is.

Rich Saskal (14:02):

Joe, can you talk about what Moody's is seeing in terms of cyber risk in the municipal market?

Joseph Manoleas (14:08):

Yeah, sure. So cyber security risk is credit risk, and we expect this risk to increase. Greater digitization of processes, an increased amount of core business taking place on interconnected technologies, and reliance on third parties, these are all making entities more interconnected. The attackers are becoming more sophisticated. I think 5, 10 years ago we would see attacks; there's technologies now available to individual actors that used to be only available to nation states. It's becoming more susceptible. Financial costs are trending upwards, and credit rating actions are forecast to move upwards as well. So far, the number of rating actions due to a cybersecurity attack has been relatively limited, and it's generally limited to the corporate space, but this is mainly because of the very high threshold that needs to be breached for there to be a meaningful financial impact or governance impact that would make us reconsider a rating. The primary credit risks that we view in the public sector are gonna be business disruption, unintended data disclosure, and reputational risk. And there are a lot of strengths that are unique to the municipal market that we talk about in credit in a different way as well: the monopolistic powers, the economies of scale, the strong balance sheets. These are all strengths in the municipal market that we think position the municipal space, generally speaking, in a good place to absorb or react to, prepare themselves for, cyber risk. But there are also some weak spots potentially, which include bolstering their IT infrastructure, particularly for smaller issuers, maybe not for the city of San Francisco, but for a smaller local government in, say, rural Pennsylvania, or to that effect. And then also vulnerability of information that local governments and public sector entities are handling.

Rich Saskal (15:49):

Okay. Michael, kinda along the same line. I mean, I think most of us have heard about the Baltimores and the Atlantas and Colonial Pipeline, but what is the big data that you guys have access to at BitSight kind of telling you about, how much are we not hearing about in terms of the cyber risk?

Michael Hoffman (16:09):

Absolutely. So, interestingly, when you look at the data that's coming out of BitSight, and you look at the technical kind of cyber security telemetry data, and you look at some of the more qualitative data that Moody's has started to collect through surveys and other mechanisms, it actually paints kind of a complete picture. And so at BitSight, outside of our headline rating, there are a number of metrics that we've proven to correlate to bad outcomes. Just calling out two of those, what we call patching cadence and open ports. And so patching cadence is a measure of how quickly organizations can respond to problems on their network as they arise. That could be well known vulnerabilities, such as some of the ones you've seen in the news recently, such as Log4j, or just general kind of outdated SaaS applications or IT kind of legacy systems. And what we've seen out of the 22 sectors that we monitor is that governments, municipalities, and the education sector are dead last in terms of patching cadence. The second one I would call out, which again has a strong correlative nature to bad outcomes, is open ports. We rank these on a scale from A to F; organizations that rate an F are almost twice as likely, or over twice as likely, to experience a breach relative to organizations that rank an A. And so to kind of use like a house and burglar example, if patching cadence is how quickly you can close the open doors and windows of your house to try to keep the bad actors out, open ports is a measure of how many doors and windows do you have, right? What is your internet facing kind of attack surface to potential exploits? And again, what you see there in the technical telemetry is governments and municipalities in the bottom quartile. So I think a lot of this is due to general budgets lagging relative to some of the more mature sectors that we see in the private market or the private sector.
Now, interestingly, at Moody's, they've been collecting a lot of survey data recently, again, self attested, 1500 issuers responded, but you're able to see some of the data points line up. And so you're seeing public finance entities trailing in terms of deployment of kind of security best practices, such as widespread deployment of multifactor authentication, regular backups of critical systems, critical data, widespread use of red teaming. Right? And so all of these, when you look at the qualitative kind of self attested data, and you look at the cyber technical data, to your point, you saw about 4 billion in losses in the US due to ransomware alone in 2021. I mean, it's certainly a challenging environment.

Rich Saskal (19:19):

Mike, the very prefix cyber makes me maybe at first blush think of cyber security as, like, a technical problem that you get the right hardware and software to manage. Does that paint the full picture, or is there more to it?

