Moody's Talks - Inside Economics - The Macroeconomics of Cyber Attacks
Episode Date: May 27, 2022Jim Hempstead, Lesley Ritter, and Leroy Terrelonge from Moody's Investors Service, Join the podcast to discuss the rising concern of cyber risks and attacks.Full episode transcriptFollow Mark Zandi @M...arkZandi, Ryan Sweet @RealTime_Econ and Cris deRitis on LinkedIn for additional insight. Questions or Comments, please email us at helpeconomy@moodys.com. We would love to hear from you. To stay informed and follow the insights of Moody's Analytics economists, visit Economic View. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
Transcript
Discussion (0)
Welcome to Inside Economics.
I'm Mark Zandi, the chief economist of Moody's Analytics.
And today, it's a special podcast.
We're going to be talking about the threat posed by cyber risk and the macroeconomy.
And of course, I'm joined by my two co-hosts, Ryan Sweet, the director of real-time economics, and Chris Duretys.
Chris is the deputy chief economist.
And we're also joined by three of our colleagues from the rating agencies, Moody's investor
service. And so this is a special podcast. It's the first podcast, I think, where we've had both folks
from Moody's Analytics and MIS together. And because of that, it's important to recognize that
the folks from MIS may have different views than those from Moody's analytics. That's us.
And the views expressed by, I guess, from one company or division within the Moody's family
can't be attributed or shouldn't be attributed to other companies or divisions. It's also, I think,
important for me to say that, you know, by listening to this podcast that you're downloading
it, you are agreeing to Moody's legal terms and conditions that's found at moody's.com
slash disclaimer, including any information provides not information or financial advice,
and that Moody's will not be liable for losses arising from your use of the information.
I mean, clearly, this is a language that's necessary in the context of this podcast where we're
going to have folks from both the MIS and Moody's analytics.
And I do think this highlights one of the very special things about the Moody's Corporation
that just shows the very talented group of folks that we have there.
So with that, let me bring in our guests from MIS and begin with Jim Hempstead.
Jim, can you tell us a little bit about how you landed where you are today?
Sure, thanks a lot.
And by the way, I'm a huge fan of your weekly podcast.
I very much enjoy watching the three of you.
And I agree, great talent on that podcast.
that you do every week.
But I manage the North American.
Well, Jim, Jim, this is really important.
Jim, Jim, this is important.
Which of the three do you like the most?
That's the key question.
I'll let you know at the end of the statistics game.
Oh, wow.
Very good, very good.
Okay.
But Mark, I'm part of the project and infrastructure finance team here at Moody's.
We, on a global basis rate a little over $3 trillion of
debt in the electric utility, gas, midstream, water and wastewater sectors. And we have a lot of
municipal and other infrastructure sectors like airports, seaports, and toll roads. I manage the
North American portfolio. And I also manage a small team. And we've got Leslie Ritter and
Leroy-Tarra along with us, a cyber group inside the rating agency. So our job is not to manage Moody's
corporation cybersecurity, but what we are trying to do is raise the knowledge and the awareness
of our 1,300 global credit analysts so that when a cyber event affects one of the rated entities
that we work with, we could respond more authoritatively and have better engagement with the
marketplace by doing that. And this all really came about back in 2015, I would say,
when the utility industry was doing a lot of introspection on their cybersecurity capabilities.
And I started to have a conversation with our chief information security officer for Moody's Corporation as a way of starting to learn more about it.
And we've really grown over the last bunch of years as a result of that.
Did you say how many years have you been with the Moody's, Jim?
I've been at Moody's since 2002.
2002.
Well, about 20 years now.
And prior to that, I was in the investment banking sector.
I started out at the terms.
I did a run through Smith Barney, Solomon Smith Barney,
and then also Merrill Lynch for the first 12 years.
All in the infrastructure sector.
Got it.
And Leslie Ritter also is joining us from MIS, the rating agency.
It's good to have you, Leslie.
Hi.
Thanks for having me.
Yeah, so I'm Leslie Ritter.
I've been with the firm for 10 years now, almost 10 years,
and working for Jim for almost 10 years.
So I started out really as a credit analyst in the electric utility and natural gas pipeline space.
Prior to that, I was doing work at GE Energy Financial Services.
So we underwrote different power deals all around the world.
And at that time, we never talked about cyber.
But since joining the team with Jim, we started a discussion, like he said in 2015,
thinking about cyber and how it would impact our companies.
and we realized that we really hadn't thought that through so much,
and we wanted to know more.
And over time, we built our team and created our own cyber team in 2019.
And I've been there since.
So it's been really fascinating and I'm really thrilled to be here today.
Oh, so you've been working with Jim for 10 years.
I know.
Hence all the gray hair.
Good for you.
Good for you.
Good for you.
Good.
Hey, and we also have a Leroy, Teralong.
Good, good to have you, Leroy.
Yeah, thanks, Mark.
So I'm, I guess, the junior member of the team or one of the junior members of the team.
I've only been at Moody's for three years since 2019 when the cyber risk group sort of had its formal inception.
And my background is I started working as a language analyst for the national security agency.
And then ended up sort of falling into cybersecurity and really becoming very interesting.
in sort of the links with financial performance.
I did a master of international business degree.
And then when the opportunity at Moody's opened up, I was like, wow.
I mean, how many opportunities are there to have cyber expertise and then also,
you know, marry that with financial performance.
And so, yeah, I've loved the past three years that I've been here.
You said you were a language, what?
A language analyst.
Analyst for the NSA?
That's correct.
Yeah, I speak Persian-Farsi.
No way.
Really?
Oh.
Yeah.
You know, I'm, I'm, uh, Zandis is a Persian name.
Yeah, of course, you knew that.
You didn't know that.
I knew it.
Oh, you guessed it.
Oh, okay.
Yeah.
My, you know what?
It's, I'm, um, disappointed to say, but I don't know Farsi.
You know, when my dad came over from Iran, he was a student.
And at that time, the philosophy was that you needed to be an American.
You had to speak English.
You cannot, you should not speak the language from where, wherever you came.
So I don't, unfortunately, know Farsi.
Such a beautiful language.
Absolutely.
And difficult, right?
That's a very hard language to learn.
I believe.
It's, I mean, I think the difficulty comes to the writing.
Learning the writing is probably the hardest part.
But speaking, like you said, it's very beautiful.
And it has a lot of traits that it shares with other Indo-European languages like English.
So it's not so hard on the speaking front.
