Cyber breaches dominated the headlines for much of 2018. Systems vulnerability and unauthorized access to confidential commercial and consumer information have become a critical focus of nearly every digital interaction and, consequently, an important consideration for the executives, trustees, and directors for companies of all sizes.
The statistics are staggering. At issue are millions of accounts and trillions of dollars. Many companies highlight daily cyber breaches in the hundreds. Anecdotal feedback suggests most cyber incidents continue to go unreported and that smaller companies frequently simply cannot recover from significant breaches. Insurers and credit providers, however, point to the frequent immateriality of most uninsured breaches experienced by large companies.
Evidence of fearmongering regarding corporate cyber hygiene is now ubiquitous. Billboards and regular television advertisements from cybersecurity providers tout the availability of compromised systems data on the dark web. Insurance has been extended as far as the mass consumers.
Accordingly, cyber risk has become a core risk factor. It must be assessed as a stand-alone consideration as well as a trigger or accelerator of traditional risk considerations.
As market participants ponder the cyber risk of a specific company or sector, it is important to first consider the governments and other critical infrastructure providers providing the fundamental requirements for companies to operate in a region or locality (e.g., water, power, gas, etc.).
On Oct. 31, 2018, S&P Global Ratings hosted a roundtable to discuss the fundamental business environment within which individual and corporate citizens operate. We assembled our leading analysts from the U.S. Public Finance, Utilities, and Infrastructure teams as well as Courant Institute's RiskEcon Lab and Guidewire Software to determine whether the current state of cyber affairs should scare us. What follows is a transcript of that event.
- Peter Kambeseles, Managing Director, Business Transaction and Product Management, S&P Global Ratings (Moderator)
- Geoff Buswick, Sector Lead in U.S. Public Finance, S&P Global Ratings
- Andre Carletto, Director of Solution Architecture at Guidewire Software
- Gabe Grosberg, Sector Lead for North America, Regulated Utilities, S&P Global Ratings
- Matthew Honea, Director of Cyber Security at Guidewire Software
- Kyle Loughlin, Analytical Manager and Head of the North American Regulated Utilities Team, S&P Global Ratings
- Paul Mang, Head of Guidewire Software's Analytics and Data Services business
- David K. A. Mordecai, Co-managing Member of Numerati partners, and Lead Investigator at the RiskEcon Lab for Decision Metrics at the Courant Institute of Mathematical Sciences at New York University
- George Ng, Co-Founder of Cyence, and Chief Technology Officer at Guidewire Software's Analytics and Data Services
(For full participant bios, see the Appendix.)
An Existential Threat
Peter Kambeseles: We would like to welcome you all to our roundtable discussion. Today's event is a special Halloween Roundtable Discussion, given the date. The theme is, Should Cyber Threats Scare You? I think we all know the answer to that.
Before we start, I should highlight that in February of this year, S&P Global Ratings and Guidewire Software announced that they have joined forces to bring the cyber risk knowledge and insights of Guidewire's Cyence Risk Analytics to S&P Global Ratings360TM, a digital delivery system that provides a view of companies' critical credit risk factors. We have been working with Cyence for a number of years to really highlight and assess such 21st century-type risks.
As you can see, there is great depth of knowledge in this room. The different perspectives will provide robust dialogue. We are all looking forward to a lively interactive discussion.
Geoffrey Buswick: When you ask about whether cyber risks should scare us, it reminds me of an event I recently attended. I was at a similar roundtable with a number of people up at Columbia University two or three weeks ago. It was an all-day event talking about cybersecurity and how government can help other governments, how we can all prepare and work together for this. It was a heady group. Many who have been on the intelligence side in threat identification and focused on sovereign threats were there. It is a world I do not participate in, but you asked if we should be scared.
The first hour of that all-day session was how existential a risk is cybersecurity. Is every system and structure we know about to be threatened and possibly collapse? When I am looking at some of the losses in local government and hospitals and whatnot, am I thinking the end of organized structure? No, that is not what I went into that meeting thinking, but I was scared after the first hour that that is what these people were focusing on for a lot of their time. Maybe the credit risks are more relatable, than the existential threats, but just knowing that those other threats are out there highlights the importance of all debt issuers having a keen eye on the topic.
I appreciate all your expertise. I am looking forward to learning today and hearing this. It is one where should we be scared. You answered "I think we all know the answer." I would say, yes, we should be scared, but more so, we should all be prepared. I hope that through today's discussion we can focus on how we can be prepared as analysts to recognize the risk, identify who is doing what they need to, and identify those who just are not spending the needed time on the topic.
Cyber Risk, Traditional Risk, And S&P Global Ratings
Peter Kambeseles: There is cyber risk and then, of course, there are many related more traditional risks that come with it. Guidewire has characterized such related risks as "silent cyber."
To kick off our discussion, let's have the S&P Global Ratings analysts provide an overview as to how they take into consideration cyber and related risks. How does it factor into S&P Global Ratings' U.S. public finance, infrastructure, and utility ratings?
Kyle Loughlin: In terms of the approach to rating utilities, we very much look at utilities as corporations. We are using our corporate ratings methodology. In terms of cyber and other potential disruptive forces, I think the most important thing is to recognize that these are rapidly evolving risks.
Cyber in particular is a complex risk that will involve complex and coordinated solutions. That involves government. It involves industry groups. It involves industry trade groups.
Importantly, in our work, it will certainly involve the risk awareness of the management teams of the companies we follow. There are no direct components in our methodologies that specifically ask what do you think about cyber risk today or how do you build that in in some prescribed fashion to try to gauge how this impacts default risk work.
