Moody's Talks - Inside Economics
CPI, Cyber and Colyar (Colly-yer)
In this wide-ranging podcast, we tackle the CPI inflation report, the mounting threat posed by cyberattacks on the financial system and broader economy, and the regulatory response. Jill Cetina and Lesley Ritter of Moody’s Investor Service and Joe Lyons of BitSight join us with their insights. And we finally learn how to pronounce Matt’s last name.
Follow Mark Zandi @MarkZandi, Cris deRitis @MiddleWayEcon, and Marisa DiNatale on LinkedIn for additional insight.
Mark Zandi: Welcome to Inside Economics. I'm Mark Zandi, the chief economist of Moody's Analytics, and we've got an action-packed podcast.
We had the CPI report come out this past week, the Consumer Price Index inflation report, and we're going to talk a little bit about that. Then we're going to dive right into a topic that we're spending a fair amount of time on. It's cybersecurity, and what it means for the financial system and economy. We've done some good work there, and invited a few guests to talk about cyber and the threat that it poses the economy.
Before we do that, let's dive right into the inflation report. As you can tell, guys, Marisa, Cris, no banter, no chit-chat. We're down to business here.
Marisa DiNatale: Very serious.
Mark Zandi: Unless there's something important that's happened in your lives that you want everyone to know about.
Cris DeRitis: No, there's nothing important in our lives, just ...
Mark Zandi: Okay.
Marisa DiNatale: Just the CPI.
Cris DeRitis: The CPIs.
Mark Zandi: Just the CPI report. We've got Matt ...
Matt Colyar: [inaudible 00:01:11]
Mark Zandi: Colyar. I got the last name right. Colyar, right?
Matt Colyar: Okay.
Mark Zandi: No? Oh, geez.
Matt Colyar: Marisa?
Marisa DiNatale: Colyar.
Matt Colyar: Yeah. There we go.
Mark Zandi: Colyar. Matt Colyar.
Matt Colyar: Nice.
Mark Zandi: There's more about that later in the podcast. We recorded the cyber before we recorded this. I won't belabor the point, but you'll hear more about Matt's name shortly. Matt-
Cris DeRitis: Stay tuned.
Mark Zandi: What's that?
Cris DeRitis: Stay tuned.
Mark Zandi: Stay tuned? Stay tuned. As you can tell, we're getting a little punchy because this is Friday afternoon before Martin Luther King birthday weekend. We're getting a little punchy here.
Let's talk about the inflation report. I think the way to characterize it is it was a little on the hot side, meaning inflation came in a little stronger than anticipated, kind of on the margin. I think we were expecting top-line CPI inflation to increase in the month of December by three tenths of a percent, core CPI excluding food and energy to come in at two tenths of a percent, and both came in at three tenths, kind of on the high side of three-tenths, if you kind of look at the second or third significant condition.
A little bit on the high side, but this comes after a string of very good inflation reports. I don't even think I'd characterize this as a bad report, it's just not quite as good as we anticipated.
What I thought we would do to help the listener is go through those parts of the CPI report that were surprising. Why was inflation a little bit hotter? Because I think there's a lot of things to learn there, and a lot of important messages.
First of all, I'm going to turn to you, Matt. Did I characterize the report correctly? I should say, on a year-over-year basis, I think top-line CPI is now 3.4%. Is that right, Matt? I think it's 3.4.
Matt Colyar: Could be 3.
Mark Zandi: Is it 3.3?
Matt Colyar: Yeah.
Mark Zandi: I think whether it's seasonally adjusted or unadjusted. The core year-over-year is now 3.8, I want to say. Something like that? Am I doing the right-
Matt Colyar: 3.9. I believe, but-
Mark Zandi: 3.9? Okay. 3.9.
Matt Colyar: Right there. Under 4. It starts with a 3.
Mark Zandi: Okay. It starts with a 3 for the first time in a long time. First of all, did I characterize it right, that it was on the hot side, hotter than we expected, but no big deal? It's still consistent with the idea that inflation is going to continue to moderate here. Is that-
Matt Colyar: Absolutely a fair characterization.
Mark Zandi: Okay. Marisa, Cris, any objection to that characterization? None? Hearing none. Okay. Fine.
Okay. I think the biggest surprise why inflation came in on the hot side was the growth in the cost of housing services, which is a very large component of CPI.
My sense of it is that, if I had to rank order the reasons why inflation came in a little bit hotter than anticipated, the number one reason was that the growth and the cost of housing services was ... It actually picked up in December, as opposed to decelerating further as we had anticipated. Is that correct?
Matt Colyar: That's fair. Owners and people that rent ... Shelter costs are all still buoyant, not coming down, and a major contributor to inflation.
Mark Zandi: Okay. We've had this long-standing view that the growth in the cost of housing services as measured in the consumer price index, again, it's over a third of the index, is ultimately tied by the Bureau of Labor Statistics, the keeper of the data, back to market rents. If you look at market rents, they are flat to down for about a year.
All signs are that that will continue for at least another year because a lot of supply in the multifamily market, we've talked about this in the past, coming to market. Vacancy rates are going to rise, put downward pressure on rent. We expect that weakness in rents to start showing up in much slower growth in the cost of housing services as measured by the CPI. Is that roughly right?
Matt Colyar: Yeah. Absolutely. To buttress that, you take shelter out, and we're at where the Fed wants to be, already about 2%, a little under 2% now. That's not the first time we've been there.
It's been a few months. This anticipated decline hasn't happened. Or it's happening, but happening slowly, so the conversation is, "Why is it stickier than anticipated?"
Mark Zandi: Yeah. You make a great point. If you take CPI, exclude food and energy, get to core and then throw out shelter ... I know we're throwing out a lot of stuff, but it makes a point. CPI inflation year over year is, I think, no more than 2%, or it's very close to 2%.
Cris DeRitis: 1.9.
Mark Zandi: 1.9%. If the growth in the cost of housing services was simply back to something more typical, normal, that would suggest that, all else being equal, we would be back to target. I think people take a lot of solace, particularly in the context of ... We feel confident that the growth in the cost of housing service is going to slow, because it's almost an accounting exercise. It's not really an economic forecast.
Do you agree with that, Matt? I know I'm leading the witness here, but I'm actually going to get to a question where you can riff a little bit. Is that-
Matt Colyar: Yeah. The third-party rent indexes that you're referencing, that everybody references, you look at -1, 0, 1, 2% year-over-year growth, it's been about a year that that's been the case. It is a calculation method, the way the BLS looks at rent, the way that they use that same calculation or similar calculation to determine owner's equivalent rent, which is what a homeowner could rent their house for. All of this is predicated on rent growth, and we have this really reliable data to say that that moderation has been ongoing. Yes, I certainly agree.
Mark Zandi: Okay. Here's the question. Why isn't the growth in the cost of housing services slowing more quickly? What's the deal? Is it just a measurement thing, seasonal adjustment issue? Are we missing something? Should I be nervous that my confidence that the growth in the cost of housing service is going to continue to decelerate because that's what I see in rents? Am I missing something?
Matt Colyar: It's certainly not something with a ton of history to rely on and say, "After 11 months," or, "12 months," or, "13 months, this is the deceleration in the CPI with the BLS." The official statistics are going to say ... I've heard relatively persuasive theories as to why it's been happening a little bit more slowly than we're thinking. There's what the group-
Mark Zandi: What's that? What's the theory?
Matt Colyar: That the BLS has been really behind on price appreciation, housing inflation, and so the two peaks of rental growth, and from Zillow's apartment list. That gap is going to be a little bit wider than 12 months, because the BLS is still playing catch-up on housing inflation that already happened. Subsequently, the ending of rent growth is taking longer to show up as well.
That's a theory. I think it's relatively persuasive, but curious what the group here thinks.
Mark Zandi: Cris, what do you think? Should we be worried about this, that it's overly ... Is it persistent meaning that it's not going to slow, or at least not slow to the degree that we need it to get back to target?
Cris DeRitis: I think it's a measurement issue [inaudible 00:09:14].
Mark Zandi: Issue with measurements?
Cris DeRitis: It is possible that that measurement issue is going to persist, though, so you might see this very elongated recovery period here. I'm sympathetic to this idea that ... This is an unprecedented run-up in rents over this period as well. We had this huge spike. Maybe there is this lagged effect in terms of the CPI picking it up.
My other theory, and I have no basis to prove this, is that concessions may be difficult to measure as well. A lot of the rent decreases we're seeing aren't actually marking down the monthly rent, just giving a month or two of free rent.