Do you know any poems?
Because my dad, all he does all day long is,
recite poems in Farsi.
I do, but I don't
know if I can recite any brief here.
Commigranes and recite poetry.
Yeah.
Yeah. Do you know any poems?
Not at the top of my head.
Okay.
I do really like Iranian poetry, but you put me on the spot here.
No, no, no, no.
Iranian food, right?
I mean, oh my gosh.
Yeah, every year, a new tradition for my family.
We're not, we don't have any, you know,
birth links to Iran. But my husband and I, we have an annual Norus, Persian New Year party.
And yeah, we eat lots of great Iranian food. Okay. Well, it's so good to have you. It's
really a pleasure to have all of you. And thank you for spending some time with us. So, again,
the purpose of the conversation is to get a better grip on cyber risk.
Of course, we're macrocom. So we're really curious if there's a lot of
any nexus between cyber and the macro economy, but obviously there's a lot of in-between
between companies and governments and everything else, individuals, everything that's going on.
So maybe we should just level set and talk about what is cyber risk?
You know, what are some examples of the threats posed by by cyber?
Leroy, you want to kind of lead us down that path a little bit?
Sure, yeah, it's good to have an idea of what a cyber attack is because you hear about that all the time.
in the news and may not be clear for listeners what they should expect when they hear about
cyber attacks. So basically, a cyber attack is anything that impacts what we call this CIA triad.
It's not the Central Intelligence Agency. It's not the Culinary Institute of America. It's
confidentiality, integrity, and availability. What that means is confidentiality, think data that
people shouldn't have access to or at least unauthorized access to.
You want to keep that data secrets.
So a data breach like the cyber attack against Equifax in 2017,
that would be an example of something that's affecting confidentiality.
On the integrity front, this is you want to make sure that the data that you have is accurate.
It hasn't been changed or manipulated.
And so one example of an attack against integrity was in 2014,
attackers were able to change the election results for the Ukrainian election.
And they figure that out 40 minutes before they were supposed to announce the election results.
Yeah.
So they caught it in time.
They were able to fix that.
But that's an example of an attack against integrity.
And then lastly, is availability.
And that's making sure that you are able to access the information you have in a timely matter.
So ransomware has been a lot in the news recently.
That's when people lock up your data, say that you have to pay a ransom to get access to it.
That's an attack against the availability of your data.
Is ransomware the most prevalent form of cyber risk at this point?
It feels like that's what's mostly in the news.
Is that top of mind for most businesses when they try to protect themselves against cyber?
It's definitely having a moment, right?
Like I feel like cyber attacks, different types of cyber attacks have shelf lives.
And right now we're in sort of the cycle for ransomware.
It's very profitable.
And because of the business disruption, a lot of organizations want to pay.
So until we see some sort of movement on deterring ransomware attacks, we think it's
have, you know, a long shelf life is going to have a lot more impact.
Right, right.
I guess I've, go ahead, Leslie.
I was just going to add just because when I got into cyber, I always thought of availability
of data as being, you know, like customer information, but availability, availability of
data is a lot more because if you think about it, different types of manufacturers operate
on digitally enabled machines that operate off of it.
of data, right? So you could disrupt a machine through some kind of ransomware attack,
and that's affecting the availability of data, too. So I just want to make sure your listeners
understand that we're not only talking about, you know, customer information, but data is
everywhere. Yeah, it makes a lot of sense. What about denial of service? That also is,
that seemed to be more popular a few years or the popular form of cyber risk a few years ago.
Is that right? Do I have that right? That's right. Yeah, especially in the early,
2000s or 2010s, I should say, people might be familiar with an ominous, the group that had
like the, yeah, they had the weird videos, the voice, you know, We Are Legion, blah, blah,
et cetera. The industry really didn't have a good handle on denial of service attacks,
which is when you send so much web traffic to a server that it can't handle the legitimate
traffic so people can't get to websites. But since then, there have been leaps and bounds in
protecting websites from those sorts of attacks. And so you don't really hear about DDoS attacks
as much. They happen, but they're not as impactful as they were in the early 2010s.
Right. And what about fishing? That's the other, at one point was popular. So it's still an issue,
the fishing where people kind of send you an email or text or something and entice you to
click on it and then they've got you. They've infected you.
in your machine. Yeah, fishing is a perennial risk that we see. I mean, you know, at Moody's at any
organization, basically, you're working at. You're probably seeing these fishing tests where they
send you a message and then if you click on it, then you get something saying, oh, you fell for this
fishing test. You might have to go do some extra. It happens to write all the time, Leroy.
Yeah. Happens them all the time. He's batting perfect for that. I always didn't fear of those because,
you know, imagine five fall for one of those, and I'm on the cyber risk, right?
Like, you must be sweating all day long.
I'd be so embarrassed.
Just don't check your email.
That's a, that's the response.
Yeah, that's the right answer.
You know, are we pretty good at people getting better at,
they must be getting better?
You know, one thing I've always wondered,
is it the same people that always fall for the fishing, you know, efforts?
I mean, some people just can't resist.
Is that, is that, that's kind of sort of in my mind.
Is that true?
Is that what happens?
To a certain extent, yes.
I mean, yeah, organizations never want to fire somebody because they've fallen victim to a fishing attack, right?
It's to raise awareness, is to make sure people know that these sorts of threats are out there.
But there have been instances where folks have so egregiously just clicked wantonly on, you know, all these things coming in.
Yeah.
It does, some companies have made the decision that at some point it has to affect your performance evaluations.
Yeah, I'm so, you know, I'm so paranoid now that if I see anything that I don't know exactly what it is, I send it to my IT guy and say, should I click on this?
And I'm thinking it would be nice for the company to have someone like that where I could just say, hey, should I click on this and get an answer back, you know?
You're not aware of the button on Outlook that says fishing?
you hit that.
Is that what that's for?
I'm supposed to put it over there.
Oh, I just send it to Gershman.
Well, now Gershman's not with us anymore, but to Sal, you know, and say, hey, Sal, should I click on this?
I'm sure.
I'm sure.
I love getting those emails.
It's the fishing clicking that is one of the most frequent methods for people who shouldn't be in the system to get into the system.
And that's why companies test so much for it.
And you do have a handful of employees that always fail the test.
Yeah.
When they fail the test three or four or five times, that's where you have to try to decide how to remedy that situation.
Okay.
Any other new things coming down to pike here that you want to call out in terms of new cyber risk?