But it is an important issue. I think of it under the banner of risk awareness and preparedness. Regulated utilities are spending record levels of capital every year. In each of the last five or six years, we have been hitting new record levels of capital spending in this sector, over $100 billion a year in each of those years that I mentioned. That capital spending is being driven, in part, by utilities recognizing that the world around them is changing very quickly.
This is not specifically around cyber risk, but it is around adapting and preparing for technological change, as renewables come to bear, as sensitivities around climate change and emissions profiles become increasingly important, as utilities look to become more modular in their generation and get away from a central power station model.
I applaud this sector for responding to these changes, but it is something that is putting pressure on management teams, on regulators, and, ultimately, on ratepayers who have to bear the cost of utilities services. I put cyber in this category, as a competing threat and growing challenge that this sector is very much aware of. Trade groups and the management teams will all readily admit that this is a key issue, an issue that needs to be focused on.
In my view, we are going to see risk mitigation of cyber risks increasingly competing for capital. One of the topics Gabe and I would probably like to come back to is the urgency and the coordination needed on the part of the utilities to prioritize this issue and also the need for utilites to work with their state regulatory commissions so that this becomes a priority. Just as they are dealing with the change in the generation platform and building a smart grid, investing in modularity, and dealing with emissions, cyber risk has to be competing for some of those capital dollars.
With the support of regulators and the federal government and coordination, I believe you will see this sector adapt effectively. I share Geoff's observation earlier. He is a little scared. I am a little scared as well because of the opacity around this topic, but this is not driving ratings today. This industry has a great track record of dealing with disruption and challenges, for example, posed by huge weather events, and coordinating effective responses to that.
We have not seen a major disruption to power through cyber threat in my knowledge in the U.S. I think there was an incident in the Ukraine in 2015. Still, this is an important risk, something that needs to be dealt with. Electricity will impact the grid and industry. It impacts our natural gas utilities. It impacts our water utilities as well, when you think about pumps and systems and treatment processes, that kind of thing.
So I think of this as a threat and risk that has to be mitigated, under the banner of preparedness, enterprise risk management, and companies adapting to change.
Gabe Grosberg: Kyle, I would just add that while cyber risk is elevating and increasing, S&P has not, to date, downgraded any utility because of just cyber risk. The reason for that is if you think about utilities, like Kyle indicated, they are investing more and more in technology to prevent and reduce the risk of a cyberattack.
If we looked a decade ago, the primary systems that utilities used were generally programed in Cobol. You could not penetrate through them. These systems did not speak to anybody and were essentially stand-alone systems. Not a great system, but in terms of safety and security, pretty good because it did not interact with anybody.
As utilities are growing, through mergers, becoming larger and collecting more and more data, they are making upgrades to systems that now talk with other systems, making themselves more vulnerable to cybersecurity risks. One area that we are focused on is data security and privacy.
Utilities collect an enormous amount of customer information, whether it is social security numbers or addresses, they all have to be protected. That is one issue. Another growing issue, also related to technology, is operations and specifically smart meters. If you wanted to turn off a customer a decade ago, you would send a technician out to the premises and they physically turned off the customer. Today with smart meters, we are seeing that customers can be shut off remotely. Once something can be done remotely, the risk of a cyber breach increases, requiring multiple layers of security.
These are some of the topics we are discussing with management teams, as they continue to make these technological investments. Technology makes a utility more productive and decreases costs, but certainly can add risk. The industry must continue to remain vigilant regarding these cyber risks to protect their credit quality.
Geoffrey Buswick: I will echo Kyle and Gabe. It is increasing in our discussions with management teams as a credit issue. There is no sector score in any of the public finance criteria either. We cannot point back to a criteria article and say the weighting of this is X or we are asking these questions because it falls directly here.
I guess stepping back to say what we are doing could be helpful here. S&P Global has the definition of what a rating is, but my elevator speech is that we are looking to the willingness and ability of the obligor to repay debt on time, in accordance with the documents--the bond documents, the legal documents.
If you look at it that way, cybersecurity, even though it is not explicitly scored, can impact that willingness and ability to pay on time and according with the legal documents. It is very clear that it can affect management and governance. So, to management, we may ask: Are you prepared? Are you looking ahead, as Kyle was talking about? Is this a potential risk or disrupter that you are trying to mitigate over time?
It can also affect performance. We have seen hospitals. There was a hospital in West Virginia that had to divert ambulances from their emergency room for over two months. It affected their quarterly reports for multiple quarters. We wrote about the experience in the credit report. They have come back, and they are back where they were, but still, for a temporary period, they were affected pretty significantly. It's this type of performance issue that could lead to a credit issue.
We look at liquidity in all of our criteria pieces. If an issuer has to remedy a cybersecurity situation, liquidity clearly comes into play. We have had a public utility that paid a ransom, so it affected liquidity a little bit. They then determined that the solution to not have this happen again was to replace their entire computer system, which ended up being a couple million bucks that was not covered with insurance. They had the liquidity, which was good, and yet their liquidity position going forward in the short term was weaker.
One of the key long-term issues we're watching in public finance is that everything government does is bolstered by the trust of your constituents. There is already a weakening trust of government in general. You can see that across the country with the great political discord that we are facing and hearing on a daily basis. If a government entity needs to get approval for a rate increase, approval for that next infrastructure project, approval for whatever they need to do to raise a rate, a fee, a tax, and yet there have been repeated cyberattacks; people could say, why would I trust you with more money, if you cannot handle what we are already giving you?
That loss of trust erodes the ability to deliver public services in the future. Yes, through a cyberattack there is the risk where it could affect ratings incrementally short-term absolutely. There is the chance that liquidity could be hit and management could be really surprised, but it's this long-term risk of how much does this erode the ability for government to deliver what they do? Governments rely on trust. Municipal services are based on trust. If it is gone, it's very hard to get back. We worry a lot about that possible long-term affect.