Maybe the data doesn't really pick that up properly. You're just seeing the actual rental price, but it's not accounting for that discount. I don't know. Again, a pet theory. I don't know if that's ... We're not measuring the effective rent here, we're measuring the stated rent. It may be-
Mark Zandi: Survey data may not be ... I think the question is designed to try to capture that, but I worry that the methods or the responses may not actually be stating that. Or, if there's an upgrade to the unit, how do you account for that? There are other concessions that might be out there that potentially aren't fully captured in the survey. I'm little bit ... Speculation.
Cris DeRitis: Yeah. I know you're stretching. That's what ... Yeah. Right. Trying to square the circle, right?
Mark Zandi: Square the circle. Yeah.
Cris DeRitis: Because you have these market signals that are very strong. They're across all the surveys, it's not just one or two surveys. Every survey is saying rent growth has slowed in terms of market rents, and then the CPI is saying something quite different.
Mark Zandi: Then we'll move on because I don't want to belabor the point, but could it be that we're seeing the weakness in rents in the high end of the rental market? That's where all the supply is, right? The affordable rental market's tight as a drum. There's just no space. But, at the higher end, we put up a lot of towers, these big towers in big urban areas.
There's this really significant bifurcation in the rental market, and BLS is maybe not picking up ... Because it was more focused on the affordable part of the market and not picking up this weakness in rents at the high end. Does that resonate at all, Cris?
Cris DeRitis: It's possible.
Mark Zandi: Possible.
Cris DeRitis: Or that the weighting between those ...
Mark Zandi: Weighting between.
Cris DeRitis: Different markets may not be ... Things maybe shifting around quickly, and not capturing it properly.
Mark Zandi: Right. Yeah. Okay. I think we need to do more work here. Marisa, anything you want to weigh in on this particular point?
Marisa DiNatale: Yeah. I'll just say that I agree. This is not happening as quickly as we thought it would. But, with regard to the December CPI report, if you dig into the details of the shelter numbers, rent for primary residence ... Growth in prices actually decelerated over the month. All of the acceleration in shelter prices was coming from hotels, so it was not ... OER stayed the same.
Mark Zandi: I missed that. I did. I missed that. Interesting. Okay.
Marisa DiNatale: OER was the same as it was in November, .5% month over month. Rent of primary residence actually decelerated over the month. That tick up in shelter was just lodging away from home.
Mark Zandi: Got it. Okay. It doesn't explain it completely, but it helps it make it less perplexing. Okay.
Marisa DiNatale: Doesn't explain the longer trajectory of why it isn't coming down faster, but it ...
Mark Zandi: Right. Explains December to some degree.
Marisa DiNatale: Makes me feel a little better about the December report.
Mark Zandi: Yeah. Right. Okay.
Going back, the second thing on the list of surprises ... First, number one is the cost of housing. The second is ... This is me speaking. Maybe I've got this wrong, but new vehicle prices. I thought new vehicle prices would decline. They had started to roll over. I think they declined back in November. Feels like they're starting ... Everything suggests that they should, because we're seeing improvements in global production, inventories of cars on dealer lots is starting to rise.
I think it's at least back to what you would expect in a typical market. That all this would start to put downward pressure on new vehicle prices, which went skyward during the pandemic, during the shortages, but we did not see that in the month of December. Matt, any comments on that?
Matt Colyar: This, I think, is confounding as well. Used cars isn't too different. I think, in December, both ran contrary to what you would expect, but for all those reasons you outlined. Inventories rebuilding. Incentives are on the rise. I'm a car dealer, how I'm trying to get you to sell that car. I'm doing more and more to do that, which ... The intuition there is that that's working against the price, whether it's captured in MSRP or not.
Those are the kinds of things that happen when supply is all caught up, so you would expect prices to go down. Perhaps there's some measurements seasonality, post-pandemic stuff happening. Again, it's difficult to say.
Again, I put out used cars. I think there's similar head-scratching things there, but both contributed to the core CPI going three-tenths of percentage point as opposed to the two-tenths that we and consensus expected.
Mark Zandi: But you're not changing your forecast. Do you still think new vehicle prices are going to come in as inventories continue to rise?
Matt Colyar: I do. I think ... The BLS just announced they're changing their methodology a little bit for how they're calculating used vehicle prices. It's total speculation that that's because they're confused too, but there is some weirdness there that I think the fundamentals in, again, the inventory rebuild being biggest, the supply chain stuff that pushed prices up way up in 2021, 2022.
That stuff's behind us. It's really hard to imagine why prices would not moderate.
Mark Zandi: Got it. Marisa, Cris, anything on the new vehicle prices you want to mention, or used vehicle prices? I do think this is important not only because of car prices, but new vehicle prices also impact the cost of maintenance, cost of car insurance, and these things have risen very sharply as well. Anything else you'd like to add? No? Okay.
Cris DeRitis: No. I get worried, though, when we start attributing everything to measurement, right?
Mark Zandi: Yeah. Right.
Cris DeRitis: But I think ... Doesn't really fit-
Mark Zandi: Generally I would agree, but here we are, we're debating to the second significant digit, right?
Cris DeRitis: Yeah.
Mark Zandi: When you're trying to understand to the second significant digit, then you got to into the ...
Cris DeRitis: Fair enough.
Mark Zandi: Okay. Third on the list is the electricity prices. They jumped strongly. The narrative I have in my mind there is that reflects the bump-up in natural gas prices that occurred back over the last couple, three months.
We saw ... I think natural gas was closer to $2 per million BTU a few months ago. Now we're at closer to the 3. Still very low in the grand historical scheme of things, but that bump-up is what's reflected in that.
Because 60% of electricity generation ... I'm making that number up, but roughly 60% of electricity generation in the US is natural gas powered. That's what's behind this. Which, if that's the case, natural gas prices I don't think are going anywhere. They're roughly where they're going to be. We'll start to see electricity prices ... The increase start to moderate as well. Matt, what do you think?
Matt Colyar: That's how I would characterize it. Prices started to come down in December and have risen a little bit in January, but that's a month or two down the road problem, I would say. You're not going to have the same increase in January CPI from electricity prices.
The rest of the components of energy, gasoline, relatively stable in recent weeks. Some geopolitical challenges there, but have so far not proven to be a meaningful impact. Your read is how I see it as well.
Mark Zandi: Okay. Cris? Marisa? Anything on that one, on electricity prices? No? Okay.
Cris DeRitis: That makes sense.
Mark Zandi: Yeah. We're now really descending into the weeds. Okay. I want to ask you about what is happening over in the Middle East around the Houthi attack and what that might mean for inflation here, if anything.
Before I do that, Matt, is there anything on that list that I didn't mention that contributed meaningfully to the miss in terms of inflation coming in a little hotter than anticipated? Did they miss anything?
Matt Colyar: No. Maybe rank ordering the vehicle ... Misjudging the vehicle prices trends, I think, is really interesting and consequential, but shelter's massively important as well.
Mark Zandi: You would've said vehicle miss was number one?
Matt Colyar: As I say that, I think the weight that shelter has in CPI ... It would be difficult to say that anything could be more important if there's a gap there. Yeah, vehicle prices are really interesting. Potentially something could change, the next few months.
Mark Zandi: The Houthi attack on shipping in the Red Sea. Of course, the US, UK, and allies have responded. That's creating a fair amount of angst that that's going to ... Because of the disruption and the added cost of avoiding the Red Sea as ships go around South Africa, how big a deal is this in terms of what it means for inflation here back in the United States? Matt, do you have a view on that?
Matt Colyar: The primary channel in the US for sure was always going to be in energy markets. Not the only channel, but the primary channel. Mid-December, you have these announcements that commercial cargo is starting to reroute away from the Suez Canal. Insurance costs have gone up really high. It just wasn't practical to ship through there anymore. But there wasn't a huge run-up in oil prices, and certainly nothing showing up in December CPI report, as we wouldn't have expected it to.
Moving forward, I think it's a marginal effect. I think the US is a little better insulated than, say, Europe and Asia, just based off the way that we get our goods compared to the Eurasian continent. It's just too small share of goods for the US, so not expecting to see any kind of goods inflation returning, as if this were anything reminiscent of the 2021 supply chain issues.
Again, on the margins, there's a few reasons for that that we can discuss. Some of it comes from the pandemic. There's investments in adaptability to make your business's supplier network a little bit more resilient. The increase in container ship capacity, which was a binding constraint in 2021, 2022. Those things are less of an issue now, and should make the run-up in prices a little less dramatic if this were to be protracted and disruptive affair.
Mark Zandi: I suppose you can construct darker scenarios where all the shipping through the Red Sea is shut down, and Iran's engulfed in the conflict, and their oil is disrupted, and so forth and so on. You've got to think that this is going to bleed out in a much more significant way before it does a lot of damage.
