Moody's Talks - Inside Economics - CPI, Cyber and Colyar (Colly-yer)
Episode Date: January 12, 2024
In this wide-ranging podcast, we tackle the CPI inflation report, the mounting threat posed by cyberattacks on the financial system and broader economy, and the regulatory response. Jill Cetina and Lesley Ritter of Moody’s Investor Service and Joe Lyons of BitSight join us with their insights. And we finally learn how to pronounce Matt’s last name.
Follow Mark Zandi @MarkZandi, Cris deRitis @MiddleWayEcon, and Marisa DiNatale on LinkedIn for additional insight. Questions or Comments, please email us at helpeconomy@moodys.com. We would love to hear from you. To stay informed and follow the insights of Moody's Analytics economists, visit Economic View.
Transcript
Welcome to Inside Economics.
I'm Mark Zandi, the chief economist of Moody's Analytics, and we've got an action-packed podcast.
We had the CPI report coming out this past week, the Consumer Price Index, Inflation Report,
and we're going to talk a little bit about that.
And then we're going to dive right into a topic that we're spending a fair amount of time on
as cybersecurity and what it means for the financial system and the economy.
We've done some good work there and invited a few guests to talk about cyber and the threat
that it poses to the economy.
But before we do that, let's dive right into the inflation report.
And I've got to tell you guys, Marisa, Cris, no banter, no chit-chat.
This is, we're down to business here.
So unless there's something important that's happened in your lives that want me to
everyone to know about.
No, there's nothing important in our lives.
Just the CPI.
Just the CPI report.
And we've got Matt.
Colyar.
I got the last name right.
Coillier, right?
Oh, geez.
Marisa?
Colyar.
Oh, there we go.
Colyar.
Oh, Matt Colyar.
There's more about that later in the podcast.
We've recorded the cyber before we recorded this.
So I won't belabor the point, but you'll hear more about Matt's name shortly.
But Matt.
What's that?
Stay tuned.
Stay tuned.
Stay tuned.
And as you can tell, we're getting a little punchy because this is Friday afternoon before Martin Luther King birthday weekend.
And so we're getting a little punchy here.
But let's talk about the inflation report.
And let me, I think the way to characterize it is it was a little on the hot side, meaning inflation came in a little stronger than anticipated, kind of on the margin.
I think we were expecting top-line CPI inflation to increase in the month of December by three-tenths of a percent.
Core CPI excluding food and energy to come in at two-tenths of a percent, and both came in at kind of three-tenths on, kind of on the high side of three-tenths.
If you kind of look at the second or third, it's a good condition.
So a little bit on the high side, but this comes after a string of, you know, very good inflation reports.
And I don't even think I'd characterize this as a bad report.
It's just not quite as good as we anticipated.
But what I thought we would do to help the listener is go through those parts of the CPI report
that were surprising, you know, kind of why was inflation a little bit hotter?
Because I think there's a lot of things to learn there and a lot of important messages.
And first of all, I'm going to turn to you, Matt.
Did I characterize the report correctly?
And I should say on a year-over-year basis,
I think top-line CPI is now 3.4%.
Is that right, Matt?
I think it's 3-4.
3-3.
And I think whether it's seasonally adjusted or unadjusted.
And the core year-over-year is now 3-8, I want to say,
you know, something like that?
3-9.
3-9.
Okay, 3-9.
Under 4.
It starts with a 3.
For the first time in a long time.
Yeah.
First of all, did I characterize it right, that this is, it was on the hot side, hotter
than we expected, but no big deal.
It's still consistent with the idea that inflation is going to continue to moderate here.
Is that kind of sort of a fair characterization?
Okay.
And Marisa, Cris, any objection to that characterization?
None.
No.
Okay, fine.
Okay.
So I think the biggest kind of surprise why inflation came in on the hot side
was the growth in the cost of housing services,
which is a very large component of CPI.
So my sense of it is that if I had to rank order,
the reasons why inflation came in a little bit hotter than anticipated,
the number one reason was that the growth in the cost of housing services was,
it actually picked up in December as opposed to decelerating further as we had anticipated.
Is that correct?
That's fair.
Owners' equivalent rent, shelter costs are all still buoyant, not coming down,
and a major contributor to inflation.
Okay.
So we've had this longstanding view that the growth in the cost of housing services
as measured in the consumer price index.
And again, it's over a third of the index,
is ultimately tied by the Bureau of Labor Statistics,
the keeper of the data back to market rents.
And if you look at market rents, they are flat to down for about a year.
And all signs are that that will continue for at least another year because there's a lot of supply in the multifamily market.
We've talked about this in the past coming to market.
So vacancy rates are going to rise, put downward pressure on rent.
And we expect that weakness in rents to start showing up in much slower growth in the cost of housing services as measured by the CPI.
Is that right, roughly right?
Yeah, absolutely. And to kind of buttress that, you take shelter out and we're at where the Fed wants to be already, about 2%, a little under 2% now. And that's not the first time we've been there. So it's been a few months. This kind of anticipated decline hasn't happened or it's happening, but happening slowly. So the conversation is, why is it so sticky? Stickier than anticipated.
Yeah, you make a great point. If you take CPI, exclude food and energy, get to core, and then throw out shelter, you.
I know we're throwing out a lot of stuff, but I mean, it makes a point.
Inflation, CPI inflation year over year is, I think, no more than 2%, or it's very close to 2%.
1.9%.
1.9%.
So if the growth in the cost of housing services was simply back to something more typical, normal,
that would suggest that all else being equal, we would be back to target.
And that, I think people take a lot of solace, particularly in the context of,
we feel confident that the growth in the cost of housing services is going to slow
because it's almost an accounting exercise.
It's not really like an economic forecast.
And do you agree with that, Matt?
I know I'm leading the witness here,
but I'm actually going to get to a question where you can say you can riff a little bit.
Yeah.
The third party rent indexes that you're referencing,
things that everybody references, you look at negative 1, 0, 1, 2% year-over-year growth,
it's been about a year that that's been the case. So it is a calculation method of the way
the BLS looks at rent, the way that they use that same calculation or similar calculation
to determine owner's equivalent rent, which is what a homeowner could rent their house for.
All of this is predicated on rent growth. And we have this really reliable data to say that
that moderation has been ongoing. So yes, I certainly agree. Okay, so here's the question.
Why isn't the growth in the cost of housing services slowing more quickly? I mean, what's the deal?
I mean, is it just a measurement thing, seasonal adjustment issue? Are we missing something?
Should I be nervous that my confidence that the growth in the cost of housing services is going to
continue to decelerate because that's what I see in rents. Am I missing something?
It's certainly not something with a ton of history to rely on and say,
hey, after 11 months or 12 months or 13 months, this is the deceleration in the CPI with the BLS.
The official statistics are going to say, I've heard persuasive, relatively persuasive theories
as to why it's been happening a little bit more slowly than we're thinking.
What's that?
What's the group thing?
That the BLS has been really behind on price appreciation, housing inflation, and so kind
of the two peaks of rental growth and from Zillow and Apartment List, that gap is going
to be a little bit wider than 12 months because the BLS is still playing catch up on housing
inflation that already happened.
So subsequently, the ending of rent growth is taking longer
to show up as well, is a theory. I think it's relatively persuasive, but curious, we can prove here. Thanks.
Cris, what do you think? I mean, should we be worried about this, that it's
overly persistent meaning that it's not going to slow or at least not slow to the degree
that we need it to, to get back to target? So I think it's a measurement issue. It is possible that
that measurement issue is going to persist, though. So you might see this very elongated
recovery period here.
I'm sympathetic to this idea that, oh, this is an unprecedented run-up in rents over this period as well, right?
We had this huge spike, and maybe there is this lagged effect in terms of the CPI picking it up.
My other theory, I have no basis to prove this, is that concessions may be difficult to measure as well.
So a lot of the rent decreases we're seeing aren't actually marking down the monthly rent.
It's just giving a month or two of free rent.
Right.
So maybe the data doesn't really pick that up properly.
You're just seeing the actual rental price, but it's not accounting for that discount.
I don't know.
Again, a pet theory.
I don't know if that's...