Kyle Loughlin: I should also mention that in the corporate ratings methodology, there are a number of ways that cyber risk could impact our assessment of business risk. Clearly, cyber risk can be considered like any other potential disruption and would be factored in by a committee if it elevated business risk.
Even the key regulatory risk component of business risk could be impacted. That deals with the quality of the relationship between the regulator and the utility management team. To the extent that this issue increases pressure on management teams, they will have to deploy some of their capital, to focus on dealing with cyber risk.
If they do not do it, you can imagine strains that could play out in that regulatory compact between the management team and the regulator. Or a company may seek to deploy capital at a brisk pace to prepare for change. In that way, it is another competing influence for funds that could be used for other purposes within the business model of the utility.
Over time, I certainly see very clear ways that this could impact our scoring, could impact our assessment of the industry risk that is right at the heart of our analysis. Geoff made some great points--it is there and can impact everything. To Gabe's point, we have not, to date, taken an action on cyber risk alone or factored it directly into an analysis where I could say that it was a driving influence.
Just as with climate change, preparedness for disruption from technology is likely to be increasingly considered by our analysts. We think about what could impact the longer-range health of the utility enterprise, and it certainly would not surprise me if cyber risk could become part of that.
The Economics Of Hacking
Peter Kambeseles: Given all the reported breaches and recent headlines, it appears vulnerabilities are being exploited with increased regularity.
David Mordecai: Let me highlight some themes we should keep in mind. One is that the economic cost of hacking is going down. There is a proliferation of machine learning algorithms and so forth that are being increasingly used for industrial controls.
There is a practice that is used for benign purposes called Google Dorking, which is a hacking technique that is used by investigative personnel, news people, security auditors, but also can be used for nefarious purposes, which is to put together a bit strain, feed it into Google and you will have open portals, for example, for industrial controls and so forth. Just raise their hand and say, I am here, I am open. What do you want?
This is obviously a vulnerability. Folks had not anticipated ubiquity of the internet when these portals were originally created, for the purposes of connectivity. You have inexpensive tools that have, again, the non-usage for hobbyists, are used by Red teams to do vulnerability testing, but now can also be used increasingly for other purposes.
The economics are getting cheaper. I can say more about that later perhaps. In addition, you now have the connectivity, which results in potential for those catastrophic cascade failures. Depending on how a network organizes itself based on traffic flow, a particular type of shock that could come from a hack or a cyber failure of some kind then begins to percolate across a system.
If you think about things like contingent business interruption and business interruption, supply chain issues, municipal governments and other public entities are responsible oftentimes for services that may be part of a supply chain. How flood and fire and some of these other things that can come out of weaponized cyber threats could then lead to a series of events that could have operational risk effects, credit impacts, liquidity impacts, that might be more acute.
You have a hospital emergency room, for example, that cannot take in folks that are affected for some period of time. You are going to just have some much more severe effects on everything, not just the potentialized power, but even code that might be running HVACs. It might be running the generator. An attack on the generator, which is supposed to back up, at the same time as you are having an issue with potentially electricity.
Other things I think, as we said, make us scared, keep us up at night, and need to be addressed. One of those is, as much as we saw the financial crisis when something like that, a common VAR model amplified, certain negative effects, we need to think about what tactic was put in place to make sure that a common neutral net configuration, for example, given some executive control in an industrial control setting, SCADA or PLC, or some of the other common and often employed configurations, does not result in what we call a system-like failure or some systemic risk.
Sizing Tangible Losses
Peter Kambeseles: Many of the long-standing risks now appear to be greatly exacerbated by an emerging 21st century risk. As you think of risk across its three main dimensions (market, operational, and credit), there is an impressive amount of information to ingest. Many are looking for any cyber-related data available and the corresponding insights or signals they provide.
In this new era of data science, we have a unique opportunity to capture what information is available and study it to derive any available insights. Guidewire, Numerati, and Courant's RiskEcon Lab for Decision Metrics have done an impressive amount of work in assessing these emerging risks.
I understand Guidewire collects and aggregates data across several factors to score an entity's susceptibility to breach and the motivation of other entities or state actors to target it.
From the perspective of the balance sheets of larger entities, however, many cyber-related incidents may ultimately be immaterial. Please share your thoughts on sizing tangible losses.
Paul Mang: Losses today may be immaterial, from a credit rating perspective, but these losses will be amplified when we move further into the "era of the platform." It is hard to imagine attending any technology or insurance conference today without hearing about the concept of platforms. Whether it is around e-commerce networks or efficient supply chain management or the sharing economy, the promise of the platform is efficiency through information standardization and modularity. Participants in platforms need to coordinate through electronic or digital interfaces. But this brings about the increasing risk to balance sheets--connectedness drives efficiency but introduces cyber-type risks. The efficiency of connectedness and platforms is good; until it is not good.
The challenges are to assess that cybersecurity tail risk, understand the economics of the risk, and to manage it.
Over time, we can even imagine a world when digital assets become as important as physical assets, and interactions on digital platforms become more critical for all businesses--then cyber risks will not be the thing you add on as the additional factor. Maybe at some point cyber risk will become a critical factor as you look at balance sheets of your rated entities. If you ask a CFO of a publicly traded company or the finance chief of a municipality what keeps them up at night, I imagine the current answer is different than it was 10 years ago, and it will be very different 10 years from now.
Kyle Loughlin: That is a really important point. One of the points you raised earlier was essentially, it's good until it is not good. This is something that really resonates with me. We cover a sector that does face catastrophic weather events from time to time, without a lot of advance notice.
In this sector, you look at what has happened very recently with the severity and frequency of Hurricane Michael and Hurricane Florence--you saw tremendous coordination and response by utilities to restore power quickly, to mobilize operators, and utilities collaborating to do the work that was necessary to restore electricity and to get society and the economy in those impacted areas back up and running. So critical.
