Specialty Podcast: S&P Global Warning - Cyber Will Be Factored Into Credit Ratings

Ron Borys (01:19):
Well, welcome everyone. Thanks for tuning in to the latest Alliant specialty financial Alliant podcast. My name is Ron Borys and I'm here with two guests; Brian Dunphy, who leads our Management and Professional Solutions group, and David Finz, who's a senior attorney specializing in the area of cyber risk and policy wording within our legal and claims practice. For those of you who don't know me, I lead our financial institution's industry vertical. And what we wanted to talk about today was some recent developments specific to S&P's recent decision to add cyber security to their list of risk factors for evaluating credit scores. Certainly, you know, cyber risk has been something that's been considered by many and, I'm sure some of the damages and losses associated with cyber events over the last few years have had impacts on rating agencies, views of how they rank or rate organizations and certain types of debt networking.

The fact that they are now officially going to include cyber security and an evaluation of cyber security relative to their process. I think opens up a lot of doors that people need to think about and consider. So, we thought it'd be a good idea to spend a few minutes just sharing our thoughts and perspectives on that. What do you think, Brian?

Brian Dunphy (02:45):
Yeah, it's an interesting pivot by S&P right? We’ve seen companies have an impact on the backend and the wake of cyber, specifically public companies, and their respective share prices. There can be a clampdown, if you will, on cash flow and available cash for activities investment or otherwise, because they then have to go and remediate things. But this is an interesting pivot as they move to, sort of, preemptively assess corporate postures to network security.

So David, from your expert opinion, your vantage point, what do you think aside from the obvious, what do you think’s prompting this? What are they seeing? What are they trying to get across here?

David Finz (03:33):
So, first of all, thank you both for having me on today. What's precipitating this, from my view, is that S&P Go Global has seen a cause-and-effect relationship really between cyber attacks and credit worthiness of organizations. You know, they've noted that even though some companies do come out of a cyber incident with their credit rating unscathed, the number of negative rating actions that have been taken following a cyber attack has more than doubled over the past two years, 2020 and 2021 versus the two-year period immediately prior to that. And that suggests that they're continuing to see cyber risk as a contributing factor in these ratings. And what's really interesting that they're doing now, as you noted Brian, this report that they came out with last week indicates that companies could see an impact on their credit rating, even before they experience, a cyber-attack based upon the type of governance and internal controls that they have in place.

Brian Dunphy (04:40):
It really is an interesting approach, right? And in the report, S&P talked about a lot of different issues and while this is a cyber issue and we are in the space of risk advisory, this really, in my opinion – and I'd like to know what you and Ron think - is actually furtherance of the intersection of cyber risk, as opposed to cyber liability. But the true risk in the intersection of that is with directors' and officers liability insurance.

Ron Borys (05:16):
Yeah. Listen, as we know, the cyber preparedness and incident response in the financial institution space, has been year in and year out. I think I just saw an email that the SEC just announced their 2022 priorities for the asset management space and cybersecurity is on it once again, right? So clearly from a regulatory perspective, people have been onto this for a while. And then, understand the magnitude that poor cyber security preparedness, and poor cyber security controls can have, not only on the organization itself but certainly on the customers and other counterparties that rely on these organizations to protect the information and data that they're sharing. I mean this kind of takes it to a little bit of a different level, right?
Because now, you're working this into a governance standard. And we all know that cyber risk and cyber security have become, probably, the number one topic in the boardroom for most public companies. Now, whether you are a manufacturer or an IT service provider, or a financial institution everybody's talking about cyber and it's because of how the risk and the attacks have evolved. But I certainly am not surprised by this. I just wonder how long before other parties, i.e. the plaintiff bar starts to sink their teeth into this as an opportunity to start again, bringing actions and trying to “right the wrong”, for lack of a better term.

David Finz (07:01):
Yeah. So look, what, what S&P Global is looking for here is, they want to see a culture of good cyber hygiene on the part of organizations. They're looking for the types of internal controls and good corporate governance and internal audits around cyber security that are designed to thwart an attack or prove that an organization will be resilient in the face of an attack. And what they're doing is they're relying upon the NIST framework to evaluate these organizations. And the NIST framework, really, these are standards, they're not regulatory, they're not necessarily something that in and of themselves create liability for an organization if they don't do them in terms of violating a law. But what they do is they do establish a standard of care that organizations are expected to follow. And to your point, Ron, that can help inform the plaintiff's bar in formulating a cause of action around what a company should have done and where they may have been negligent.

Brian Dunphy (08:00):
And David, just, just quickly, if you can just tell everyone who issues NIST, what NIST is, for the uninitiated?

David Finz (08:10):
Sure. So, NIST refers to the National Institute of Standards and Technology. So their standards are really considered the benchmark for best practices around cybersecurity. And they're looking at five core functions here that they're expecting organizations to adapt and comply with. And these include the identification of cyber risk, the protection of assets, the detection of cyber attacks, the response and limitation of damages when there is an incident, and then recovery from an incident - how resilient is an organization in terms of their ability to continue to operate in the face of an attack?

