Moody's Talks - Inside Economics

Episode 60 / May 27, 2022

The Macroeconomics of Cyber Attacks

Jim Hempstead, Lesley Ritter, and Leroy Terrelonge from Moody's Investors Service join the podcast to discuss the rising concern of cyber risks and attacks.

Full episode transcript

Follow Mark Zandi @MarkZandi, Ryan Sweet @RealTime_Econ and Cris deRitis on LinkedIn for additional insight. 

Mark Zandi:                      Welcome to Inside Economics. I'm Mark Zandi, the Chief Economist of Moody's Analytics and today it's a special podcast. We're going to be talking about the threat posed by cyber risk and the macro economy, and of course I'm joined by my two co-hosts. Ryan Sweet, the Director of Realtime Economics and Cris deRitis. Cris is the Deputy Chief Economist, and we're also joined by three of our colleagues from the rating agencies, Moody's Investors Service, and so this is a special podcast. It's the first podcast, I think, where we've had both folks from Moody's Analytics and MIS together and because of that, it's important to recognize that the folks from MIS may have different views than those from Moody's Analytics, that's us, and the views expressed by guests from one company or division within the Moody's family, can't be attributed or shouldn't be attributed to other companies or divisions.

                                             It's also, I think, important for me to say that by listening to this podcast that you're downloading it, you are agreeing to Moody's legal terms and conditions that's found at Moody's.com/disclaimer, including any information provided is not information or financial advice and that Moody's will not be liable for losses arising from your use of the information. Clearly this is language that's necessary in the context of this podcast where we're going to have folks from both the MIS and Moody's Analytics. I do think this highlights one of the very special things about the Moody's corporation that just shows the very talented group of folks that we have there. So with that, let me bring in our guests from MIS and begin with Jim Hempstead. Jim, can you tell us a little bit about how you landed where you are today?

Jim Hempstead:               Sure. Thanks a lot, and by the way, I'm a huge fan of your weekly podcast. I very much enjoy watching the three of you and I agree, great talent on that podcast that you do every week, but I manage the North American-

Mark Zandi:                      Oh Jim, this is really important. Jim, this is important. Which of the three do you like the most? That's the key question.

Jim Hempstead:               I'll let you know at the end of the statistics game.

Mark Zandi:                      Very good. Very good. Okay.

Jim Hempstead:               But Mark, I'm part of the Project and Infrastructure Finance Team here at Moody's. We, on a global basis, rate a little over $3,000,000,000,000 of debt in the electric, utility, gas, midstream, water and wastewater sectors and we have a lot of municipal and other infrastructure sectors like airports, seaports, and toll roads. I manage the North American portfolio and I also manage a small team and we've got Lesley Ritter and Leroy Terrelonge with us on a cyber group inside the rating agency.

                                             Our job is not to manage Moody's Corporation cyber security but what we are trying to do is raise the knowledge and the awareness of our 1300 global credit analysts so that when a cyber event affects one of the rated entities that we work with, we can respond more authoritatively and have better engagement with the marketplace by doing that. This all really came about back in 2015 I would say, when the utility industry was doing a lot of introspection on their cyber security capabilities and I started to have a conversation with our Chief Information Security Officer for Moody's Corporation, as a way of starting to learn more about it and we've really grown over the last bunch of years as a result of that.

Mark Zandi:                      Did you say how many years you've been with Moody's, Jim?

Jim Hempstead:               I've been at Moody's since 2002. So, well, about 20 years now and prior to that I was in the investment banking sector. I started out at [inaudible 00:04:06] firms. I did a run through Smith Barney, Salomon Smith Barney, and then also Merrill Lynch for the first 12 years. All in [inaudible 00:04:15] infrastructure center.

Mark Zandi:                      Got it. And Lesley. Lesley Ritter also is joining us from MIS, the rating agency. It's good to have you, Lesley.

Lesley Ritter:                     Hi, thanks for having me. I'm Lesley Ritter. I've been with the firm for 10 years now. Almost 10 years and working for Jim for almost 10 years. I started out, really, as a credit analyst in the electric utility and national gas pipeline space. Prior to that, I was doing work at GE Energy Financial Services. We underwrote different power deals all around the world and at that time we never talked about cyber, but since joining the team with Jim, we started a discussion like he said, in 2015, thinking about cyber and how it would impact our companies and we realized that we really hadn't thought that through so much and we wanted to know more and over time we built our team and created our own cyber team. I think, 2019. I've been there since. It's been really fascinating and I'm really thrilled to be here today.

Mark Zandi:                      Oh, so you've been working with Jim for 10 years?

Lesley Ritter:                     I know. Hence all the gray hair.

Mark Zandi:                      Good for you. Good for you. Good for you. Good. Hey, and we also have Leroy Terrelonge. Good to have you Leroy.

Leroy Terrelonge:            Yeah, thanks Mark. So I'm, I guess, the junior member of the team or one of the junior members of the team. I've only been at Moody's for three years, since 2019, when the cyber risk group had its formal inception. My background is I started working as a language analyst for the National Security Agency and then ended up falling into cybersecurity and really becoming very interested in the links with financial performance. I did a Master of International Business degree and then when the opportunity at Moody's opened up, I was like, wow. How many opportunities are there to have cyber expertise and then also marry that with financial performance? And so, yeah. I've loved the past three years that I've been here.

Mark Zandi:                      You said you were a language what?

Leroy Terrelonge:            A language analyst.

Mark Zandi:                      Analyst for the NSA?

Leroy Terrelonge:            That's correct. Yeah. I speak Persian Farsi.

Mark Zandi:                      No way, really?

Leroy Terrelonge:            Yeah.

Mark Zandi:                      Did you know I'm... Zandi is a Persian name. Of course, you knew that. You didn't know that?

Leroy Terrelonge:            I knew it.

Mark Zandi:                      Oh, you guessed it? Oh, okay. I'm disappointed to say, but I don't know Farsi. When my dad came over from Iran, he was a student, and at that time the philosophy was that you needed to be an American. You had to speak English. You should not speak the language from wherever you came. So I don't, unfortunately, know Farsi. Such a beautiful language.

Leroy Terrelonge:            Absolutely.

Mark Zandi:                      And difficult, right? That's a very hard language to learn, I believe.

Leroy Terrelonge:            I think the difficulty comes through the writing. Learning the writing is probably the hardest part, but speaking, like you said, it's very beautiful and it has a lot of traits that it shares with other Indo-European languages like English. So it's not so hard on the speaking front.

Mark Zandi:                      Do you know any poems? Because my dad, all he does all day long is recite poems. In Farsi.

Leroy Terrelonge:            I do, but I don't know if I can recite any right here.

Mark Zandi:                      Eat pomegranates. Eat pomegranates and recite poetry. You don't know any poems?

Leroy Terrelonge:            Not off the top of my head. I do really like Iranian poetry, but you put me on the spot here. I'm feeling [inaudible 00:07:52]

Mark Zandi:                      No, no, no, no. Okay. And Iranian food, right? Oh my gosh.

Leroy Terrelonge:            Yeah. Every year... A new tradition for my family... We don't have any birth links to Iran but my husband and I, we have an annual Nowruz, Persian new year party, and we eat lots of great Iranian food.