Michael Makstman (19:36):

Well, I think you kinda asked the question and a little bit of the answer. I would say that you can't do cyber security without technical pieces, but technical pieces will get you so far. Right? I mean, I think we've seen it in what the government's had to face during the pandemic, where before a lot of times you would have one network, and you were hoping that your technical controls would protect that, safeguard it, and then you finally sent tens of thousands of people home, and now you have 10,000 networks to protect, right. So what do you do in that circumstance? There's not enough technology; you can't send your whole security team home with every employee, so you have to rely really on education and training, on letting people understand what to look for, and the policies that the organization really has to embody. And that really starts with education for our elected officials, who have not traditionally been, there hasn't been kind of focus in electoral campaigns, but it is becoming so, right. Kind of where the boards were in private organizations maybe 10, 15 years ago, I think elected officials are very quickly coming up to speed on what they need to expect from their organizations. So it's a challenging situation. Technology is not gonna solve that. During COVID we saw an increase, I'm talking about hundreds of percent increase, from criminals, right. And then we're calling them state actors. I really don't like the term; they're criminals, right. They're criminals after money. These are not good people. They're attacking hospitals and shelters for the most vulnerable, right. And they don't care. Honestly, they don't care. They would demand millions of dollars from anybody who could pay. So we saw a lot of pressure on our staff, but also all around on municipal staff, where people were now isolated. There was a lot of urgency on everything they had to do.
So there was a lot of potential for kind of mistakes, where before they could turn around and say to their supervisor or to a colleague, are we doing it this way? Is that the right thing to do? Especially if you were new to the organization, they had no one to turn to. Right. So we did a lot of training, because when we saw this just enormous amount of COVID related scams and attacks against government employees, we had to really step up our training, issuing these sets of warnings, what we call job aids, especially to our folks in kind of financial, procurement, accounting fields, because they experience attacks on a regular basis.

Rich Saskal (22:44):

That said, do you have any technical advice for issuers present?

Michael Makstman (22:48):

There's a lot of technical advice to actually be had. And it's an unfortunate reality, what we just heard from our colleagues, and what BitSight is seeing, that the government has been underinvesting. And that's kind of just reality; I think technology itself has been underinvested. Right, and now there's an explosion of technology. The experiences of all of our residents as consumers have come to government services. So they want digital services, right. The single mom who is working a couple of jobs does not want to come into a government office to pay for some kind of fee. Right. She, or he, or they, want to do it at night, after the kids go to sleep, right, when all offices are closed. So we have an explosion of technology, we have an explosion of demand. And on the technical side, I think we really need to look at where it starts. It starts with access, right? That's the bottom line for everybody: how do you get access? Right, and if you don't have sufficient controls... And I know that some of the federal officials go around, they even have shirts printed that say multifactor authentication. It's been well lived at; all of our banks have implemented it, you go everywhere, but it hasn't really been traditionally used as much in public sector services. So we have to implement some of the basic technology, but I would say this: I hear a lot, whether it's from the insurance industry or from folks who are trying to assess us, they say, well, just why aren't you implementing this whole technology, right? Why aren't you implementing multifactor authentication? Without realizing that we have a very different set of folks than banking does, right, than the tech does. We have to think about people who don't have phones, or who aren't sheltered and have an old smartphone. How do they do that?
In fact, multifactor authentication is the number one barrier to actually consuming government services by vulnerable populations. Think about that. Somebody whose only computer is in the library, right. And they're trying to access that job application or financial aid application or food application. And they have to remember that multifactor; did they send it to their phone? Do they have that phone with them? So we have to really, in kind of government services, and that's a big discussion right now, traditional advice has to be taken with a grain of salt, because we have non-traditional populations that we still have to serve. We can't just say, well, we can't do multifactor, so you're out of luck, right. That just doesn't work. Or, well, now you have to come in and we'll do paper for you. Right. That doesn't work. I have to deal, we have a large retirement system; the retirement system includes people in 52 countries. Right. They're not coming in. Right. And they're not going to send paper notices. So we have to be very smart in terms of how we do traditional technology. And that's something that we really need to focus on.

Rich Saskal (26:04):

Yeah. Governments don't pick their customers in that sense. Yeah. Joe, can you talk about what Moody's is doing as cyber risks evolve, and how is Moody's evolving its approach?

