Cyber attacks are going strong and the recent water systems cyber events in 3 small towns in Texas are making sure the state, as well as the rest of the country, remain on high alert. We will examine the tangible and intangible costs of cyber breaches and potential risk-mitigation strategies that municipalities can implement.
Transcription:
Ed Fierro (00:09):
All right, great, thank you. So we're going to kind of go through this first discussing recent attacks. Second, we'll discuss more of a kind of in the trenches experiences from City of Austin, as well as hear from Hilltop. And then we're going to go through some disclosure issues and then look at risk mitigation solutions. And I think Omid, if you want kind of provide us with a overview of recent attacks or what you've been seeing in your space.
Omid Rahmani (00:40):
Sounds good.
(00:41):
Go ahead. Yeah, no, yeah, I got my entire leadership here from directly above me to God, so I'm going to try to keep my job by the end of this. It's going to be a struggle, but we're going to try. So yeah, interesting things happening. Just today, there was actually a report that I was reading. So for Q1, successful ransomware intrusions this year hit a record all-time high, and that's still the number one thing we're dealing with. Although as we were talking, the other issue that's becoming a lot more prevalent now, and I've talked about this before at this conference, is the nation state aspect of it. We are starting to see a lot more interest in infiltration from adversarial nation states. Obviously we're at a point of geopolitical flux right now. We're having some disagreements with certain nations and trying to quash some disagreements with other ones. And usually cyber risk or low intensity warfare of any kind, including cyber warfare, is a component to that.
(01:53):
In addition, I think Brian, I think it was the first time you and I spoke at this conference, I think that was three years ago, where we talked about a hypothetical scenario of a threat actor actually using both technology and advanced social engineering to hijack a bond issuance. And this is one of, I've been doing this with Brian for a long time and we usually talk about hypotheticals and then several years later we get to do "I told you so." We're here to do "I told you so." Yeah, the other interesting thing that happened that I think is very relevant for this community is we had the first publicly disclosed instance of a threat actor actually successfully infiltrating and hijacking an issuance of municipal bonds. It happened in the state of Michigan, a fairly small issuer, however a sizable amount for that issuer. Some of you guys may be familiar with this. A fairly large portion of that issuance is actually gone.
(02:58):
So the threat actor was successfully able to steal it, manipulate the system using technology and social engineering and steal that. It is the first public one, but it is not the first one that I have heard of. I do know of at least seven more other than that, that have been private. But it is really interesting because this is a new phenomenon and, as with anything cyber risk, once a threat actor actually cuts their way through new territory, develops a new vector of attack, others will follow. It also shows a distinct level of sophistication and increased education on the part of the threat actors in how municipal bonds are issued in the United States, because that's a fairly esoteric process. Not a lot of people understand how that process works, and the timing of it has to be very, very accurate for this kind of a plan to work. So we do know that for years the advanced threat actors have hired, for example, finance analysts to study disclosures that we're legally required to put out. They have a really good understanding of how our finance system works, and this is just another example of their ability to lead more sophisticated types of attacks. We can sit here and talk about all kinds of scary things about how we're all going to die, I can guarantee that, but I will pass it on to Brian to talk more about that topic.
Brian Gardner (04:33):
So good afternoon, I'm coming from the city of Austin. Like I said, I've only been here about two months. I worked as the CSO for the city of Dallas for almost six years. I actually was on the front lines of all the scary stuff that Omid described, and I'm going to say that my leadership is not here. It's city council day, so I can be chaotic and I won't lose my job. But anyways, I've taken a different role. I was on the front lines handling all the things that Omid talked about, but my role here in the city of Austin is actually on the backside of all this, making sure that the city is more resilient. And that's the thing I think in all of this that we need to take out of it: all these bad things are going to continue to happen. Just before I came in here I was reading Oracle has been breached, the Treasury Department's been breached, Microsoft's been breached, Cisco's been breached.