The response to a storm is something that is taken very seriously by utility management teams. It goes to the very heart of the regulatory relationship. It goes to social risk and risk management issues. I think, increasingly, you can imagine cyber being similar. While we do not have an event to point to right now, it is good until it is not good, to again use Paul's comments here.
So I see cyber risk as part of a prudent risk-management construct, good governance. I think the more aware and forward-looking companies will think about preparedness in this regard. They are already. There are obviously examples of leaders in the sector who are already doing these things. I would like to see us get to a point where this is becoming much more consistent and we can see a standard best practice. I think that brings us to why this discussion today is so interesting--for us to start to think about a future where more information is available, and we have more disclosure, and we can understand the companies that are taking the appropriate steps.
George Ng: Obviously, we are capturing this data to measure. When we think about security, we need to think about the trade-off between convenience and security, which was Gabe's earlier point. There are connected devices talking, which makes our lives easier. The service worker does not have to visit a site physically, but the trade-off is that if he can remotely access the site, so can a hacker. If we want to improve security, we can always rely less on technology, but that is a huge trade-off on productivity and convenience.
Like Geoff, I used to run these scenario exercises too. When I was in the government, I spent some time with the Homeland Infrastructure Threat and Risk Analysis Center. This DHS group would create games, and experts would sit in these roundtable discussions.
We would do our red team versus blue team exercises. When we did them for national security concerns other than cyber, we would have fairly balanced discussions. But, whenever we did them for cyber, the discussions would revert to fearmongering. In some ways, this makes sense because the red team would always win because there are just so many openings that are indefensible in cyber.
To reference some of Paul's other comments, a company wants to risk mitigate where possible. Following best practices is going to be incredibly important. We know that we cannot fix everything in a security setting, which is why security-related risk transfer and insurance should be a huge part of that risk-management strategy for any company.
The key to all of this is measurement. In order to prioritize the addition of a new security device or the addition of a firewall, or a new training protocol, a business decision-maker needs to see ROI. These measures and models are imperfect but needed to establish a point of view of the cost and benefits. The decision-maker needs some estimate on the return if he or she will commit resources. Benefit questions include: What is my marginal decrease in risk? This requires measuring that risk, which includes determining the frequency and severity of that risk.
This is an evolving space. There is a time dimension to consider when managing this risk because of the pace of technology change. For example, if we are thinking from a nation state lens today, we are probably mostly focused on utility companies, transportation companies, or other sectors related to critical infrastructure. These types of companies would be impacted far more from this threat actor type.
We have seen incidents hit the retail sector, like with Target and Home Depot. Using a short-term lens, one might say that these are big deals. They have large market caps whose medium-term stock price was not impacted. From a credit perspective, they were not impacted. However, as these types of companies and the way they do business evolve, at what point does that impact become meaningful?
If public trust gets impacted, how does that impact broader market risk, whether it is for a geographic segment, a specific consumer segment, or a different set of companies? Those broader changes are more likely to lead to impact on credit risk. As technology dependency continues to evolve, we will see more and more sectors continue to digitize, and they will be more impacted by downtime and breaches.
Auto is another industry that everybody talks about today. You can already see how rapidly it's changed recently. For nearly 40 years, the only meaningful changes to the risk profile were seatbelts and then airbags. Now, in New York and other urban areas, there are more people that take Ubers and cabs than drive. This means that we have all these Ubers today. And when Uber and the car manufacturers release self-driving cars as the norms, the shape of that accident risk market will evolve dramatically.
Geoffrey Buswick: George, one of the things that we have been writing about at S&P Global for a while has been the aging of the population and what impact that may have on credit. I bring that up because of your last comment of all these additional technologies and the trade-off between efficiency and the introduced risk.
In the local government space, we are already seeing in places a degree of unwillingness to pay higher taxes. It's not uncommon to see the job function that used to be filled by three or four people being replaced by technology. It is good that you can have productivity maintained and have a lower cost technological solution replace these typically more costly employees. The risk assessment, though, for this replacement is rarely done on the municipal side. It is typically a cost decision. Yes, the trade-off is great, and you can do the same job of government with less people. In many cities across the country, we have seen a steady reduction in headcount. The services are remaining about the same for delivery. That is arguably a very positive attribute, but we want to know if the cyber risks were considered in adopting the change.
When the risk is there and you do not see what that risk may be, what is the acceptable trade-off for that? I am not sure that discussion is held as broadly as it should, and I think your point is dead on.
Systemic Risks Versus Isolated Risks
Peter Kambeseles: Earlier you mentioned the U.S. has been fortunate not to have reported power grid failures similar to those experienced in other countries.
One question that comes up regularly on this topic is whether the risks are widely systemic or more isolated. In other words, does it really matter which country or state you are in?
Some would suggest that if you are in a larger state with a larger infrastructure, you should be safer. Others argue that highly motivated hackers can remotely penetrate systems anywhere from anywhere.
Matt Honea: The threats are definitely growing globally. The typical trend we see is nation states usually deploy the most advanced types of malware. Eventually, tactics and techniques trickle down to criminal syndicates and other actors. Seeing the recent events taking place right now, a lot of nation states are developing new ICS/SCADA malware in secret. We only see a small sample that leaks to the larger public.
As time has gone on, since 2016, we started seeing the nation states are leaking tools related to these exact things, attacking ICS for SCADA control systems. I won't repeat all of the reporting, but new attacks are not just targeting and modifying the control systems, but also moving to the safety systems that are involved.