Joseph Manoleas (26:15):

Yeah, sure. So Moody's has been deepening its commitment to thinking about cyber risk for about the last, particularly the last five years. I'm on the Moody's public finance group cyber risk task force that focuses on advancing Moody's thought leadership on local governments, states, higher education, healthcare, but that's just one work stream across our firm. So we have cyber working groups across corporate, structured finance, and thinking about how to better position Moody's and its thought leadership. We're working on a number of analytic efforts right now, in partnership with BitSight for many of them. The first is our heat map. That's updating our analytic framework at the moment for how we think about cyber risk exposure to 71 global rating sectors and over $75 trillion in debt. We came out with a heat map first in 2019 that identified over 21 trillion in rated debt as either at very high or high risk. And that is substantially higher than rated debt that we viewed at high or very high risk to environmental or social concerns. Right. The heat map categorizes risk into two categories. So there's the exposure subcategory, and then the mitigation subcategory. The exposure subcategory focuses on systemic risk, and it's subjectively based. And then the mitigation subcategory focuses more on estimated financial loss. So one is vulnerability and the second one is potential financial consequence. So this is what we're working on right now. We're pretty excited about it, and it's something that we're expecting to refresh and come out with later on in the year. In addition to that, Michael talked about our cyber survey, which is when we reached out to 26 industries across four regions, soliciting issuer feedback about preparedness, impact, and strategy overall.
And we've found some pretty interesting findings here, both that there are real differences in overall preparedness between issuers, between and within sectors, and that governance really sets the tone for an organization's overall cyber strategy. And lastly, we came out with a cyber medians report, which is just one more way that we can try to benchmark cyber practices across geographies and across sectors. And we've been working closely with BitSight on that and trying to leverage some of our cyber survey data as well.

Rich Saskal (28:28):

All right, maybe I'll start this question with Ed, but I might go around. How do the challenges of cybersecurity shake out differently for a government, say, compared to a business?

Edward Fierro (28:42):

Well, I mean, you're analyzing it from a different perspective. For a business it's about shareholders, stock price, and competition and reputational risk. I think with municipal issuers, it varies; it depends on what exactly your municipality or your public local or state agency is doing, and whether or not a cyber attack will impact either operations or financial condition. And if so, then would it impact the creditworthiness of the issuer or maybe the operations of the issuer. And I think that's kind of how you have that tension there, the difference between corporate and the public space. And in addition to what Mike was saying, it's the type of users, end users, you have and how you're implementing your policies or your procedures internally. I think a lot of what municipalities and probably other issuers have to deal with is different. When you're evaluating your exposure to cyber risk, it's just, the port authority versus a GO or just a standard city credit. I think it requires an independent analysis, and with respect to, if you're gonna disclose in an official statement or make a voluntary filing of some sort, all of that needs to be taken into consideration. It is different than the corporate space, and there's different analysis that's gonna be undertaken.

Rich Saskal (30:16):

Yeah. And maybe I'll pose the same question to you, Mike, but I know you also worked at kind of a large scale nonprofit before joining city government. How do those challenges shake out differently in a government?

Michael Makstman (30:32):

Yeah, I mean, my career spans for-profit, non-profit, and now government, and government is different. Everybody says that, but it really is. And for those who experienced that, and understand kind of the level of impact to the communities who we serve by not being able to offer critical services that are needed for people's sometimes daily life, that presents kind of, I think, substantially different risk reward situations, right. When you talk about public health or public safety, the stakes are much different. And I would say they're higher. And that's where I think we need to think about our investments. We need to think about the strategy, how, where, how do we build our program in a different way. Millions of people depend every day, right, for their daily sustenance sometimes, sometimes just to be able to walk down the street and make sure that the lights are working, right, that this, what they expect to see, is available to them. And that's absolutely critical. The pandemic, I think, especially brought into stark relief the critical role technology plays in government operations. My team actually ran the technology branch of our COVID command center in San Francisco. And we helped organize all the emergency technology that supported COVID relief. And it was just, without phones, you can't take calls from people, right. Without being able to register people, without systems, the vaccine doesn't get delivered to the right folks. When we're going street by street, when we're going to people who could not get out of their house, right, but needed the vaccine, right, that technology starts to play a really critical role in coordinating, communicating. And when people had to rely on the news from, through our websites and through our technology, whether it's even traditional technology, we deliver television news, SFGovTV, a critical source of trusted information in the city.
Well, you probably have your own name for that sea of information that's floating. Right. Having a trusted source that has been approved and has been vetted is, was absolutely essential to people's daily life.

Rich Saskal (33:17):

All right. Before I go on, I don't wanna wait till the end and then run out of time before I ask for audience questions. So, if anyone has any, either think about it, or if you have one now, raise your hand. Okay. I see a few people; wait for the mic, it will come around.

Audience Member 1 (33:39):

Hi. I work for the city of San Diego, and over the years, the trend seems to be, in terms of insurance, cyber insurance, we used to have pretty broad coverage for cyber insurance. Now the coverage is becoming more and more narrow in scope and more and more expensive, almost to the point where it no longer seems worth it. I'm wondering if you guys are aware of any kind of alternatives being discussed in terms of helping to reduce the risk and the liability on us for, yeah, a breach.

