The cybersecurity dilemma: What can municipalities do to protect themselves

The panel discussion will focus on the evolution and ever-growing frequency of cyber attacks and the serious credit quality-related risks they pose to public finance agencies. Our panel of experts will examine the tangible and intangible costs of cyber breaches and potential risk-mitigation strategies that municipalities can implement. Among the points of discussion will be:
  • How the landscape has changed and what municipalities are facing
    • Third-generation strains and hackers' adaptability
    • Municipalities' ability (or inability) to respond: what is needed to improve the response and adapt quickly enough
  • Understanding the importance of having a robust plan for when an attack happens, because federal agencies like the FBI and CISA can't help; they can only investigate
  • Disappearing cyber insurance and potential solutions in the form of self-insurance models and pooling of funds for smaller municipalities

Transcript:

David Mcintyre (00:09):

Good morning and welcome to the final panel. I'm David Mcintyre, Chief Technology Officer for Build America Mutual. This topic is something that I live every day, and it's something that Build America looks at from two different perspectives. Of course, my own role is focused on keeping our company secure, but more broadly, our underwriters and analysts worry about what our 5,000-plus member issuers are doing to keep their own infrastructure safe, because we know that failure to do so can increase credit risks and cause financial losses. At the end of the day, the title of this panel is not quite correct. It's not really a dilemma. The risk is real, it's pressing, and we know we have to manage these risks as best we can. Our panelists are doing just that in their jobs every day, and they're going to address both these issues. We're going to share insights into the types of threats municipal issuers face, practical and cultural strategies that can help manage them, how investors and analysts are approaching this issue, and why good cybersecurity practices can save issuers money when they sell bonds. So let me introduce our panel. Next to me is Brian Gardner. He's the Chief Information Security Officer for the City of Dallas. He joined the city in 2017. Since taking the role as CISO, he has implemented a risk-based framework for cybersecurity strategy. He is a founding member of the Coalition of City CISOs. This group is dedicated to bringing municipal leaders and cybersecurity professionals together to advance municipal cybersecurity. Next we have Barbara Goodson, who is the Deputy Commissioner of the Division of Administration of the State of Louisiana, which serves as the state government's management arm and the hub of its financial operations. Her responsibilities include oversight of the Office of Technology Services, which is the consolidated agency for the executive branch's IT infrastructure and security operations. Next we have Dan. 
Dan Larkin joined PNC Financial Services in 2014, where he drives internal and external messaging regarding today's evolving threat landscape. Interestingly, prior to that, Dan served in the FBI for more than 24 years, established the first cyber fusion unit for the federal government, and co-authored the FBI National Cyber Crime Strategy in 2002. And finally, we have Omid Rahmani, who's an associate director with Fitch Ratings' US Public Finance tax-supported group, where he serves as the US public finance, international public finance, global infrastructure, and project finance cybersecurity lead. In addition, he serves as a representative in the company-wide cyber risk group and as a strategic cyber risk subject matter resource in the company's cross-practice ESG group. So let's start with Omid. Omid, why should investors care about the cybersecurity profile of issuers?

Omid Rahmani (03:02):

I think what we're seeing is, especially since COVID and really in the last year, that the sophistication and intensity of attacks against municipal entities has really increased. And we're seeing that successful attacks, if not managed properly, if prior forethought has not been put into proper cyber hygiene and cyber defense, can have an impact on the performance of municipal entities in their day-to-day roles as well as in critical things like revenue generation, expense management and things like that. We are increasingly seeing the threat landscape, and the expansion of the threat landscape, pressure municipalities when it comes to finances. We're seeing investors get more interested in this. They're seeing that this particular risk is very different from a lot of other risks. This is not an area that most investors in this community may be well versed in. It's a bit of a black hole, and I think they're starting to try to understand how they gauge what the actual risk is to the paper that they're buying.

David Mcintyre (04:17):

Anybody?

Brian Gardner (04:18):

Well, it has a financial impact, and that's why everybody should really step up and understand what's really going on. Obviously, as a CISO, my job is to inform you, and what I've noticed in my career is that it's a difficult conversation because there's a communication gap. What has provided me guidance in the past is really equating that to dollars, using something like a FAIR risk assessment, so that the business really understands financially how a breach to a system is going to impact their bottom dollar.