Cris, Marisa, do you have any different perspective on that? Is that consistent with your views as well? Yeah? Kind of on the margin? Okay.
Bottom line, it feels like, "Yeah, I wish the inflation report was a little bit better than it was," but it wasn't that bad. It was kind of close, a little hotter than expected, but it doesn't change anybody's forecast. Inflation feels like it's coming in to a ... Inconsistent with a soft landing. Is that roughly right? Anyone disagree with that kind of characterization? Cris, any pushback on that?
Cris DeRitis: Not real pushback. As we think about Fed policy, March seems a little less likely now in terms of a first cut, given this report, but it's still early days here.
Mark Zandi: Yeah. I saw today, because the PPI, the Producer Price Index, came out today. CPI came out on Thursday, PPI today. That was surprisingly soft, right?
Cris DeRitis: Negative. Yeah.
Mark Zandi: Yeah. I saw the futures markets for ... What's the probability of a March rate cut? It's now over 80%. Not that that's right or that's what's going to happen, but that's market expectation, moving that direction.
Okay. I think we're going to end the conversation there around the inflation report and turn to the topic at hand. That's cyber risk, and what it means for the financial system and the economy.
Let's welcome our star-studded cast of folks to talk about cyber risk and what it means for the economy. Let me begin with you, Joe. Joe Lyons. Good to see you.
Joe Lyons: Hi.
Mark Zandi: You're with Bitsight?
Joe Lyons: Yeah. I'm with Bitsight. Currently, I'm a senior director at Bitsight focusing on the application of cybersecurity data into financial models.
Mark Zandi: Before Bitsight, I understand you were a Moody's employee. You were a so-called ethical hacker, so you were trying to hack in to figure out where our vulnerabilities were at Moody's in ...
Joe Lyons: Yeah. Exactly. Before Bitsight, I spent a number of years as a cybersecurity practitioner, both on the offensive and defensive side of security. Most recent stint was at Moody's as an offensive security person, attempting to hack Moody's on behalf of Moody's to make sure that Moody's was secure.
Mark Zandi: Joe, did you ever try to hack me? I'm just asking.
Joe Lyons: Not that I'd tell you about.
Marisa DiNatale: Somebody did hack your Twitter, Mark. Maybe it was Joe, right?
Mark Zandi: It could have been. Twitter's going in a pretty tough direction here. I'm getting ... There's doppelgangers all over the place, apparently. Very difficult to control.
It's good to have you, Joe. Thanks for coming on. We've got Jill Cetina. Jill, good to see you.
Jill Cetina: Yeah. Thanks, Mark.
Mark Zandi: Jill is with us at Moody's, but you came from the Federal Reserve system. You were there before you came here, is that right?
Jill Cetina: Yes, that's right. I had worked at the Fed as a vice president in supervision most recently before I joined Moody's. Also spent some time at the OCC, which is one of the other federal banking regulators, and also the Office of Financial Research, which is tasked with thinking about financial stability risk.
Mark Zandi: I think of you as all things banking, all things financial system. Cyber is, what, a sideline, or is that a major part of what you're doing?
Jill Cetina: A bit less-
Mark Zandi: Because you know everything about ... Everything that you want to know about the ... In fact, I got a gazillion questions about the financial system, but that's for another podcast.
Jill Cetina: Okay. I look forward to that, Mark.
Just to take a step back, I had the group at the Office of Financial Research that did research on cyber and financial stability when I was there. Then, also, when I was in the Dallas Fed, I had responsibility for IT/cyber supervision. That was for about four years.
Mark Zandi: [inaudible 00:25:15]
Jill Cetina: Thought about the topic a bit in both of those contexts.
Mark Zandi: Good to have you on board.
Lesley Ritter. Lesley, you are definitely all things cyber, right, at Moody's?
Lesley Ritter: I am all things cyber, all things credit rating agency, I believe.
Mark Zandi: In cyber that you do in the rating agency, you're involved with all of that?
Lesley Ritter: Yeah. We stood up a cyber credit risk team, as we call it, about four years ago, looking to think about how cyber impacts credit. That's where I sit, and that's what I-
Mark Zandi: Yeah. Jim Hempstead, is he in your world? He's ...
Lesley Ritter: Yeah. He used to be part of our world. Now he's moved on to bigger mandates, and so I come and try to fill his shoes.
Mark Zandi: Got it. It's good to have you on board.
We've got two of our own, Jesse Rogers and Matt ... Oh, gosh. Colyar.
Matt Colyar: Close enough. Yeah. Sorry, but ...
Mark Zandi: No, I got that wrong? What is it? Colyar?
Matt Colyar: Colyar. Yeah.
Mark Zandi: Colyar.
Matt Colyar: [inaudible 00:26:18]
Mark Zandi: Here's the weird thing. How long have you been with us, Matt?
Matt Colyar: Four years.
Mark Zandi: Four years. In four years, he's never tried to correct me when I call him Colyar. What was the catalyst for saying, "Hey, guys, you're mispronouncing my last name"? What was the straw?
Matt Colyar: I don't correct people often. Everyone gets it wrong. I think it's spelled wrong, my last name, but I can't change it at this point, so ... I don't know.
Mark Zandi: It is spelled wrong. You're right.
Matt Colyar: I think so. The Y catches everybody's eye, and they get hung up on it, but ... I don't know. I just thought maybe it's time to correct it.
Mark Zandi: It's time to do that. What nationality is that?
Matt Colyar: I believe English. There's some ties there, but not-
Mark Zandi: That wasn't a trick question. I thought you would know the answer to that.
Matt Colyar: Yeah. I don't know. I think English. We'll go with that. Western European.
Mark Zandi: Okay. We got Jesse. Hey, Jesse. Good to see you.
Jesse Rogers: Hey, Mark. Good afternoon.
Mark Zandi: It is good afternoon. You're headed to Mexico City pretty soon for us, right? You're going to be managing operations down there.
Jesse Rogers: That's right. It's like a jet-setter in one direction.
Mark Zandi: Yeah. Matt and Jesse just finished a piece on cyber and the financial system, and trying to suss out the impact on the economy. We'll definitely come back to that.
I thought maybe we can begin the conversation with you, Lesley. Good timing, right? Because you, the rating agency, just came out with a good piece on the outlook for cyber for 2024. Maybe I could just turn it to you. What'd you find?
Lesley Ritter: Yeah. Sure. It's perfect timing for us to ... hot off the presses. On Wednesday, we published our fourth now cyber outlook. This is for 2024, of course. It's on the website, if anybody's interested.
We found a lot of things, but I think I want to focus in on three key points. The first one is that the cyber risk landscape is really about to undergo some very important changes driven by transformative technological advancements. By that I mean GenAI, and quantum computing is also starting to rear its head there. If you think about these changes happening, they're also happening against the backdrop of very challenging macroeconomic environments, which are putting some downward pressure on cyber budgets.
What we're closely watching is, how are our companies that we rate balancing these two? On one side you have heightened demand for capital to invest in cyber, because GenAI and quantum are going to, in truth, mean more cyber risk. On the other side of the equation, you expected more limited capital to be allocated to cyber. It would be the first time we see a reduction in capital potentially going towards cyber.
Over the past five years when we just completed a survey, we saw about a 70% increase in cyber budgets over the past five years. Now we're seeing this dipping down. It's a big change-
Mark Zandi: That doesn't sound like a lot. 7%?
Lesley Ritter: 70. Seven, zero. [inaudible 00:29:21]
Mark Zandi: 70. Okay. That sounds like a lot.
Lesley Ritter: That sounds like a lot, right? How are these two competing trends going to be balanced? It could lead to some very difficult decisions that could have very long-term competitive implications for the companies that we look at.
The second point that we highlighted, and I think Jill will have a lot to say on that, is about what's happening in the regulatory arena. There's a number of pretty ambitious cyber regulations that have just gone or are about to go into effect. Here I'm really thinking about the SEC cyber disclosure rules that went into effect in December of 2023, so just a few weeks ago. The other one is the DORA regulation that applies to the European financial services system that is still being finalized, but it's going to be going into effect in January of 2025.
Mark Zandi: Here's a test. DORA means ... What does-
Lesley Ritter: DORA? The-
Mark Zandi: It's an acronym for ...
Lesley Ritter: It stands for the Digital-
Mark Zandi: You're searching. You don't ...
Lesley Ritter: I'm looking for the-
Mark Zandi: Gotcha.
Lesley Ritter: Digital Operational Risk something.
Mark Zandi: Assessment. No?
Lesley Ritter: No.