Mark Zandi:                      Okay. Well, it's so good to have you. It's really a pleasure to have all of you and thank you for spending some time with us. So again, the purpose of the conversation is to get a better grip on cyber risk. Of course, we're macro economists so we're really curious if there's any nexus between cyber and the macro economy, but obviously there's a lot of in-between, between companies and governments and everything else. Individuals or anything that's going on. So maybe we should just level set and talk about what is cyber risk? What are some examples of the threats posed by cyber? Leroy, you want to lead us down that path a little bit?

Leroy Terrelonge:            Sure. It's good to have an idea of what a cyber attack is because you hear about that all the time in the news, and it may not be clear for listeners what they should expect when they hear about cyber attacks. So basically a cyber attack is anything that impacts what we call this CIA triad. It's not the Central Intelligence Agency, it's not the Culinary Institute of America. It's confidentiality, integrity, and availability.

                                             What that means is confidentiality; think data that people shouldn't have access to or at least unauthorized access to. You want to keep that data secret. So a data breach like the cyber attack against Equifax in 2017. That would be an example of something that's affecting confidentiality. On the integrity front. This is you want to make sure that the data that you have is accurate, it hasn't been changed or manipulated. And so, one example of an attack against integrity was, in 2014, attackers were able to change the election results for the Ukrainian election and they figured that out 40 minutes before they were supposed to announce the election results. So they caught it in time. They were able to fix that, but that's an example of an attack against integrity. And then lastly is availability and that's making sure that you are able to access the information you have in a timely manner. So ransomware has been a lot in the news recently. That's when people lock up your data. Say that you have to pay a ransom to get access to it. That's an attack against the availability of your data.

Mark Zandi:                      Is ransomware the most prevalent form of cyber risk at this point? It feels like that's what's mostly in the news. Is that top of mind for most businesses when they try to protect themselves against cyber?

Leroy Terrelonge:            It's definitely having a moment. I feel like cyber attacks, different types of cyber attacks, have shelf lives and right now we're in the cycle for ransomware. It's very profitable and because of the business disruption, a lot of organizations want to pay. So until we see some sort of movement on deterring ransomware attacks, we think it's going to have a long shelf life, it's going to have a lot more impact.

Mark Zandi:                      Right, right. I guess I've... Oh, go ahead, Lesley. Did you have something to say?

Lesley Ritter:                     I was just going to add, because when I got into cyber, I always thought of availability of data as being customer information, but availability of data is a lot more because if you think about it, different types of manufacturers operate on digitally enabled machines that operate off of data. So you could disrupt a machine through some kind of ransomware attack and that's affecting the availability of data too. So I just want to make sure your listeners understand that we're not only talking about customer information, but data is everywhere.

Mark Zandi:                      Yeah. Makes a lot of sense. What about denial of service? That also is... That seemed to be more popular a few years... Or the popular form of cyber risk a few years ago. Do I have that right?

Leroy Terrelonge:            That's right. Yeah. Especially in the early 2000s or 2010s I should say. People might be familiar with Anonymous. The group that had... They had the weird videos, the voice, we are Legion, blah, blah, blah, etcetera. The industry really didn't have a good handle on denial of service attacks, which is when you send so much web traffic to a server that it can't handle the legitimate traffic, so people can't get to websites, but since then there have been leaps and bounds in protecting websites from those sorts of attacks. And so you don't really hear about DDoS attacks as much. They happen, but they're not as impactful as they were in the early 2010s.

Mark Zandi:                      Right. And what about phishing? That's the other... At one point was popular. Is that still an issue? The phishing? Where people send you an email or text or something and entice you to click on it and then they've got you. They've infected your machine.

Leroy Terrelonge:            Yeah. Phishing is a perennial risk that we see. At Moody's, at any organization basically, you're working at, you're probably seeing these phishing tests where they send you a message and then if you click on it, then you get something saying, oh, you fell for this phishing test. You might have to go do some extra remedial.

Mark Zandi:                      That happens to Ryan all the time, Leroy. Happens to him all the time.

Ryan Sweet:                      I'm batting perfect for that.

Leroy Terrelonge:            I always live in fear of those, because imagine if I fall for one of those and I'm on the cyber risk team, right?

Mark Zandi:                      You must be sweating all day long.

Leroy Terrelonge:            I'd be so embarrassed.

Mark Zandi:                      Just don't check your email.

Leroy Terrelonge:            That's the response. Yeah. That's the right answer.

Mark Zandi:                      Are we pretty good... People are getting better at... It must be getting better... One thing I've always wondered. Is it the same people that always fall for the phishing efforts? Some people just can't resist. Is that... That's in my mind. Is that true? Is that what happens?

Leroy Terrelonge:            To a certain extent, yes. Organizations never want to fire somebody because they've fallen victim to a phishing attack, right? It's to raise awareness, it's to make sure people know that these sorts of threats are out there, but there have been instances where folks have so egregiously just clicked wantonly on all these things coming in some companies have made the decision that at some point it has to affect your performance evaluations.

Mark Zandi:                      I'm so paranoid now that if I see anything that I don't know exactly what it is, I send it to my IT guy and say, "Should I click on this?" Then I'm thinking, it would be nice for the company to have someone like that, where I could just say, "Hey, should I click on this", and get an answer back.

Ryan Sweet:                      You're not aware of the button on Outlook that says phishing? You hit that [inaudible 00:15:15]

Mark Zandi:                      I am. Is that what that's for? Am I supposed to put it over there into the... Oh, I just sent it to Gershman. Well, now Gershman's not with us anymore, but to Sal and say, "Hey Sal, should I click on this?"

Ryan Sweet:                      I'm sure Sal loves getting those emails.

Jim Hempstead:               It's the phishing clicking that is one of the most frequent methods for people who shouldn't be in the system to get into the system and that's why companies test so much for it, and you do have a handful of employees that always fail the test. When they fail the test three or four or five times, that's where you have to try to decide how to remedy that situation. 

Mark Zandi:                      Okay. Any other new things coming down the pike here that you want to call out in terms of new cyber risk? All these things we talked about, ransomware, phishing, denial of service, they're all pretty... We have a pretty good grip on those, we understand what they are. Are there some things out there that are so new, just coming on the scene, that we should be aware of?

Lesley Ritter:                     I think maybe the one that you didn't mention was data breaches and that's not new, but what's happening is the attackers are merging two different types of attacks. So ransomware and data breaches together. So they would go after you and hold you ransom and say, "If you don't pay us, we will disclose all your information to the public." So that's a new tool. Well, not so new anymore. It's been about, what Leroy? Two years that they've been doing this? But that's been a more potent type of attack that's come up on that end.

Leroy Terrelonge:            I think I'd add really quickly too, that I think in the cyber security field, we're always interested what's the newest thing, what's the newest type of attack? But most of the attacks have pretty much been the same for a long time. They are able to use the same techniques to achieve the same end and just like anybody else, cyber criminals are often lazy. They want to get the biggest bang for their buck by doing the easiest thing. Organizations are often like, Hey, what's the newest, sexiest new attack, but really focusing on the tried and true methods and basic cyber hygiene practices is really where they're going to protect themselves the most.