Barbara Goodson (04:59):

Well, I'll jump in. I'm not IT, I'm management and finance, but as the previous panel talked about, it's all about money, and in order to either protect or defend or repair, restore, respond, it's still all about money. And from our state, from Louisiana, we have developed an interesting way to assist and respond. I'm not sure if you really want me to get into that right now, but

David Mcintyre (05:30):

You can mention if you want.

Barbara Goodson (05:32):

So it started back in 2014, I guess, when the initial idea to consolidate our IT resources began. Our current administration started in 2016, and that's when I took the job that I'm in now. We had to evaluate whether we wanted to maintain that consolidated approach at the state level. State agencies always want their own people, and we had taken them and formed an organization called the Office of Technology Services. We had about 800 scattered around the state. A lot of them had worked for various departments, and so they had subject matter knowledge at the departments, but they then worked for us; they worked for the Division of Administration. That one move is key to how we have determined cyber risks can be handled. So from there we developed, and the governor in 2017 did an executive order creating ESF 17, and most of you, I'm sure, are familiar with emergency support functions. So mainly, in Louisiana, when we have hurricanes, we have storms like you all were just talking about with the ice storm in Texas, we have a very well organized machine for notification from the local level up to the state level for help in an emergency situation. So the thought process was really the same on cyber. So on the ESF 17, we consolidated our office, which was Technology Services, the military department, the state police within public safety, and our Homeland Security. So it started in '17. We were really tested in 2019, and I don't want to take up all the time, but we have had to put it into practice quite a bit. In 2019, the impact was at the local government level. Two weeks before school was to start, we had so many local school systems impacted by cyber attacks that they were at the point where they were not going to be able to open if we didn't react. So because we had this organization and this structure in place, we were able to send teams out to the local school systems, help them rebuild their systems, protect them. 
We developed a strategy of what to do first before we even had teams on site, and we had employees outside of state government helping the local governments for, I guess, maybe nine months before we really got it all cleaned up. In Louisiana, not all school systems are created equal. So we had a lot of smaller rural schools who didn't really have IT. They didn't have anybody to help them on site. They may have had a contract with a small company locally, and it just wasn't sufficient because the cyber attacks kind of took them by surprise. Their contractors could handle maybe ongoing IT needs, but they certainly, I don't think anybody was as prepared for what we were facing when we had so many school systems hit all at once. And I'm going to stop there, and we can carry on later if that's okay.

David Mcintyre (09:29):

That's really interesting. Dan, could you talk a little bit about what the most common methods of attack are? I mean, how are these hackers actually getting into these systems?

Dan Larkin (09:38):

Sure. Most of it's not a surprise. I mean, the path of least resistance is actually still, predictably, where the bad guys are going to come and hang around until you make it something that they can't do. Not surprising, based on some of the things that our other panelists have brought out, that we've seen state and local governments targeted really over the last, even before COVID, but certainly COVID drove a lot of that. So again, for the bad guys, it's two things. It's about emotion. I mean, one of the main indicators of a fraudulent person or entity being involved is that they're going to send you something, regardless of the channel that they send it to you on, that's going to be laced with emotion. Their thinking is that if I can cause your emotion to swing one way or the other, you're probably going to drop your security awareness. That's typical. So you see something coming across a channel, email, more and more on the mobile channels these days, that is laced with something that's in the media or something to kind of elevate your emotion. It's typically tied to something that the bad guys want you to do, because you're going to click on that link: see this train wreck, literally see this train wreck. Unfortunately we've seen too much of that, or a plane crash or fire or something out there that people just have to look at.

David Mcintyre (11:07):

Her nephew is in prison in England or something like that.