We're not measuring the effective rent here.
We're measuring the kind of the stated rent.
Yeah, I mean, survey data may not be...
I think the question is
designed to try to capture that, but I worry that the methods may not be, or the responses
may not actually be stating that.
Or if there's an upgrade to the unit, right, how do you account for that?
There are other concessions that might be out there that aren't fully captured in the,
potentially aren't fully captured in the survey.
I don't know.
I'm a little bit.
Yeah, I know you're stretching.
That's why, yeah, right.
I'm trying to square the circle, right?
Because you do have these market signals that are very strong.
They're across all the surveys.
It's not just one or two surveys.
Every survey is saying, you know, rent growth has slowed in terms of market rents, and
then the CPI is saying something quite different.
Could it be, and then we'll move on because I don't want to belabor the point, but could
it be that we're seeing the weakness in rents in the high end of the rental market?
That's where all the supply is, right?
I mean, the affordable rental market's tight as a drum.
There's no space.
but in the higher end we put up a lot of towers,
these big towers and big urban areas.
And so there's this really significant bifurcation in the rental market
and the BLS is not,
is maybe not picking up,
it was more focused on the affordable part of the market
and not picking up this weakness in rents at the high end.
Does that resonate at all, Cris?
It's possible, or that the weighting between those
different markets may not be.
I mean, things have maybe shifting around quickly and, right, capturing it properly.
Yeah, okay.
I think we need to do more work or.
Marisa, anything you want to weigh in on this, this particular point?
Yeah, I'll just say that I agree.
This is not happening as quickly as we thought it would.
But with regard to the December CPI report, if you dig into the details of the shelter numbers,
rent for primary residence actually, growth in prices
actually decelerated over the month. All of the acceleration in shelter prices was coming from
hotels. So it was not, OER stayed the same. I missed that. I didn't miss that. Oh,
I didn't miss that. Oh, interesting. OER was the same as it had was in November, 0.5% month over month.
Rent of primary residence actually decelerated over the month. So that tick up in shelter
was just lodging away from home. Got it. Okay. That makes it, it doesn't explain
completely, but it helps it make it less perplexing.
Okay.
It doesn't explain the longer trajectory, right, of why this isn't coming down faster,
but it explains December.
It makes me feel a little better about the December report.
Yeah, right.
Okay.
Okay, so going back, the second thing on the list of surprises, first, number one is the
cost of housing.
The second is, this is me speaking, maybe I've got this wrong, but new vehicle prices.
I thought new vehicle prices would decline.
It feels like they had started to roll over.
I think they declined back in November.
Feels like they're starting.
And everything suggests that they should because we're seeing improvements in global production,
inventories of cars on dealer lots starting to rise.
I think it's at least back to what you would expect in kind of a typical market.
And that all this would start to put downward pressure on new vehicle prices,
which went skyward during the pandemic during the shortages.
But we did not see that in the month of December.
Matt, any comments on that?
This I think is confounding as well.
Used cars isn't too different.
I think they kind of run in December, both ran contrary to what you would expect.
But for all those reasons you outlined, inventories rebuilding incentives are on the rise.
So I'm a car dealer, how I'm trying to get you to sell that car.
I'm doing more and more to do that, which, you.
The intuition there is that that's working against the price, whether it's captured in MSRP or not.
Those are the kinds of things that happen when supply is all caught up.
So you would expect prices to go down.
Perhaps there's some measurement, seasonality, post-pandemic stuff happening.
Again, it's difficult to say.
And again, I put out used cars.
I think there's similar head scratching things.
things there, but both contributed to the core CPI going three-tenths of percentage point as
opposed to the two-tenths that we and consensus expected.
But you're not changing your forecast.
Do you still think new vehicle prices are going to come in as inventories continue to rise?
I do.
And I think the BLS just down.
They're changing their methodology a little bit for how they're calculating used vehicle prices.
That's, it's total speculation that that's because they're confused too,
but there is some weirdness there that I think the fundamentals, and again the inventory rebuild being biggest, the supply chain stuff that pushed prices up, way up in 2021, 22. That stuff's behind us. It's really hard to imagine why prices would not moderate.
Got it. Marisa, Cris, anything on the new vehicle
prices you want to mention or used vehicle prices? I mean I do think
this is important not only because of
car prices, but new vehicle prices also impact the cost of maintenance, cost of car insurance,
and these things have risen very sharply as well.
But anything else you'd like to add?
No.
Okay.
Well, I get worried then when we start to measurement, right?
Yeah.
But I think it doesn't really fit.
But that, you know, generally I would agree, but here we are, we're debating, you know,
to the second significant digit, right?
Yeah.
Yeah. I mean, so when you're, when you're trying to understand to the second significant digit, then you got to get into, I mean, you got to get into the, yeah. Fair enough.
Yeah. Okay. So the third on the list is the electricity prices. They jumped strongly in kind of the narrative I have in my mind there is that reflects the bump up in natural gas prices that occurred back over the last couple, three months. And, you know, we saw, I think,
where natural gas was closer to $2 per million BTU a few months ago. Now we're closer to the
three. Still very low in the grand historical scheme of things. But that bump up is what's reflected
in that because 60% of electricity generation, I'm making that number up, but roughly 60%
of electricity generation in the U.S. is natural gas powered. And that's what's behind this,
which if that's the case, natural gas prices I don't think are going anywhere. They're kind of
roughly where they're going to be. We'll start to see electricity prices, the increase start to
moderate as well. Matt, what do you think? That's how I would characterize it. Prices started to
come down in December and have risen a little bit in January, but that's kind of a month or two
down the road problem, I would say. You're not going to have the same increase in January
CPI from electricity prices. And the rest of the components of energy, motor gasoline, relatively
stable in recent weeks. Some geopolitical challenges there, but have so far not proven to be a meaningful
impact. But that's the, your read is how I see it as well. Okay. Cris, Marisa, anything on that one,
on electricity prices? No. Okay. That makes sense. Yeah, we're now really descending into the
weeds, into the weeds. Okay. I want to ask you about what happened and this happened
over in the Middle East around the Houthi attack.
But before I do that, and what that might mean for inflation here, if anything.
But before I do that, Matt, is there anything on that list that should be that that I didn't
mention that contributed meaningfully to the miss in terms of inflation coming in a little
hotter than anticipated?
Did I miss anything?
No.
And I guess maybe rank ordering the vehicle, misjudging the vehicle, misjudging the vehicle
prices, trends, I think is really interesting and consequential, but shelter's massively important
as well.
Oh, so you would have said vehicle miss was number one?
As I say that, I think the weight that shelter has in CPI, so it would be difficult to say
that I think it could be more important if there's a gap there.
But yeah, vehicle prices are really interesting and potentially something could change
the next few months.
Okay, so the Houthi attack on shipping in the Red Sea and, of course, the U.S.,
UK and allies have responded. And that's creating a fair amount of angst that that's going to,
because of the disruption and the added cost of avoiding the Red Sea as ships go around
South Africa. How big a deal is this? How big a deal is this in terms of what it means for
inflation here back in the United States? Matt, do you have a view on that? The primary channel
in the U.S. for sure was always going to be in energy markets, not the only channel, but the primary
channel. And mid-December, you have these announcements that commercial cargo is starting to reroute
away from the Suez Canal. Insurance costs have gone up really high. It just wasn't practical to ship
through there anymore. But there wasn't a huge run-up in oil prices and certainly nothing showing up
in December CPI report, as we wouldn't have expected it to. But moving forward,
I think it's a marginal effect.
I think the US is a little better insulated than, say, Europe and Asia, just based off the way that we get our goods compared to the Eurasian continent.
It's just too small share of goods for the US, so not expecting to see any kind of goods inflation returning as if this or anything reminiscent of the 2021 supply chain issues, again, on the margins.
There's a few reasons for that that we can discuss some that comes from the pandemic.
There's investments in adaptability to kind of make your businesses supplier network a little bit more resilient.
The increase in container ship capacity, which was a binding constraint in 2021, 2022.
Those things are less of an issue now and should make the run-up in prices kind of a little less dramatic if this were
to be a protracted and, you know, a disruptive affair.