There are a lot of potential ways, if you are inside of a network, to do something directly even if you do not have control of critical network devices. You can control sensors, which are actually less scrutinized and less protected, and the sensors themselves may trigger something different down the stream. If you can trigger a water-level sensor to read a fictitious value that causes a release of water downstream, then you have cascading effects. We have to look at all the devices within a network.
Based on public data, there is over 20% year-over-year growth in IOT connected devices. Regardless of where IOT is implemented, whether internally or externally, this is more surface area for potential attacks down the road. One thing we looked at is the impact of a breach of one of the 90,000 dams in the U.S. We just recently published a paper on this. From a cybersecurity perspective, we analyze, in a cyber-catastrophic scenario, things like cloud outages, mass vulnerabilities, and other aggregated events. We research where the threats are--not just now, but where will they be in five years--and create thought leadership around that.
The threshold for hacking these systems is slowly decreasing. You have devices that are directly connected to the internet, for example. Those are the easiest ones to get to. You have devices behind the firewall. Those are slightly harder to get to. You have devices that are within a firewall and then network segmented. Those are the hardest to get to. As we see more and more sophisticated tools out there, this process becomes more and more automated.
This frequency will increase in the future because that is the way that we are trending, essentially, in that a process that is sophisticated now will not be as sophisticated in the future. We can use more and more prefabricated tools, and combine them together into one. This is what David was alluding to.
As tools are developed and sold or released to the public, there are more ways that they can be bundled together. They can use zero-day vulnerabilities that have been published out in the public. For example, the Shadow Brokers release with the Eternal Blue exploit, which caused WannaCry, was a bundled approach. They can be plug-and-play. They plug in an exploit into existing tools and now they have something that can go very quickly.
The last point I just want to make is as far as complexities go, where is malware growth? Where do we see things trending in that sense? Depending on where you look at as far as resources go, one in five to one in 10 of attacks are ICS related. That is a much smaller percentage than the overall global cyberattacks. Those attacks are increasing 5% year over year. We are seeing more and more attacks that are specifically targeting these control systems. It is growing, but obviously the larger cyberattacks are also a much bigger proportion of overall attacks.
Peter Kambeseles: Cyber simulations today combine traditional risk modeling and econometric models with catastrophe bond-oriented models. The cyber overlays can either be the catalyst or exacerbate the impacts. In trying to assess shocks to an entire country and its infrastructure, such simulation assessments are invaluable.
Can you share more color on simulations you have done or that can be done to surface some more of those interconnectivities referenced earlier?
Paul Mang: The interesting question is how we think about translating vulnerability in scenarios to real economic costs--how do we translate probabilities into dollars and cents? At Guidewire Cyence, we've invested in a proprietary methodology to model the economic implications.
David Mordecai: Some of the risks are nuanced. If you look at the recent news on the Lion Air 737, this brand new 737 delivered by Boeing to this airline, evidence is showing up that is very similar to the Air France situation again, which is a faulty air-speed sensor basically being the nexus of the problem. What happened to the ability to fly an aircraft that is fly-by-wire, where all of its controls are tied into a digital system. There is really no analog backup, no "old-fashioned" analog backups in the cockpit that a human can use to calibrate and say, do I believe the sensor readout or not?
What ends up happening is the wrong decisions are made about what to do with the aircraft and how to manage the aircraft. It does share some analogies with the concept of the net operating center sitting several states away, not really being sure how to interpret the sensor data. Sensor data is increasingly for these systems becoming the foundation to how they operate. That is a pretty big deal.
The other thing that occurs to me in terms of credit around regions and regional-wise, particularly public finance, is I think folks underestimate water treatment as an increasingly automated operation. If you look at Puerto Rico and some of the incidents that Puerto Rico has had around the storm and what has continued to cause issues for Puerto Rico, it is not just the electricity utilities and the telecom, but the disease incidents that follow a water treatment failure.
You think about what a critical resource water is. You think about what it would mean to have a massive or prolonged water-treatment failure in any region (big city or small collection of municipalities), what that would do to people's willingness or ability to stay there. What that may lead to in terms of tort issues that might follow and then how those things could compound to create severe credit impairment, is something that I think is often overlooked in some of these analyses. It is one that we are very much aware of.
I have spoken to some leading utilities who are saying, we are very much aware of the fact that cloud computing and digital interaction and digital connectivity are starting to drive everything from the communications through electricity down to things as fundamental as water management. Basic things for life are at risk and need to be risk managed.
George Ng: We are really looking for objective comparable data that we can find reliably and consistently. At Guidewire Cyence, we look at both technical and nontechnical risk factors. Nontechnical, because cyberattacks often involve active adversaries and motivation is a huge part of why a hacker would try to attack a company. Technical matters, too, because if the company is attacked, it does not mean that it will necessarily be successful. At times, that technical component is a second-order concern because a sophisticated actor is targeting a company.
As examples of motivation risk factors, we look at things like the dark web, social media, employee sentiment, news sentiment. We use data analytics techniques, such as natural language processing, sentiment analysis, and machine learning, to create proxy measures for different company risk views. From the technical perspective, we look at things like IT behavior such as patching cadence, network presence, network size, and the connectivity to get a sense of network segmentation.
Where possible to calibrate models, we want to use a lot of event data. But because of the rapid nature of technological evolution, this isn't always possible. If we consider attack attempts, there is a lot more data out there that is relevant but doesn't map as easily to financial impact. Many of these events do not lead to publicly reported losses.
There are other security ramifications that matter financially, but they are harder to measure. It is the implicit loss. Explicitly, in a data breach, a company would have to pay remediation for the number of records that they lost. Potentially, there is also a class action suit in a very bad case. What's missing are there longer-term reputation damages. Does the event create a lack of consumer trust? What types of companies are more likely to be impacted by security events? Cyence actively works on these problems. In fact, we are working with S&P Global to further improve these models.