Lesley Ritter:                     Yeah. I think maybe what's new and not so much in terms of types of attack but who they're going after. They're finding ways of attacking maybe higher profile companies or companies in spaces that they didn't use to go after. So like industrial companies and energy companies. Before it was very retail focused, banking focused and now they're finding ways of going after different industries, which might require a more sophisticated skill set because you have to go into these physical operations in order to tamper with them and cause problems.

Jim Hempstead:               I was just going to say, I like to use the phrase cyber risk is not as bad as you think it is, but it's worse than you know. To Lesley's point, the interconnection between the information systems, the IT systems, the information technology systems and the operations of these industrials and widget makers is something that I think we'll see a lot more focus on going forward, because you can use the IT systems to disrupt the operations. I'm thinking about temperature and flow and pressure and things of that nature that actually makes the widgets. You can disrupt them through a cyber incident through the IT system and the Colonial gas pipeline story, which we're about the one year anniversary of that, is a great example of that.

Mark Zandi:                      Right, right. Hey, maybe we should move on. That was a very good assessment of all the different ways cyber is affecting us, and talk a little bit about the costs. Jim, you and I have been having this conversation about having this cyber risk conversation in the podcast for quite some time and I was always struggling to figure out well, does this risk rise to a level that it becomes a broader macroeconomic problem? Can you give us some context here? How big a deal is this in the grand scheme of things? In terms of the cost?

Jim Hempstead:               So, the costs associated with a cyber event can be defined and measured in many different ways and the costs range. So I think this morning, we were emailing about the almost $1,000,000,000,000 worth of global costs that you cited. There's another number that's been cited of $6,000,000,000,000. It's [inaudible 00:22:41] the third largest economy if you include that. When we think of costs to a company... We call them issuers in the rating agency, because anybody can issue debt. It doesn't have to be a company. It could be a project.

                                             But we think about the impact on regulatory oversight, reputational damage, lost revenue. We think of litigation, liquidity impacts and other types of off balance sheet liabilities or contingent liabilities that could incur. If you add the numbers up, they can get very big. $1,000,000,000,000 is a lot of money, but if you compare it against the $22,000,000,000,000 US GDP, maybe it tells you one thing. If you compare it to the global GDP, it gets very small, but if you can compare that against the $2,000,000,000,000 of revenue that global utilities generate every year, it becomes very large. So as we think about cyber losses, they get dispersed in a large pool, but if they get concentrated in a particular sector or a particular region or a particular asset class, that's when I think we can finally really have that discussion about the macroeconomic impacts of that.

Mark Zandi:                      Yeah. I think that what you're referring to is I found a citation from the Center for Strategic and International Studies that they estimated that malicious cyber attacks cost the global economy, I believe it was last year, almost $1,000,000,000,000. Almost 1,000,000,000,000. And as you said, the US... I think the US GDP is, I think nominal dollars, is 22,000,000,000,000. I think you're... And then global GDP is probably about a $100,000,000,000,000, so that's about 1% but if you think about in the context of climate. So if you look at the... I was just looking at this. If you look at the total economic cost from acute physical risk, these are floods and hurricanes and fires, that kind of thing. Comes up to about 350,000,000,000 per annum. So, that's obviously a lot, but this dwarfs that, in the grand scheme of things, and it feels like it's rising quickly. This doesn't feel like it's going in the other direction here. If anything, it's just going to become more and more costly.

Jim Hempstead:               It's rising quickly and that's actually one of the potential statistics game is 4,000,000,000,000, 8,000,000,000,000 and 21,000,000,000,000.

Mark Zandi:                      Oh, okay. So we're playing the game here now.

Jim Hempstead:               I just want to throw that out there.

Mark Zandi:                      Oh, okay. So I didn't... Oh that's right you wanted to play the statistics game in the conversation, so okay. So we're going to do that. Lesley and Leroy, you have statistics as well?

Lesley Ritter:                     I prepared one if you want one, but we can... I know the answer to Jim's, so that's cheating, but I have one we can quiz Jim on later.

Mark Zandi:                      That's kind of what Ryan does every once in a while so that's not...

Ryan Sweet:                      No, I'm the one trying to investigate the collusion between Zandi and Cris over there.

Mark Zandi:                      Okay. Okay. We're going to play the game. The game is we each state a statistic. In this case has got to be cyber related and the rest of us try to figure that out based on deductive reasoning, questioning and clues. So go ahead Jim. What are the numbers again?

Jim Hempstead:               4,000,000,000,000, 8,000,000,000,000 and 21,000,000,000,000.

Mark Zandi:                      And this is cyber related? Is it cyber related or is it... It's cyber related?

Jim Hempstead:               The 21,000,000,000,000 is cyber related.

Mark Zandi:                      Oh, the 21,000,000,000,000 is cyber related. Oh my goodness. And Lesley, you know the answer to this?

Cris deRitis:                       Is this a forecast over different horizons?

Lesley Ritter:                     We looked at what [inaudible 00:26:18] by sector is the most exposed to cyber risk, to environmental risk and social risk. So what he's telling you is $21,000,000,000,000 of issued debt is highly exposed to cyber risk. 8,000,000,000,000 is social and four is environmental.

Mark Zandi:                      It's obvious, Lesley doesn't understand this game. It's pretty clear.

Lesley Ritter:                     Did I give you all the answers? Is that what I did wrong?

Mark Zandi:                      Lesley, what the heck?

Jim Hempstead:               [inaudible 00:26:47] cowbell.

Mark Zandi:                      Yeah. You might have said ESG or something like that. It's like, okay. I'm done with this game. We're done. Okay.

Lesley Ritter:                     How is he going to get it? This is...

Mark Zandi:                      Oh, you felt bad for us. So that's why.

Lesley Ritter:                     I did feel bad for you a little bit.

Mark Zandi:                      You're saying you guys look like idiots. I'm putting you out of your misery, is what you're saying.

Lesley Ritter:                     Yes.

Jim Hempstead:               Those numbers, in fairness, were in the notes that we sent about that but to your point on [inaudible 00:27:15] $4,000,000,000,000 is the amount of debt that we looked at over all the global sectors and said these are the sectors that are most exposed to environmental risk, which includes the physical effects of climate change, carbon transition, water management. 4,000,000,000,000.

                                             [inaudible 00:27:32] 21,000,000,000,000. Now that cyber includes the banking sector. So even if you take the $10,000,000,000,000 of debt out from the banking sector in that number you're still higher, almost twice as high, as the environmental risk and the risk is today, as opposed to the longer term. The risk of environmental and climate change risk is today but the runway is longer than it is on cyber. So that's why I threw that and I didn't mean to [inaudible 00:28:03]

Mark Zandi:                      No, that's a great statistic, but just so I understand. So 4,000,000,000,000 in outstanding global debt that is at risk of an environmental issue. Meaningful. 7,000,000,000,000 is, you said social risk?

Jim Hempstead:               Eight.

Mark Zandi:                      8,000,000,000,000 social risk, and you said 21,000,000,000,000 is cyber?