Mark Zandi: Okay.
Lesley Ritter: But, at the core of it, both of them are trying to do very important work. They're trying to introduce more transparency and more structure in terms of how companies are impacted and how they mitigate against cyber risk.
From a credit standpoint, obviously we see that really positively. At the same time, we have to recognize that implementing and adhering to these regulations is going to be difficult because there's a lot of room for interpretation. There's a lot of potential pitfalls that come with that. Disclosing more information that you want ... That could potentially be exploited by cyberattackers.
This is a new area to watch. It's starting with some of the big sectors, and we think it's going to spread to other sectors over time.
Mark Zandi: You said three. I counted two.
Lesley Ritter: That's two. Yeah. The last one ... I have to end on a positive, because there's so much doom and gloom with cyber typically. That has to do with what's happening in the cyber insurance space.
Here, finally, after years of very steep increases in the cost of cyber insurance premiums, think 300 percent in some cases, those prices are finally leveling off and stabilizing. That's really good because companies are very eager to carry cyber insurance, and it was becoming exceedingly costly for them to carry it. Now that the prices are stabilizing, they can access it again.
Actually, even companies that weren't able to enter the market before now are able to buy those kinds of cyber insurance policies. This is particularly helpful to small and medium-sized companies that often see cyber insurance as their first line of defense in terms of cyber risk management.
Mark Zandi: Lesley, I haven't had a chance to read the piece in its totality, but, like most people, I think, I'm not weird in any way, I go right to the charts. One of the charts that struck me was ... It looks like the number of cyberattacks is down. Is that right? It felt like a peak back ... When? 2020, '21? Or did I misread that, or what's going on there?
Lesley Ritter: Yeah. I think, Joe, feel free to chime in here, because I'm sure you'll have a lot to say there too.
In 2022, we saw them come down. That was really more tied to the fact that some of the very active attackers were disbanded through some different governmental operations, let's put it this way.
Mark Zandi: Can you say that again? You were ...
Lesley Ritter: A lot of the very prolific attackers ...
Mark Zandi: Prolific attackers. Okay.
Lesley Ritter: In 2022 were disbanded.
Mark Zandi: Okay.
Lesley Ritter: Through some covert [inaudible 00:33:24]-
Mark Zandi: These are state actors that disbanded ...
Lesley Ritter: Loosely affiliated state actors, let's put it that way.
Mark Zandi: Okay. You're being a little coy, but tell us why you're being coy.
Lesley Ritter: Because we're not into the business of attribution or talking about where they're coming from, that's why. It doesn't really have any bearing on our analysis.
Mark Zandi: Got it.
Lesley Ritter: But to answer your question, I have to highlight the fact that there were very active groups that were disbanded. [inaudible 00:33:52]
Mark Zandi: If we were out at a bar, and you had a cocktail or two and we're just talking, you would tell me who you think this is, but you're not going to tell me on this podcast who you think is ...
Lesley Ritter: You can very easily Google it, but I'm not going to say it at that-
Mark Zandi: Easily Google it. Okay. All right.
Lesley Ritter: But, post 2020-
Mark Zandi: Joe was going to spill the beans right away.
Joe Lyons: No attribution for me. I'm trying to [inaudible 00:34:14]-
Mark Zandi: No, you don't attribute either. Okay.
Lesley Ritter: We're [inaudible 00:34:16].
Joe Lyons: I know nothing.
Mark Zandi: You know nothing. Right.
Lesley Ritter: But I think what's interesting is, these players ... They didn't disappear. They regrouped and they got back together. Then, in 2023, we started to see an uptick in attacks as well. That's why the chart you see is a bit misleading. Attacks for 2023 ... I think we haven't finished tabulating them, but they're up from 2022.
Mark Zandi: Got it.
Lesley Ritter: Just anecdotally, if you look at what's happening in the news, especially the past few months, it's been relentless. Every other day is another big company disclosing some kind of ransomware attack or data breach. It has not slowed down.
Mark Zandi: Cyber is not becoming less of an issue, it's becoming steadily more of an issue, and all the trend lines here look pretty scary. I don't want to put words in your mouth, but ...
I know rating agencies are ... You guys there, you're cautious in how you say it. But we should be worried about this, is what you're saying?
Lesley Ritter: Yes, because think about what's happening with the trends in technology, and digitization, and GenAI. This is all growing the digital footprints that can be exploited by attackers.
Mark Zandi: Got it.
Lesley Ritter: Unless it's properly secured, it will be exploited.
Jill Cetina: Yeah. No, I'm going to-
Mark Zandi: Look ... Go ahead, Jill.
Jill Cetina: Sorry to-
Mark Zandi: Go ahead.
Jill Cetina: I was going to just say, another way of thinking about what Lesley is saying is the attack surface is just ... It gets bigger every year. Then, also, I think companies also face pressure to innovate around some of these new technologies. Innovation, of course, can be very positive, but bringing the cyber risk in at the backend after you've done the innovation then becomes costly to remediate, as opposed to starting with managing cyber risk as a first principle in mind. I don't know.
Mark Zandi: Are you talking, Jill, about AI and quantum computing as innovation, and because companies are all in on that, they're diving ahead, that they're exposing themselves to increased cyber risk? Is that what you mean?
Jill Cetina: Yeah. That, or having the fintech partner.
Mark Zandi: I see.
Jill Cetina: You open up a system between you and some of your fintech partners, things like that can ... Again, if you start first with the innovation and don't have the risk management as a piece at the front end of the project, then you got to remediate it on the backend and it becomes costly. But that's just my perspective on things like-
Mark Zandi: Let's talk about AI, because that's come on the scene here very quickly. I know, Joe, you've done a fair amount of work trying to understand ... Is AI a plus or a negative when it comes to cyber, and how that's all going to play out here going forward? You hear some pretty dark-
Joe Lyons: It's a good question. I think it remains to be seen. The reality is, when we start out, I think that AI will generally be a negative for cybersecurity. I say that only because organizations are a little bit slower to move.
There's a lot more governance, there's a lot more things to change around an organization than there is around cybercriminals. Cybercriminals can run as fast as they want with no regulation and try things a million times.
The reality is, especially with generative AI ... We've seen this with things like deepfake and ChatGPT. It's extremely easy to impersonate people and extremely easy to both phish people and to generate new attacks from AI.
Just to take one point back from the attack trend, if you think about the digitization in 2021 and why it peaked and dropped off a bit, in my opinion a little bit is due to the hyper digitization that happened during COVID. If you take a step back and you think about what happened during that time period, every single business in the world basically went hyper-digital overnight, because they had to to keep businesses moving forward.
There's two things that go into it. There is ... Cyber is always a lagging indicator. It takes a while for companies to know they are hacked, and it takes them even longer to admit they are hacked. To actually go from being hacked to the regulation around it, to being picked up in either a FOIA request or somewhere else where you're going to get that data back from, it's usually a pretty long, lagging indicator.
Not dissimilar to the S&P 500, where everyone says, "Zoom out." You're having it down, you're like, "Zoom out. You'll see it's going up over time." I think in 2030 we're going to look back at 2022 and see it's probably just in line with 2021, and continue to uptick.
Bringing that back to generative AI, I think that hyper-digitization is not going anywhere. With hyper-digitization comes more risk. The reality is cybersecurity lags behind governance in a lot of different ways.
One of the ways is businesses want to solve problems very fast, so they'll use a ton of cybersecurity mechanisms to do that without necessarily understanding the full risk implications of that. It's, "Make the money and figure out the risk around it after."
From the offensive perspective, as a practitioner, I'm nervous about generative AI and AI in security. The reason being is, and I'm saying this as a practitioner and with a lot of experience in phishing emails, and ... People are the weak link when it comes to cybersecurity. It's usually the person who ends up [inaudible 00:39:39]-
Mark Zandi: I say that about Cris all the time. He's definitely the weak link here on this whole phishing thing. He's so big into crypto, too. He's huge into crypto, and at the same time ... He gets captured by these phishing things all the time. We got to watch that guy very carefully.
Cris DeRitis: What can I say?
Lesley Ritter: [inaudible 00:39:59]
Joe Lyons: Imagine a higher volume and more specific phishing-
Mark Zandi: You say imagine more Crises? Is that what you're saying to me?
Joe Lyons: Imagine pandering directly to Cris's emotions. You can quantify what Cris is interested in as a person-
Mark Zandi: Definitely don't want to do that.
Joe Lyons: Create a model around that, and then fire an email that directly plays off his emotions. That's realistically the lowest barrier to entry for cybercriminals, is going to be in that area. How do people speak? What is their tone like when they write emails?