I mean, all these things we talked about ransomware fishing, denial of service, they're all pretty, we've pretty, a pretty, a pretty,
get grip on those, we understand, understand what they are. Are there some things out there that we
just are so new that just kind of coming on the scene that we should be aware of?
I think maybe the one that you didn't mention is data breaches. Okay. That's not new, but what's
happening is the attackers are merging two different types of attacks, so ransomware and data breaches
together. So they would go after you and hold you ransom and say, if you don't pay us, we will
disclose all your information to the public. So it's kind of a, you know, a new tool. Well, not so
new anymore. It's been what they were two years that they've been doing this, but that's been
a more potent type of attack that's come up on that end. And I think I'd add really quickly, too,
that I think in the cyber security field, we're always sort of interested, what's the new,
what's the newest thing, what's the newest type of attack? But, you know, most of the attacks are
pretty much been the same for a long time. They are able to use the same techniques to achieve the
same end. And just like, you know, anybody else, cyber criminals are often lazy. They want to get the
biggest bang for their buck by doing the easiest thing. So, you know, we want organizations, or
organizations are often like, hey, you know, what's the newest, sexiest new attack? But really
focusing on the tried and true methods and basic cyber hygiene practices is really where they're going to
protect themselves the most. Yeah. I think maybe what's new. And not.
So much in terms of types of attack, but who they're going after.
They're finding ways of attacking maybe higher profile companies or companies in spaces
that they didn't use to go after.
So like industrial companies and energy companies.
Before it was very retail focused, banking focused.
And now they're finding ways of going after different industries, which might require
more sophisticated skill set because you have to go into these kind of physical operations
in order to tamper with them and cause problems.
I just say I like to use the phrase, you know,
cyber risk is not as bad as you think it is,
but it's worse than you know.
And to Leslie's point, the interconnection between the information systems,
the IT systems, the information technology systems,
and the operations of these industrials and widget makers
is something that I think we'll see a lot more focus on going forward because you can use the IT systems to disrupt the operations.
I'm thinking about temperature and flow and pressure and things of that nature that actually makes the widgets.
You can disrupt them through a cyber incident through the IT system.
And the colonial gas pipeline story, which were about the one year anniversary of that,
is a great example of that.
Right, right.
Hey, maybe we should move on.
That was a very good assessment of all the different ways cyber is affecting us.
And talk a little bit about the costs.
You know, Jim, you and I have been kind of having this conversation about having this cyber risk conversation in the podcast for quite some time.
And I was always struggling to figure out, well, does this risk risk,
rise to a level that it becomes a broader macroeconomic problem.
And can you give us some context here?
How big a deal is this in the grand scheme of things in terms of the cost?
So the costs associated with a cyber event can be defined and measured in many different ways
and the cost range.
So I think this morning we were emailing about the almost trillion dollars worth of global
costs that you cited. There's another number that's been cited of $6 trillion. It's sort of the third
largest economy, if you include that. When we think of costs to a company, we call them issuers in
the rating agency because anybody can issue debt. It doesn't have to be a company. It could be a
project. But we think about, you know, the impact on regulatory oversight, reputational damage,
lost revenue. We think of litigation, liquidity impacts, and other types of off-balance sheet
liabilities or contingent liabilities that could incur. But if you add the numbers up, they can get
very big. So a trillion dollars is a lot of money. But if you compare it against the $22 trillion
US GDP, you know, maybe it's it tells you one thing. If you compare it to the global GDP,
it gets very small.
But if you compare that against the $2 trillion of revenue that global utilities generate every year,
it becomes very large.
So as we think about cyber losses, they get dispersed in a large pool.
But if they get concentrated in a particular sector or a particular region or a particular
asset class, that's when I think we can finally really have that discussion about the macroeconomic impacts of that.
Yeah, I think that what you're referring to is I found a citation from the Center for Strategic and International Studies that they estimated that malicious cyber attacks cost the global economy, I believe it was last year, almost a trillion dollars, almost a trillion.
And as you said, the U.S. I think the U.S. GDP, I think nominal dollars is $22 trillion. I think that's, and then global GDP is probably about $100 trillion.
So that's about 1%.
But, you know, if you think about it in the context of like climate, so if you look at the, I was just looking at this, if you look at the total economic cost from acute physical risk, these are, you know, floods and hurricanes and fires, that kind of thing, comes up to about 350 billion per annum.
So, you know, that's obviously a lot, but this dwarfs that, you know, in the grand scheme of things.
And it feels like it's rising quickly, right?
this doesn't feel like it's going in the other direction here.
If anything, it's just going to become more and more costly.
It's rising quickly, and that's actually one of the potential statistics game is 4 trillion,
8 trillion, and 21 trillion.
Okay, so we're playing the game here now.
I just want to throw that out there.
Okay, so I didn't, yeah, that's right.
You wanted to play the statistics game in the conversation.
So, okay, so we're going to do that.
Leslie and Leroy, you have statistics as well?
I've heard one if you want one.
But I know the answer to Jim, so that's cheating.
But I have one with a quiz Jim on later.
That's kind of sort of what Ryan does every once in a while, so that's not.
No, I'm the one trying to investigate the collusion between Zandi and Chris over there.
Okay, okay, we're going to play the game.
The game is we each state a statistic, in this case, it's got to be cyber-related,
and the rest of us try to figure that out based on the deductive reason,
questioning and clues.
So go ahead, Jim.
What are the numbers again?
4 trillion, 8 trillion, and 21 trillion.
And this is cyber related.
Is it cyber related or is it your cyber million?
The 21 trillion is cyber related.
The 21 trillion is cyber related.
Oh, my goodness.
Is this a forecast over different horizons?
We looked at what, what, um, told that my sector is most exposed to, to cyber risk,
to environmental risk and social risk.
So what he's telling you is $21 trillion of issue debt is highly exposed to cyber risk.
8 trillion, right?
8 trillion is social and 4 is environmental.
You know, it's obvious Leslie doesn't understand this game.
It's pretty clear.
Did I give you all the answers?
I mean, like Leslie, what the heck?
You know?
No Cal Bell.
Yeah.
I mean, you might have said ESG.
that or something like that
it's like okay right
she what I'm done with this game
we're done okay how is he gonna get it
oh you felt bad for us that's fine
I think so bad for you a little bit you're saying
you guys look like idiots I'm putting you out of your misery
is what you're saying those numbers in fairness
we're in the notes that we sent about that but for
you know to your point on on
four trillion dollars is the amount of debt
that we looked at over all the global sector
and said these are the sectors that are most exposed to environmental risk, which includes
physical effects of climate change, carbon transition, water management, $4 trillion.