Jim Hempstead:               That's right and [inaudible 00:28:23] definition is high or highly exposed to that particular risk and these are all in our heat maps that we publish [inaudible 00:28:32] we have an environmental heat map, a social heat map and a cyber heat map [inaudible 00:28:36]

Mark Zandi:                      By the way, for the listener, you guys wrote a great whitepaper that went through this in detail. Is that paper available to the broad public or is that not? Just curious. Do you know?

Jim Hempstead:               I don't know off the top [inaudible 00:28:51]

Mark Zandi:                      You don't know. Okay. No worries.

Jim Hempstead:               I think it would be but I don't know.

Mark Zandi:                      Yeah, it's a great paper. It's a great paper. Okay. Okay. That's very good. I think we lost Cris. Hopefully he'll find his way back.

Ryan Sweet:                      I think he bailed.

Mark Zandi:                      Oh, do you think so?

Ryan Sweet:                      After that number. Those numbers scared him off.

Lesley Ritter:                     I ruined the game.

Ryan Sweet:                      Scared him off.

Mark Zandi:                      Oh [inaudible 00:29:07] him off. He was annoyed. Okay. So, Lesley, you have a statistic as well?

Lesley Ritter:                     Well, I like the idea of dimensioning cyber risk, so I was going to try... It's probably an easy one for you but it was... It may be a harder one for Jim. We'll see. I was going to say if it's $1,000,000,000,000 of cyber costs, what is equivalent to in terms of GDP? What European country is that equivalent to? That's for you Mark.

Mark Zandi:                      Oh, I like this one. I like this one.

Lesley Ritter:                     Jim, what is the multiple of Amazon revenue is that equivalent to?

Mark Zandi:                      Oh, that's another good one. Okay. So you're saying... Okay. The estimated cost from cyber is $1,000,000,000,000 globally. Which European country has an annual GDP of about 1,000,000,000,000?

Lesley Ritter:                     About 1,000,000,000,000.

Mark Zandi:                      Okay. Okay. We're each going to name a country and I'll let Ryan and Cris go first, unless you guys want me to go first. And Jim, do you know the answer?

Jim Hempstead:               Don't know the answer.

Mark Zandi:                      Okay. And Leroy, do you know the answer?

Leroy Terrelonge:            No.

Mark Zandi:                      Okay. We're going to go around the horn. Okay. Cris, you go first. Oh, sorry. You can't... He looks very confused. Dazed and confused.

Ryan Sweet:                      Dazed and confused.

Mark Zandi:                      Ryan, what country?

Ryan Sweet:                      Oh, here he is. Cris. You can go.

Mark Zandi:                      Oh, did you hear us Cris?

Cris deRitis:                       You hear I'm having troubles here. Go ahead. Go ahead.

Mark Zandi:                      So Ryan, what country is $1,000,000,000,000? I think I know.

Ryan Sweet:                      Romania.

Mark Zandi:                      Romania? Are you out of your mind? Romania?

Lesley Ritter:                     They'd love to be there.

Mark Zandi:                      That's a bad guess, but okay. All right. Jim?

Jim Hempstead:               Ireland.

Mark Zandi:                      That's interesting. I don't think so, but that's interesting. Leroy?

Leroy Terrelonge:            I'm going to say Switzerland since Lesley's from Switzerland as well.

Mark Zandi:                      You're as bad as Ryan. Okay, Cris?

Cris deRitis:                       So which country has a GDP [inaudible 00:31:06]

Mark Zandi:                      Of 1,000,000,000,000.

Cris deRitis:                       Of 1,000,000,000,000.

Mark Zandi:                      You should know this by the way.

Cris deRitis:                       The Netherlands.

Mark Zandi:                      That's a pretty good guess actually. I think. I'm probably dead wrong. Lesley. Is it Italy?

Lesley Ritter:                     Cris. You got it right.

Mark Zandi:                      The Netherlands.

Ryan Sweet:                      Oh good job. Wow Cris.

Mark Zandi:                      Although I think Italy was also $1,000,000,000,000 Lesley. I'm just saying.

Lesley Ritter:                     I think it's a little bit more than 1,000,000,000,000.

Mark Zandi:                      Maybe it's 1,200,000,000,000.

Lesley Ritter:                     Those 200 million counts right?

Mark Zandi:                      Hold it, wait a second.

Lesley Ritter:                     Switzerland was 800 million.

Mark Zandi:                      If it was 2020, it would be 1,000,000,000,000. I'm just kidding. All right. Well okay. Now the other ones were interesting too. You said 1,000,000,000,000 is what percent of Amazon annual revenue.

Lesley Ritter:                     What multiple or percent?

Mark Zandi:                      Of Amazon's... I think Amazon's revenue... Wow, that's a great question.

Lesley Ritter:                     Global revenue for last year.

Mark Zandi:                      I don't know the answer to that question. I'd say it's probably got to be... Guys, you want to take a guess? I'd say 125,000,000,000.

Ryan Sweet:                      Amazon's revenue...

Mark Zandi:                      So 10 times. 10 times. No? She's looking. She's being very coy.

Lesley Ritter:                     You're really low balling it there, I have to say.

Mark Zandi:                      Oh really? Oh okay.

Jim Hempstead:               [inaudible 00:32:25] times. 500,000,000,000 [inaudible 00:32:26]

Mark Zandi:                      Is it 500,000,000,000? Wow.

Jim Hempstead:               [inaudible 00:32:29] of how much my kids use Amazon.

Lesley Ritter:                     That's right Jim.

Mark Zandi:                      I had no idea it was that big. 500,000,000,000. I was going to say something about Bezos, but I'm going to practice the Thumper principle. So I won't do that. All right very good. That was good. Leroy, we're going to come to...

Ryan Sweet:                      Mark, Italy's GDP was 1,000,000,000,000 back in 1990.

Mark Zandi:                      1990? Italy?

Ryan Sweet:                      Italy.

Mark Zandi:                      Oh, I was really wrong. Oh no, wait a second. Italy's GDP has not risen at all in 20 years.

Ryan Sweet:                      It's 1,900,000,000,000 now.

Mark Zandi:                      Is it really 1.9?

Ryan Sweet:                      Yeah. All that tourism money from Chris.

Mark Zandi:                      From Chris. Exactly. Okay. All right, let's go back to the topic at hand. Hey Jim. So cyber is obviously a big deal. It strikes me as being different than other kinds of risks in lots of different ways. Do you want to give us a sense of that?

Jim Hempstead:               Sure. So cyber is indiscriminate. It does not respect boundaries. It could affect any asset class, any sector, in any region, at any time. So from that perspective, it's a little bit unique compared to some of the other risks that we think about. Cyber risk is ubiquitous to an organization because it can affect your reputation and some soft factors like that, as well as hard factors like your liquidity and your revenue. It can show up in any number of ways an organization measures itself and so, from that perspective, it's also a very evolving risk and because of the digitization that we see taking place across industry and the economy in general it's morphing around in novel ways. And so we're always chasing around trying to figure out how best to think about that risk, measure that risk, define that risk and then see how that risk changes over time.