Let's say I'm writing an email impersonating Mark Zandi. I'll go through all of your publications, I'll go through all of your interviews. I'll watch that with a learning model, and then create a model to speak and use the same exact tone, and vernacular, and terms that you will, and then send emails out to everybody, impersonating Mark Zandi. It's going to be-
Mark Zandi: I'm of the view, no machine can impersonate me. There's no possible way.
Joe Lyons: AI can. I certainly-
Mark Zandi: AI can? Yeah.
Cris DeRitis: Is that a challenge, Mark?
Mark Zandi: No. Please, no.
Cris DeRitis: Did you just send that out to the universe?
Mark Zandi: That's good. Exactly.
A good example of how AI could really be a problem is just on phishing, just designing the hook in such a way that it's so shiny, and bright, and enticing, there's no way I'm not going to bite on that thing.
Joe Lyons: It's not dissimilar to how advertising, especially on social media, is amazing at pandering to your emotion. There's a reason why you continually click back.
AI will be able to do that with phishing emails. The reality is, it's going to exacerbate this concept of a cyber poverty gap. You're going to have the well-funded and cutting-edge engineering groups and defense that will use AI for the best possible use cases. They'll make their own operations operate with a higher margin. It's the mid to lower tiers that are going to be really adversely affected by it, because they're going to not have enough money to buy the products that are created out of AI, and they're also not going to have the talent pool to pull the talent to defend against AI.
I think it's going to end up polarizing the cyber market, to start off with. Then, I think, as it becomes more and more commodity, defense will catch up. Then that will be the next step in the arms race.
Mark Zandi: But you think ... I was reading your interview you did. You did an interview back in the fall on this issue with some folks from the rating agency. You landed in a more negative spot, meaning there's pluses, there's minuses, but on the net of all of this, it feels like it's a net negative. That's exactly the terms you used, I think.
Joe Lyons: Yeah. I think so. I would say at least for five to 10 years, I think the reality is cyber [inaudible 00:42:44] move fast and hard on this, and it's going to take a long time for organizations to implement countermeasures. Not only does the technology need to exist to understand when something is generated by AI from an attack perspective, but then you have to go about defending against it with an organization.
Again, the reality is people are the weak link. People click things. People are tricked fairly easily when it comes to phishing emails. Putting data behind that is a terrifying concept out of the gate. I think, at the end of the day, organizations will defend against it, but it's going to be a lag, from my perspective.
Mark Zandi: Of course, it's not only AI, it's quantum computing too, right? Just, do you want to explain that briefly, what that's all about?
Joe Lyons: Yeah. Sure. The crux of the problem with quantum computing is encryption algorithms. There's this algorithm called the Shor's algorithm, which is a method for doing prime factorials. That, once quantum computing gets to a stable enough state, that algorithm will be implemented and all encryption as we know it today will be broken pretty much instantaneously.
The algorithm is already written, it's just a fact of getting it into a quantum computer now. There's a bit of a frenzy right now across all of technology to understand how to make quantum-resistant encryption technologies.
Maybe a light definition of what encryption technologies are ... It is the way that you keep information that is on the wire secret. It is the secret language that you speak between two organizations to make sure that your data is not sniffed by anybody, it's not viewed by anybody. It's really important.
The area in everybody's life where you'll know where encryption is, you look at the top left of your browser and you see that little lock, HTTPS at the end of the URL. That means that all of your communications are encrypted, so everything is secret. The risk is that that secret handshake is then broken, leading to, realistically, a wide systemic security problem.
Mark Zandi: I hope you're a shareholder in Bitsight. Sounds like you're going to do really, really well here, going forward. I'm sure ... Maybe you are ... Look how well-dressed he is, guys. Look at that.
Joe Lyons: I come from financial services. I can't wear the T-shirt.
Mark Zandi: Right. Okay. Let's move forward.
We're economists, and we've been asked often about cyber and the economy. What is the potential macroeconomic consequence of cyberattacks? I've always had a hard time with this one, coming up with scenarios where cyber could take out, if not the entire economy, big parts of the economy.
We have attacks like the Colonial Pipeline, and that's very disruptive, but so far there's not been anything that's shut things down in a significant way, at least not here in the United States. There's examples, I think ... Ukrainian, some other examples, as far as I know. One area where I think I've come to appreciate real risk is in the financial system. We saw that come home clearly recently with the hack of ICBC.
I thought, Jill, you wrote a great piece about that hack. Maybe you can describe what that's all about and what it means from your perspective.
Jill Cetina: Yeah. No, there were just ... Thanks, Mark. There was, in the US operation of ICBC, an affiliate that faced some cyber challenges.
They were very important in terms of, basically, for ICBC, conducting repo transactions in the treasury market. The cyber challenges that they faced did create a meaningful spike in failed trades for a day or two. While that was worked out, and I know you know well, the repo market plays a very important intermediation role between financial institutions and fixed income markets, particularly the treasury market. That was a bit disconcerting when it first came out.
Of course, there are some tools that the official sector has, like extending the Fedwire operating day to give a little bit more time for settlement. I think your paper that some of the people on your team have worked on thinks about that there's different ways in which cyber can become, I'll call it, a financial stability risk.
One is if you maybe have contagion from a cyber event. The other is, of course, if you hit someone who's, from a network perspective, a bit like a spoke, and then you have contagion radiate out from there. You can have a different kind of contagion which is more like maybe a confidence-related contagion, where you have a cyber event that affects a certain type of business model, and then other types of contagion spread from there in financial institutions. That's ICBC at a very high level.
Mark Zandi: ICBC ... Just what caught my eye is it's the largest bank in the world, right?
Jill Cetina: Correct.
Mark Zandi: This is the Chinese bank. ICBC is what ... I can't remember what the acronym stands for, but can you-
Jill Cetina: Industrial and Commercial Bank of China.
Mark Zandi: Bank of China. Largest in the world. It was a small affiliate that got hacked, but it led to some significant disruptions. I think this certainly should send off some yellow flares in terms of what that means.
Jill Cetina: I think there's certainly been some other incidents in the financial sector, or in service providers to the financial sector. I think there's a couple channels through which financial institutions can experience cyber stress.
One is directly themselves in their own systems. Joe made the great point about somebody at a bank or a non-bank financial institution getting, I'll call it, an email that's a phishing email. That's direct on the financial institution.
But then, financial institutions, as Lesley pointed out, have many IT service providers that they utilize. I think we've seen instances, I'll just point to SolarWinds and some others, Citrix Bleed is another, different things like that, where a service provider is the channel through which there becomes a cyber incident at a financial institution.
Then the third channel is really on the asset side for a financial institution, where ... We've only seen a very limited amount of this, but there's a very nice paper on the malware attack, the NotPetya attack, this is done by some of my colleagues at the Fed, that illustrates that some of the institutions that banks were lending to were negatively affected by NotPetya, and talks a bit about how that could have created credit stress had the malware associated with that cyberattack actually proven catastrophic for some of those corporates that they were lending to. There's multiple channels if you're a financial institution, unfortunately, through which cyber risk can affect you.
ICBC, it was ... Again, attribution's hard. I think that we just maybe not try to attribute or talk through which of the channels [inaudible 00:51:14].
Mark Zandi: Before we dig even deeper into cyber and the financial system, and we'll turn to Jesse and Matt's work shortly, maybe Lesley, I'll turn it back to you, and maybe Joe.
My thought, as I articulated, was that the ... I'm asking you to put on your economist hat now, if you're willing to do that for a second. My thought is that the most likely cyber scenario that would have macroeconomic implication would be one where it has a major effect on the financial system, something broad.
Jill mentioned the potential for contagion, or it affects something deep in the plumbing of the financial system. Trading, mentioned the repo market, or the Fedwire, or ... Something that's critical to the plumbing in the system and the movement of liquidity around the system. When you think about the panoply of risks here, would you put that at the top of the list of concerns, or is there other vulnerabilities in other industries and other parts of the economy that you think might be more of a threat to the macroeconomy?
I know that's probably an unfair question. I'm asking you to do my job, but maybe you could do that. Lesley, do you have a view?
Lesley Ritter: You mean other industries that are as critical as [inaudible 00:52:36]?
Mark Zandi: Yeah. For example, I've thought about the ports, maybe a hack of the ports. I've thought about the electric grid, maybe ... But I still have a hard time connecting the dots between those things in a macroeconomic event.
On the financial system, I can connect the dots, but on the others, I can't. I'm just asking you, am I missing something? Is there something else out there that we should be focused on or thinking about? I know it's an open-ended question and maybe there's no answer, but what do you think, Lesley?
