Today’s guest is Michael Taylor, a senior director at KBRA in New York and a long-time public finance practitioner. He has nearly 25 years of experience in Muniland, having worked as a fundamental credit analyst, portfolio manager, and fixed-income trader in a variety of public finance, infrastructure, and corporate consulting roles.
You will also see a familiar face on here today, too! We’re lucky to be joined once again by Rudy Salo, a public finance partner at Nixon Peabody’s Los Angeles office. Rudy was a guest on an earlier episode of A Little Privacy, Please!®, where we discussed cyber risk in the municipal bond market.
Watch A Little Privacy, Please! on cybersecurity risk and public finance credit ratings.
We know that the impact of cyberattacks on city and municipal governments can be significant. Hackers can steal sensitive data, such as employee and resident information, financial data, and intellectual property. Can you discuss cybersecurity and why KBRA includes this information in its credit reports?
To start, at KBRA, we believe that a key differentiator is the fact that we don’t offer an ESG (environmental, social, and governance) scoring product. Instead, we focus on ESG factors that affect or have the potential to affect the risk of borrower default, and we integrate those directly into our credit rating reports. In the context of credit, we believe that most ESG issues are inherently management issues, so we call our approach to ESG and corporate financial institutions and governments, or CFG ratings, ESG management.
Now, across the landscape of CFG, we have identified three factors that we believe have a higher likelihood of being credit-relevant. These are climate change with a particular focus on carbon emissions, stakeholder preferences, and, importantly, for this conversation, cybersecurity, which falls under governance. I think it’s important to understand, however, that the risks each sector and each issuer face are both unique and distinct. So, these three categories are not necessarily exhaustive.
What specific categories or types of cybersecurity-specific information is KBRA looking for during its diligence and credit rating process?
The questions regarding cyber risk that KBRA generally pursues can vary considerably based on the issuer and, overall, the sector in which they reside. But we worked with our own cybersecurity team to develop areas in inquiry, such as does the issuer or employee dedicated person, staff, or vendor manage information or IT security, does the issuer follow an internationally accepted security standard, and, finally, does the issuer have a business continuity or disaster recovery plan in place and are they regularly tested? Now, specific to US public finance, what questions can be focused on sector-specific areas like airports, utilities, colleges, universities, healthcare, and other credits? The fundamentals are remarkably similar.
If an issuer has been hit by a cyberattack, does that necessarily mean that the cost of borrowing is going to go up?
Not necessarily. We’re finding that where the issuer is domiciled is increasingly important. US states like North Carolina, Florida, Arizona, Pennsylvania, New York, and Texas have introduced legislation banning payments by governmental entities. So, in connection with the ransomware attacks, this potentially reduces or eliminates any financial incentives to attack altogether.
If an issuer you’re doing a rating on has absolutely zero cybersecurity protocols, could that affect the rating?
It is possible that a lack of safeguards altogether could lead to a lower rating category, but at this stage, that’s very few and far between from an issuer’s perspective.
What should issuers be doing if there’s been a cyberattack to improve their opportunity to get back on track and reduce the cost of borrowing?
I think it’s important to know that organizations, regardless of size and industry, are all at risk of cyberattacks, and the losses incurred are not simply monetary. Sensitive data, reputation; these things can all be compromised. So, the things that KBRA looks at are the potential financial losses as well as the possible denial of service to tax or ratepayers. More relevant is the strength and the ability of an issuer’s programs and systems to protect private data and prevent future breaches, malware, and ransomware attacks. For issuers that have already experienced breaches, I think it’s also important to note whether or not the ramifications were serious, what the ramifications of the breach were, and how the issuer has changed procedures and hardened systems to prevent future attacks.
How much has this changed over the last five years or so?
As we’ve seen increased instances of cyber breaches, theft of data, as well as demands for ransom, it has been increasingly in the headlines, and it’s something that, again, we’ve incorporated into our fundamental credit analysis.