(05:28):
These are all the big players that have something. So it's not a question of if, it's when, and then how do we get back on our feet. I can tell you Dallas went through several incidents when I was there and we were really resilient, and that's how we did it. And that's kind of my goal here in the city of Austin: getting the city of Austin back on its feet, building a resilient environment so that business can operate, the residents get their services and we continue to move forward. I know Brett, you're going to talk about the wire fraud piece, which as a CISO and in IT, we weren't really that close to that. That was always in the controller's office and managed there. However, there is a technical component that is in the CSO or the CT here in Austin,
Omid Rahmani (06:21):
There is,
Brian Gardner (06:21):
It's CTM, but it's the IT shop basically.
Omid Rahmani (06:24):
They are distinct though. So for example, things like wire fraud, I consider that to be distinct from cybersecurity.
Brian Gardner (06:30):
And that was kind of always a discussion in Dallas and now here is in Austin, is that the financial controls really need to be in place, not just the technical controls, making sure that those financial controls are really there so that everything is approved appropriately and that you're actually sending it to the right people.
Ed Fierro (06:49):
So we're actually talking about two different things as far as being attacked, like an issuer cyber attack from ransomware versus a deal where funds are being transferred to another party and a fraudster captures that money. I think that's what you were saying with respect to
Omid Rahmani (07:07):
The township. So the basis of it, the mechanism may be different,
Ed Fierro (07:10):
Yeah,
Omid Rahmani (07:11):
But the basis of it is still as old as time. It's still social engineering. Cybersecurity is not a technology problem, it's a psychology problem and it'll continue to be a psychology problem as long as there's humans.
Ed Fierro (07:24):
So for the township issue in Michigan, I can't speak on it directly, I represent one of the parties there, but there's significant legal consequences that come with a cyber attack, and you're not only dealing with litigation from parties that are all the parties in the working group, you got to think that through. And then you also got to think about regulatory issues with the SEC, DOJ, anything like that. If it was something internal, there are a lot of things you need to think about if you're either a victim or involved in one of the cyber attacks, whether it's through ransomware or whether it's through some kind of psychological phishing exercise by a fraudster.
Omid Rahmani (08:03):
And ultimately I think one of the things that I try to dispel is there's this false sense of security that it's somebody else's problem, that it's a federal government's problem or someone else. It's actually that entity's direct problem and they have full responsibility for it.
Ed Fierro (08:20):
Absolutely. And that's what Brian,
Brian Gardner (08:21):
Going to be the cyber and the financial people working it together to get resolution or even preventing it for that matter. It can't be one or the other.
Ed Fierro (08:30):
Absolutely. I think in some scenario where you have a large issue where things often get siloed information, maybe processes, procedures, it's important that you consider that in Austin. You're on the front lines, I assume, Brian, so you speak to that. And also Ted, I know you're working on the deal side of the house and kind of seeing things from that perspective. Do you have any thoughts on what you've been seeing in the market and in the overall perspective?
Ted Chapman (08:57):
Yeah, I mean, I know we're going to talk a little bit about disclosure. I'll just go kind of sequentially throughout today. Bullet points, lunch, sweet treats, lunch, coma. So I'm going to be that guy that's like, all right, let's just do a brief show of hands to make sure everybody's still awake, whether you are an issuer or you support an issuer in some way, shape or form. How many people in this room have suffered some kind of a cyber related event? Maybe it's a brute force attack, maybe it's ransomware, maybe it's none of the above, just sort of nuisance. Our website's been offline for a couple hours. Quick show of hands.
(09:40):
I mean that's a fair amount already. And there's probably another aspect of that. It's like, yeah, but I don't really want to raise my hand. I don't want to share my dirty laundry. Or you're going to put your hand over your name badge and then raise your hand. So one of the questions is, when you talk about best practices of how to deal with all of this stuff, do you disclose it? There's all kinds of levels of, I mean generally the threshold, it's very vague: material and relevant. So if you were to look at 15c2-12, that's basically the continuing disclosure rules that guide our world. The target, for example, is 10 days. Now if you look further into that, it basically speaks to, is this going to, generally speaking, impede the ability to pay in full on time? That's essentially what it's saying.