Dan Larkin (11:10):

Yeah. Yes. So again, the bad guys are looking for the path of least resistance. When we talk about this a lot, when we talk about the security services you provide, obviously it's the stuff that's been out there for years that is typically, as I said, hygiene: the patches that are unpatched, the different vulnerabilities that have been out that people just haven't paid attention to. It's not my job, or they believe it's not their job, to fix it. So the bad guys are out scanning for those vulnerabilities all the time, and they're going to hit those entities up. So even if you offload the work that you need done because you don't want to build an in-house team for IT infrastructure assessment or whatever it is you think it is, and it can be costly, you offload it to a vendor to do that for you. If you're not asking the right questions, they may not have in place some of the basic things that they need to. So they may be very vulnerable themselves. At the end of the day, where that liability ends up landing as an event unfolds, I'll leave that to you attorneys. We can debate that as long as you like, actually, really. But again, I think one of the things that we try to get people to tune into is that you've got to have a path in place to contact the trusted party who's sending you the message, and it can't be the email that you received. We're amazed how many people just respond to the email that they got in their inbox. Did you really want this money spent here? Oh yeah, that's me. I said, of course they said it. It's the bad guy. Do what the email says. So have something in place that allows you to confirm with a live body that this is in fact what they want to see happen, whether they're adding something to the profile or changing something. Typically it's changing how you pay me. That should be a red flag going off for everybody. 
But again, we'll talk about this and maybe, as time permits, get into this a little bit more, but even as we've learned, getting you the right tools obviously is key, having those in your inventory as you assess whether they're yours or ones that you leverage through a vendor. I think one of the lessons learned over the last several years has been how to incentivize that performance. We can give people all the tools out there and say, this is really, we want you to find this stuff and we want you to do X, Y, Z, but they're like, well, it's not really how you evaluate me. I might find it, but I'm not going to spend a lot of time on it until it means something in my paycheck or it means something in how my performance is evaluated. So really, people perform based on how they're evaluated. We've learned more and more of that. So coming up with a way to incentivize that kind of behavior and, again, arm them with the resources to make informed decisions is something that we try to do more and more of. I'll stop there for now.

David Mcintyre (14:20):

Dan, do you think that, I'm sure many of our companies do email phishing training where our company sends us fake phish emails. Is that effective?

Dan Larkin (14:31):

It is. And actually, a colleague of mine and I were just sharing some stories today, or yesterday actually, where we both fell victim to a really good scheme. I was like, wait a minute. That was unfair. They really packaged that up really well. I even fell for that one. But yeah, I think having something in place that evaluates the performance of your employees against those threats is key. And to tune it up, adjust it, iterate it: how's it working, how are the employees performing? Is there a need for some updated awareness training or something that tunes them into the threat a little more than they had in the past? And we know, in the job that I do, this thing doesn't change. The bad guys don't just give up. They keep changing what they're doing every week at least, or certainly every month. So tuning into what the threat is today or going to be tomorrow is something that you really need to make sure your program includes, in how you're looking at the threat and how your employees evaluate the threat that they might confront. So yeah,

Brian Gardner (15:42):

In the City of Dallas, when we started our phishing testing and security awareness training about four years ago, we were at a click rate of about 41%. We are now hovering around 10%. I'd still like it to be in the single digits, but it is effective. We did find that it is important to do it often, make it very complex, make it almost to the point of annoying, and people do listen to it and pay attention to it, even to the point where some of our departments have complained that these are really hard and they failed. But that's what you want. You want to fail with what you're doing, not when the bad guys are doing it.

David Mcintyre (16:24):

When Dan started our phishing training, we hired a company to do it, but before then I was handcrafting the phishing emails myself, and I spent a long time once getting Starbucks coupons, and I sent the firm a Starbucks coupon, and we got about 80% of the firm who wanted our free Starbucks. Now if you fail twice, you have to talk to Sean McCarthy in his office, and he tells you why you're putting the firm at risk. So it's an interesting,

Omid Rahmani (16:52):

I think the point that all my panelists here are trying to make is that today cybersecurity is still not a technology problem but a psychology problem. If you can have an organization that adopts a vertical culture of cyber hygiene with all of its employees, you'll be eliminating most of the risks facing your organization without really needing to do much on the technology side. Now, there are certain technology challenges when it comes to cybersecurity, especially in the municipal sector, which I believe has a really unique threat profile and really unique challenges facing it that the private sector just doesn't have to experience. It's a different style of leadership. We have right now a lot of issues. We have major, major staffing issues when it comes to IT. We're seeing a fairly large brain drain when it comes to IT talent, and I'm sure Brian can talk about that when it comes to the public sector. The demand just keeps growing. It's been growing at a rate of about 50% a year across the nation, the availability of talent relative to positions. And so we just don't pay enough in this community. We can't compete in some ways.