                                             It's really been an interesting journey over the last couple of years. I feel like we finally made it Mark, because you and I have been talking about this now for a long time and here it is. The geopolitical tensions that have taken place over in Europe right now has really amplified that risk, at least from a governmental perspective. US has shields up, we're very on a defensive footing right now to make sure that we have extra protections and so that risk is probably going to show up in ways that are going to look creative.

Mark Zandi:                      Hey when I think, Lesley, about the nexus between cyber and the broader economy, I think of a few different things and I'd like to just throw them out and get your sense of how big a deal it is. The first is around systemic financial risk. You think about the payment processors or maybe the exchanges. That if they went down because of a cyber issue, that that would be a problem. Like if I went to use my Amex card or my MasterCard or Visa and I couldn't, that'd be bad. That'd instill some panic. How big a deal is that? Do you think that's a big deal? Systemic financial risk from cyber?

Lesley Ritter:                     I think it's one of those key characteristics of cyber risk that we have to pay close attention to. The banks and the regulators are highly attuned to this and really focusing a lot of energy on it but it's true that if you think about the sectors that underpin the functioning of our economy; so think about banking, think about energy, think about technology, cloud, those are all highly integrated systems that are very digitized. So like you I said, if the SWIFT system goes down, it's a huge global issue. If when we did our surveys-

Mark Zandi:                      That's the international payment system.

Lesley Ritter:                     Yes. When we did our survey looking at cloud computing we asked... We reached out to about 5,000 insurers and we got 1300 answers and of those 1300 folks that answered this, 87% of them said that they actually used Microsoft Azure cloud. So think about that. If Microsoft Azure cloud goes down... And those are folks who answered from all around the world, from all sectors of the economy. If that cloud goes down, that's another huge issue. On energy, which is where Jim spends a lot of his time, a lot of the key components that go into producing energy are manufactured by just a handful of manufacturers. So if those manufacturers get tampered with somehow the whole energy system could be at risk as well. It's a characteristic of cyber risk that can't be ignored.

Mark Zandi:                      So, systemic financial risk. So back to the payment processors or the exchanges or international payment...

Lesley Ritter:                     Exchanges, clearing houses. Yup.

Mark Zandi:                      The cloud services because we're all in the cloud now and so if that gets hacked and is taken down, that's a big problem for everybody. You mentioned energy and that... Colonial Pipeline shut down. It's a good case study. Good example of that. Which was highly disruptive. You didn't mention global supply chains. How big a deal do you think it is for the movement of goods across the globe? Is this a big deal do you think? Is cyber a real threat there?

Lesley Ritter:                     Yeah. I think more of that in more of a almost a contagion risk concept, more than systemic risk. I'm thinking of what happened with NotPetya where it just spreads and starts causing destruction across a whole series of industries, which spills into the supply chain.

Mark Zandi:                      Right. You said NotPetya. What's that?

Lesley Ritter:                     I think Leroy is the best person, given his background, to really fill you in on that so maybe I'll bring you into the conversation.

Leroy Terrelonge:            I guess the cliff notes version of NotPetya is that in 2017, in an attack that has been attributed by numerous governments, intelligence agencies and cybersecurity research companies to the military intelligence of the Russian government known as the GRU and that they tampered with the update of the tax software that's mandated by... It's an accounting company in Ukraine, and basically any entity that files taxes in Ukraine is required to use, or at least was at the time, required to use this company's accounting software. So they pushed out this software update that had been tampered with to a whole bunch of entities in Ukraine and then those entities in turn... Many of them were part of large multinationals and it was able to spread worldwide and it was some, what we call, wiper malware that basically destroyed the computers that it landed on and it caused a number of different repercussions. I'll let Jim talk a little bit about some of the financial impact that took place as a result of that attack.

Jim Hempstead:               So this was another statistic we were going to use, but eight multinational companies were affected by that NotPetya attack and they reported about $2,000,000,000 worth of financial losses. 2,000,000,000. If you add up the balance sheets of those eight companies it was like a $350,000,000,000 balance sheet, so not a lot. Again, to the point, but those eight multinationals had 233 customers that were affected and they reported $8,000,000,000 worth of financial losses associated with it. And again, relatively dispersed and diversified, but almost 90 of those 233 customers drew their bank lines down across 37 different banks. Now that could get interesting very quickly, luckily zero credit losses were associated with those bank [inaudible 00:41:02] so it worked out, but that's a great example of contagion and interdependencies, of how everything connects together and why cyber risk is so important from a macroeconomic perspective. There is a few wild cards that are in there, that are floating around, that we want to try to keep our eyes on.

Mark Zandi:                      Okay. So we mentioned systemic financial risk, the threat to the cloud, the energy system. Global supply chain doesn't seem like that's as big a direct threat. Anything else? Any other major... You're sitting at the White House and you're worried about cyber affecting the broader economy. Are there any other choke points, stress points out there that can be exposed by a cyber attack? Anything you would focus on or mention?

Jim Hempstead:               The only other one to mention, and supply chain kind of hits it a little bit, is the stuff that we use all the time. So energy, water, systems and things of that nature can be disrupted in some way, shape or form. When I say energy, I mean not only the fuels, but the electrical power as well. The grids are all interconnected and as Lesley said, there's only a handful of companies that make the big components that make energy and power grids work. And so it's a concentration point.

Mark Zandi:                      Okay. So it doesn't feel like... It feels like we covered it. That there isn't anything out there that we're just not thinking about. Significant vulnerability that could be exposed here.

Jim Hempstead:               We hit [inaudible 00:42:46]

Cris deRitis:                       What about infrastructure? If we took down the air traffic control system or shut down a port or something?

Jim Hempstead:               Go ahead, Leroy.

Leroy Terrelonge:            I was just going to say that the US government has identified 16 sectors as being critical infrastructure sectors and I think... As a result or at least it seems as a result of the Colonial Pipeline incident that happened last May and the geopolitical tensions in Europe, Russia's invasion of Ukraine, that there's been a lot of movement in raising the standard and raising the minimum bar for these critical infrastructure sectors. So we've seen executive orders from the Biden administration, as well as from the government agencies that oversee some of these sectors, saying you need to meet this minimum standard. You have to have somebody who's responsible for cyber security in your organization. You need to be doing weekly backups. Some of these very basic procedures to make sure that these critical infrastructure sectors that so much depends on and that, if something happened to them, would cause a lot of hurt to the US economy have some minimum level of preparedness.

Cris deRitis:                       Yeah. I think the psychological damage on consumers would be enormous. Even if you lost the air traffic control system for a day, how are you going to regain the trust of the public? That could have seen significant macroeconomic repercussions even beyond the direct impact.

Lesley Ritter:                     It was funny. We went through this exercise of those 16 critical infrastructure sectors. We were working on an update to our heat map and I was talking to Leroy and we were talking about assigning systemic risk levels to the sectors. I think we were looking at what, 92 sectors Leroy? We were mapping them and each one of them fell in one of these 16 critical infrastructure sectors. It's very hard to say this sector is most impactful to the economy in terms of a cyber attack versus another. Everything's so interconnected. The water sector is hugely vulnerable and important but we haven't talked about that either. I think what we're learning more and more is everybody's exposed. Last week we wrote about an attack on an agriculture company. You wouldn't think of agriculture as being exposed to digital theft, but it happens and it just so happens that they timed it perfectly with when planting season is.