We are also looking at scenarios. To date, we have seen only a handful of meaningful events. We know that they could have happened in different ways, so we are always looking at counterfactuals and stress testing our scenarios.
Geoff, earlier we talked about aging populations and changing demographics. We could take an event like the Dyn DNS outage and the impact would be different depending on societal dependency and mode of usage of the internet. How many people will rely on Walmart.com versus shopping in the brick and mortar class in the future?
When considering these counterfactual cases, we're trying to think about realistic disaster scenarios. Are there cases where that same attack happened but instead the target was an emergency service--what would the impact have been? For another example, consider NotPetya. What if that event did not start in Ukraine? What if it originated in the U.S.? What if Microsoft didn't have a patch ready and WannaCry didn't happen a month earlier, accelerating patching?
You would probably think there is generally better security in the U.S. versus the Ukraine, so it is less likely to be impacted. Less market power for any single company, but more geographic ties with the rest of the world. Overall, we can easily see how this could have been a much bigger incident. Nobody has history on these scenarios, so we use expert judgement and modeling to extrapolate from a set of known events.
The geographic association in these events is going to be a little bit different than natural catastrophes, both from the enterprise's perspective and the consumer's. You can think about the eBay seller in China today shipping products to the U.S. That was not possible 15 years ago. In a cloud-pervasive world, hosting services are concentrated in specific data centers of large providers throughout the world. I might be located in San Francisco, but I might be using Amazon Virginia to provide my web portal to ship these products from China to customers in New York. I am actually more impacted if there is a catastrophe in Virginia rather than San Francisco in that scenario because it disrupts my customers' ability to purchase my products--even though I'm located in San Francisco and my customers are in New York. Supply chain risk has always been a concern, but in the digital space, supply chain does not map to geography as clearly.
Because geographic spread is different for cyber, we look for explicit lines of accumulation where possible. I think that is one of the most challenging and compelling parts of the Guidewire Cyence offering and evaluating scenarios in this space. Obviously, there is still some assumption of correlation just from being in the same geographic location. Suppose the U.S. economy has a massive recession, there is going to be impact across all sectors within the U.S. In the digital space, if we can see who uses which service providers, whether it is a cloud service provider, internet service provider, we can identify different lines of accumulation that are not just bound by geography. This is part of the data that we collect. We use that as an input to our models that measure economic risk.
Paul Mang: That gets to your question about differences in geography, municipality, state, and regions. Clearly, with a natural catastrophe, it does matter whether you are in Florida or Montana. In the digital space, it is not as obvious. There may be some preparedness elements for different municipalities or government entities, but that may be second order to the digital footprint or the entities' specific use of digital platforms.
This brings me to something that we started with. Kyle started us off with your concept of "preparedness" to highlight how can we anticipate the vulnerability and potential economic impact and performance of any entity, whether it is a municipality or a public utility. I'd like to consider how we think about the unit of analysis.
I would think that the unit of analysis might have to change from the entity and maybe even its supply chain, to the network that it is in. It is the resilience of the network, the digital network they are participating in, that may be the strongest driver of resiliency. Biology and natural sciences study ecosystems and can provide us with insights on the nature of the network and the resilience to shocks.
The rainforest is an often-used analogy. Individual trees have their own natural defenses, to protect it from insects and forest fires. However, biologists are showing us that rainforests are vulnerable when a relatively small part of that ecosystem is damaged. We are learning that the relevant unit of analysis in many ecosystems is not just the element--the tree or the organizational entity--but the pattern of connections in the network itself. The pattern of the network determines the fragility or resilience of the individual elements.
Kyle Loughlin: It is a way that we think about dealing with companies that are able to position themselves to be successful over a long period of time and to deal with disruptive change. I think it can fit here very well.
To the question about whether the location of the entity matters, interestingly, since we are featuring the investor-owned utilities in this discussion, it certainly will matter to some extent because there is a dynamic at play with investor-owned utilities where, by definition, you have a license to serve as a monopoly, to serve a service territory that is granted by public service commissions.
What I was getting at earlier, that important relationship, and this goes again to preparedness, the relationship between the investor-owned utility and its management team and thinking about the future and managing longer-term risks of disruption of every kind, is part of the dynamic of the relationship with the regulator. That regulator can potentially provide support or not, could easily influence where certain utilities are adapting and preparing faster than others for a future where cyber risks are more pronounced over time.
I think that is what will become more important in our work as we think about the regulatory relationship and we think about management teams that are taking important steps to work with their state regulatory commissions to prepare for all manner of disruption, including technology change and cyber risks.
David Mordecai: Moving to an analysis, it is focused more on ad-hoc networks and on the amount of traffic flow that takes place on the edges between nodes, if you treated each municipal location as a node.
Models based on certain kinds of data, connectivity between a node and other (either more distant or more proximal) adjacent nodes and then looking at how that changes with different conditions and traffic patterns--for example, seasonality of business conditions and so forth--can help explain the degree of interdependency between those locations, or those subregions. When shocks impact those, what are the alternatives for intervention?
To get back to the ecosystem concept: There was a trade-off, a natural tension between having redundancy in the system, which makes it more resilient, and having diversity in the system, which makes it more resilient, versus the more simplistic approaches or measures of efficiency we usually use or cost effectiveness we usually use, which may tend to make a system less robust or less resilient to shock and less able to recover.
There is this constant tension between having a buffer and having a buffer in terms of backups versus running something lean. I think that as we move to more of an ecosystem or more of a network approach and then that half-network approach, we are going to maybe have to think about changing those metrics. We already do it in finance.
We look at capital reserves. We look at buffers. We look at reserves in margins, these kinds of things. We may have to create some analogies for that in the network space, as we think about supply chains and we think about how municipalities and how other public regional domains and jurisdictions fit into that notion as service providers. Also, service geospatial locations for economic activity.