Brian Gardner (18:17):

I wanted to just back up for a moment. I completely agree with Dan on that, but I think the one thing that we all need to be aware of too is that not all the threats are external. There's a percentage that is internal, and you have to be aware that that's there, which can have a significant impact on the business and financials. So while you're building out your cyber program, you need to make sure that that's a key piece of what's going on, because it's not just the people that are clicking on things. I mean, I guess you could put them in that category. It's internal, but it's not. It's the internal threat that has been in financials as long as time has been here. So to build on what Dan was saying, I just wanted to make sure that you are aware, and we keep that in focus too, that there's a multitude of avenues here that can occur. Sometimes they're coerced, sometimes they're there for whatever reason.

David Mcintyre (19:19):

Is that what you're talking about, data loss, where people are walking out with

Brian Gardner (19:23):

Data loss, financial loss, any of those. Sometimes it's even the bad guy coercing somebody internally to take an action against the organization. That is actually an insider threat, even though it's coming externally to that person.

David Mcintyre (19:38):

So I mean, that's interesting. So what kind of controls can help us prevent that?

Brian Gardner (19:44):

So as a CISO, this is kind of where my job gets gray and moves into the controller's office and their responsibilities around internal controls. I only have so much visibility into that, and I think as a CISO, my job is to sit there, make sure that I give them as much information as I have, monitor that, and then communicate often and understand what their controls are. But ultimately it does land in their lap, because I don't have that visibility as much, and I kind of don't want it, to be honest. So that's what I see as far as the financial controls.

David Mcintyre (20:28):

Yeah. Okay.

Barbara Goodson (20:30):

So I'm going to add on to that because, again, I'm not IT. So I asked the IT staff to give me some bullets so that I would make sure I didn't make a mistake in how I explained this, but it kind of goes to the consolidated approach of what we're doing, where we have all devices running secure, federally compliant baseline configurations with full endpoint protection. There's a fully monitored and secured network perimeter; all internet traffic traverses web proxy servers, which have a single point of monitoring, inspection and ability to block attacks. So they just tell me this and I say, okay, but the IT staff tells me that this is a way to help eliminate a lot of the phishing and a lot of the other attacks, because there's somebody watching. So I believe them.

David Mcintyre (21:33):

Yep. Well, so Barbara, actually your ESF 17 is largely based on incident response. How is that going to move? Is Louisiana going to move into helping small cities do more proactive, preventative work?

Barbara Goodson (21:50):

We have, and I wanted to make sure that I explained that ESF function, which most local governments, at least the ones in Louisiana, are very familiar with. We started this after Katrina, and I was there then too, with what we call a web EOC. If a local government, and it doesn't matter whether it's a town, a city, a police jury or whatever entity in local government, has an issue, normally hazard or weather related, they can file a claim through this web EOC to our Office of Homeland Security. Well, we've extended that for cyber. And so when a local government entity thinks they may have a problem, our chief of Homeland Security will touch base with the other parties that I mentioned, the state police, our military department, and our OTS in our office, and they discuss it and then decide on what action to take: send a team, get on the phone, whatever they feel would be the appropriate action. What we are looking to do now, because this was started by executive order and this is the last year of our governor's second term, is we have proposed putting this into law, into statute, in order to support and maintain this infrastructure that we have built. We are in session; we just started this week, and our goal is to provide this ongoing. We have learned a lot. We do contract with a lot of private entities. We had to figure that out through the procurement processes that you always have to deal with. And so we have resources out there, so that instead of just all state employees, we can reach out to the outside private sector to help us when there is a significant type of event, and they're not going to stop. So we have to keep this model. It's our belief we have to keep this model going and strengthen it, also because these attacks are not going to stop.

Dan Larkin (24:15):

Yeah, I think those are all good things to have in place and good controls that are being implemented in your state. And to your point earlier about technology, you're taking some great steps to protect the perimeter and to protect against the inbound threat. And I still come back to the behavioral part of the equation, which is I don't think we do enough consistent after-action reporting, where we talk to the people who clicked on it: why'd you do that? And they tell you, hopefully at some level of candor. We've been dealing with the state and local governments for a long time too, to try to understand what it is they're seeing and why they're doing what they're doing. And some of the answers are easier than you thought, and you'll be blown away. Wow. I knew I could do that, but I wasn't getting paid to do that. I knew about these paths to go, but I was paid to get this money out the door as fast as possible. I said, well, you're paying the bad guys. That's all right. We don't care. We're just getting evaluated on how quick the payment goes out the door. I said, well, I'm giving you a whole list of people not to pay, but you still want to pay them. They said, yeah, we get evaluated on that. I said, no, you shouldn't be. So I think a better after-action report is helpful to do, to say, here's what we learned through these events. Stop doing that, or change a little bit.