Mark Zandi:                      It's almost like, as economists, we're thinking about this and how to bring cyber into our forecasting and thinking about the economy and at this point we're treating it more just like a cost of doing business. Like any other cost. It's not like an existential threat. It could potentially be. It's a risk and maybe a scenario, but it's hard to construct a scenario where a big enough part of the economy goes down long enough for it to really take out the economy. Is that a reasonable way of thinking about it or am I missing something?

Jim Hempstead:               Mark, that has been the view I think, really, since we started to put our collective heads together on this, but it reminds me of the work that's been done over the last five to seven years. That, because the cost associated with cyber is relatively manageable, we've only had a handful of companies that have really been permanently or lastingly impacted by cyber risks but I think that's changing going forward. So as interconnectivity rises, as digitization increases, as the tools and methods that a hacktivist or a hacker has continues to get more dangerous in the hands of your average hacker, that the stakes at the table are rising and so it's something to keep an eye on, those tail risks, in terms of what is an unusual event and what would happen if one of those events took place in a particular region or within a particular sector. Then I think it could change very quickly.

Mark Zandi:                      Got it. Okay. Hey Leroy, one thing I find a little perplexing in the context of the Russian invasion of Ukraine is there hasn't been more cyber, at least to my cursory following of events, there hasn't been much on the cyber front here. Is that right and is that surprising to you as well? I thought we would see a lot more of a response. Correct me if I'm wrong, but I think Russia is ground zero for a lot of the cyber issues that originate globally. Is that correct to say?

Leroy Terrelonge:            There's a company called Chainalysis. They do research on cryptocurrencies and based on their research in 2021, 74% of the cryptocurrency movements connected with ransomware went to actors who are, what they said Russia affiliated, or Russia connected. So yeah, that is the case and as for being surprised about the level of cyber activity in connection with the Russia Ukraine conflict, I would say yes and no. No in the sense that there has been a lot of cyber activity. Microsoft put out a blog at the end of April saying that six separate Russia aligned nation state actors have conducted more than 237 what they call operations against various Ukrainian entities and this includes things like destructive attacks that are impacting civilian welfare.

                                             I think what most people were expecting are some of these splashier attacks. So, in 2015 and 2016, the Russian military intelligence again is accused of turning off the lights in various parts of Ukraine. There was a NotPetya attack again that wiped out hundreds of thousands of computers in Ukraine and around the world. So people were expecting really splashy, big scale attacks and what we've seen have been more moderate, less splashy attacks. Nonetheless impactful for people's lives. I will say that there's been a lot of attacks back on Russia as well. Not very impactful. They've been these DDoS attacks. So people have been sending lots of traffic, web traffic, to websites and services in Russia. They've been stealing tons and tons of data. One of the more higher profile ones has been the Belorussian... A cyber activist that have impacted train movements of troops. So again, not big splashy things, but there has been a significant amount of cyber activity.

Mark Zandi:                      There's state actors, state sponsored in some form actors in the cyber criminal activities, and then there's this private non-government related. Is there any sense of or any data related to how much is the result of one or the other? Do we know?

Leroy Terrelonge:            Well, one of the really difficult things is that often they're the same. So they might wear one hat during the day. They might be a government or nation state affiliated hacker and then they do some moonlighting in the evening and they're financially motivated and using the same techniques or tactics that they're using in their day job to pad their pockets. Before coming to Moody's I worked at a cyber threat intelligence company where we actually were in these communities where cyber criminals gather to exchange tools, techniques, tactics, and also to recruit for their various cyber criminal enterprises and yeah, it was very difficult to know exactly... Well, you don't know what their identities are but there's been some investigations that have shown extensive links, particularly in some countries, between their cyber forces and cyber criminals and cyber criminal activity.

Mark Zandi:                      Yeah. You're a pretty interesting guy. Man. Really interesting.

Jim Hempstead:               And Leroy, tell them how it's a business. They have HR departments and...

Mark Zandi:                      No way. Really?

Leroy Terrelonge:            Yeah. Payroll. So there's a large ransomware gang called the Conti ransomware gang and there was just a big leak of internal logs from that organization. Somebody was able to steal their communications and publish them and yeah, you have people writing in saying, "Hey, I need to take some vacation time. Going off with my family somewhere." It is run just like a business is in many respects. It's the black market, it's underground, it's the black economy.

Mark Zandi:                      Hey, one other question, you may not know the answer or may not want to respond, but how empowering is crypto to cyber? Is that a big part of empowering the ability to engage in cyber attacks and get paid?

Leroy Terrelonge:            Especially for ransomware attacks. So ransomware attacks have technically been around since the late eighties. 1989 there was the AIDS ransomware that was distributed on floppy discs to AIDS researchers but you know, to pay the ransom, you had to send the money to a PO box in Panama and turns out that when you go show up to pick up stolen funds or ransom funds that you can be found and that person, the author behind that attack, was caught and put in jail. When you get the advent, or at least when cryptocurrency started taking off in the early to mid 2010s, then it became much more feasible for ransomware attacks to happen and so that's when you started seeing ransomware attacks against individuals in the 300 to 400 dollar amount range and then as time has gone on it's gone into the tens of millions of dollar range as they've gotten more sophisticated and more targeted in their attacks.

Lesley Ritter:                     What's super interesting about these ransom payments is, and these criminal organizations is they're largely very disciplined. They take this money and they reinvest it in their business to develop more sophisticated weaponry. So going back to that $1,000,000,000,000 amount, it's a lot of R and D, right?

Mark Zandi:                      Oh, geez. That's scary. The thought of that is just really scary. Oh goodness. Now I assume some countries are just better positioned to manage through this than others. I kind of hope the US is in a good position but Jim, is that the case and what makes one country more susceptible or more impervious to cyber risk than others?

Jim Hempstead:               To some degree everybody is on somewhat of a level playing field in the sense that we're all using the same internets and those types of capabilities, but there's a clear difference between the resources that are available for some of the developed countries versus some of the more emerging countries that are out there. The United States in particular is very forward leaning on both offensive and defensive capabilities. We have very sophisticated thinking around this and we continue to work with our friends and allies on that.

Mark Zandi:                      Yeah. I was reading, I think in Foreign Affairs. I can't remember. It was around cyber issues, and one of the points being made was that the US is somewhat insulated because the cyber criminals are fearful of retaliation from the United States. So that limits the attacks on the US to some degree, or at least the severity of the attacks. Does that ring true to you? Does that sound right?

Jim Hempstead:               I'm not sure how much that sounds right. I think a lot of the inbound is in the US and maybe that's just a function of our society, but I'm not [inaudible 00:56:39] how... Go ahead, Leroy.