The Role Of Regulation
Peter Kambeseles: Whenever we discuss cyber risk there is invariably a significant amount of perceived fearmongering. The topic is unequivocally "scary." It does beg the question, though. What can be done?
Governments (federal, state, and local) and utilities are uniquely positioned. They can effectuate regulatory changes that may drive changes and standardization in the industry. They can increase transparency.
There are typically a number of regulations following any extreme crisis. The impacted countries generally impose their own remediative measures and then enforce some standardized stress testing to evidence future preparedness.
Any suggestions as to what can be done to help drive preemptive change?
Geoffrey Buswick: I think that is what we need in the municipal space is help from these other entities. We at the rating agencies can have an interesting viewpoint in that we speak to 20,000 public finance entities a year; roughly 8,000 cities and towns; 4,000 school districts. We may see these trends. When we see the threats occurring or certain vectors being repeated as the attack weigh in, we need to talk about it. That is what we have been trying to do.
We have been trying to write about it, speak at different conferences, make sure that the analysts ask the right questions. Where the vulnerabilities are not being identified or the risks are being heightened, we write about it in our rationales. I see that across all the sectors. Public finance might not do it as explicitly as some of the other sectors. I know there are detailed questionnaires. There are specific things that are sent to some of the issuers and operating management teams in other sectors in public finance. We are trying to do it a little more organically to go back, but trying to identify it. We need to disclose.
I think the other side that we need to keep maintaining is disclose, disclose, disclose. One of the weaknesses in the municipal space is there is no obligation under 15c2-12, which is the primary SEC rule to dictate disclosure, that when you have a vulnerability, such as a cyberattack, that you tell anyone about it. Unfortunately, we have heard from school districts, oh no, we were attacked, but we did not report it anywhere because we did not want the shame from we were attacked out there. Whereas what we want to see is, oh no, if you were attacked, it is not a shame thing.
If your house is broken into, you call 9-1-1. You do not, NOT tell your neighbors you were attacked. Your neighbors need to know that somebody might be attacking you. I think our willingness to be out there, speaking about the risks, what we are seeing broadly, how we are assessing it as a credit risk, needs to be done. On the flip side, the issuers need to--even though it is not regulated in any way--disclose and share when these threats occur, what is happening, how they prepared for it, what might have worked, what might not have. Once the attack has occurred, what you did to head it off so it does not happen again.
We are not seeing that as uniformly as we can. You ask what may be worthwhile in the future? I think worthwhile is screaming from the treetops. Make sure everyone knows what is happening, how you did well to protect against it and how you did poorly to protect against it.
Gabe Grosberg: I would just say that, unfortunately, in order to see a real major change, you generally need a major incident. There is tremendous competition for capital. Where is it best for a utility to make their investments? Several decades ago, following several major nuclear incidents, investments in nuclear safety dramatically increased and the industry noticeably improved by openly sharing their best practices.
We had a decade and a half ago a Northeastern blackout. That also created an environment to share information and to prevent a major blackout from ever occurring again. When the San Bruno incidence occurred, every utility demonstrating why they would not be the next San Bruno and why their record keeping was better than peers. Unfortunately, we see that it really requires a major incident to cause a major change.
With regard to cyber risks, there have only generally been smaller incidents within the utility industry. Every management team describes to us the hundreds of attacks that are occurring sometimes on a daily basis. But the degree of the data breaches have not yet escalated to a major event, which would probably bring about standardization and the sharing of best practices. Unfortunately, it probably would require a major event to escalate cyber risk to the next level because this issue is competing against so many other major issues that the utility industry is currently facing.
Kyle Loughlin: I will try to be slightly more optimistic. I am not going to argue with that point. I think it is valid. I do think we have entered a phase where management teams in the utilities sector are dealing with change and taking leadership in terms of adapting to a world that is changing more quickly around them.
To really move this in a more positive direction, I think we need standardization--we mentioned earlier, we cover over 250 regulated utilities in North America--a consistent approach to assessing risk and just making standard disclosures around these issues so that we can have really good, crisp, and consistent discussions around this. I think all that helps to advance this topic.
Disclosure and standardization, risk assessment, coordination of various levels of government, state regulatory commissions, and management teams that put forth plans, can all help prioritize. We have a term in the sector: hardening. We think about assets being hardened from physical threats like storm damage, it is a very well-known concept in the utilities world. Hardening of technology infrastructure and disclosure of cyber-risk assessment and management is a way for companies to show that they are prepared for this emerging risk.
David Mordecai: I think there are coordinated efforts like OpenC2, which is being led by the NSA, and other such efforts, associated with something called OASIS, where they are trying to create cyber standards to allow for rapid response and robustness and resilience against cyber threats. I think that that is something that is worth raising on this call as an open source, nonclassifed activity that has broad value, if you will, or broad relevance for commercial, as well as for municipal and state and so forth, governmental activity around things you have been talking about.
In addition to that, I think we should really look at the very successful model of commercial ideation with the NTSB and other such groups and activities that I think have continued to improve, both in terms of reliability, resilience, as well as threat response of air travel and of air freight.
See how practices are already being applied in operating rooms, I think we should definitely look at how we can apply those to cyber activity, cyber physical activity as it relates to infrastructure, as it relates to supply chain, as it relates to regional and public finance connections to some of these activities that are commercial interaction as well.
Standardizing Cyber Risk Management
Peter Kambeseles: Any thoughts on specific scenarios or additional standardization that could help. Who could drive such change?
David Mordecai: I think one of the things would be prolonged or persistent cyber infrastructure attacks. I think a bad actor or someone who has a malicious intent may look to take advantage of other adverse conditions and may actually lay in wait with malware and deploy it in a way that makes it very difficult to untangle, in an extreme condition, that is affecting performance from their hack.