David Mcintyre (25:44):

And I think you can get that same feedback even from phish tests, when you see who's clicked on what. Yeah, why did they click on that?

Omid Rahmani (25:51):

To make a point about something Barbara was saying, I think more states are starting to think about what their responsibility is when it comes to supporting local governments, because of staffing shortages, because of major budgetary gaps between necessary resources and available resources, because of major IT debt, lack of investment in IT infrastructure as opposed to physical infrastructure. I think most states are starting to think about that, but one thing I always say is that ultimately the responsibility for protecting your particular municipality is with that municipality, squarely with that municipality. One of the things I like to dispel when I have opportunities like this is this incorrect idea or belief I often hear from the state and local government community that there is a federal cavalry, or federal resources, or in some cases state resources, that are available to charge in as soon as you've had a situation and come fix it for you. This is a myth. This does not exist. I hear it mostly associated with the FBI. I will tell you, and Dan, who has much more experience in this matter, can tell you, their job is not to come fix your problem. Their job is to investigate crime and arrest criminals. Your problem is not their problem.

Brian Gardner (27:14):

So to kind of add on as well to what Barbara was saying, here in the State of Texas, just prior to COVID, they added cyber as part of disaster. So it can be declared a disaster. And what that has subsequently led to is the state building out SOCs around the state that local municipalities can utilize. What

David Mcintyre (27:36):

What does SOC stand for?

Brian Gardner (27:37):

Security operations. So monitoring of their systems, helping them in these incidents. I don't believe it's quite finalized. We, as Dallas, a larger municipality, have a substantial presence of our own security team, but for the smaller municipalities, this is ideal. You're going to have the state assisting you with that visibility into your systems. I know I speak with a lot of the smaller communities around DFW, and they don't have a security team. Arlington just hired their first CISO last week. Garland, as far as I know, does not have a dedicated security guy. And so what it does is it falls on the rest of that team to delegate that, which is a hard place to be when you're trying to make sure the servers are running and the network's running and, oh, by the way, I've got to do security. So that can be very beneficial when the state does step in and help them out.

David Mcintyre (28:41):

So actually, bringing up a point that I was going to mention, many cities use MSPs, managed service providers, or MSSPs, managed security service providers, to handle their IT and security needs because they don't have employees to do that. But sometimes that's a problem. And I know in Texas in 2019, there was an MSP that got hacked, and 25 Texas municipalities ended up getting ransomwared. Dan, what do you have to say? I mean, what do we know about that?

Dan Larkin (29:15):

Oh, we looked into that, and that's not unusual. Sadly, it's not unusual, but when you offload that overhead or that work, and understandably, to another entity to do it for you, you really do have to do some of your own due diligence. Even if you aren't going to bring that resource on as a full-time addition to staff, it's to better understand what they're doing to protect your data and to protect that service they're providing. Because again, if you're an MSP, typically, hopefully, if you're a viable business, you're going to have clients in the dozens that you work with. So the bad guys know that too. Again, as an MSP, sometimes the path that you choose is the easiest, less costly path. So you're going to implement a new set of software, a new set of protocols that are off the shelf. They're things that you can get pretty easily, and you're not adjusting them, and you find out that you're using default passwords, you're using something that's known to be a weakness in the system. So the bad guys are scanning for that. They're looking for that out there all the time, to say, yep, we've got this one company that has a certain default set of passwords or criteria they're using, so we can get a treasure trove of data. If we just hit the one, we're going to get 30. Or they'll target one. They know you have 30, 40, 50 clients, and say, well, if I can hit one and compromise one, I'm probably going to make my way into the rest of the network too. And they typically do. So that's something to be aware of when you're enlisting those services: you've got to ask the good questions about what level of due diligence they're doing on their own to ensure that the data they're entrusted with, or the services they're entrusted with, is something that's intact, or that there's some level of integrity around it as well.