Leroy Terrelonge:            I'll add really quickly that for a cyber criminal, especially financially motivated ones, they have this line that they're trying to walk. They don't want to cause too much of a splash because then that will bring the full force and might of the US government down on them. So you think about... We keep referencing the Colonial Pipeline incident. In that case, because it became such a splashy attack, the cyber criminals themselves came out and said, "Whoa, whoa, we didn't know it was so important. We didn't mean to hit a pipeline, please back off". We've heard from some victims of ransomware attacks that were hospitals, that they contact the ransomware gang and say, "Hey, we're a hospital", and the ransomware gangs give them the decryption key and say, "Hey, we're sorry. Please tell the FBI or whatever that we gave you the key", because they don't want the heat.

Mark Zandi:                      Yeah. Empathetic cyber criminals. Yeah. Right. That's great.

Leroy Terrelonge:            Self-interested cyber criminals.

Mark Zandi:                      Self interested. It makes a lot of sense. It's a business, as you said, so they're doing risk management. Like any other good business they're trying to manage their own risks that they face. Good. Again, back to the report you guys did. I thought it was fabulous and obviously represented a lot of work. All the survey work that you did. Hey, Lesley, based on that are there some things you learned that companies, businesses, should be doing, could be doing or not be doing that would make them more resilient to managing through cyber threats and risks?

Lesley Ritter:                     Well, I guess the first thing I'd say is we're, at the rating agency, not in the business of giving cyber defense recommendations. All I can do is...

Mark Zandi:                      Good point, yes.

Lesley Ritter:                     Again, financials background. I can talk to some of the findings. What we learned from the folks that we were able to survey and who generously donated their time to answer us. Largely, it seems like they're attuned to cyber risk and there's a cyber operations that are being created within the issuers that we surveyed. That means that they have a cyber manager, and they have a couple of cyber folks working full time within their organization and largely they're doing the very bare minimum of what's called cyber hygiene. Using multifactor authentication, scanning their systems, but once you start looking at more advanced forms of ways to mitigate the risk, then you start seeing a very disparate set of responses based on sectors. Banking seems to be way ahead of the pack across the board in terms of how they look at how they govern cyber, in terms of how they manage it from an operational standpoint on a day to day basis, and even from a risk transfer standpoint. On the other end of the spectrum, not surprisingly the public sector is lagging.

Mark Zandi:                      Oh, is that right?

Lesley Ritter:                     Yeah. It's costly. It's a cost center. So you have limited ways you can allocate resource and cyber is oftentimes the one that is probably not the primary focus.

Mark Zandi:                      Got it. Well, that's pretty disconcerting that the public sector is so exposed. I guess not surprising, as you point out. What about risk mitigation here on cyber? Is there a way companies can use the insurance markets or some other form of risk transfer to make this... Again, because it feels like this is at this point in time, more of a cost of doing business. So if there's a way to quantify that and compartmentalize it, then you can transfer the risk and make it more manageable. Is that right? That thinking. And is there any efforts along those lines? Is that even a possibility around the cyber risk?

Lesley Ritter:                     Yes. Yes. So there's this thing called standalone cyber insurance or cyber insurance for short, which is quite popular. I think in our survey, I want to say about 80%, 85% of the folks that responded said they carried some form of cyber insurance. That always sounds good and there's some financial benefit to it, but the policy coverages are actually quite small, but where the rest of the benefit is is that you get access to a lot of third party services. So if you're attacked, you suddenly have access to experts that can help you with negotiating with the criminals, facilitating the cryptocurrency payments and doing all sorts of forensics and that's an added benefit. It's not necessarily direct financial, but it's avoidance of cost I guess. That's beneficial. It's a very dynamic market and maybe Leroy can jump in here, talk about what's happening in the cyber insurance market because it's changing rapidly.

Leroy Terrelonge:            I think this is a good circle back to my stat.

Mark Zandi:                      Oh good. I was going to ask about that because I had not forgotten Leroy. I was going to come back. But you want to do your stat?

Leroy Terrelonge:            Sure. I'll do my stat and you have a good hint already that it's something related to cyber insurance and the number is 300%.

Mark Zandi:                      300%. Is that the increase in the outstanding amount of risk that's insured over the past 10 years? No. Past five years.

Leroy Terrelonge:            Nope.

Mark Zandi:                      Okay. Can you give us a hint?

Jim Hempstead:               Is it the increase in premiums?

Leroy Terrelonge:            That's it. Year over year.

Mark Zandi:                      No way.

Leroy Terrelonge:            Yes. They were some of the hardest hit.

Mark Zandi:                      Way to go, Jim. Hey Ryan. That is a cowbell moment.

Ryan Sweet:                      I got to get it. Hold on.

Mark Zandi:                      That is a cowbell moment. Very good. That's great, Jim. Fantastic. 300% from what to what? Do you know?

Leroy Terrelonge:            That's year over year for some of the hardest hit by ransomware sectors. So that includes things like education, government and manufacturing [inaudible 01:03:00]

Mark Zandi:                      Oh no way. I thought that's the increase in the premium.

Leroy Terrelonge:            Premium. Exactly. Year over year increase in premium.

Mark Zandi:                      The premium last year was $10,000 and this year it's... What's 300%? $30,000? Something like that.

Leroy Terrelonge:            Yeah exactly. Yeah. Then at the same time, the coverage is shrinking for some of these hardest hit sectors because you have to remember that cyber insurance, for a long time, was focused primarily on first errors and omissions and then on data breaches and those do not have the same loss magnitude as ransomware attacks have had. One of the biggest drivers of that impact is business interruption that comes from that and so the insurance companies, they just weren't ready for it and they experienced heavy losses. Wasn't profitable for a number of cyber insurers and some have even exited the cyber insurance market because they decided it's just not... They can't [inaudible 01:04:06].

Mark Zandi:                      Can't make the return.

Leroy Terrelonge:            Yeah, exactly.

Mark Zandi:                      Yeah. Interesting. Okay. Hey Ryan and Chris, did you guys come up with statistics? Did you have a statistic you wanted to throw out to the group? Chris did you?

Ryan Sweet:                      I have one you one. Chris can go first. Yeah.

Cris deRitis:                       Oh, go ahead Ryan.

Mark Zandi:                      And then I do want to end on a high note. I'm going to ask each of you guys, give me some good news. Okay? Please. Some good news. Okay. All right, Chris, what's your number?

Cris deRitis:                       1834.

Mark Zandi:                      1834?

Cris deRitis:                       Yep.

Mark Zandi:                      Not the date. Not the year?

Cris deRitis:                       It is a year.

Mark Zandi:                      It is the year 1834?

Cris deRitis:                       Yes.

Mark Zandi:                      Are you kidding me? 1834?

Cris deRitis:                       Yep.

Mark Zandi:                      1834. 1834.

Ryan Sweet:                      That might be the worst stat ever used.

Jim Hempstead:               Is that-

Mark Zandi:                      It's related. Hold it. Wait. It's related to cyber, right?

Cris deRitis:                       Yes. Yes.

Mark Zandi:                      Is 1834 the name of a form of hacking?

Cris deRitis:                       Nope.

Mark Zandi:                      Okay. Is 1834 the name of a criminal cyber group?

Cris deRitis:                       No. No.

Leroy Terrelonge:            I think there was some event that happened in 1834.