Edward Fierro (34:18):

Well, I just, I mean, depending on, I guess, the issuer, but some issuers, I know, self-insure, if they have the revenue, I'm sorry, to do that. Somebody like New York, for example, they self-insure, if that's an option, that's a possibility. I don't know if anyone else has thoughts.

Michael Makstman (34:35):

Yeah. I mean, this year especially there's been a big discussion. And it was mentioned that I lead the Coalition of City CISOs, which is kind of a new organization. Really, we have all the major metropolitan areas in the United States, and that's been a big discussion of whether to self-insure, right, or to look into some other risk schemes versus insurance. I would say on the insurance side, some municipalities rely on insurance as a way to kind of cover their maybe lack of investment. And I think that's gonna white. Right. I think, even to get insurance, you have to prove that you have a certain level of security. So my questionnaires over three years went from something in the order of 90 questions to 500 questions from our insurers, right, and to incredible depth. So that's just to be considered for insurance; that's no guarantee of insurance. So I think a lot of smaller municipalities, if they don't invest in cybersecurity, are probably not gonna get insurance. And then the price of cyber insurance is gonna, because the losses are accumulating. And I know we kind of said, well, how much loss has to happen before the credit rating starts being affected? Well, I think insurance might have paid in the past, but the loss occurs again and again just because we haven't invested. I think that really starts accumulating, and your rating. So I think it's a big conversation: is insurance affordable, is that really meant for people who have a lot of gaps, right?

Audience Member 2 (36:32):

Michael Hoffman, you've mentioned BitSight has a relationship with Moody's, and I know, Joe, you're on the analytical side of Moody's. If I'm an issuer or a financial advisor or banker, when would it come to you, Michael, versus when would I have discussions with Joe?

Michael Hoffman (36:50):

It's a good question. So what we are focused on now is, we executed this partnership agreement towards the end of last year. This year has largely been focused on research and identifying data points that are relevant and meaningful for what we call extreme loss events. What we're focused on now, and again, this research doesn't stop, but we're focused on training the global analyst community at Moody's around these specific data points that we think are indicative of loss events, because ultimately these are the data points that we feel issuers are ultimately going to care the most about. And so I have to imagine that the majority of that conversation will be between the issuer and MIS, but again, given the partnership, we're active in those communications. We're certainly active in terms of continuing to engage with the analyst community and continuing to produce additional research, both independently, through independent model validation firms, and with MIS, as the threat landscape evolves, around which data points continue to be more and more indicative of these loss events.

Joseph Manoleas (38:12):

Yeah. And I'll just add, through the normal rating assignment process, right? So as Moody's analysts reach out to issuers or vice versa, incorporating questions, or a question, about cybersecurity into that rating conversation is playing a larger part of those credit conversations that Moody's analysts are having with (38:27).

Audience Member 2 (38:31):

Yeah, I guess I'm not sure who should address this, whether it's Joe or maybe Michael, but I brought this up yesterday during one of the ESG sessions, where I find it very curious that people kind of, in a sense, bang into each other talking about green and what I'm trying to disclose, et cetera. But what I brought up yesterday was, I said, there is a G in ESG, which is governance, which should be cyber. And I know a lot of investors I speak to, they find it curious that they hear very little from issuers on that, and they wonder, when are you gonna start to emphasize that? Which is probably more important to us almost than is this green, but they feel everything is just going toward the E. And I feel that way myself. So how do we change that to make investors feel comfortable? Yes, that it is important, because there is a view out there. They feel that the muni industry, we just don't get it. And I think we need to work on that. So I throw that out to the table, whether it be from the Moody's standpoint or the issuer standpoint, but we need to work on that, because that is the view that I hear from investors.

Joseph Manoleas (39:31):

Yeah. I mean, I think it's an interesting point, right. I mean, cyber risk does speak to both S and G factors. Right. I mean, it speaks to good customer relations. It speaks to responsible production. It also speaks to management credibility and risk management. So certainly these are areas that we're thinking about. I mean, it's something that we're continuing to work through, but yeah, I hear

Audience Member 2 (39:53):

you. Yeah. I just think from the rating service standpoint, you could do the investors a service, and the industry, by kind of reinforcing that point, especially with smaller issuers that don't seem to get it at all. So I would just throw that out as an idea that I think would help the market overall.