Yeah, I suppose you can construct darker scenarios where all the shipping through the Red Sea shut down
and Iran's engulfed in the conflict and their oil is disrupted and so forth and so on.
But you've got to think that this is going to bleed out in a much more significant way before it does a lot of damage.
Cris, Marisa, do you have any different perspective on that?
I mean, is that consistent with your views as well?
Yeah.
Yeah, kind of on the margin.
Okay.
Okay, so bottom line, it feels like, yeah, I wish the inflation report was a little bit better
than it was, but it wasn't that bad.
It was kind of close.
It was a little hotter than expected, but it doesn't change anybody's forecast.
Inflation feels like it's coming in and consistent with kind of a soft landing.
Is that kind of roughly right?
Anyone disagree with that kind of characterization?
Cris, any pushback on that?
Not real pushback.
I guess as we think about Fed policy, March seems a little less likely now in terms of a first cut given this report.
But it's still early days here.
Yeah.
I saw today because the PPI, the producer price index came out today.
CPI came out on Thursday, PPI today.
That was surprisingly soft.
Negative.
Yeah.
Yeah.
And I saw the futures markets for the March, what's the probability of a March rate
cut and it's now 80, over 80%, not that that's right, or that's what's going to happen,
but that's market expectation.
So kind of moving that direction.
Okay.
I think we're going to end the conversation there around the inflation report and turn to the topic at hand,
and that's cyber risk and what it means for the financial system and the economy.
And let's welcome our star-studded cast of the folks to talk about cyber risk and what
it means for the economy. And let me begin with you, Joe, Joe Lyons. Good to see you.
And you're with BitSight. Yeah, I'm with BitSight. Currently, I'm a senior director at BitSight
focusing on the application of cybersecurity data into financial models. And before BitSight,
I understand you were a Moody's employee. You were a so-called ethical hacker. You're trying to
hack in to figure out where our vulnerabilities were at Moody's. Yeah, exactly. So before BitSight,
I spent a number of years as a cybersecurity practitioner, both on the offensive and defensive side
of security. Most recent stint was at Moody's as an offensive security person,
attempting to hack Moody's on behalf of Moody's to make sure that Moody's was secure.
Joe, did you ever try to hack me? I'm just asking. Not that I'd tell you about.
But somebody did hack your Twitter, Mark. Maybe it was Joe, right?
It could have been, yeah. But Twitter's going, you know, in a pretty tough direction here.
I'm getting, there's doppelgangers all over the place, apparently. So,
very difficult to control. But it's good to have you, Joe. Thanks for coming on. And we've got
Jill Cetina. Jill, good to see you. Yeah, thanks, Mark. And Jill is with us at Moody's, but you came from
the Federal Reserve System. Is that you were there before you came here? Is that right? Yes, that's
right. I had worked at the Fed as a vice president's supervision most recently before I joined Moody's.
Also spent some time at the OCC, which is one of the other federal banking regulators, and also the
Office of Financial Research, which is tasked with thinking about financial stability risk.
And I think of you as all things banking, all things financial system. But cyber is what kind of a
sideline, or is that a major part of what you're doing? Well, a bit less. Because you know everything
about everything you want to know about the finance. In fact, I got a gazillion questions about
the financial system, but that's for another podcast. Okay. Well, I look forward to that, Mark.
No, so just to take a step back, I had the group at the Office of Financial Research that did research on cyber and financial stability when I was there.
And then also when I was in the Fed and the Dallas Fed, I had responsibility for IT cyber supervision.
That was for about four years.
So I thought about the topic a bit in both of those contexts.
Well, good to have you on board.
And Lesley, Lesley, you are definitely all things cyber, right, at Moody's.
I am all things cyber, all things credit rating agency, I believe.
So in cyber that you do in the rating agency, you're kind of involved with all of that.
Yeah, so we stood up a cyber credit risk team, as we call it, about four years ago,
looking to think about how cyber impacts credit, and that's where I sit.
Yeah.
And Jim Hempstead, is he in your world?
I mean, he's...
Yeah, so he used to be part of our world, and now he...
He's moved on to bigger or bigger mandates.
And so I come and try to fill his shoes.
Got it, got it.
Well, it's good to have you on board.
And we've got two of our own, Jesse Rogers and Matt.
Oh, gosh, Colyar, Colyar.
Calliard.
Close enough.
Yeah.
No, I got that wrong.
What is it?
Colyar.
Colyar.
Colyar.
Yeah.
Colyar.
So here's the weird thing.
Matt, Matt, how long have you been with us, Matt?
Four years.
Four years.
And four years, he's never tried to
correct me when I call him Cole Yard.
So what was the catalyst for saying, hey, guys, you're mispronouncing my last name?
What was the straw?
I don't correct people often.
Everyone gets it wrong.
I think it's spelled wrong, my last name, but I can't change it at this point.
So I don't know.
It is spelled wrong.
You're right.
I think so.
The Y's catches everybody's eye and they get hung up on it.
But, yeah, I don't know.
I just thought maybe it's time to correct.
It's time.
Time to do that.
And what nationality is that?
I believe English, English.
There's some ties there, but not.
That wasn't a trick question.
I thought you would never answer to him.
Yeah, I don't know.
I think English.
We'll go with that.
Okay, and we got Jesse.
Hey, Jesse.
Good to see you.
Hey, Mark.
Good afternoon.
It's, oh, that is good afternoon.
And you're headed to Mexico City pretty soon for us, right?
You're going to be managing operations down there.
That's right.
It's like a jet setter in one direction.
Yeah.
Well, and Matt and Jesse just finished a piece on cyber in the financial system and trying to suss out the impact on the economy.
We'll definitely come back to that.
But I thought maybe we can begin the conversation with you, Lesley, you know, good timing, right?
Because you guys just, you, the rating agencies just came out with a good piece on the outlook for cyber for 2024.
So maybe I can just kind of turn it to you and what did you find?
Yeah, sure.
it's perfect timing, fresh hot off the presses on Wednesday.
We published our fourth now Cyber Outlook for this is for 2020, of course,
and it's on the website if anybody's interested.
We found a lot of things, but I think I want to kind of focus in on three key points.
The first one is that, you know, the cyber risk landscape is really about to undergo some
very important changes driven by transformative technological advancements.
By that, I mean Gen, I mean, Gen AI.
And quantum computing is also starting to rear
its head there.
And if you think about these changes happening,
they're also happening against the backdrop of very challenging macroeconomic environments, right,
which are putting some downward pressure on cyber budgets.
So what we're closely watching is how are our companies that we rate balance these two, right?
On one side, you have heightened demand for capital to invest in cyber because
Gen AI and quantum are going to introduce more cyber risk.
And the other side of the equation, you have, you know,
more expected, more limited capital to be allocated to cyber.
It would be the first time we see a reduction in capital,
potentially going towards cyber.
Over the past five years, when we just completed a survey,
we saw about a 70% increase in cyber budget over the past five years.
And now we're seeing kind of this dipping down.
It doesn't sound like a lot, seven percent?
70.
70.
Oh, 70. Okay, that sounds like a lot.
That sounds like a lot, right?
So how are these two kind of competing trends going to be balanced?
And it could lead to some very difficult decisions, right?
That could have very long-term competitive implications for the companies that we look at.
The second point that we highlighted, and I think Jill will have a lot to say on that,
is about what's happening, the regulatory arena, right?
There's a number of pretty ambitious cyber regulations that have just gone or about to go into effect.
And here I'm really thinking about the SEC's cyber disclosure rules that went into effect in December of 2023, so just a few weeks ago.
And the other one is the DORA regulations that applies to the European banking or financial services system that is still being finalized, but it's going to be going into effect in January of 2025.
Here's a test. DORA means, what is it an acronym for?
It stands for the digital.
Ah, you're searching.
Oh, I got you.
Digital operational risk.
Assessment.
No?
No.
Okay.
Okay.
But at the core of it, both of them are trying to do very important work.
They're trying to introduce more transparency and more structure in terms of how companies
are impacted and how they mitigate against cyber risk.
And so from a credit standpoint, obviously we see that really positively.