Is it $21 trillion?
Now, that cyber includes the banking sector.
So even if you take the $10 trillion of debt out from the banking sector in that number, you're still
higher, almost twice as high as the environmental risk.
And the risk is today, as opposed to.
to the longer term, the risk of environmental and climate change risk is today, but the runway is
longer than it is on cyber. So that's why I threw that. And I didn't mean the jump. No, that's a great
statistic. But just so I understand. So four trillion in outstanding global debt that is at risk of
an environmental issue, meaningful. Seven trillion is, you said social risk? Eight trillion
social risk and you said 21 trillion in cyber.
That's right.
And definition is high or highly exposed to that particular risk.
And these are all in our heat maps that we publish.
Yeah.
We have an environmental heat map, a social heat map, and a cyber heat map.
By the way, for the listener, you guys wrote a great white paper that kind of went through
this in detail.
Is that paper available to the broad public or is that not?
Just curious. Do you know?
I don't know. Oh, no. Okay.
I don't know. Okay. It's a great paper. It's a great paper.
Okay. Okay. That's very good. I think we lost Chris. Hopefully he'll find his way back.
I think he bailed.
Oh, you think so that number. There was a number.
I ruined the game. He stared them off. Yeah. He was, he's annoyed.
Okay. Okay. So, so Leslie, you have a, you have a statistic as well?
Well, we, we, we, I, I, I, I like the idea of dimensioning cyber.
risk. So I was going to try it was it's probably an easy one for you, but it was maybe a harder
one for Jim. We'll see. I was going to say if it's a trillion dollars of a global cost,
of cyber costs. What is that? What is that equivalent in terms of GDP? What European
country is that equivalent to with us for you? Oh, I like this one. Jim, what is what is the
multiple of or what is the multiple of Amazon revenue is that equivalent to? Oh, that's another good
ones. Okay, so you're saying, okay, the estimated cost from cyber is a trillion dollars globally.
Which European country has annual GDP of about a trillion?
About a trillion.
Okay. Okay. Well, he's going to name a country, and I'll let Ryan and Chris go first, unless you all guys want me to go first.
And Jim, do you know the answer?
Don't know the answer.
Okay. And Leroy, do you know the answer?
No.
Okay. All right. We're going to go around the horn.
Okay. Chris, you go first.
Oh, sorry.
I don't think he looks very confused.
Dazed and confused.
Ryan, what is it?
What country?
Oh, here it is.
Chris, you can go.
Oh, did you have?
I'm having troubles here.
Go ahead.
So, Ryan, what country is a trillion dollars?
I think I know.
Romania.
Romania.
Are you out of your mind, Romania?
Romania.
It'd love to be there.
That's a good, that's a bad guess, but okay.
Jim?
Ireland.
Oh, that's interesting.
I don't think so, but that's interesting.
Leroy?
I'm going to say Switzerland,
since Leslie's from Switzerland as well.
You're as bad as Ryan.
Okay, Chris.
So which country has GDP?
Of a trillion.
Of a trillion.
You should know this.
The Netherlands.
That's a pretty good guess, actually, I think.
I'm probably dead wrong.
Leslie, is it Italy?
Chris, you got it right.
A Netherlands.
Oh, Chris.
Although I think Italy was also a trillion dollars, Leslie.
I'm just saying.
I think it's a little bit more than a trillion.
Maybe it's a trillion, too.
Those 200 billion counts, right?
Hold it.
Wait a second.
My Switzerland was 800 billion.
If it was 2020, it would be a trillion.
All right.
Now, the other one was interesting, too.
You said a trillion is what percent of Amazon annual revenue?
What multiple or percent?
Amazon's revenue.
Wow, that's a great question.
Global revenue for last year.
I don't know the answer to that question.
I'd say it's probably got to be, guys, you want to take a guess?
I'd say $125 billion.
So what multiple?
Ten times.
Ten times.
No?
She's looking, she's being very coy.
You're really low-balling it there, I have to say.
Oh, really?
Oh, okay.
Times.
$500 billion.
Is it $500 billion?
How much my kids use Amazon?
That's right, Jim.
I had no idea.
It was that big.
$500 billion.
I was going to say something about Bezos,
but I'm going to practice the thought.
Number principle. Yeah, okay. So I won't do that. All right, very good. That was good. Leroy, we're going to come back to you.
GDP was $1 trillion back in 1990.
1990?
Italy?
Italy.
Oh, I was really wrong.
Yeah, it's one.
Oh, no, wait a second. Italy's GDP has not risen at all in 20 years.
It's 1.9 trillion.
Was it really? One point nine?
Yeah, all that tourism money from Chris.
From Chris.
All right, let's go back to the topic hand.
Hey, Jim, so cyber is obviously a big deal.
It's also, it strikes me as being different than other kinds of risks, right?
I mean, just in lots of different ways.
Do you want to give us a sense of that?
Sure.
Well, so cyber is indiscriminates.
It does not respect boundaries.
It could affect any asset class, any sector, in any region at any time.
So from that perspective, it's a little bit unique compared to some of the other risks that we think about.
Cyber risk is sort of ubiquitous to an organization because it can affect your reputation and some soft factors like that, as well as hard factors like your liquidity and your revenue.
it is, it can show up in any number of ways in organization measures itself.
And so from that perspective, it's also a very evolving risk.
And because of the digitization that we see taking place across industry and the economy
in general, it's morphing around in novel ways.
And so we're always kind of chasing around trying to figure out how best to think about that risk, measure that risk, you know, define that risk and then see how that risk changes over time.