Omid Rahmani (31:12):

I think this is an area that continues to be a challenge for municipal entities. We're seeing third-party risk and supply chain attacks really become a preferred method of intrusion into multiple organizations simultaneously, and within the municipal sector, I think we're really lagging behind when it comes to establishing controls on how we do business with vendors, how we structure agreements with vendors, what kind of access we allow vendors to have. I don't think enough thought or auditing goes into how we are connected as organizations to other organizations. I think that continues to be a big risk.

Dan Larkin (31:56):

And again, just to build on that. Absolutely right. I mean, the cascading vulnerability downstream is huge. The biggest compromises that I'm aware of in my career were Target, GSA, OPM, a variety of different major providers in the healthcare industry and in the financial services industry. They were all third-party providers, somebody that the company gave access to that they shouldn't have at that level. Again, in the Target breach it was an air conditioning vendor. The HVAC vendor happened to be from Pittsburgh, sadly, but they gave them access, and they traversed the network pretty easily. And that happened in many of the biggest breaches that I'm aware of out there.

David Mcintyre (32:43):

Target was their cash register vendor, right?

Omid Rahmani (32:47):

I think you have to look at, if you're doing business with a vendor, and even if you come from an organization that has a robust and developed culture of cyber hygiene, you have to really look at the vendors that you are connecting into your system, because that is a door you're opening for another organization.

Brian Gardner (33:04):

And it really becomes a risk problem, because on the other hand, if you don't go with an MSP, you have to retain that talent, which is incredibly hard to do given the magnitude and the number of vacancies out there. Right. So do you go with an MSP or MDR? The acronyms lose me all the time, but I think, to what Omid said, you really focus on vetting those vendors before you decide that MSP is the one you want to use.

David Mcintyre (33:37):

Yeah, I would be worried that the municipalities that are small enough to need MSPs may also be too small to know what questions to ask the MSP.

Omid Rahmani (33:44):

I think that's the challenge we're seeing.

David Mcintyre (33:47):

Yeah, fair enough.

Barbara Goodson (33:48):

So one of the things that we did last fall, because we were kind of talking about this with a lot of the local government entities, and the staff has done presentations and had multiple meetings with the local government organizations in Louisiana. We have the municipal association, the police jury association. I know not all states are organized the same way, but we tried to build relationships, because quite frankly, part of the initial resistance to our staff going in to try to help was distrust of state government, big brother. And so we had to work through that. We had to build the relationships to say, no, we're just here to help. But last fall we did a survey of, I think, 150 different local government communities, entities, asking if they would like an evaluation of the security and safety of their internal network. And we had somewhere between 80 and 90% say yes, asking, can you just come in and look at it? And what the IT staff tell me is, look, it's going to cost us money to go out and do it, but if they get hit, it's going to cost a whole lot more. So we're trying to do prevention, and that is our next step: trying to get ahead of it when we can.

Omid Rahmani (35:23):

I think on the technology side, one major issue that I'm seeing across the municipal sector is just the amount of technical debt compared to the private.

David Mcintyre (35:31):

Explain what technical debt is.

Omid Rahmani (35:33):

Basically, technical debt is, I'll put it to you this way. We have an easy time seeing lack of capital investment in things like pipes for water, streets for pedestrians and cars, much harder time seeing the lack of capital investment in virtual networks, which is a rampant problem. I mean, it is not shocking for me to hear a municipal entity with 30 to 50% out-of-life software or higher, I'm being told by a person who does this for a living. But I think that's a major, major area of risk. It's a major sort of blind spot for this community. Just the amount of technical debt, average lifespan for systems and software is seven years. It is not unusual for me to see things that are 20 years out of life and unsupported. And what that means is for 20 years, we have not, or that entity has not been able to properly protect that asset. And when I look at just the state of municipal networks, I usually see a ramshackle set of systems and software and networks together because not enough time or resources is dedicated to cyber-informed engineering of networks from the ground up. You just sort of duct tape things together and then half the time you're duct taping things together, which half of them are out of life anyway. When I talk about the state of cybersecurity in the state and local governments, it's a Swiss cheese of vulnerabilities. It is really a complex thing. It is something that I rarely hear people talk about: the lack of capital investment in virtual networks and technical debt.