Cris deRitis:                       Yes. There you go.

Mark Zandi:                      Well there's events. Of course events in 1834, but cyber related?

Leroy Terrelonge:            I think it was some sort of information manipulation or... Am I on the right track?

Cris deRitis:                       Yeah, yeah. Apparently... Do you give up?

Mark Zandi:                      Yeah, go ahead. I give up.

Cris deRitis:                       All right. Apparently the French telegraph system was hacked in 1834 and that might have been the first cyber attack in history.

Mark Zandi:                      Mon Dieu. Leroy gets a bell, Ryan. Come on. Leroy gets a bell.

Ryan Sweet:                      He does. He definitely does.

Mark Zandi:                      That's pretty darn good.

Ryan Sweet:                      That's impressive.

Mark Zandi:                      That is impressive. Yeah. All right. Very good. And Ryan? What is yours? What's your number?

Ryan Sweet:                      5% to 35%.

Mark Zandi:                      5% to 35%? Okay. So it's a range?

Ryan Sweet:                      It's a range.

Mark Zandi:                      And it's cyber related?

Ryan Sweet:                      It is.

Mark Zandi:                      Do you guys know? Any guesses? Can you give us a hint without giving it away?

Ryan Sweet:                      We kind of touched on it on some of the... Interconnected...

Cris deRitis:                       Probability of a major cyber event in the next year?

Ryan Sweet:                      Nope. No.

Mark Zandi:                      The percent of people who fail phishing tests by sector. By industry. 5% is the low, 35%'s the high. No.

Ryan Sweet:                      No. I'll give you one more hint.

Mark Zandi:                      Okay.

Ryan Sweet:                      This estimate comes from the Federal Reserve.

Mark Zandi:                      Oh, that's interesting.

Cris deRitis:                       Cost to businesses or consumers.

Mark Zandi:                      Cyber costs as a percent of sales.

Ryan Sweet:                      No, it's actually the amount of... The impact on the Fed's payment system. 5% to 35% of the payment system would be down if one financial institution was hacked.

Mark Zandi:                      Now that's interesting.

Cris deRitis:                       That's a good one.

Mark Zandi:                      That is a good one. That's a good one. Yeah.

Cris deRitis:                       Scary [inaudible 01:07:38]

Mark Zandi:                      So just say that one more. If a...

Ryan Sweet:                      5% to 35% of the Fed's payment system would go down if there's one attack on a financial institution. One of the banks.

Mark Zandi:                      It's got to be a major [inaudible 01:07:51].

Lesley Ritter:                     One of the major ones.

Ryan Sweet:                      Major, yeah. Yeah.

Mark Zandi:                      Well, that's interesting.

Jim Hempstead:               Is that the Dallas Fed did that, Ryan?

Ryan Sweet:                      Maybe. I got to double check. I forget.

Mark Zandi:                      Okay. That was good. Excellent. All right, so good news. Any good news here guys? Let's go around the group from MIS. Jim, any good news?

Jim Hempstead:               There is good news. The good news is you don't have to be a cyber technician to understand cyber risk and we see more and more companies adopting cyber into the traditional risk management frameworks that these companies operate under because cyber risk is an enterprise wide risk. It does reside at the board of directors or the trustees and things of that nature, and so we see CFOs getting more involved in making sure that they have the ability to talk about cyber in the same dollars and cents way that they talk about other risks and they are making estimates on losses and they are making estimates on investments, which may or may not have revenue growth or volume growth associated with it, but certainly has volume protection or revenue protection associated with it. And so, they're moving in the direction of being able to articulate that through the traditional risk management systems that they have. I think that's a really good piece of news.

Mark Zandi:                      That is. I'm on a couple boards and I'll have to say, hyper vigilant about cyber risk. Of all the risks, and I'm not sure it is even rational how sensitive we are to cyber given all the other risks that we face, but that's the one thing you just don't want to happen. Is have a ransomware threat. Goes through auditing, have auditors come in, take a look at your processes, making sure that there's no gaps or no holes, making sure that we're filling any holes as rapidly as we can so that, just based on my very limited experience, it feels like US companies and businesses are really focused on this as an issue. Yeah. Leroy, any good news?

Leroy Terrelonge:            Yes.

Mark Zandi:                      And coming from you, this really means something.

Leroy Terrelonge:            So my piece of good news is that, based on the results from our cyber survey, most of the vast majority of the organizations that we spoke with are implementing the basic cybersecurity practices. So again, things like weekly backups, having an incident response plan, using multifactor authentication, and that's really good news because the majority of cyber attacks that are happening are basic and they can be thwarted using these basic techniques, and so it's good to see that there's such a widespread adoption.

Mark Zandi:                      That's my wife slinking back here, just so you know. That's a good one. That's a really good one. And Lesley, lead us out with really, really good news.

Lesley Ritter:                     Great. So what I would say is there's new SEC guidance out there for cyber risk disclosure, which means that we should start getting more data about the cyber events, which is, in our view, very positive. As we get more data we can do better modeling, better modeling means better decision making. So there's a big movement towards more integrating cyber risk quantification so that you can estimate your dollars at risk based on different types of scenarios and then you can prioritize your investments in cyber, which should lead to much better outcomes going forward.

Mark Zandi:                      When are we going to get more information from the SEC? Do you know? When's that going to happen?

Lesley Ritter:                     That they are in the review period right now. I believe the review period ends in June.

Mark Zandi:                      Okay, great.

Lesley Ritter:                     And part of the guidance that they put forward is that you need to disclose material cyber attacks within four days of determining that they are material.

Mark Zandi:                      Great. Well, that's encouraging. Yeah, that is good news. So, okay. We covered a lot of ground here. Anything that you think we missed? Just an open ended question just in case I missed something that we should talk about. Anything? Jim? Leroy? Lesley? Cris? Ryan? Anything? No? Okay. All right.

Cris deRitis:                       I have one question.

Mark Zandi:                      Yeah. Fire away.

Cris deRitis:                       Quick question. Economics related. And I don't think there's a known answer here. Do you think that cyber attacks go up or down in recessions? Are they pro-cyclical or counter-cyclical?

Mark Zandi:                      That's interesting.

Jim Hempstead:               I'm going to go with they're going to go up.

Mark Zandi:                      Like all crime, right? Probably.

Jim Hempstead:               Like all crime.

Ryan Sweet:                      I think crime actually goes down in recession, right? People are at home. Well, property crime, maybe.

Mark Zandi:                      Oh. Oh, yeah maybe. I thought... Okay. That's interesting. So your instinct is that they'll go up in the downturns just as a source of income? Revenue. Yeah.

Lesley Ritter:                     And just also because the trend has been up and it continues to go up I think.

Cris deRitis:                       Okay. So there's no connection then. It's just...

Lesley Ritter:                     They might be disconnected. Yeah.

Mark Zandi:                      Might be disconnected. Okay. Very good. Well, I want to thank you guys for spending so much time with us and really appreciate it and learned a lot and looking forward to your next study. It sounds like you're... Got a lot of work here ongoing and doing a lot of really great work. So thank you for that and with that, we're going to call this a podcast. Thank you everyone.