Lesley Ritter: Joe, correct me if I'm wrong, but I think CISA is the body that oversees cybersecurity in the US. I think they have 16 critical sectors for cybersecurity. I think their view is any of these sectors are critical to the functioning of the broader economy of the US, so a system-wide cyber impact on any of these industries would probably have similar impact.
I think you have to think about the fact that these critical sectors that span the healthcare sectors, the energy, to food and agriculture are all heavily digitized. Every industry is sort of a tech company in some sort of way right now.
Another thing that's happening is a lot of these industries used to operate very bespoke equipment, so the contagion risk was less there. But, looking to the electric utility space, for instance, there's a shift in where your electricity is coming from. It's very distributed, and it's coming from a few manufacturers.
You go from these centralized power generation centers, which are very bespoke, and so an infection in one wouldn't spread to others, to a situation where you have a very distributed and homogenous type equipment. If one of the pieces of equipment is tampered with, all of them are likely tampered with, and that spreads very easily. That's true in electric utility space, very likely true of other sectors as well.
Mark Zandi: Joe, do you have a perspective on that, or a view?
Joe Lyons: Yeah. When I think about this, I think about the concept of magnitudes of change and where risk is concentrated. Why is the finance sector low-hanging fruit for this? It's because everything is run through a central plumbing system. There's an aggregation point. It's a very easy place to attack. When you're talking about systemic cyberattacks, it's very hard to do a bespoke attack on every single type of organization.
What comes to mind, for me, honestly, and it's well offset with technology expertise with good reason, is the large technology companies. If you think about how many businesses are dependent on centralized cloud infrastructure across three major companies ... If there was any disruption at scale at any of those three major companies, it's going to adversely affect a massive part of the economy, both from a consumer perspective and a business-operations perspective. Then it becomes a question of ... Not only is the magnitude-
Mark Zandi: You're talking like an AWS, or [inaudible 00:55:39]-
Joe Lyons: AWS, an Azure, I think.
Mark Zandi: Azure. Yeah. Right.
Joe Lyons: Exactly. Any of these areas where there's a hyper concentration of technology, there's also a hyper concentration of systemic risk. That's where the magnitudes of change from an attacker perspective becomes very immense.
I'm not saying this is necessarily low-hanging fruit. This would be an extremely complex attack, and I'm sure all of these companies have a ton of security around this. But if anyone were able to get into the infrastructure, the backbone of how these cloud organizations operate, it would probably have the most impact out of any of the sectors because it would impact every one of the sectors, because each sector leverages centralized cloud computing more than anything.
Mark Zandi: No, that makes a lot of sense. Jill, turning back to you and back to the financial system, I know obviously global regulators are all over this. You want to spend a few minutes and describe some of the kind of things that regulators are doing or certainly now starting to come to fruition, and how effective you think those will be?
Jill Cetina: Sure. There's a lot to talk about here, Mark, and some things are further in train, maybe, than others.
Maybe just jumping back for a minute on quantum, the BIS, the Bank of International Settlements, which is like the central bank to central banks, did release a paper today talking about how they are concerned about what Joe alluded to, which is the potential for quantum computing to render current encryption technology obsolete, and that to become a financial stability risk, for lack of a better word. They talked about some work that they are doing at a very technical level to think about the transition from current encryption technology to, maybe, a post-quantum technology.
They're doing that work with Banque de France and the Bundesbank, I believe was what the paper said. Thinking first about central bank systems, but maybe trying to create a bit of a roadmap for financial institutions. I think that's really important work.
In the EU, Lesley referred to DORA already. This is-
Mark Zandi: Quick test. What does that stand for?
Jill Cetina: I will say I don't know either, because I'm more focused on US regulation than I am ...
Mark Zandi: Gotcha.
Jill Cetina: On EU. But, if ... Lesley, I don't know if you came up with it in the interim.
Lesley Ritter: The A was Act. That was the one letter I-
Mark Zandi: Act. Right.
Jill Cetina: Act.
Mark Zandi: Yeah. Right.
Lesley Ritter: [inaudible 00:58:16] The most obvious one, right?
Mark Zandi: Yeah.
Jill Cetina: There we go. You figured it out. Okay. DORA, it's not Dora the Explorer, it's ...
Mark Zandi: Yeah.
Jill Cetina: All right. Anyway, DORA is interesting to contrast a little bit. Given Joe's comment about how significant service providers are potentially such a high systemic risk for the economy writ large, DORA, as I understand it, and Lesley can step in and correct me, is requiring financial institutions to provide comprehensive lists of all their service providers. Then they're going to take a risk-focused approach in the EU to saying, "I've got all these lists, and I'm going to do supervision on those most significant service providers." That, I think, sounds like a great approach to this topic.
In the US, people may or may not be as familiar with where we are from a regulatory viewpoint. There's an old banking act called Gramm-Leach-Bliley. I could have said GLBA, but I won't do that to folks [inaudible 00:59:33].
Mark Zandi: I didn't know. I always said GLB. It's GLBA? Really? Is that what you-
Jill Cetina: Yeah. Some people say GLBA. It's one of those acronyms, Mark, like tomato, tomato, FHFA, F-H-F-A. People have different-
Mark Zandi: The FHLBs, the F-H-L-B. Yeah.
Jill Cetina: Yeah.
Mark Zandi: Got it. Yeah.
Jill Cetina: Right. Anyway ...
Mark Zandi: You weirdos in the financial system. That's ...
Jill Cetina: Right. Anyway, Gramm-Leach-Bliley, though, does give US bank regulators the ability to supervise service providers of banks, but one of the challenges ... Because Gramm-Leach-Bliley, I think as many know, is not recent legislation, it doesn't give quite the same level of, I'll call it, data collection around these service providers.
Regulators have approaches to gathering these data, but if you were to try to find ... Again, people who are regulatory nerds in the US are well familiar with that any regulation has to go through notice and comment. There's Paperwork Reduction Act type thing. There is no regulatory filing that is systematic where banks are reporting.
Joe might report a service provider written out one way, Lesley might report it another. Collating that and getting to an efficient portfolio of which service providers should be overseen in the US I think is a bit of a data challenge from a regulation supervision viewpoint.
We do have service provider supervision. You can't find a list of which service providers are currently being overseen. That's not publicly available information. It's an area of supervision that all of the banking regulators, the federal banking regulators and some of the state regulators, are involved in, but there's not, perhaps, as much information about it.
Maybe the one other point that I would make is, as you know, Mark, the US financial sector has a lot of non-bank financial institutions in it. The bank regulators, of course, in a number of cases, do not oversee them. Think about non-bank mortgage servicers where we've had some recent notable cybersecurity events. Those are not overseen in any way by the federal banking regulators.
That service provider oversight isn't happening in the same way for the non-bank financial sector as it does for vendors of banks. That is something that, given the discussion we've had so far, is arguably a bit of a gap.
We also have the ECB. Just to round out, they've obviously announced their stress test. They have ... It's like every other year they do a neat little, "Let's pursue a bespoke stress test," that's different than what they traditionally do. I think in 2017 they did interest rate risk. That was ...
Mark Zandi: Prescient?
Jill Cetina: Had some points, right there. That was prescient, right?
Mark Zandi: Yep.
Jill Cetina: They've done market and liquidity. They just recently announced that they're going to do cyber-
Mark Zandi: Climate. Climate was one of them.
Jill Cetina: Yeah. They did climate, and doing cyber next. I think that's a positive for European financial institutions. Again, these aren't setting capital standards, but I think just having those kinds of, I'll call it, tabletop exercises that are focused regulatory events can help people up their game.
Mark Zandi: Yeah. I agree. I think that this is a good segue into the work that Jesse and Matt have done, because it's like a stress test. We took a couple of scenarios, cyberattacks to the financial system, and ran that through our models and tried to figure out what the macroeconomic impacts would be.
Maybe, Jesse, Matt ... Who would like to describe the work, spend a few minutes and just lay that out for us? There is a white paper. It's available. If folks are interested, we can provide that to you. I think we're doing a webinar, too, aren't we, Jesse, at some point here, Matt?
Jesse Rogers: Yeah. I think in early February, what I put on there.
Mark Zandi: Okay. Good. Yeah. Jesse, Matt?
Jesse Rogers: Sure.
Mark Zandi: One of you want to take the comm here and explain what you did?
Jesse Rogers: Yeah. I'll take a stab. Matt, I'll pause here and there so you can chip in and round it out.
I think the interesting thing about our paper, and you alluded to it before, Mark, is trying to take cyber risk, which largely for companies is business risk or operational risk, and trying to figure out, how does that become macro risk? We took a look at the financial system where the linkages just seem more concrete, or the potential for systemic damage is just a little bit easier to imagine.