Michael Hoffman (40:06):

Yeah. Just to jump in there, I would totally agree with your sentiment. And I think the first iteration of the cyber issuer survey that Moody's ran a couple of years ago is a really, really powerful data set. And they asked a number of questions around corporate governance, or organizational governance, related to cybersecurity risk. And some of those questions were related to the prevalence of the security manager within the organization, reporting lines, regular tabletop exercises or red team testing, more kind of governance-oriented questions around cybersecurity. And I think there's also, in some ways, a lack of data around kind of organizational governance. And I think that's why those questions and the responses and the report got a lot of attention in general. And I think it's why more and more players in the public markets are looking at data like BitSight data as kind of a proxy for effective organizational governance.

Rich Saskal (41:16):

And a question in the front. Can you get the microphone

Joseph Manoleas (41:20):

here? I'll give it, no problem. Thank you. Sure.

Audience Member 3 (41:25):

Do you, and if you do, how do you factor in an issuer's willingness to pay a ransom as a credit risk, or is it a credit positive? And is it a disclosure item, for the lawyer that's on the panel? And for the issuer from San Francisco, it sounds like you have cyber insurance; is negotiating a ransom a part of that insurance coverage?

Joseph Manoleas (41:55):

You wanna start with the mood? Okay. Yeah, I mean, I think it comes back to credit risk, right. And so the first question is, how was the vulnerability identified? How did it happen? What measures did the issuer take to address the breach? And then what was the financial impact of the ransom, right? I mean, governments in particular tend to be large entities that are pretty resilient, and maybe a hundred thousand dollar ransom for a billion dollar entity doesn't move the needle in how we think about that. I know that we've seen some pretty high profile breaches for very highly rated entities, and the financial impact didn't make us rethink the financial profile of those entities. So it did not make us move the rating.

Michael Makstman (42:43):

Yeah, we have insurance. I think it's soon to see where the insurance is going, with the announcements from Lloyd's just a few days ago that they're basically advising that nation-state originated risk will not be covered. So I think insurance is evolving. For us, of course, we understand that's a decision to be made, and in specific cases, in the instances where I was involved, it was clear from our advisors but also from the federal government. And you have to understand that for us, being maybe more high profile, a major event is going to be a statewide, national event with, obviously, attention from all corners. And so the scrutiny for paying and not paying is gonna be very different than a private organization that could fly kind of under the radar. So for us, it's gonna be a political, I think, as much as a financial consideration. And what we've done is we've actually established a protocol, right, which is key. We've published it; it's one of the first in the nation's cyber emergency response plans, where it's clear who's gonna make those decisions and how decisions are gonna be made, because we think it has to be made at the highest level of the organization. Right. And that's the protocol. And that was decided by San Francisco, and I think that's appropriate, right, because that's a big decision.

Edward Fierro (44:24):

Yeah. Then on the disclosure side, I mean, there's no requirements right now. If you were to look at the corporate rules that have been proposed, it certainly may be a scenario where you would have to file an event notice under Form 8-K, but in the muni market right now, there's no rules. So it'd be really a determination of the issuer if they wanna make a voluntary filing. I mean, if you take a look at Los Angeles Unified, who just had a cyber attack, they went out and did, I think, a public press release, and that kind of served as notice to the world that, hey, we got hit by a cyber attack. Now, should a notice have been posted on EMMA to investors directly? That's another question, right? It's not a requirement, but it's something certainly that the working group or disclosure counsel or whoever represents the district should be analyzing, and make a determination whether it's appropriate for investors to receive a similar notice, or something in more detail, if counsel thinks that's appropriate.

Michael Makstman (45:27):

I think that's an interesting point because that's another great difference between the public sector and kind of other sectors: any payment will become public. Right. It will just be disclosed. And I think what we're seeing, it might not be from kind of financial markets, but we're seeing from the federal government, they're starting discussions right now around the public sector in terms of disclosure requirements. So whether it will come from financial markets, or it will come from the federal government kind of regulating the local issuers, the disclosures are coming, right. They're just maybe a few months, maybe more, away, but we will have to disclose, and it will become public anyway. So how will that be handled? How will it impact immediately any transactions in flight? I don't know, but it'll definitely be interesting to see.

Rich Saskal (46:27):

I mean, are there any kind of, from any organization, like overarching best practices or guidelines about should I pay a ransom, or is this kind of an ad hoc decision you make case by case?