It's really been an interesting journey over the last couple of years. And I feel like we finally made it, Mark, because you and I have been talking about this now for a long time. And here it is. And so the geopolitical tensions that have taken.
taken place over in Europe right now has really amplified that risk, at least from a governmental
perspective. So there's, you know, the U.S. has shields up. We're very on a defensive footing right now
to make sure that we have extra protections. And so that risk is probably going to show up in ways
that are going to look creative. Hey, when I think, Leslie, about the kind of the nexus between
cyber and the broader economy, I kind of think of a few different things, and I'd like to just
throw them out and get your sense of how big a deal it is. The first is around systemic financial
risk, that, you know, you think about the payment processors or maybe the exchanges, that if they
went down because of a cyber issue, that that would be a problem. Like if I, you know, went to use
my M-X card or my master card or visa, and I couldn't, that would be bad, right? That'd instill some
panic. Is that, how big a deal is that? Do you think that's a big deal? Systemic financial risk
from cyber. I think it's, it's one of those key characteristics of cyber risks that we have to pay
close attention to. The banks and regulators are highly attuned to this and really focusing a lot
of energy on it. But it's true that if you think about the kind of the sectors that underpin
the functioning of our economy. So think about banking, think about energy. Think about technology,
right cloud, those are all highly integrated systems that are very digitized. So like you said,
if the SWIF system goes down, you know, it's a huge global issue. If, uh, when we, when we did our
survey. That's the international payment system. Yes. Yeah. Right. When we did our survey looking at
cloud computing, we asked our, so we asked, we reached out to about 5,000 sure. So we got 300 answers. And of those
1,300 folks that answered, there's 87% of them said that they actually used Microsoft Azure Cloud.
So think about that if Microsoft Azure Cloud goes down.
And those are folks who answered from all around the world, from all sectors of the economy,
if that cloud goes down, that's another huge issue.
And on energy, which is where Jim spends a lot of his time,
a lot of the key components that go into producing energy are manufactured by,
just a handful of manufacturers.
So if those manufacturers get tampered with somehow,
the whole energy system could be at risk as well.
So it's really, it's a characteristic of cyber risk that's really,
that can't be ignored.
So systemic financial risk.
So back to the payment processors or the,
the exchanges or international payments.
Yeah.
The cloud services.
because they, we're all on the cloud now.
And so if that gets hacked and is taken down,
that's a big problem for everybody.
You mentioned energy and that, I mean,
colonial pipeline shut down as a good case study,
good example of that, which was highly disruptive.
You didn't mention global supply chains.
How big a deal do you think it is for the movement of goods
across the globe?
Is this a big deal, do you think?
Is cyber a real threat there?
Yeah, I think more of that and more like almost a contagion risk concept,
more than systemic risk, thinking of what happened with NotPetya,
where it's just spreads and start causing disruption across a whole series of industries,
which spills into the supply chain.
Right. You said Non-Petya. What's that?
I think Leroy is the best person given his background to really.
Okay.
So I guess the Cliff Notes version of NotPetia is that in 2017,
an attack that has been attributed by numerous governments, intelligence agencies, and cybersecurity
research companies to the military intelligence of the Russian government, known as the GRU.
And that they tampered with the update of the tax software that's mandated by an – it's an accounting company in Ukraine.
and basically any entity that files taxes in Ukraine is required to use,
or at least was at the time required to use this company's accounting software.
So they pushed out this software update that had been tampered with
to a whole bunch of entities in Ukraine.
And then those entities, in turn, many of them were part of large multinationals,
and it was able to spread worldwide.
And it was some what we call Wiper Mout,
where they basically destroyed the computers that it landed on.
And it just, it caused a number of different repercussions.
I'll let Jim talk a little bit about some of the financial impact that took place as a result of that attack.
So this was another statistic we were going to use.
But eight multinational companies were affected by that, not Petia attack.
And they reported about $2 billion worth of financial loss.
$2 billion.
And if you add up the balance sheets of those eight companies, it was like a $350 billion balance
sheet.
So not a lot.
Again, to the point.
But those eight multinationals had 233 customers that were affected.
And they reported $8 billion worth of financial losses associated with it.
And again, you know, relatively dispersed and diversified.
But almost 90 of those 233 customers drew their bank lines down across 37 different banks.
Now, that could get, you know, interesting very quickly.
Luckily, zero credit losses were associated with those bank trucks.
So it worked out.
But that's a great example of contagion and interdependencies of how everything connects together
and why cyber risk is so important from a macroeconomic perspective.
There's a few wildcards that are in there that are floating around that we want to try to keep our eyes on.
Okay.
So we mentioned systemic financial risk.
the threat to the cloud, the energy system, global supply chain doesn't seem like that's as big a
direct threat. Anything else? Any other kind of major? So you're sitting at the White House and you're
worried about cyber affecting the broader economy. Are there any other kind of choke points,
stress points out there that can be exposed by a cyber attack? Anything you would focus on or mention?
The only other one to mention, and supply chain kind of hits it a little bit is the stuff that we use all the time.
So energy, water systems and things of that nature can be disrupted in some way, shape, or form.
When I say energy, I mean not only the fuels, but the electrical power as well.
And, you know, the grids are all interconnected.
And as Leslie said, there's only a handful of companies that make the big components that,
make energy and power grids work. And so it's a, it's a concentration point.
Okay. So it doesn't feel like, it seems it feels like we covered it, that there, you know,
there, there, there isn't anything out there that we're just not thinking about significant
vulnerability that could be exposed here.
We hit up the, what about infrastructure? Like, right, if we took down the, uh, air traffic
control system or, you know, shut down a, you know,
port or something, right?
Go ahead, Lira.
Yeah, I was just going to say that the U.S. government has identified 16 sectors as being
critical infrastructure sectors.
And I think, I mean, as a result, or at least what it seems as a result of the
colonial pipeline incident that happened last May and the geopolitical tensions in Europe,
Russia's invasion of Ukraine, that there's been a lot of movement in.
in raising the standard and raising the minimum bar
for these critical infrastructure sectors.
So we've seen executive orders from the Biden administration,
as well as from the government agencies
that oversee some of these sectors,
saying you need to meet this minimum standard.
You have to have somebody who is responsible
for cybersecurity in your organization.
You need to be doing weekly backups.
Some of these very basic procedures
to make sure that these critical infrastructure sectors
that so much depends on,
and that if something happened to them would cause a lot of hurt to the U.S. economy,
have some minimum level of preparedness.
I think the psychological damage on consumers would be enormous, right?
Even if you lost the air traffic control system for a day, right,
how are you going to regain the trust of the public?
That could have significant macroeconomic repercussions,
even beyond the direct impact, right?
Yeah.
I mean, it was funny.
We went through this exercise of those 16 critical infrastructure sector.
We're working on an update to our heap map, and I was talking to Leroy,
and we were talking about assigning systemic risk levels to the sectors.
And I think we were looking at, what, 92 sectors, Leroy?
And we were mapping them, and each of one of them kind of fell in one of these 16 critical infrastructure sectors.