At the same time, we have to recognize that implementing and adhering to these regulations
are going to be difficult because there's a lot of room for interpretation and there's a lot
of potential pitfalls that come with that, disclosing more information than you want that could
potentially be exploited by cyber attackers, right? So this is a new area to watch. And
And we're starting with some of the big sectors when we think it's going to spread to other sectors over time.
And you said three.
That was, I counted two.
That's two.
Yeah, the last one.
And I have to end in the positive because there's so much doom and gloom with cyber typically,
that has to do with what's happening in the cyber insurance space.
And here, finally, after years of very steep increases in the cost of cyber insurance premiums,
I think 300% in some cases, those prices are finally kind of leveling off and stabilizing.
And that's really good because companies are very eager to carry cyber insurance.
And it was becoming exceedingly costly for them to carry it.
But now that the prices are stabilizing, they can access it again.
And actually even companies that weren't able to enter the market before and now are able to
buy those kinds of cyber insurance policies.
and it's particularly helpful to small and medium-sized companies that often see cyber insurance
as kind of their first line of defense in terms of cyber risk management.
So, Lesley, I haven't had a chance to read the piece in its totality, but like most people,
I think I'm not weird in any way.
I go right to the charts.
One of the charts that struck me was it looks like the number of cyber attacks is down.
Is that right?
I mean, it built like a peak back when, 2020, 21?
Or did I misread that or what's going on there?
Yeah, and I think, Joe, feel free to chime in here, because I'm sure you have a lot to say there, too.
In 2022, we saw them come down.
And that was really more tied to the fact that some of the very active attackers were disbanded
through some different, you know, governmental operations.
Let's put it this way.
Well, wait, can you say it again?
I admit you were.
Oh, so a lot of the very prolific attackers.
Prolific attackers.
In 2022, were disbanded.
Disproved.
Okay.
These are state actors that disbanded?
Loosely affiliated state actors.
Let's put it that way.
Okay.
Now, you're being a little coy, but tell us why you're being coy.
Because we're not into the business of attribution or talking about where they're coming from.
That's why it doesn't
really have any bearing on our analysis.
Got it.
But to answer your question, I have to highlight the fact that, you know, there were,
there were groups, very active groups that were disbanded.
So if we were out at a bar and you had had a cocktail or two and we're just talking,
you would tell me who you think this is, but you're not going to tell me on this
podcast who you think it is.
You can very easily Google it, but I'm not going to say it.
Easily Google it.
Okay.
But post-2020.
Now, Joe, Joe would spill his, is going to
spill the beans right away.
Attribution for me.
I'm trying to stop.
No, no, you're no attribute.
You don't attribute either.
Okay.
I know nothing.
You know nothing.
But I think what's interesting is these players, they didn't disappear.
So they regrouped and they got back together.
And in 2003, we started to see an uptick in attacks as well.
That's why the chart you see, look, it is a bit misleading.
So attacks for 2023, I think we're having finished kind of tabulating them, but they're up from
2020.
And just anecdotally, if you look at what's happening
in the news. I mean, especially the past few months, it's been kind of relentless every other day
is another big company disclosing some kind of ransomware attack or data breach. So it has not
so cyber is not becoming less of an issue. It's becoming steadily more of an issue.
And it's in all the trend lines here look, I guess, pretty scary. I don't want to put words in your
mouth, but I know rating agencies are you guys there. You're kind of cautious in how you say it,
But, you know, we should be worried about this is what you're saying.
Yeah.
I mean, do you think of, yes, because think about what's happening with the trends in technology
and digitization and gen AI.
This is all introducing more of a growing the digital footprints that can be exploited, right,
by attackers.
Got it.
Unless it's properly secured, they will be exploited.
Yeah.
Yeah, no, I'm going to just say, like, another way of thinking about what Leslie's saying
is just, it gets bigger
every year. And then also, I think companies also face pressure to innovate around some of these new
technologies. And innovation, of course, can be very positive. But if, you know, you bring the risk,
you know, bringing the cyber risk in at the back end after you've done the innovation, then becomes
costly to remediate as opposed to starting with, you know, managing cyber risk as a first principle
in mind.
Are you talking, Jill, about like AI
quantum computing as innovation
and because companies are all in on that,
they're kind of diving ahead
that they're exposing themselves
to increase cyber risk.
Is that what you mean?
Yeah, that or having the fintech partner.
I see.
You know, and, you know,
you open up a system between you
and some of your fintech partners.
You know, things like that can,
again, if you, if you
start first with the innovation,
and don't have the risk management as a piece at the front end of the project,
then you've got to remediate it on the back end and it becomes costly.
But that's just my perspective on things like that.
Hey, let's talk about AI because that's come on the scene here very quickly.
And I know, Joe, you've done a fair amount of work from there saying,
is AI a plus or a negative when it comes to cyber and how that's all going to play out here
going forward?
I mean, here's some pretty dark.
Yeah, it's a good question, right?
I think it remains to be seen.
You know, the reality is when we start out, I think that AI will generally be a negative for cybersecurity.
And I say that only because organizations are a little bit slower to move.
There's a lot more governance.
There's a lot more things to change around an organization than there is around cyber criminals, right?
Cyber criminals can run fast and as fast as they want with no regulation and try things a million times.
And, you know, the reality is, especially with generative AI, we've seen this with things like deepfakes and
ChatGPT, it's extremely easy to impersonate people and extremely easy to both phish people
and to generate new attacks from AI. And just to take one point back from, you know, the
attack trend, if you think about the digitization in 2021 and why it peaked and kind of dropped
off a bit, in my opinion, a little bit is due to the hyper digitization that happened during
COVID. If you take a step back and you think about what happened during that time
period, every single business in the world basically went hyper digital overnight because they
had to keep businesses moving forward.
Right.
So there's two things that go into it.
There is cyber is always a lagging indicator, right?
It takes a while for companies to know they are hacked and it takes them even longer to admit
they're hacked and to actually go from being hacked to the regulation around it to being picked up
in either a FOIA request or somewhere else we're going to get that data back from.
It's usually a pretty long lagging indicator.
So, you know, like not dissimilar to the S&P
500 where everyone says like, oh, like zoom out. You're having it down. You're like zoom out. You'll see it's
going up over time. I think in 2030, we're going to look back at 2022 and see it's like probably
just in line with 2021 and continue to uptick. And I think, you know, bringing that back to generative
AI, I think that hyper digitization is not going anywhere. And with hyper digitization comes more risk.
The reality is cybersecurity lags behind governance in a lot of different ways. And one of the ways is
businesses want to solve problems very fast.
So they'll use a ton of cybersecurity mechanisms to do that without necessarily
understanding the full risk implications of that.
It's, you know, it's make the money and figure out the risk around it after.
So from the offensive perspective, as a practitioner, I'm nervous, right, about
generative AI and AI and security.
And the reason being is, and I'm saying this as a practitioner and with a lot of experience
in phishing emails and people are the weak
link when it comes to cybersecurity.
It's usually the person who ends up.
You know, I say that about Chris all the time.
Definitely the weak link here on this whole phishing thing.
Yes.
And he's so big into crypto, too.
He's huge into crypto.
And at the same time, you know, he gets captured by these phishing things all the time.
We've got to watch that guy.
Very careful.
Yeah.
Yeah.
What can I say?
What can I say?
Imagine a higher volume and more specific.
You say, imagine more Chris's.
Is that what you're
saying to me? Well, imagine, imagine pandering directly to Chris's emotions, right? You can quantify
what Chris is interested in. Definitely don't want to do that. Create a model around that and then
fire an email that directly plays off his emotion. So like, that's realistically the lowest barrier
to entry for cyber criminals is going to be in that area. How do people speak? What is their tone like
when they write emails, right? Let's say I'm writing an email and persuading Mark Zandi.
I'll go through all of your publications. I'll go through all of your interviews and I watch that
with a learning model and then create model to speak and use the same exact tone and vernacular
in terms that you will and then send emails out to everybody impersonating Mark Zandi
and it's I'm of the view no machine can you can impersonate me there's like no possible way
yeah I can I say a guy oh yeah I can yeah oh so that so is that a challenge mark
you just you just send that out to the universe exactly exactly uh so
So a good example of how AI could really be a problem is just on phishing, just designing the hook in such a way that it's so shiny and bright and enticing.