We came up with two scenarios. The first we're calling a cyber deposit run, which is a bank run or a banking panic that begins with successive cyberattacks on smaller and medium-sized banks. In this scenario, consumers, or depositors, rather, flee to the perceived stability of larger banks. It's very similar to the situation that we saw in March of last year, but on a much larger scale.
It puts the Fed in a unique situation because what we ultimately have is a liquidity insolvency crisis that is operational in nature. It's not something the Fed is really designed to solve. Providing liquidity to banks, we found, doesn't necessarily change the calculus for consumers, or depositors, rather, that have experienced a large cyberattack. As these attacks continue for some time, the incentive to run grows and grows until we get into a broader banking crisis scenario that does have real damages on both the financial system and economy.
Mark Zandi: But the scenario is ransomware attacks on smaller banks, where I think there's a general sense, I think Joe mentioned this, that there's more vulnerability. They just don't have the resources to be able to defend themselves.
Matt Colyar: Yeah. That was one of our ... Just to jump on that, is the focus on the small and mid-sized banks was exactly that reason, of there's gaps in coverage because a lot of the coverage is expensive. The red team testing that Joe was doing in his earlier life is not cheap. Big banks can afford that. Big banks can afford top talent to do that. That was our door open, in a way, for this type of attack.
Mark Zandi: Those attacks led to a loss of confidence, faith in depositors. Sort of what happened back with the Silicon Valley Bank crisis, when depositors ran. That happens in this scenario.
Jill, does that resonate with you? Do you think that's a viable threat, or do you think that's far-fetched, that scenario?
Jill Cetina: No. First, a couple things. I do think that there is the potential for what I'll call, maybe, business-model contagion. You see some institution that looks like your financial institution where you bank having very critical cyber risks manifest that are in the news. There could be some attempt to diversify deposits. This would probably be more on the commercial side, I would say, though, than the retail side.
I did, though, Mark, if it's okay, want to share a little data.
Mark Zandi: Yeah. Sure. All right.
Jill Cetina: On this topic of small versus large bank, and where the risk is, if that's okay.
Mark Zandi: Yeah.
Jill Cetina: Because the most recent Fed supervision report actually ... It's not ... How should I put it? If one were to ideally design a disclosure around this topic, this might not be the ideal disclosure, but it does provide some data on that issue. The Fed in the supervision report that became available ... These are data for Q2 2023.
They did disclose, for community banks, that the top issue in terms of supervisory findings ... You can raise the question, are supervisory findings the same as intrinsic risk? You could have risks that supervisors haven't found. But, in terms of supervisory findings, IT/cyber for both community banks and regional banks were the most frequent type of supervisory finding.
Mark Zandi: Interesting.
Jill Cetina: 30% of outstanding community bank findings, roughly, were related to IT/cyber, and 35% for regional banks.
Where it gets even more interesting is for the large bank population. Here the data aren't quite broken out the same. I want to be very clear, these are about findings, not the number of institutions that I just quoted for community regional banks.
When you talk about large banks, basically for the large financial institutions, the rating system for them is three-pronged. There's a capital component, a liquidity component, and a governance component. There's multiple ratings levels, but you're either broadly meeting expectations conditionally, or you're deficient.
As of Q2 2023, what the supervision report says is that most of the large financial institutions in the US, the large banks, were meeting expectations on capital and liquidity but that the challenges were really around governance and controls mainly related to operational resilience, cyber, and anti-money-laundering. The less than satisfactory percentage of the LFIs, or the large banks in the US, in the Fed supervision report is about 50%.
Just to get to the bottom line on that, about 50% of large bank ratings are less than satisfactory according to the report, mostly driven by these governance and control operational IT/cyber issues, not related to capital, not related to liquidity.
The other thing that's interesting in the report is it shows a time series for the large banks. The amount of non-satisfactory is very stable. The report doesn't break out ... Two years ago, was it more about capital, and now it's more about cyber? But there's some interesting data there that suggests that there are meaningful operational cyber resilience issues also at large institutions.
Mark Zandi: Sounds like consistent with the concerns represented in this scenario that we've constructed, [inaudible 01:11:36].
Jill Cetina: Yeah. No, definitely the supervision one is [inaudible 01:11:39], but it's really for banks of all sizes.
Mark Zandi: Yeah. Right. Jesse, anything more, or Matt, on the first scenario? Clearly you can construct this in lots of different ways, and in the scenario we constructed it in a way that it did ultimately end up in causing a loss of confidence, affected equity markets, financial markets more broadly, and landed us in a recession. Anything else more about that scenario you want to call out? Jesse?
Matt Colyar: I don't think so. Jesse, do you? It does help-
Mark Zandi: Jesse's frozen, I think.
Matt Colyar: [inaudible 01:12:16]
Jesse Rogers: No, I'm here. I just wanted to give Matt a chance to chip in.
Mark Zandi: Okay.
Matt Colyar: No, I think that the psychological contagion is a big fulcrum for that scenario. It's believable. I think we saw the power of virality in 2023, 2024 with Silicon Valley Bank. Large coordinated movements can happen if everybody's getting the same tweet, text, push notification. We did rely on that quite a bit for the basis of that scenario.
I don't know. Jesse, do you want to add to that, or touch the second scenario?
Jesse Rogers: Yeah. The only other thing I'd say ... Something that you brought up, Matt, when we were constructing this scenario, is just how fast things can move when it's your cell phone, like you mentioned, that gets an alert. Depositors can remove their deposits or move them within minutes in the interconnected, digitized banking system of today. I think that plays a very big role in our first scenario and how fast risk spreads.
Mark Zandi: Okay. Let's turn to the second scenario. You want to describe that, Matt or Jesse?
Jesse Rogers: Yeah. I'll give you an overview, Mark, because it involves the ACH network. Maybe we'll take just a second to explain what that is.
The scenario broadly is a really dark scenario involving a ransomware attack that ultimately leads to the collapse of the retail payment system. In this scenario, depositors lose access to bank accounts, credit card networks, fearing contagion, suspend service, and the whole digital payment system we've come to rely on is out. Left in its place, we're all forced to migrate back to checks and cash, imposing, just, tremendous frictions on being able to go to the donut shop or get coffee at Wawa.
Mark Zandi: Donut shop. What?
Jesse Rogers: I don't know. There's a great vegan donut place in West Philly that I go to that I really like. I imagine that would be-
Mark Zandi: Vegan donuts? How do they get them-
Jesse Rogers: I knew you were going to nail me for that.
Mark Zandi: I'm having a hard time getting my mind around that one, but okay.
Jesse Rogers: I know. A lot of palm oil, a lot of coconut oil in the batter.
Mark Zandi: Got it.
Jesse Rogers: Anyway, it's almost a dark doomsday scenario where everything we've come to rely on is out of service. Where we ultimately end up is in a large single-quarter plummet in consumer spending that drags the rest of the economy with it.
Mark Zandi: Got it. Jill, does that ring true to you? Does that feel like a scenario that has some possibility, or is that way out on the tail of possibilities?
Jill Cetina: I think it gets back to thinking about, Mark, the point that there are things that are pipes, if you will, the plumbing of the financial system. We don't think about the plumbing much when it's working, and then, when it backs up and creates lots of problems, then it becomes very ... I don't know about the vegan donuts, but it becomes a very big ...
Mark Zandi: Right. Then it becomes a problem.
Jill Cetina: Still thinking on the vegan donut thing, I must say.
It becomes very painful. I think the question, of course, is that, unlike maybe the plumbing in our house which we take for granted, these type of infrastructure are known to be systemic. One would hope that the level of cyber resilience and resources is higher than maybe the first scenario that Jesse and Matt outlined, where you've got smaller institutions and contagion risk from that. Maybe it's a little bit more of a plausibility test.
Again, going back to the BIS piece on quantum, there may be scenarios, whether it's some of the stuff Joe talked about on AI-enhanced attacks, or, again, post-quantum type stuff that could make even systems that we think of as fairly well protected, well resourced challenged. I don't know if others, like Joe, have thoughts on that, but ...
Mark Zandi: Yeah. Joe, Lesley, covered a lot of ground there. Anything you'd like to add? Joe?
Joe Lyons: No, I think the reality is that the risk is there. Think about, especially, endpoint payment. It is very much privatized at this point. There's a lot of companies that are delivering privatized endpoint payment devices. It's completely feasible that there is a systemic vulnerability across all devices that are connected to the internet that allow that. That could be used as an entry point into the plumbing.