David Mcintyre (37:31):

So that's a ray of sunshine.

Omid Rahmani (37:32):

Yeah, I'm really good at that part.

Brian Gardner (37:34):

It's not just municipalities and governments that have technical debt, let's, technical debt is something that's going to go through even private. It's really the end of life of your systems, and so everybody's going to have that cycle. The bad thing for municipalities is, I don't want to say it's been neglected, but it's just not been funded properly. You really got to look at your technology infrastructure just like, as Omid said, any other infrastructure, you got to keep it maintained and pave the roads and put on the dotted lines and all those things to keep it going and the lights on, just at some point it's going to fail.

Dan Larkin (38:11):

Just for my own clarification, because I don't know, I'm assuming, and I just wanted to call this out, to me, technical debt as you guys are describing it, is obviously there's a resource associated with the infrastructure and whether it's up to date or you're out of life or out of its expectancy to be carried on. But there's also human capital issues along the way too. The inability to hang on to really good help, hire good help, keep. So I think the human capital part of it.

Omid Rahmani (38:45):

Yeah, Dan, you're absolutely right. We recently did a study. It's interesting if you actually look at something as simple as a starting salary for a network analyst, and this is based on BLS data, there is roughly a 30 to 40% pay gap for the exact same person with the exact same degree from the exact same institution between this sector and the private sector. And then by the time you get to Brian's level, that can be hundreds of percent, which confuses me as to how anybody is able to do this. But that's a big problem. And the fact that the workforce gap keeps growing by 50% annually is causing major pressure on the human capital side.

Brian Gardner (39:33):

Well, and to Dan's point, there is a cost to this of the antiquated systems because you have to bring people in that have those specialized skills, I'm going to use the Fortran language as an example, that's a dead language, but there are still systems that are running on Fortran and to bring somebody in, it's a premium to have them come in and support the system that keeps whatever that is, that's do happening in that government.

David Mcintyre (40:02):

So Omid, I don't want to finish the panel without asking you, well, how does Fitch look at cybersecurity as part of your ratings process for issuers?

Omid Rahmani (40:10):

Sure. So we consider cyber risk to be an event risk, an asymmetric event risk, much like any event risk. We do engage our credits. We ask them basic cyber hygiene questions just to get an idea of what the philosophy of management around cyber hygiene is.

David Mcintyre (40:27):

So things like do you patch, do you have an offline backup?

Omid Rahmani (40:31):

So less technical. I'm more interested in, like I said, what management's philosophy is around it. If you have, for example, a finance department that understands what the risk is, if you have a finance department that understands the responsibility in a situation, I like to get an idea of what CapEx looks like, what percentage of the budget is dedicated to technology. So it can be things like that. We ask whether organizations retain cyber insurance. That's a whole different conversation because that particular landscape is evolving faster than I'm talking right now. So that's an idea. And then if we have credits that have incidents, we do look at how they manage through that incident, that's why I think a culture of cyber hygiene, I keep saying, is very important. Is this an entity that has been thinking about this? Do you have a cyber incident response plan? Do you have a communication plan associated with your cyber incident response? Do you guys do tabletop exercises? If you have a situation, do people literally know who to call to be able to do their jobs? If you have no access to technology, you'd be surprised how much of a challenge that is if you've never practiced it. So it's those things that we're interested in and if we see that organizations are habitually neglecting this situation in the face of getting attacked, having issues in recovery, things like that, then yeah, we can assign an asymmetric risk to that organization for lack of foresight or controls when it comes to this problem.

Barbara Goodson (42:11):

Well, I'm going to add onto that because this is, I'm so glad Fitch is sitting here at this table because one of my concerns is how to respond to the rating agencies for disclosure purposes because we cannot, and the person who is involved in this, we cannot disclose too much information when we have an ongoing attack happening. And so it's, you have to disclose to make sure that the agencies know something's happening, but I'm not going to let them disclose because other people are watching too.