There's no way I'm not going to bite on that thing.
It's not dissimilar to how advertising, especially on social media, is amazing at pandering to your emotion.
And there's a reason why you continually click back.
AI will be able to do that with phishing emails.
And the reality is it's going to exacerbate this context of a cyber poverty gap, right?
You're going to have the well-funded and cutting-edge engineering groups in defense that will use AI for the best possible use cases.
They'll make their own operations operate with a higher margin.
It's the mid-to-lower tiers that are going to be really adversely affected by it because they're going to not have enough money to buy the products that are created out of AI.
And they're also not going to have the talent pool, right, to pull the talent to defend against AI.
So I think it's going to end up polarizing the cyber market to start off with.
And then I think as it becomes more and more commodity defense will catch up.
And then that will be the next step in the arms race.
But you think, I mean, I was reading your interview you did.
You did an interview back in the fall on this issue with some folks from the rating agency.
you kind of landed in a in a more negative spot, meaning there's, you know, pluses, there's
minuses, but on the net of all of this, it feels like it's a net negative.
I think that's exactly the terms you used, I think.
Yeah, yeah, I think so.
At least, you know, I would say at least for five to ten years.
I think the reality is set.
Right.
And it's going to take a long time for organizations to implement countermeasures to understand,
you know, not only does the technology need to exist
to understand when something is generated by AI from an attack perspective,
but then you have to go about defending against it with an organization.
And, you know, again, the reality is people are the weak link.
People click things.
People are tricked fairly easily when it comes to phishing emails.
So putting data behind that is kind of a terrifying concept out of the gate.
I think, you know, at the end of the day, organizations will defend against it,
but it's going to be a lag from my perspective.
And of course, it's not only AI, it's quantum computing too, right?
I mean, do you want to explain that briefly, you know, what that's all about?
Yeah, sure.
So, I mean, so the crux of the problem with quantum computing is encryption algorithms.
There's this, there's this algorithm called Shor's algorithm, which is a method for doing prime factorials, that once quantum computing gets to a stable enough state, that algorithm will be implemented.
All encryption as we know it today will be broken pretty much instantaneously.
The algorithm's already written.
It's just a fact of getting it into a quantum computer now.
So there's a bit of a frenzy right now across all of technology to understand how to make
quantum resistant encryption technologies.
And maybe a light definition of what encryption technologies are.
It is the way that you keep information that is on the wire secret.
So it is the secret language that you speak
between two organizations to make sure that your data is not sniffed by anybody to not viewed
by anybody. So it's really important. And the area in everybody's life where you'll know
where encryption is, is you look at the top left of your browser. You see that little lock,
HTTPS at the end of the URL. That means that all of your communications are encrypted. So everything
is secret. The risk is that that secret handshake is then broken, leading to realistically,
you know, kind of a wide systemic security problem.
Well, I hope you're a shareholder in BitSight.
Sounds like you're going to do really, really well here going forward.
Yeah, yeah.
Yeah, and, you know, I'm sure that maybe you're, yeah, you look how well dressed he is, guys.
I mean, look at that.
I mean, I come from financial services.
I can't wear the T-shirt.
Right, right.
Okay, so let's move forward.
And, you know, I've been, we're economists, and we've been asked often about cyber and the economy, you know,
what is the potential macroeconomic consequence of cyber attacks?
And I've always had a hard time with this one.
I mean, coming up with scenarios where cyber could, you know, take out, if not the entire economy,
big parts of the economy.
I mean, we have attacks like the Colonial Pipeline, and that's very disruptive,
but so far there's not been anything that's kind of shut things down in a, you know, significant way,
at least not here in the United States.
There's examples, I think, Ukrainian and some other examples, but as far as I know.
But one area where I think there is become, I've come to appreciate real risk is in the financial system.
And we saw that come home clearly recently with the hack of ICBC.
And I thought, Jill, you wrote a great piece about that hack, and maybe you can describe what that's all about and, you know, what it means, you know, from your perspective.
Yeah, no, there were just, thanks, thanks, Mark.
There was in the U.S. operation of ICBC an affiliate that faced some cyber challenges.
And they were very important in terms of basically for ICBC
conducting repo transactions in the Treasury market.
And the challenges, the cyber challenges that they faced, you know, did create a meaningful
spike in failed trades for a day or two while that was worked out.
And, you know, as you know, I know you well, you know, the repo market plays a very important
intermediation role between financial institutions and fixed income markets, particularly
the Treasury market.
So that was a bit disconcerting, you know, when it first kind of came out.
Of course, you know, there are some tools that the official sector has, like extending the FedWire
operating day to give a little bit more time for settlement.
But, you know, I think, you know, there are, and I think your paper that some of the people
in your team have worked on, you know, thinks about that there's different ways in which cyber
can become, I'll call it a financial stability risk. One is if you, you know, maybe have contagion
from a cyber event. The other is, of course, if you hit someone who's kind of in from a network
perspective, a bit like a spoke. And then, you know, you have contagion kind of radiate out from
there. You can have a different kind of contagion, which is more like maybe a confidence-related
contagion where you have a cyber event that affects a certain type of business model and then
other types of contagion kind of spread from there in financial institutions.
So that's sort of ICBC at a very level.
The ICBC just what kind of caught my eye is it's the largest bank in the world, right?
Correct.
This is the Chinese bank.
ICBC is what I can't remember what the acronym stands for.
But, uh, Industrial and Commercial Bank of China, but make a china largest in the world. And, uh, you know,
it was a small affiliate that got hacked, but it, it led to some significant disruptions. And I think
the send certainly should send off some, some yellow flares, I mean, in terms of what that means.
But I think, I think there's, um, you know, certainly been some other incidents, uh, in the financial
sector or in service providers to the financial sector. I think there's a couple channels through
which financial institutions can experience cyber stress. So one is directly themselves in their own
systems. You know, Joe made the great point about, you know, somebody at a bank or a non-bank
financial institution getting, I'll call it an email that's a phishing email, and that's kind
of direct on the financial institution. But then financial institutions, as Leslie pointed out,
have many IT service providers that they utilize.
And I think we've seen instances, I'll just point to SolarWinds and some others,
where Citrix Bleed is another, you know, different things like that,
where a service provider is the channel through which there becomes a cyber incident at a financial
institution.
And then the third channel is really on the asset side for a financial institution.
where we've only seen a very limited amount of this.
There's a very nice paper on the malware attack, the NotPetya attack,
that sort of shows that this is done by some of my colleagues at the Fed,
that sort of illustrates that some of the institutions that banks were lending to
were negatively affected by NotPetya and
talks a bit about how that could have created credit stress, had the malware associated with
that cyber attack actually proven catastrophic for some of those corporates that they were lending
to. So there's multiple channels if you're a financial institution, unfortunately,
through which cyber risk can affect you. But yeah, ICBC, it was, again, attribution's hard.
So I think we'll just kind of maybe not try to attribute or talk through which of the channels.
Before we kind of dig even deeper into cyber and the financial system and we'll turn to Jesse and Matt's work shortly.
Maybe, Leslie, I'll turn it back to you and maybe Joe.
You know, my thought, as I articulated, was that the, and I'm asking you to put on your economist hat now if you're willing to do that for a second.
my thought is that the most likely cyber scenario that would have macroeconomic implication would be one where it has a major effect on the financial system.
You know, something broad.
Jill mentioned the potential for contagion or affects, you know, something deep in the plumbing of the financial system, trading, mentioned the repo market or the Fedwire, you know, something that's kind of critical to the plumbing in the system and the movement of liquidity around
the system. Is that, when you think about the kind of the panoply of risks here, would you put that
kind of at the top of the list of concerns or is there other kind of vulnerabilities in other
industries and other parts of the economy that you think might be more of a threat to the macro
economy? I know that's probably an unfair question. I'm asking you to do my job, but maybe you could
do that. Leslie, do you have a view? You mean other industries that are as
but it can't. Yeah. Yeah. I mean, I thought, you know, like, for example, I've thought about the ports, you know, maybe a hack of the ports. I've thought about the electric grid, maybe, but I still have a hard time connecting the dots between those things in a macroeconomic event. On the financial system, I can connect the dots. But on the others, I can't. But I'm just asking you, am I missing something? Is there something else out there that we should be focused on or thinking about? I know it's an open-ended question. Maybe there's no answer, but what do you think, Leslie?