It's very hard to kind of say, like, this sector is most.
impactful to the economy in terms of a cyber attack versus another.
Everything's so interconnected.
The water sector is hugely vulnerable, right?
And important.
But we hadn't talked about that either.
It's just there's based, I think what we're learning more and more is everybody's exposed.
Last week, we wrote about an attack on an agriculture company.
You wouldn't think of agriculture as being exposed to digital theft.
right? But it happens. And it just happens that they timed it perfectly was when planting season is.
You know, it's almost like as economists, we're thinking about this and how to bring cyber into our forecasting and thinking about the economy.
And at this point, we're treating it more just like a cost of doing business, like any other cost.
It's not like an existential threat. It could potentially be it's a risk and maybe a scenario.
but it's hard to construct a scenario where a big enough part of the economy goes down long
enough for it to really take out the economy.
Is that a reasonable way of thinking about it?
Or am I missing something?
You know, Mark, that has been the view, I think, really since we started to put our
collective heads together on this.
But it reminds me of the work that's been done over the last five to seven years,
that because the costs associated with cyber is relatively manageable, we've only had a handful of
companies that have really been permanently or lastingly impacted by cyber risks.
But I think that's changing going forward.
So as interconnectivity rises, as digitization increases, as the tools and
and methods that a hacktivist or a hacker has continues to get more dangerous in the hands of your
average hacker, that the stakes at the table arise.
And so it's something to keep an eye on those tail risks in terms of what is an unusual event.
And what would happen if one of those events took place in a particular region, or with,
within a particular sector, then I think it could change very quickly.
Got it. Okay.
Hey, you know, Leroy, one thing I find a little perplexing in the context of the Russian invasion of Ukraine is there hasn't been more cyber, at least to my cursory, you know, following of what events.
There hasn't been much on the cyber front here, right?
Is that is that right?
And is that surprising to you as well?
I thought we would see a lot more of a response.
And correct me if I'm wrong.
But I think Russia is kind of ground zero for a lot of the cyber issues that originate globally.
Is that correct to say?
That is.
So there's a company called chain analysis.
They do research on cryptocurrencies.
And based on their research in 2021, 74% of the cryptocurrency movements connected with ransomware went to actors who are what they said, Russia affiliated or Russia-enacted.
or Russia connected.
So, yeah, that is the case.
And as for being surprised about the level of cyber activity
in connection with the Russia-Ukraine conflict,
I would say yes and no, no in the sense that there have been a lot of cyberactivity.
Microsoft data blog at the end of April saying that six separate Russia-aligned nation-state
actors have conducted more than 237 what they call operations.
against various Ukrainian entities.
And these includes things like destructive attacks that are impacting civilian welfare.
But I think what most people were expecting are some of these splashier attacks.
So in 2015 and 2016, the Russian military intelligence, again, is accused of turning out the lights in various parts of Ukraine.
There was a not peti attack again that wiped out hundreds of thousands of computers in Ukraine around the world.
So people were expecting really splashy big scale attacks.
And what we've seen have been more moderate, less splashy attacks, nonetheless impactful for people's lives.
And I will say that there's been a lot of attacks back on Russia as well.
Not very impactful.
They've been these DDoS attacks.
So people have been sending lots of traffic, web,
traffic to websites and services in Russia.
They've been stealing tons and tons of data.
One of the more higher profile ones has been the Belarusian or Belarusian, a cyber
activist that have impacted train movements of troops.
So again, not big splashy things, but there has been a significant amount of cyber activity.
Do you know there's state actors, state sponsored in some form actors in the cyber criminal activities?
And then there's this private, non-government related.
Is there any sense of or any data related to how much is the result of one or the other?
Do we know?
Well, one of the really difficult things is that often they're the same, right?
So they might wear one hat during the day.
might be a government or nation state affiliated to hacker.
And then they do some moonlighting in the evening.
And they're financially motivated and using the same techniques
or tactics that they're using in their day job
to pad their pockets.
Before coming to Moody's, I worked at a cyber threat
intelligence company where we actually were in these communities,
where cyber criminals gather to exchange tools, techniques,
tactics, and also to recruit for their various cyber criminal
enterprises. And yeah, it was very difficult to know exactly, well, you don't know what their
identities are. So, but there's been some investigations that have shown extensive links,
particularly in some countries between their cyber forces and cybercriminals and
cyber criminal activity. Yeah, you're a pretty interesting guy. Really interesting.
And Leroy, tell them how it's a business.
You know, these, they have like HR departments and.
No way.
Payroll.
Yeah.
Payroll.
There is a large ransomware gang called the Conti ransomware gang.
And there was just a big leak of internal logs from that organization.
Somebody was able to steal their communications and publish them.
And yeah, you have people writing in saying, hey, I need to take some vacation.
time, going off my family somewhere. It is run just like a business is in many respects.
It's the black market. It's underground. It's the black economy.
Hey, one other question. You may not know the answer, may not want to respond, but how empowering
is crypto to cyber? Is that a big part of empowering the ability to engage in cyber attacks and
get paid? Yeah, especially for ransomware attacks, right? So ransomware attacks have technically
been around since the late 80s. 1989, there was AIDS ransomware that was distributed on
floppy disks to AIDS researchers. But to pay the ransom, you had to send the money to a PO box in
Panama. And it turns out that when you go show up to pick up stolen funds or ransom funds that, you
know, you can be found, and that person, the author behind that attack was caught and put in jail.
When you get the advent, or at least when cryptocurrency started taking off in the early to mid-2010s,
then it became much more feasible for ransomware attacks to happen.
And so that's when you started seeing ransomware attacks against individuals in the like $300 to $400 to amount range.
And then as time has gone on, it's gone into like the tens of millions of dollar range as they've gotten more sophisticated and more targeted than their tax.
Yeah. And what's super interesting about these ransom payments and these criminal organizations is they're largely very disciplined.
They take this money and they reinvested in their business to develop more sophisticated weaponry.
So going back to that one trillion dollar amount, it's a lot of R&D, right?
Oh, geez. That's scary. That thought of that is just really scary.
Oh, goodness. Now, I assume some countries are just better positioned to manage through this than others.
I kind of hope the U.S. is in a good position. But Jim, is that the case? And what makes one country
more susceptible or more impervious to cyber risk than others?
To some degree, everybody is on somewhat of a level playing field in the sense that we're all using the same Internet.
you know, those types of capabilities.
But there's a clear difference between the resources that are available for some of the
developed countries versus some of the more emerging countries that are out there.