Brian Dunphy (08:53):
And so this is something that, as we were talking if a company does experience a cyber attack, those are things that you would expect them to do normally, but, you mentioned before, the number of rating downgrades that have happened over the past two year period, I believe you were saying… talk about some of the impacts, some of the fall out that could happen to companies seeking rating approval or, or issuers generally.

David Finz (09:31):
Sure. So when a company experiences a cyber-attack, or for that matter of public entity that is, is issuing bonds, there can be so much damage, not only to their bottom line but also to reputation, right? An organization could suffer a loss in market share and competitive advantage. They could see reduced cash flow and a liquidity crunch due to the financial losses associated with responding to the incident. And also, their management and governance can be called into question as well, in terms of how adept were they at detecting and responding to the incident.

And Ron for our financial institution clients, it's early days, obviously. This just literally was issued within the last seven days, but what are our takeaways here in terms of how we want to counsel and advise our clients in the financial institution space?

Ron Borys (10:29):
It’s a great question. I think you know, cyber security, cyber preparedness, has been something that we've been talking about in the financial institution space for probably close to a decade or more. Now, the fact that it's now being integrated with something like an ESG risk factor as part of S&P's evaluation, I think changes the dynamics a little bit in that, typically, right? What are the modifiers from an S&P evaluation where, you know, certainly liquidity is a big one, capital structure is a huge one? But those are very measurable types you know, modifiers diversification, financial policy, right? Management governance is a tricky one because while certain organizations will provide companies with an ESG score and I can tell you in reviewing our data and analytics platform, right?

And Brian, as you know, we incorporate a lot of this into the data and analytics that we do for public companies. And I can tell you, it's oftentimes interesting to see how senior management or CFO reacts to that score, right? Yeah, I think more times than not, they probably disagree with that score. And I've actually even heard people say to me, where did you get that from? And I'm like, well, we didn't make it up. This isn't something that’s proprietary to us. This is something that we pulled from, from, from organizations, that generate these scores based on a variety of factors. And I just think given the volatility of cyber right now and how even the people who think they're the best equipped and most protected and are doing everything they think they can possibly do to protect their organization from a cyber event, we still see them happen. And the fact that it will now have an impact, it's just going to be very interesting to see how S&P and others use that to incorporate what that score ultimately looks like.

Brian Dunphy (12:37):
Yeah, I agree. And I would expect to see insurance underwriters starting to ask questions around this, this issue speaking to insureds through their, their either normal underwriting review process or off-cycle meetings.

Ron Borys (12:54):
That's, it's bad enough that the cyber underwriters right now are, putting our clients and have been putting our clients now through this hard market cycle, through some really challenging questions. And we've seen where pricing and retentions and everything have gone. If now we're going to say that cyber risk and cyber preparedness is going to factor a governance score. Are we saying now that could impact D&O pricing and how underwriters are underwriting and evaluating D&O? I mean, I certainly hope not. The market has finally started to settle down when it comes to public company D&O. If now people are going to start getting downgraded because you know, some S&P analyst is not happy with how a particular company may be prepared for a cyber attack, how are they going to evaluate that? I mean, I would imagine David, they're going to have some prerequisite set of criteria that they're going to provide companies in advance so that they at least know what the basis is, by which they're going to be evaluated.

David Finz (13:55):
Right. Well, again, for starters too, a NIST framework gives you an idea broadly about what factors S&P Global will be looking at. And these are things that insureds should be keeping in mind anyway as they approach their underwriters for renewal. But what this underscores to me is that cybersecurity and cyber risk truly is a boardroom issues. And, you know, we've put together a list of the seven bad cyber security habits of highly vulnerable organizations. And we can make this available to our listeners to help frame the discussion with their board and really get the conversation going around the types of red flags that, not only will the credit rating agencies like S&P Global will be looking for, but also that their underwriters are looking for as well, so that this helps put companies be in a better position and helps the underwriters view them in a more positive light.

Ron Borys (15:13):
Yeah. Just, don't give out your cell phone number, David, I think between your LinkedIn and your email, you're probably getting pinged enough. And I'm sure there are probably plenty of other cyber folks that are listening here. I'm sure the phishing exercises on David Finz’ email and LinkedIn profile, or if they haven't already started, they're going to, there's going to be an uptick over the next few days, but listen, I've realized we're-

David Finz (15:35):
I was going to say, I already told the prince that I don't want 10 million sent to my bank account, so we -

Ron Borys (15:41):
Got it. Well, listen, I realize we're probably up on our time here, but Brian, it's always nice, to jump on and record one of these with you. I think you know, the work that you've been doing in our management professional solutions group, particularly in the area of cyber and public company D&O outside of the FI industry has just been fantastic and certainly enjoyed watching you grow your business, and you know, certainly David, we always really enjoy having you and I know from the feedback I've received, our listeners love hearing your perspective.

And for those of you who would like to talk to us more or learn more about Alliant, you can visit our website at www.alliant.com. You know, listen at the end of the day you know, we hope and truly believe that we can help our clients and prospects find the more rewarding way to manage risk. And that's certainly the reason why we're out there every day doing what we do. So thank you both for taking some time out of your busy day and look forward to talking to you again soon.

David Finz (16:38):
Great to be with you both. Thanks, everyone.