So Joe, correct me if I'm wrong.
I think CISA is the body that oversees cybersecurity in the U.S.
I think they have 16 critical sectors for cybersecurity.
So I think their view, as any of these sectors are critical to the functioning,
the broader economy of the U.S.
So a cyber impact on a system-wide, so a cyber impact on any of these industries
would probably have some more impact.
I think you have to think about the fact that these critical sectors that span
the healthcare sectors, the energy to food and agriculture are all heavily digitized.
Every industry is sort of a tech company in some sort of way right now, right?
And another thing that's happening is a lot of these industries are used to operate very bespoke
equipment.
So the contingent was less there.
But looking to the electric utility space, for instance, there's a lot of the industry space,
for instance, there's a shift right in where your electricity is coming from.
It's very distributed and it's coming from a few manufacturers, right?
So you go from these centralized power generation centers, which are very bespoke.
And so an infection, one, wouldn't spread to others to a situation where you have very distributed
and homogenous type of equipment.
So if one of the pieces of the equipment is tampered with, all of them are left to tampered with,
And that spreads very easily.
And that's true in electricity in terms, very likely true in other sectors as well.
Joe, do you have a perspective on that or a view?
Yeah.
You know, when I think about this, I think about like the concept of magnitudes of change
and where risk is concentrated.
So why is the finance sector like kind of low-hanging fruit for this?
It's because like everything is run through a central plumbing system.
There's an aggregation point.
It's a very easy place to attack.
When you're talking about systemic cyber attacks,
It's very hard to do a bespoke attack on every single type of organization.
So what comes to mind for me, honestly, and it's well offset with technology expertise,
with good reason, is the large technology companies.
If you think about how many businesses are dependent on centralized cloud infrastructure
across three major companies, if there is any disruption at scale at any of those three
major companies, it's going to adversely affect a massive part of the economy,
both from a consumer perspective and a business operations perspective.
So then it becomes a question of like not only is the magnitude.
You're talking like an AWS or Azure.
Exactly.
So any of these areas where there's a hyper concentration of technology,
there's also a hyper concentration of systemic risk, right?
And that's where the magnitude of change from an attacker perspective becomes very immense.
And I'm not saying this is necessarily low-hanging fruit.
this would be an extremely complex attack, and I'm sure all of these companies have a ton of
security around this. But if anyone were able to get into the infrastructure, the backbone of how
these cloud organizations operate, it would probably have the most impact out of any of the
sectors because it would impact every one of the sectors, because each sector leverages
centralized cloud computing more than anything.
Well, that makes a lot of sense.
Hey, Jill, turning back to you and back to the financial system.
I know obviously regulators, global regulators are all over this.
You want to spend a few minutes and describe some of the kind of things that regulators are doing
are certainly now starting to come to fruition and how effective you think those will be?
Sure.
I mean, there's a lot to talk about here, Mark, and some things are kind of further in train maybe than others.
So maybe just jumping back for a minute on quantum, the BIS, the Bank of International
Settlements, which is sort of like the central bank
to central banks, did release a paper today talking about how they are concerned about what
Joe alluded to, which is the potential for quantum computing to render current encryption technology
obsolete and that to become a financial stability risk, for lack of a better word.
And they talked about some work that they are doing at a very technical level to think about
the transition from current encryption technology to maybe kind of a point.
post-quantum technology. They're doing that work with Banque de France and the Bundesbank,
I believe it was what the paper said. So thinking first about central bank systems, but maybe
trying to create a bit of a roadmap for financial institutions. So I think that's really
important work. In the EU, Leslie referred to Dora already, and this is, you know...
Quick test. What does that stand for?
I would say I don't know either because I'm, you know, more focused on U.S. regulation than I am.
Gotcha.
But Leslie, I don't know if you came up with it in the interim.
The A was Act.
That's the one word.
That was the one letter.
Oh, Act.
The most oddest one, right?
The most oddest one, right?
Yeah.
There we go.
There we go.
We figured it out.
Okay, so Dora, it's not Dora the Explorer.
It's, uh, all right.
So anyway.
So Dora is kind of interesting to contrast a little bit and given Joe's comment about how service providers are potentially, you know, significant service providers are potentially such a high systemic risk for the economy writ large.
Well, Dora, as I understand it, Leslie can step in and correct me, but is requiring financial institutions to provide comprehensive lists of all their service providers.
and then they're going to take a risk-focused approach in the EU to saying,
aha, I've got all these lists, and I'm going to, you know, do supervision on those most
significant service providers.
And that's, I think, sounds like a great approach to this topic.
Now, in the U.S., people may or may not be as familiar with where we are from a regulatory
viewpoint. There's an old banking act called Gramm-Leach-Bliley. I won't, I could have said glibba,
but I won't do that to folks. I didn't know. I always said GLB. Is glibba? Some people,
some people say glibba. It's, you know, there, it's like one of those acronyms mark,
like tomato, Tomato, FHFA, you know. Yeah. Yeah. People have different. The flubs, the FHLB.
Yeah. Got it. Right. So anyway.
You weirdos in the financial system. That's right, right. You know. So,
Anyway, Gramm-Leach-Bliley, though, does give U.S. bank regulators the ability to supervise service providers of banks.
But one of the challenges, because Gramm-Leach-Bliley, I think, as many know, is not recent legislation.
It doesn't give quite the same level of, I'll call it data collection around these service providers.
And so, you know, regulators have approaches to gathering these data.
But if you were to try to find, you know, again, people who are regulatory nerds in the U.S.
are well familiar with that any regulation has to go through notice and comment.
There's a Paperwork Reduction Act type thing.
There is no regulatory filing that is systematic where banks are reporting, you know,
Joe might report a service provider.
written out one way, Leslie might report it another, collating that and getting to an efficient
portfolio of which service providers should be overseen in the U.S. I think is a bit of a data
challenge from a regulation supervision viewpoint. So we do have service provider supervision.
You can't find a list of which service providers are currently being overseen.
that's not publicly available information.
And it's an area of supervision that all of the banking regulators,
the federal banking regulators and some of the state regulators are involved in,
but there's not perhaps as much information about it.
Maybe the one other point that I would make is, as you know, Mark,
the U.S. financial sector has a lot of non-bank financial institutions in it.
And the bank regulators, of course, you know, in a number of cases, do not oversee them.
So think about like non-bank mortgage servicers where we've had some recent notable cybersecurity events.
Those are not overseen in any way by the federal banking regulators.
So that service provider oversight isn't happening in the same way for the non-bank financial sector as it does for vendors of banks.
And that is something that, you know, given the discussion we've had so far is arguably a bit of a gap.
We also have the ECB just to kind of round out.
Yeah, right.
They announce their stress test.
They have, it's like every other year they do kind of a neat little, let's kind of pursue a bespoke stress test that's different than what they traditionally do.
I think in 2017 they did interest rate risk.
That was,
had some force right there.
That was pressure, right?
Yep.
They've done market and liquidity.
And they just recently announced that they're going to do.
Climate.
Climate was a little bit.
Yeah, they did climate.
Yeah.
I'm doing cyber next.
And, you know, I think, I think that's a positive for European financial institutions.
Again, these aren't setting capital standards.
But I think just having those
kinds of, I'll call it, tabletop exercises that are, you know, focused regulatory events can
help people up their game. Yeah, and that's the, I agree. And I think that this is a good segue
into the work that Jesse and Matt have done. And because it's kind of like a stress test.
We kind of, we took a couple of scenarios that cyber attacks to the financial system and
ran that through our models and tried to figure out what the
macroeconomic impacts would be. And maybe Jesse, Matt, who would like to describe the work,
spend a few minutes and just kind of lay that out for us. And there's a white paper. It's available.