The United States in particular is very forward leaning on both offensive and defensive
capabilities. We have very, very sophisticated thinking around this.
And we continue to work with our friends and allies on that.
Yeah, I was reading, I think, in foreign affairs, I can't remember it was around cyber issues.
And one of the points being made was that the U.S. is somewhat insulated because the cyber criminals are fearful of retaliation from the United States.
So that limits the attacks on the U.S. to some degree, or at least the severity of the attacks.
Does that ring true to you?
Does that sound right?
I'm not sure how much that sounds right.
I'm thinking about, I think a lot of the inbound is in the U.S.,
and maybe that's just the function of our society.
But I'm not going to go ahead, Lee.
Yeah, I'll add really quickly that, you know,
for cyber criminals, especially financially motivated ones,
they have this line that they're trying to walk.
They don't want to, they don't want to cause too much
of a splash because then that will bring the full force in mind of the U.S. government down on them.
So you think about, we keep referencing the colonial pipeline incident, in that case, because
it became such a splashy attack, the cyber criminals themselves came out and said, oh, we didn't
mean to, we didn't know it was so important, we didn't mean to hit a pipeline, right?
Like, please back off.
We've heard from some victims of ransomware attacks that are hospitals that they contact the
ransomware gang and say, hey, we're a hospital and the ransomware gangs. Give them the
decryption key and say, hey, you know, we're sorry. Please tell the FBI or whatever that, you know,
we gave you the key because they don't want the heat. Yeah, empathetic cyber criminals. Yeah, right.
Self-interested, cyber criminals. Yeah, self-interested. It makes a lot of sense. I mean,
it's a business, as you said. So they're doing risk management, right? So, you know, like any other good
business they're trying to manage their risks that they face. Good. You know, again,
back to the report you guys did, I thought it was fabulous and, you know, obviously
represented a lot of work, all the survey work that that you did.
Hey, Leslie, based on that, you know, are there some things you learn that companies,
businesses should be doing, could be doing, or not be doing that would, you know,
make them more resilient to managing through cyber threats and risks?
Well, I guess the first thing I say is we're like, at the rating,
agency not in the business of giving cyber defense recommendations. So all I can do is talk to, again,
financial background. But I can talk to some of the findings, what we learned from the folks
that we were able to survey and who generously donated their time to answer us.
largely it seems like they're attuned to cyber risk and there's a cyber operations that are being created within the issuers that we surveyed.
That means that they have a cyber manager and they have a couple of cyber folks working full time within their organization.
And largely they're doing the very bare minimum of what's called cyber hygiene, you know, using multi-factor authentication, scanning their systems.
But once you start looking at more advanced forms of ways to mitigate the risk,
you start seeing a very disparate set of responses based on sectors.
Banking seems to be way ahead of the pack across the board in terms of how they look at how they govern cyber,
in terms of how they manage it from an operational standpoint on day-to-day basis,
and even from a risk transfer standpoint.
On the other end of the spectrum, not surprisingly, the public sector is lagging.
Oh, is that right?
Yeah.
I mean, it's costly, right?
It's a cost center.
So you have limited ways you can allocate a resource in cyber is oftentimes the one that, you know, is probably not the primary focus.
Got it.
Well, that's not very, that's pretty disconcerting that the public sector so.
I guess not surprising, as you point out.
What about risk mitigation here on cyber?
Is there a way companies can.
use the insurance markets or some other form of risk transfer that, you know, to make this,
again, because it feels like this is at this point in time, more of a cost of doing business.
So if there's a way to kind of quantify that and compartmentalize it, then you can transfer
the risk and make it more manageable.
Is that, is that, is that right, that thinking?
And is there any efforts along those lines?
is that is that even a possibility around the cyber risk?
Yes, yes.
So there's this thing called standalone cyber insurance or cyber insurance for short,
which is quite popular.
I think in our survey, I want to say about 80%, 85% of the folks that responded,
said they carried some form of cyber insurance.
That always sounds good.
And there's some financial benefit to it,
but the policy coverages are actually quite small.
but where the rest of the benefit is
is that you get access to a lot of third-party services.
So if you're attacked, you suddenly have access to experts
that can help you with negotiating with the criminals,
facilitating the cryptocurrency payments
and doing all sorts of forensics.
And that's an added benefit.
It's not necessarily direct financial,
but it's avoidance of cost, I guess.
That's beneficial, but it's a very dynamic market.
And maybe Leroy can kind of jump in here, talk about what's happening in the cyber insurance market, because it's changing rapidly.
Yeah, I mean, I think this is a good circle back to my stat.
So I was going to ask about that because I had not forgotten Leroy.
I was going to come back.
But you want to do your stat?
Sure.
I'll do my stat.
And, you know, you have a good hint already that it's something related to cyber insurance.
Yeah.
And the number is 300%.
300%.
Is that the income?
increase in the outstanding amount of risk that's insured over the past 10 years?
No, past five years.
No.
Okay.
Can you give us a hint?
Well, okay.
Is it the increase in premiums?
Oh.
That's it.
Year over year.
Oh, no way.
Yes.
For some of the hardest it.
Wait to go, Jim.
Jim.
Hey, Ryan, that is a Cal Bell moment.
All right.
I got to get it.
Yeah, as a Calvall moment. Very good. That's great, Jim. Fantastic.
300% from like what to what, do you know?
That's year over year for some of the hardest hit by ransomware sectors.
So that includes things like education, government, and manufacturing.
Oh, no, wait. I thought that's the increase in the premium.
Exactly. Year of year, the increase in premium.
The premium last year,
was $10,000 and this year it was 300%.
$30,000?
Yeah, exactly.
Something like that.
Yeah.
Oh my gosh.
And at the same time, the coverage is shrinking for some of these hardest hit sectors.
Because when you have to remember that, sorry, that cyber insurance for a long time was
focused primarily on first errors and emissions and then on data breaches.
And those do not have the same sort of.
loss magnitude as ransomware attacks have had. And one of the biggest drivers of that impact
is the business interruption that comes from that. And so the insurance companies, they just
weren't ready for it. And they experienced heavy losses. It wasn't profitable for a number of
for a number of cyber insurers. And some have even exited the cyber insurance market because
they decided it's just not. It's they can't continue to carry it.
Yeah, exactly.
Yeah, interesting.
Okay.
Hey, Ryan and Chris, did you guys come up with the statistics?