Geoffrey Buswick: Broadly, it is hard. There is very little standardization that we see in public finance. One of the more regular answers that we get, though, is that the issuers have used the NIST framework, the National Institute of Standards and Technology, back in 2013, put forth a framework to say here is how you should be thinking about cybersecurity across your organization.
It is not a definitive guide. It is not comprehensive in what you need to do. It is just broad parameters to say you should be thinking about these aspects of the risk. When we hear that an issuer has done some self-assessment using that as a broad framework, we get some comfort to hear they are thinking about it in a way that is beginning to be a little more standardized. We appreciate that. It is not an answer, but a start.
We do not have anything that we are saying we need to see or have to see, but because there is that federally advised, I guess. The industry starts to look at it a little bit. It is not anything that we require, but you are asking what can help in this that is out there as a standard. That is something that we hear regularly.
Matt Honea: I just wanted to add to Gabe and Geoff's point, it is nice to have a framework. Maybe having a major event will also help push it. I think one of the important things we are lacking is the repercussions. Following what GDPR has done in Europe, I think having some will help drive change. We saw some instances while researching our dam scenario. Many deficiencies were noted, but no repercussions occurred.
In Europe, GDPR is already having a significant impact. Almost every website has had to revise their policies. There are fines and penalties for noncompliance. The problem is that the U.S. system does not have the same repercussions and is not unified and under one reporting umbrella. I hope that there would be a push to bring the U.S. into a similar system.
The second point of the metrics, I think this is a problem we can solve. We can define metrics, it is not a hard problem. Every other industry has defined metrics. We just have to pick some and start the conversation. NIST is a great framework, but there are a lot of measurable components of NIST that can be done with either a yes or no question. It can be as simple as that or it can be statistics on patching rate, vulnerabilities from different software versions. Just having some data out there versus having none is an improvement.
Peter Kambeseles: That brings our discussion to a close. I would like to thank you all for spending the time on this great topic. The salient risks surfaced, direct and indirect, matter greatly.
Cyber is adding a new dimension to the risk complexity of nations, governments, utilities, and infrastructure. The preparedness for interruption to critical services and tangible losses (insured and uninsured) warrants serious consideration.
The good news is that there are now data available that we can sink our teeth into, simulations you can assess and some specific actions that can be taken to help increase the transparency and drive additional standardization in this sector so fundamentally important to all of us.
Appendix: Speaker Bios
Geoffrey Buswick: I am a Public Finance Sector Lead in the Governments Group at S&P Global Ratings. The Public Finance division is very broad. It touches on just about everything from the university space to health care institutions to public power authorities to local governments. I spend most of my time covering local governments.
We have about 20,000 ratings in Public Finance that we look at, and 12,000 in the government space, alone. That ranges from states to the smallest townships. My background, like many of you, is in government, I was a Finance Director and a City Administrator for a couple cities up in Massachusetts before I came here 18 years ago.
Gabe Grosberg: I am the Sector Lead for the North American Utilities Team at S&P Global Ratings. I have been in the utility industry for more than 20 years. We follow about 250 utilities across North America. We speak, on average, to about 500 fixed-income investors a year, discussing the credit quality of the utility industry. Obviously, one of those key risks is cybersecurity and cyber risks.
Matt Honea: I am the Director of Cyber Security at Guidewire/Cyence. My background is primarily with Threat Intelligence, Forensics, and Reverse Engineering. Before Guidewire, I worked for the U.S. government in technical analysis and special operations, protecting against advanced nation states.
Kyle Loughlin: I am the Head of the North American Regulated Utilities Team at S&P Global Ratings. As Gabe said, we cover power, natural gas, and water utilities. Everything that is mostly a regulated utility falls under our coverage. I have been with S&P Global for about 20 years, been heading up the Utilities Team since 2012. I led other industrial teams previously and was an analyst at S&P prior to that. I spent about 10 years in banking before I started at S&P, primarily involved with the oil and gas space.
Paul Mang: I head the Analytics and Data Services business unit, within Guidewire. This unit has both the Cyence cyber modeling team as well as other advanced analytics capabilities we provide to clients. Prior to joining Guidewire, I was the Global CEO of Analytics at Aon. I am also a former partner at McKinsey & Co., where I was one of the leaders of the insurance practice for 14 years.
David Mordecai: I am a Co-Managing Member of Numerati Partners, a tech hub enabler and ecosystem curator, which was founded at the time we also funded the lab at NYU, the RiskEcon Lab at Courant Institute of Mathematical Sciences, an industrial lab without any one sponsor where I also serve. It basically engages the industry, government, and NGOs, and connects them to science research and experts within academia and creates public, private, academic, and NGO partnerships to deal with broad civil society issues.
We are heavily involved with RiskTech, that is risk technologies; InsurTech, insurance technologies; FinTech, which is obviously financial tech. I am the scientist in residence for the partnership with New York City's FinTech Innovation Lab. I consider myself propeller head in residence. We work fairly intensely on a number of the cyber risk issues from both a liability perspective, a reliability perspective, which is increasingly becoming important, as well as from the perspective of hacking and other kinds of cyber threats.
George Ng: I am the Chief Technology Officer [of the Analytics and Data Services Group] at Guidewire. Previously, I was the Chief Data Scientist at YarcData. Prior to that, I spent some time in the government as well, as a research scientist at DARPA and at US-CERT.
This report does not constitute a rating action.
|Primary Credit Analysts:||Geoffrey E Buswick, Boston (1) 617-530-8311;|
|Gabe Grosberg, New York (1) 212-438-6043;|
|Kyle M Loughlin, New York (1) 212-438-7804;|
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: email@example.com.