Michael Makstman (46:42):

The federal government has a very clear position that paying ransom is not advised, for a lot of technical reasons, but also because it supports charterization organizations you may get into. I guess the question is, how would we, how would anybody even pay ransom in the federal, in the government space? Because paying ransom itself could be a Bitcoin, of course, right? I mean, we don't hold assets that criminals demand, right? So we would even have to generate assets. So that's a big question for us: is it even a criminal activity? And unfortunately, if you follow kind of some summer news right now, a former CISO of Uber is being tried, and the trial has started, for not disclosing the payment, right, trying to hide the payment and also maybe even making the payment. So I think personal liability for CISOs in the private sector is about to go way up. So if the CISOs don't have one of those directors' insurance policies, they really should be looking for it. And in the public sector, where the personal liability is already much higher than in the private sector, that might be a decision that no security officer will make in the near future.

Rich Saskal (48:07):

Okay. All right. I have one more question. There's been kind of an overarching theme in several panels I've observed over the last 24 hours, in which the government sector is having trouble in general recruiting and filling positions. So can you talk about the state of play for IT, the kind of positions that you need to fill to conduct cybersecurity?

Michael Makstman (48:39):

I mean, the news is not great. We have to compete; the federal government announced that they're recruiting thousands of cybersecurity professionals. So not only do we have to compete, for us as San Francisco, versus the Facebooks and Googles, right, that are offering popcorn and back rubs, we have to compete with the federal government. I mean, the challenging part for us, of course, is that we're looking not just to attract a workforce who are committed to public service; we're also looking for a very diverse, inclusive workforce, which is a big consideration for us. We are actually doing a lot of work in terms of kind of considering how IT and cybersecurity professionals are actually performing their work post-COVID. But I know in a lot of municipalities there's a desire to have people live in the city. So when you think about the state, California, the state can recruit, and again, they're massively recruiting around cyber. They can recruit from anywhere in the state, and I'm recruiting from the Bay Area. The federal government is recruiting from anywhere in the United States, right, and I'm recruiting from the Bay Area. And Facebook basically allows you to work from home anywhere, right. And so you can see the dynamics are not easy. And so it's a big challenge. So we are shifting our gears. We have to grow our own talent. And we invest a lot in tech apprenticeships, in non-traditional workforces who want to make the change and who actually are dedicated to public service, right, who are interested in serving the communities where they live, where they work, or where their families live. And so we're looking at different approaches than just traditionally going out on LinkedIn and saying, hey, can I get some great professionals? That just hasn't been working out so well.
And so we're being agile in our recruitment, and we're doing a lot of innovative stuff.

Rich Saskal (50:58):

Right. Any last questions from the audience? Oh, we do have one.

Audience Member 4 (51:06):

Yeah. I'm kind of curious how you guys think about, I guess, disinformation as it pertains to cybersecurity, or if you think about it in a kind of completely separate box. So just thinking today, I saw that Twitter, right? The Twitter shareholders voted to move forward with the sale to Elon Musk. And there was another piece of news that the federal government said that Russia has spent like 300 million on influencing elections. So I'm kind of curious how you think about that and how you would, I guess, rather than a direct attack, handle influence operations. I'll take my answer later.

Michael Makstman (51:56):

I mean, I can speak to it. It is absolutely part of the, it's always been part. Integrity of information has always been a consideration, right. I mean, for us in the public safety sector, checked information during an emergency is absolutely critical. Yes, we're worried about somebody posting something that's not true, and that is a concern, but what's a real concern is during an emergency, right? There's a tsunami, and somebody says, go this way, versus, evacuate this way. That is a big concern. And so this is why we're focused so much on having trusted sources, and during COVID that became clear: there was so much misinformation, right, around vaccines, around where to get it. When people are panicking, it's easy to misinform them. So we are very much focused on protecting, on being very careful and playing out the attacks and kind of scenarios on our sources of public information, right? Whether it's by Twitter, by a website, by radio; again, different in the public sector, we have radio systems, right, we maintain public warning systems, by television. So that is an absolutely critical area for us. And we're paying a lot of attention to how to deliver information. Elections are coming up. We're gonna stand up an operation center to make sure that, in fact, in our election system, it's often, it's interesting, you talk about misinformation, but the lack of information could be just as devastating. People click on the results website every second, right, just to see the result. So we're getting millions of clicks. And if the website is slow or doesn't display information, there are a million conspiracy theories of what's going on. This has been my life for the last few years, as you can imagine. So it's not just disinformation, it's lack of information. So we have to make sure that there's a trusted, vetted source of information available to everybody.

Rich Saskal (54:10):

All right. I'd like to thank my panelists and thank the audience, and especially those who asked such good questions. Thank you very much.