And, you know, folks are interested. We can provide that to you. And I think we're doing a
webinar too, aren't we, Jesse, at some point here, Matt? Yeah, I think in early February.
Okay. Good. Yeah. So Jesse, Matt, one of you want to take the com here and explain what you did?
Yeah, I'll take a stab. And Matt, I'll pause here
and there so you can chip in and round it out. I think the interesting thing about our paper,
and you alluded to it before, Mark, is kind of trying to take, you know, cyber risk, which,
which largely, you know, for companies is business risk or operational risk and trying to figure
out how does that become macro risk. And, you know, so we took a look at the financial system
where the linkages just seem more concrete or the potential for systemic damage is just a little bit easier to imagine.
And we came up with two scenarios.
The first we're calling a cyber deposit run, which is a bank run or a banking panic that begins with successive cyber attacks on smaller and medium-sized banks.
and in this scenario, we consumers or depositors, rather, flee to the perceived stability of larger banks.
And it's kind of, it's very similar to the situation that we saw in March of last year, but on a much larger scale.
And it puts the Fed in a unique situation because what we ultimately have is a liquidity and solvency crisis that is, you know,
operational in nature. It's not something the Fed is really designed to solve. Providing liquidity
to banks we found doesn't necessarily change the calculus for consumers that have, or depositors
rather, that have experienced a large cyber attack. And as these attacks continue for some time,
the incentive to run grows and grows until we get into a broader banking crisis scenario that does
have real damages on both the financial system and economy.
These are ransom.
The scenario is ransomware attacks on smaller banks,
where I think there's a general sense that I think Joe mentioned this,
that there's more vulnerability.
They just don't have the resources to be able to, you know, defend themselves.
Yeah, that was one of our, just to jump on that is the focus on the small and mid-sized banks
was exactly that reason of there's gaps in coverage.
because a lot of the coverage is expensive, the red team testing that Joe was doing in his
earlier life was not cheap.
Big banks can afford that.
Big banks can afford top talent to do that.
So that's kind of our door open in a way for this type of attack.
Yeah.
And so those attacks led to a loss of confidence, faith, and depositors and kind of sort
of what happened back with the Silicon Valley Bank crisis where depositors kind of ran.
that happens in this scenario. So Jill, does that, does that resonate with you? Is that,
do you think that's a viable threat or, or do you think that's far-fetched that, that scenario?
No, I mean, so first, a couple of things. I do think that there is, you know, the potential for what
I'll call maybe business model contagion. So you, you see some institution that looks like your
your financial institution where you bank having very critical, you know, cyber risks manifest
that are, you know, in the news. And there could be some attempt to kind of diversify deposits.
This is probably more on the commercial side, I would say, though, than the retail side.
I did, Mark, if it's okay, want to share a little data on this topic of small versus large
bank and where the risk is, if that's okay, because the...
the most recent Fed supervision report, actually, it's not, how should I put it, you know,
if one were to ideally, you know, sort of design a disclosure around this topic, this might not
be the ideal disclosure, but it does provide some data on that issue. So the Fed in the supervision
report that became available, and these are data for Q2, 2023, so,
They did disclose that of the, for community banks, that the top issue in terms of supervisory
findings, now you can raise the question are supervisory findings the same as intrinsic risk,
like you could have risks that supervisors haven't found, right?
But in terms of supervisory findings, IT cyber, for both community banks and regional banks
were the most frequent type of supervisory finding,
like 30% of outstanding community bank findings roughly were related to IT cyber and 35% for regional banks.
But where it gets even more interesting is for the large bank population.
And here the data aren't quite kind of broken out the same.
And I want to be very clear, these are about findings, not the number of institutions.
So that I just quoted for regional banks.
When you talk about large banks, basically under the, for the large financial institutions,
the rating system for them is three-pronged.
There's a capital component, a liquidity component, and a governance component.
And you're either, there's multiple ratings levels, but, you know, you're either kind
of broadly meeting expectations or you're, you know, conditionally or you're deficient.
And so as of Q220, you know,
what the supervision report says is that most of the large financial institutions in the U.S.
large banks were meeting expectations on capital and liquidity, but that the challenges were really
around governance and controls mainly related to operational resilience, cyber and anti-money laundering.
And the less than satisfactory percentage of the LFIs or the large banks in the U.S. in the Fed
Supervision Report is about 50%.
So just to kind of get to the bottom line on that, about 50% of large bank ratings are less than
satisfactory, according to the report, mostly driven by these governance and control operational
IT cyber issues, not related to capital, not related to liquidity. So it does sort of, and the other
thing that's interesting in the report is it shows a time series for this for the large banks.
The amount of non-satisfactory is very stable. Now, the report doesn't break out, you know,
two years ago, was it more about capital and now it's more about cyber? But there's some interesting
data there that suggests that, you know, there are meaningful operational cyber resilience
issues also at large institutions.
So it sounds like consistent with the concerns represented in this scenario that we've constructed.
Oh, yeah.
No, I mean, definitely this is the supervision.
But it's really for banks of all sizes.
Yeah, right.
Jesse, anything more on the, or Matt, on the first scenario?
I mean, clearly you can construct this in lots of different ways.
And in the scenario, we constructed it in a way that it did ultimately end up in causing a loss of confidence,
affected equity markets, financial markets more broadly, and lands us in a recession.
But anything else more about that scenario, you want to call out?
Jesse?
I don't think so, Jesse, do you?
I mean, the cycle of frozen, I think.
Oh, no, I'm here. I just wanted to give Matt a chance to chip.
I think that the psychological contagion is a big fulcrum for that scenario.
It's believable. I think we saw the power of virality in 2020, 23, 24 with Silicon Valley Bank.
Large coordinated movements can happen if everybody's kind of getting the same tweet, text, you know, push notification.
So we did rely on that quite a bit for the basis of that scenario.
I don't know, just do you want to add to that or touch the second scenario?
Yeah, the only other thing I'd say something that you brought up, Matt, when we're when we're constructing this scenario is just, you know, how fast things can move when it's your cell phone, like you mentioned, that gets an alert and depositors can sort of remove their deposits or move them within minutes,
and sort of the interconnected digitized banking system of today.
And I think that plays a lot, a very big role in our first scenario and how fast risk spreads.
Okay, let's turn to the second scenario.
You want to describe that, Matt or Jesse?
Yeah, I'll give it an overview, Mark, because it involves the, the ACH network.
And maybe we'll take just a second to explain what that is.
The scenario broadly is a really dark scenario involving a ransomware attack that ultimately leads to the collapse of the retail payment system.
So in this scenario, depositors lose access to bank accounts, credit card networks, fearing contagion, suspend service.
And so the whole digital payment system we've come to rely on is out,
and left in its place,
we're all forced to migrate back to checks and cash,
imposing just tremendous frictions on, you know,
being able to go to the donut shop or get coffee at Wawa.
Donut shop?
I don't know.
There's a great vegan donut place in West Philly that I go to that I really like.
I imagine that would be...
Vegan donuts.
I knew you're going to know.
I'm having a hard time getting my mind around that one, but okay.
I know.
A lot of problems.
Um, oil, a lot of, a lot of coconut oil.
Got it.
Got it. Got it.
Um, anyway, it's, it's sort of a, almost a dark doomsday scenario where everything we've
come to rely on, um, is out of service.
And where we ultimately end up is in a large sort of single quarter, uh, plummet,
uh, in consumer spending that drags the rest of the economy with it.
Got it.
Got it.
Got it. Hey, Jill, does that ring true to you? I mean, does that feel like a scenario that has some possibility? Or is that kind of way out on the tail of possibilities?
Well, I mean, I think it gets back to thinking about Mark the point that there are things that are pipes, if you will, the plumbing of the financial system.
And so we don't think about the plumbing much when it's working,
and then when it backs up and creates lots of problems,
then it becomes very,
I don't know about the vegan donuts,
but it becomes very,
yeah,
I'm still thinking on the vegan donut thing, I must say.
You know, it becomes very painful.