Omid Rahmani (42:51):

So it depends. When it comes to disclosure, I think there's a lot of confusion around what that means and what that is and what that requires and when that is required. This is one of the reasons I keep saying, when I talk to organizations that are going through incidents, they start going into, well, we have this particular issue with this network and thing. I have to stop them. I'm like, I don't want to know that. That's not my idea. Tell me about your incident response plan. Tell me how that's performing. What does that include? Those are things I'm interested in. So you should not necessarily needing, you should never feel like you need to give information that is going to cause a further vulnerability. I don't think that's what any rating agency is going to be interested in. I think they're going to be interested in how you're performing, what plans are in place, what percentage of the situation may be covered by your cyber insurance, if you have cyber insurance, how much expenses to date have you had? What is your ballpark? And I, but when I say ballpark, I mean a large ballpark because as we know, the costs of these things are highly variable depending on the type of data breach and the various remediation costs associated. But I would think a robust management team would have an idea what a situation would cost roughly as they're going through it. That is the type of information that will be the topic of discussion. It should never be around things that I would consider to be confidential network security assets to begin with.

Barbara Goodson (44:21):

Thank you.

David Mcintyre (44:23):

All right. So before we go to questions, I'm going to end this by asking each panelist to give us one actionable idea or concept that we can give the audience to help with their cybersecurity issues. So Brian, why don't you start?

Brian Gardner (44:37):

So I would ask, do you have a security plan, a strategic plan in place? Because that is really first and foremost what you need to put in place at any entity, government, private, doesn't matter.

David Mcintyre (44:48):

Okay.

Barbara Goodson (44:50):

I mean, I have to agree.

David Mcintyre (44:52):

Well, you have to come up with your own.

Barbara Goodson (44:54):

I have to come up with my own. Well, I mean when we had that first incident in 2019 that was affecting so many of the local school systems, we put together, like I said, a set of bullet points. So the first thing to do, unhook from the internet, and we have instructed them to go out and make sure that they have backup servers that are separate from the system so that if you do get hit, you don't lose everything. You have a backup system that is separated and I don't know how to do that. So it goes on what you're saying, they have to have a plan, but I really do believe that some of these entities need help from other areas, whether it be private or public, to develop. What kind of plan should they put together?

Dan Larkin (45:52):

And my, I apologize, but I'll sort of have to make it a two-pronged answer. I think that taking away the obstacles that are out there and giving them the tools and the guidance that you can is great. I think that's something you have to do anyway. But to me, one of the biggest missing pieces for us, the lesson learned, is truly incentivizing that behavior. How are you getting that staff person to do what you want them to do versus not? Because so many incidents that we've seen, there's really no penalty. You failed, you didn't do what we told you you probably should do, and said, you, so what? I get paid the same amount and nothing. It's no impact on me. So, so to me, you got to change that. So to the extent you can incentivize behavior, and people perform based on how they're evaluated, if it's not part of the evaluation, don't expect the performance. That's as simple as that.

Omid Rahmani (46:59):

I would say take an internal look into your culture and see if your culture matches the current risk landscape, things like that. And I'll elaborate on what that means. I hear things about zero tolerance policies. I completely disagree with that. I believe in a zero consequence policy, if you have an employee that did something wrong, they should feel totally comfortable running to you immediately. So you can isolate the problem as opposed to trying to hide it because they feared some repercussions. Making sure that, for example, the culture of your work, just your work environment, is commensurate with the current landscape. And I'll explain what that means. There are municipalities who have not hired cyber talent who are in desperate need of it for a long time because literally their location does not offer candidates. And if you talk to them, they say, oh, well our culture requires everybody be in person, when the role that they're hiring absolutely can be done remotely. And the question that I wonder about is, are you serving your constituency better by exposing yourself to this risk because you have this culture, this rigid culture that requires you to have somebody in person, or would they be served better if you hired somebody that may be 2000 miles away? What is actually performing that service for you? Look internally and see these types of problems. They're pretty rampant in the municipal sector. We have to improve our culture. We have to adopt a vertical culture of cyber hygiene from the most junior member of an organization to the city council or board of an organization. It has to be equal across the entire organization.

David Mcintyre (48:43):

My action point is to teach everyone never to click on links. If you don't know that you're getting a link from someone, don't click on it. Something over 90% of security attacks happen when someone clicks on a link. So it's something to learn. Are there any questions from the audience? We have a few minutes. It's really that light is really something. No. All right. Well thank you very much and safe trip home.