Did you have a statistic you wanted to throw out to the group?
I have one.
Did you?
Chris can go ahead.
Oh, go ahead, Ryan.
And then I do want to end.
I want to end on a high note.
I'm going to ask each of you guys, give me some good news, okay, please, some good news.
Okay.
All right, Chris, what's your number?
1834.
1834.
Yep.
Not the date, not the year 1834.
It is a year.
Is the year 1834?
Yes.
Are you kidding me?
1834?
Yep.
1834.
1834.
That might be the worst stat ever used.
It's related, hold it, wait, it's related to cyber.
Yes.
Yes.
Oh, is 1834 the name of a form of hacking?
Nope.
Okay.
Is 1834 the name of a criminal cyber group?
No.
No.
I think there was some event that happened in 1834.
Yes.
There you go.
Of course events in 1834.
Cyber related.
It was, I think it was some sort of information manipulation or is, am I in the right track?
Yeah.
Yeah.
Yeah.
Apparently.
Do you want me to give up?
Yeah, go ahead.
I give up.
All right.
Apparently the French telegraph system.
was hacked in 1834.
That's good. That might have been the first cyber attack in history.
Mondeu.
Leroy, Leroy gets a bell, Ryan.
He does.
He definitely does.
That's pretty darn good.
That's impressive.
That is impressive.
Yeah.
All right.
Very good.
Chris, what's, I mean, Ryan, what is yours?
What's your number?
5% to 35%.
5% to 35%?
Okay.
So it's a range.
It's derange.
And it's cyber related.
It is.
Do you guys know?
Any guys, any guesses?
Can you give us a hint without giving it away?
We kind of touched on it on some of the interconnective.
Probability of a cyber event, major cyber event.
in the next year?
Nope, no.
The percent of people who fail fishing tests in the sector, by industry,
5 percent is the low, 5, 35 percent is the high?
No.
I'll give you one more hint.
Okay.
It was, this estimate comes from the Federal Reserve.
Oh, that's interesting.
interesting.
Cost to businesses or consumers?
Cyber costs is a percent of sales.
No, it's actually the amount of the impact on the Fed's payment system, 5% to 35%
or the payment system would be down if one financial institution would happen.
Oh, that's interesting.
That's a good one.
That is a good one.
That's a good one.
Yeah.
So we need to see it one more time.
Five percent to 35 percent of the Fed's payment system would go down if there's one attack on a financial institution.
It's got to be a major.
Major, yeah.
Well, that's interesting.
Is that the Dallas Fed did that, Brian?
Maybe.
I got a double check.
I don't forget.
Okay.
That was good.
Excellent.
All right. So good news. Any good news here, guys? Let's go around the group from MIS. Jim, any good news?
There is good news. The good news is you don't have to be a cyber technician to understand cyber risk. And we see more and more companies adopting the cyber into the traditional risk management frameworks that these companies operate under.
because cyber risk is an enterprise-wide risk.
It does reside at the board of directors or the trustees and things of that nature.
And so we see CFO is getting more involved in making sure that they have the ability to talk about cyber
in the same dollars and cents way that they talk about other risks.
And they are making estimates on losses and they are making estimates on investments,
which may or may not have, you know, revenue growth or volume growth associated with it,
but certainly has volume protection or.
revenue protection associated with it.
And so they're moving in the direction of being able to articulate that through the
traditional rate risk management systems that they have.
I think that's a really good piece in news.
That is.
You know, I'm on a couple of words, and I'll have to say hypervigilant about cyber risk,
of all the risks, and I'm not sure he's even rational how sensitive we are to cyber,
given all the other risks that we face.
But that's the one thing you just don't want to ask.
happen, is that, you know, have a ransomware threat.
So very, very, you know, goes through auditing, have auditors come in, take a look at
your processes, making sure that there's no gaps or no holes, you know, making sure that
we're filling any holes as rapidly as you can.
So that, you know, just based on my very limited experience, it feels like, you know,
U.S. companies and businesses are really focused on this as an issue.
Yeah.
Leroy, any good news?
Yes.
And coming from you, this really means something.
So my piece of good news is that based on the results from our cyber survey,
most of the vast majority of the organizations that we spoke with are implementing the basic
cybersecurity practices.
So again, things like weekly backups, having an incident response plan using multifactor
authentication.
And that's really good news because the majority of cyber attacks.
that are happening are basic and they can be thwarted using these basic techniques.
And so it's good to see that there's such a widespread adoption.
That's my wife slinking back here, just so you know.
That's a good one.
That's a really good one.
And Leslie, lead us out with really, really good news.
Great.
So what I would say is there's new SEC guidance out there for cyberdisclose.
which means that we should start getting more data about the cyber events, which is in our view very positive.
We can do better modeling.
Better modeling means better decision-making.
So there's a big movement towards more integrating cyber risk quantification so that you can kind of estimate your dollars at risk based on different types of scenarios.
And then you can prioritize your investments in cyber, which should lead to much better outcomes going on.
When are we going to get more SEC information from the SEC?
Do you know?
When's that?
They are in the review period right now.
I believe the review period ends in June.
Okay.
And part of the guidance that they put forward is that you need to disclose material
cyber attacks within the four days of determining that they are material.
Great.
Well, that's encouraging.
Yeah, that is good news.
So, okay, we covered a lot of ground here.
Anything that you think we missed?
Just kind of an open-ended question, just in case I didn't miss any.
I miss something that we should talk about.
Anything, Jim, Leroy, Leslie, Chris, Ryan, anything?
No?
Okay.
All right.
I have one question.
Yeah, far away.
Good question.
Economics related.
And I don't think there's a known answer here.
Do you think that cyber attacks go up or down in recessions?
Are they pros, pro-cyclical or counter-sical?
That's interesting.
I'm going to go with, they're going to go up.
like all crime right probably i think crime actually goes down in recession right people are at home
right there's a property crime maybe oh oh yeah maybe yeah oh i thought okay that's interesting
so your instinct is that they'll go up in in the downturns this is a source of income revenue
yeah that's just also because the trend has been off and it continues to go up yeah you know
okay so there's no connection then it's just it might be disconnected
It might be disconnected.
Okay, very good.
Well, I want to thank you guys for spending so much time with this and really appreciate it and learned a lot.
And looking forward to your next study.
It sounds like you've got a lot of work here ongoing and doing a lot of really great work.
So thank you for that.
And with that, we're going to call this a podcast.
Thank you, everyone.