And so, you know, I think the question, of course,
is that unlike maybe the plumbing in our house,
which we take for granted,
these type of infrastructure are
known to be systemic. So one would hope that the level of cyber resilience and resources is
higher than maybe the first scenario that, you know, Jesse and Matt outlined where you've got,
you know, smaller institutions and contagion risk from that. So, you know, maybe kind of it's a
little bit more of a plausibility test. But again, going back to the BIS piece on quantum,
you know, there may be scenarios, whether it's, you know,
some of the stuff Joe talked about on AI enhanced attacks or, again, post-quantum type stuff
that could make even systems that we think of as fairly well-protected, well-resourced,
challenged. I don't know if others like Joe have thoughts on that.
Yeah, Joe, Leslie, covered a lot of ground there.
Anything you'd like to add?
Joe?
No, I mean, I think, yeah, I mean, I think the reality is the risk is there and, you know,
think about especially endpoint payment.
Like it's, it is very much privatized at this point.
There's a lot of more companies that are delivering privatized endpoint payment devices.
It's completely feasible that, you know, there is a systemic vulnerability across all devices
that are connected to the internet that allow that.
And that could be used as an entry point into the plumbing, right?
So I think it's the same concept of hyper-digitization, hyper-risk.
And I think we are well into the hyper-digital age.
We're going there.
We're en route.
We need to secure ourselves along the way.
And I think that's kind of the main theme here.
Leslie, anything?
No, what just struck me is I think that's the impetus behind all of these very ambitious regulations, right,
that are very technically driven, not principle-based, not capital-based,
they're giving very clear instructions as to the type of defenses are expected to be in place from the technical standpoint and there's recognition of this particular risk.
Maybe just, I'm sorry, Mark, do you maybe just point though on the regulation?
In doing some background reading to get ready for this podcast discussion, I also read the OCC supervision report, where it was a semi-annual risk report.
And, you know, some of these things that we talk about for financial institutions,
they're very basic that still aren't being done by some financial institutions.
And in the OCC's report, they talked about the use of, I'll use the acronym first and then I'll
define it, multifactor authentication or MFA and talked about, you know, like this is the, you know,
that you need to get a text message on your cell phone before you can do a bank transaction.
They talked about that that's not in place for all banks in the report.
So these are very basic kind of easy cyber things to do, you know, not far, far easier than, you know, patching, you know, another thing.
Some of the stuff is just still not being done, not being invested in.
And regulators, in some case, are asking for it.
In other cases, they're recommending it.
But the change is, I think, sort of slow for the quantum of risk.
Well, I know if I didn't get my paycheck from Moody's in my bank account, I would, I'd panic pretty quickly.
So that does feel like a fodder for a good, good-sized recession.
Let's, we're coming to time.
Maybe we'll end in a different way.
Let's end with the game, the stats game.
We each put forward a statistic.
The rest of the group tries to figure that out through clues, deductive reasoning, questions.
The best stat is one that isn't so easy we are all going to get it.
But I am not worried about that at all.
This isn't going to be easy.
One that's not so hard that we never get it, but that may be the case here.
And because we've got so many potential players, I'm just going to call on the guests from outside and we'll play the game.
So, Joe, do you want to go first?
What's your stat?
Is there any rules around this?
So could I put any...
You can put anything forward?
Anything forward?
I'm going to put two numbers out there.
And I guess what they're representative of.
It is $4 million and it's roughly 12%.
4 million, 12%.
It has to do with cyber, I'm sure.
Number of cyber attacks?
No.
Over some period?
No.
Well, if it's 12%, what is that?
That's, what, 400?
50 million or something?
12% of
12% of the, it would be like 12%?
Oh, so the whole different, it's unrelated to the 4 million.
Yeah, it is part of, it's a characteristic of the 4 million.
Oh, I see.
I see.
There are 4 million entities in the United States, business entities, 12% get your
highest score from BitSight.
No. Okay.
Am I close?
I close?
Think security gap.
That is the only hint that I'll give.
Security gap.
Jill, Leslie?
Any ideas?
Four million.
Is it U.S. based?
Is it global?
Oh, it's global.
And is it four million entities, people?
It's people.
People, four million people.
Four million people, 12%.
Yeah, 12% of 4 million people have had something, have had some experience.
The cyber job openings?
Yes.
Oh.
There is an estimated 4 million person gap in cybersecurity expertise right now,
and it's estimated to grow at roughly 12% every year between now and 2030-ish.
Oh, that's a good one.
Way to go, Leslie.
That was very good.
Yeah.
Thank you.
Get a cowbell.
Yeah, we need a cowbell for you.
So across the globe, there's a shortfall of cyber professionals of 4 million,
and that's growing 12% per annum.
Yep, exactly.
Got it.
Great.
Where did that come from, that estimate?
It is, I believe it's from one of the internet centers.
I don't remember exactly where I'm reading it.
I can look up exactly where it came from.
Joe, this is exactly what I was saying.
I mean, you're going to be a very wealthy man.
That's all I'm saying.
I mean, four million shortfall, you should be, you should be demanding a ton of equity in this BitSight company.
Yeah, a ton of equity.
But, Mark, think about that number and the conversation we were having about non-bank financial institutions who are state regulated and then think about trying to get the talent.
Oh, yeah.
You know, IT supervision in that kind of a job market.
Right.
You know, at state salaries.
Yeah, good luck.
Okay, Jill, you're up.
What's your stat?
Okay, so 300 plus.
That's your stat?
300 plus?
That's my stat.
300, well, so 300 plus and it relates to community banks.
Community banks.
300 plus community banks.
Am I on the right track?
It relates to the theme of this podcast.
Yeah.
They, now we, the rating agency, do you do some kind of ranking with regard to cyber preparedness?
I think you do, right?
Is that?
At the sector level.
Oh, at a sector level.
You don't do it at an individual bank level.
Okay.
Okay.
So that's not it.
What do you think, Chris?
Marissa.
Is this also job-related, Jill?
It's not job-related, no.
Right.
Is it regulatory related?
It is regulatory related. Very good guess.
Okay. And it has something to do with the supervisory notices?
Might have to do with findings, yes. You're getting into great. Yeah. Yeah, you're basically there.
According to the supervision report, there was over a thousand community bank supervisory findings. Yeah. Approximately 300, 30% of them were related to IT cyber. So it's a 300 outstanding findings in the community banking space.
Again, that's some fraction of the vulnerability, but it's, you know,
supervisors never find everything no matter how hard you try.
And I'm going to take credit for getting that one right.
I'm just sitting there.
Yeah, I think he did.
I think we could bring the gong for you.
I don't know.
Cowbell, no gongs.
Oh, okay.
Leslie, you're up.
What's your stat?
I'll give you 53%.
Say that again?
53%.
And I'll give you a hint that it's based on something we collected.
So, Jesse, that might help you.
Something that the rating agency collects.
The rating agencies collected.
Through surveys, through your surveys.
So 53% of something related to one of the surveys that the rating agency.
Jesse, what do you think?
53% global financial.
Do I have to recuse myself, Leslie? Or can I...
I think you can control us because you can find it in the paper. Um, might even be in our own paper.
Um, 53% of global financial institutions, um, back up their systems at least once a week.
Oh, that, I like that point. That was pretty good. I don't think it's right, but it's pretty good.
In the vicinity.
Oh, it is? Okay. What is it, Leslie?
53%. It was based on the cyber survey, on the cyber survey that we collected information from 240 financial institutions.
And 53% of them said that they had reported a significant cyber incident to their board in the past two years.
Oh, okay.
That's interesting.
Yeah, that is not in our paper.
I mean, we should revise, tuck it in there.
You get one more addition out.
Sounds like at least a footnote or something.
Well, okay, well, you guys have been great.
I know this is late Friday afternoon before MLK weekend.
You've been yeoman participants,
and I really appreciate that.
Before we sign off, just I'll throw it out to the group.
Anything that we missed that you think is important that you'd like to bring to the podcast
before we leave?
Just open-ended.
Matt, anything?
No, okay.
Joe, anything?
Yeah.
No.
Okay.
All right.
Very good.
Well, I think we're going to call this a podcast.
I hope everyone thought it was informative and useful, and I certainly did,
and I'm looking forward to the weekend.
So take care, everyone.
We'll call this a podcast.