I think it's the same concept of hyper-digitization, hyper-risk. I think we are well into the hyper-digital age. We're going there. We're en route. We need to secure ourselves along the way. I think that's the main theme here.
Mark Zandi: Yeah. Lesley? Anything?
Lesley Ritter: No. What just struck me is I think that's the impetus behind all of these very ambitious regulations that are very technically driven, not principle based, not capital based. They're giving very clear instructions as to the type of defenses they expected to be in place from a technical standpoint. I think there's recognition of this digital risk.
Jill Cetina: I'm sorry, Mark.
Mark Zandi: Go ahead.
Jill Cetina: Maybe just one point, though, on the regulation. In doing some background reading to get ready for this podcast discussion, I also read the OCC's supervision ... It was their semiannual risk report.
Some of these things that we talk about for financial institutions, they're very basic, that still aren't being done by some financial institutions. In the OCC's report, they talked about the use of ... I'll use the acronym first, and then I'll define it. Multifactor Authentication, or MFA. Talked about ... This is that you need to get a text message on your cell phone before you can do a bank transaction. They talked about that that's not in place for all banks in the report.
These are very basic, easy cyber things to do, far easier than patching another thing. Some of this stuff is just still not being done, not being invested in. Regulators in some cases are asking for it, and other cases they're recommending it. The change is, I think, slow for the quantum of risk.
Mark Zandi: I know if I didn't get my paycheck from Moody's in my bank account, I'd panic pretty quickly. That does feel like the fodder for a good size recession.
We're coming to time. Maybe we'll end in a different way. Let's end with the game, the stats game. We each put forward a statistic, the rest of the group tries to figure that out through clues, deductive reasoning, questions. The best stat is one that isn't so easy we're all going to get it, but I am not worried about that at all. This isn't going to be easy, and one that's not so hard and we never get it, but that may be the case here.
Because we've got so many potential players, I'm just going to call on the guests from outside, and we'll play the game. Joe, do you want to go first? What's your stat?
Joe Lyons: Is there any rules around this, or could I put any [inaudible 01:20:25]-
Mark Zandi: You can put anything forward.
Joe Lyons: I'm going to put two numbers out there, and I want them to guess what they're representative of. It is 4 million, and it's roughly 12%.
Mark Zandi: 4 million, 12%. It has to do with cyber, I'm sure.
Cris DeRitis: Number of cyberattacks?
Joe Lyons: No.
Cris DeRitis: Over some period? Okay.
Mark Zandi: If it's 12%, what is that? That's, what, 450 million or something? 12% of ...
Joe Lyons: 12% is not part of the ... It would be 12-
Mark Zandi: It's a whole different ... It's unrelated to the 4 million?
Joe Lyons: Yeah. It is part of ... Is a characteristic of the 4 million.
Mark Zandi: I see. There are 4 million entities in the United States, business entities. 12% gets your highest score from Bitsight.
Joe Lyons: No.
Mark Zandi: No? Okay.
Joe Lyons: Close enough.
Mark Zandi: Am I close?
Joe Lyons: Think security gap. That is the only hint that I'll give.
Mark Zandi: Security gap. Jill? Lesley? Do you have any ideas? 4 million. Is it US based? Is it [inaudible 01:21:43]?
Joe Lyons: Globally.
Mark Zandi: It's global? Is it 4 million entities? People?
Joe Lyons: It's people.
Mark Zandi: People. 4 million people.
Marisa DiNatale: 4 million people, 12%?
Mark Zandi: Yeah. 12% of 4 million people have had something, have had some experience.
Lesley Ritter: Cyber job openings?
Joe Lyons: Yes. There is an estimated 4-million-person gap in cybersecurity expertise right now, and it's estimated to grow at roughly 12% every year between now and 2030-ish.
Mark Zandi: That's a good one. Way to go, Lesley. That was very good. Yeah.
Lesley Ritter: Thank you.
Mark Zandi: Get a cowbell. Yeah. We need a cowbell for you. Across the globe, there's a shortfall of cyber professionals of 4 million, and that's growing 12% per annum?
Joe Lyons: Yep. Exactly.
Mark Zandi: Got it. Great. Where did that come from, that estimate?
Joe Lyons: I believe it's from one of the internet centers. I don't remember exactly where [inaudible 01:22:47] were reading it. I can look up exactly where it came from.
Mark Zandi: Joe, this is exactly what I was saying. You're going to be a very wealthy man, that's all I'm saying. 4 million shortfall? You should be demanding a ton of equity in this Bitsight company. Yeah. Ton of equity.
Jill Cetina: But, Mark, think about that number and the conversation we were having about non-bank financial institutions who are state regulated. Then think about trying to get the talent to IT supervision in that kind of a job market at state salaries.
Mark Zandi: Yeah. Good luck. Okay, Jill. You're up. What's your stat?
Jill Cetina: Okay. 300 plus.
Mark Zandi: That's your stat, 300 plus?
Jill Cetina: That's my stat. 300 plus, and it relates to community banks.
Mark Zandi: Community banks. 300 plus community banks. Am I on the right track?
Jill Cetina: It relates to the theme of this podcast.
Mark Zandi: Yeah. The rating agency ... Do you do some kind of ranking with regard to cyber preparedness? I think you do, right? Is that processes-
Lesley Ritter: At the sector level, not [inaudible 01:24:06].
Mark Zandi: At a sector level. You don't do it at an individual bank level. Okay. That's not it. What do you think, Cris? Marisa? Jesse?
Marisa DiNatale: Is this also job-related, Jill?
Jill Cetina: It's not job-related, no.
Marisa DiNatale: Okay.
Mark Zandi: Is it regulatory-related?
Jill Cetina: It is regulatory-related. Very good guess, Mark.
Mark Zandi: Okay. It has something to do with the supervisory notices?
Jill Cetina: Might have to do with findings, yes. You're getting very warm.
Mark Zandi: Finding?
Jill Cetina: Yeah. You're basically there. According to the supervision report, there was over 1000 community bank supervisory findings. Approximately 300, 30% of them, were related to IT/cyber.
Mark Zandi: Good.
Jill Cetina: You get to 300 outstanding findings in the community banking space. Again, that's some fraction of the vulnerability, but it's ...
Mark Zandi: [inaudible 01:24:55]
Jill Cetina: Supervisors never find everything, no matter how hard you try.
Mark Zandi: I'm going to take credit for getting that one right. I'm just going to do that.
Jill Cetina: Yeah. I think you did. I think we could ring the gong for you.
Cris DeRitis: I don't know.
Mark Zandi: Cowbell. No gongs.
Jill Cetina: Okay.
Mark Zandi: Lesley, you're up. What's your stat?
Lesley Ritter: I'll give you 53%.
Mark Zandi: Say that again?
Lesley Ritter: 53%.
Mark Zandi: 53%.
Lesley Ritter: I'll give you a hint that it's based on something we collected. Jesse, that might help you.
Mark Zandi: Something that the rating agency collects?
Lesley Ritter: The rating agencies collect it.
Mark Zandi: Through your surveys?
Lesley Ritter: Mm-hmm.
Mark Zandi: 53% of something related to one of the surveys that the rating agency ... Jesse, what do you think?
Jesse Rogers: 53% global financial-
Lesley Ritter: [inaudible 01:25:45]
Jesse Rogers: Do I have to recuse myself, Lesley, or can I [inaudible 01:25:48]?
Lesley Ritter: No, I say you can control it, because you can find it.
Jesse Rogers: In the paper. Might even be in our own paper. 53% of global financial institutions back up their systems at least once a week?
Mark Zandi: I like that. Boy, that was pretty good. I don't think it's right, but it's pretty good.
Lesley Ritter: It's in the vicinity.
Mark Zandi: It is? Okay. What is it, Lesley?
Lesley Ritter: 53% ... It's based on a cyber survey that we collected. Collected information from 240 financial institutions, and 53% of them said that they had reported a significant cyber instance to their board in the past two years.
Mark Zandi: Okay. That's interesting. Very interesting.
Jesse Rogers: That is not in our paper. Maybe we should revise, tuck it in there, and get one more edition out.
Mark Zandi: Sounds like at least a footnote, or something.
Okay. You guys have been great. I know this is late Friday afternoon before MLK weekend. You've been yeoman participants, and I really appreciate that.
Before we sign off, I'll throw it out to the group. Anything that we missed that you think is important that you'd like to bring to the podcast before we leave? Just open-ended. Matt, anything? No? Okay. Joe, anything? Yeah. No. Okay. All right. Very good.
I think we're going to call this a podcast. I hope everyone thought it was informative and useful, and I certainly did. I'm looking forward to the weekend. Take care, everyone. We'll call this a podcast.