(10:37):
I mean it's deeper than that. You contrast that with publicly traded companies that file on EDGAR, they're registered with the SEC, they have to disclose within four days. And it can be anything, yes, material and relevant, but it could be like a change in the board of directors. Maybe there's a new CEO. There's also something in there that speaks to cybersecurity events. We don't really have that in the municipal world. I'm just going to read to you very briefly. This is from a 15c2-12. This is a municipality, a very large one. I'm not going to name names, but it was a front page, high profile event that lingered for a while. They couldn't collect bills from the utility department. They were having all kinds of issues with recovering data. They weren't really sure how much cash they had. They resorted basically, for an extended period of time, to keeping books on paper, pencil, sometimes just local spreadsheets that weren't connected to a network.
(11:39):
And this was in an offering statement, an OS that they not too long after, I mean it was enough time that they were able to get back to the market. They disclosed a generic just under the risk factors section that we all see in offering documents. I'm just going to read it to you very quickly if you can begrudge me. It says the city operates in a local government arena, which makes the city a target of cyber attacks. Additionally, outside parties may attempt to fraudulently induce the city's employees, customers, et cetera, to disclose information in order to gain access to sensitive data in the city systems. The city is devoted and continues to devote significant resources to the continued improvement of its security. And it goes on for a couple of more sentences, but it doesn't say anything meaningful. It does not really go into the heart of, even though it was front page news, locally, nationally, certainly within muni land that this was a pretty serious ransomware attack. So yeah, I mean voluntary disclosure, is it material and relevant? It certainly was for them. Disclosure, how do you define material and relevant? I mean, I would defer a little bit to counsel on that, but that's evolving. And this is an area where again, it's not just the timeliness of muni land versus corporates, it's the level and detail of disclosure. Could this be material and relevant? It was for these folks.
Ed Fierro (12:59):
And Ted, just to clarify as well, the SEC has rules for public companies regarding cybersecurity, and there's an event disclosure if they're attacked, and there's also information that they got to include inside of their filings with respect to processes and procedures that have been implemented. Obviously you all know that that doesn't apply in our market, but certainly it provides some guardrails to see what's going on in that area and see whether it's applicable to your issuer or whether an attack may be something you want to voluntarily disclose. If you look at the township issue in Michigan, they voluntarily disclosed it within a week, I think, of the attack occurring. And that's all publicly available information from EMMA. And they followed up with, I think they went out to market, they had a POS in the market about a month later, which actually described more fully the incident as well as any preventative mitigation or risk modification factors. Omid, can you talk about more of the impact on the credit rating and from that perspective?
Omid Rahmani (14:04):
I'll get to that here in a minute. I'm just going to reframe Ted's initial question. I'm going to demonstrate something. How many IT employees do we have in the room?
Ted Chapman (14:16):
One, okay, you can't count your 17-year-old son that plays Call of Duty.
Omid Rahmani (14:23):
So how many of you guys use a computer for work?
(14:28):
Okay, let me re-ask that question. How many IT employees do we have in the room? They're not getting it. They're not understanding this. How many of you guys can do your job without your phone or your computer? One person? That's amazing. I can't. I definitely can't. So what I'm demonstrating here is the disconnect, and that disconnect exists largely in the municipal sector because very few people actually consider themselves IT employees. It is actually my opinion that there's no such thing as a school district. There's no such thing as a hospital. A school district is an IT department that teaches children; a hospital is an IT department that treats disease, because we are so interwoven, our workflow is so interwoven and so absolutely dependent on integrated technology that you cannot separate it. How many of you guys even know how to do your job or get in touch with the people you work with without access to your phone or laptop?
(15:44):
That's the point that I'm trying to make. That is the environment that we're operating in. Literally, that's our reality. But unfortunately, culturally, we haven't matured as a community, as a municipal community, to understand that it's not just cybersecurity but integrated technology, of which cybersecurity is only one aspect, that completely permeates not just our life but our workflow as a result. I'm tying it back into ratings. Governance is something that we look at, and governance is not just something at the top of an organization. Governance permeates through an organization, what I like to call a vertical culture of cyber hygiene, because in cyber, as Brian can tell you, all people are equal in the eyes of a cyber breach. You could be a janitor, but if you make the wrong decision, you could take down an entire organization. You could also be the head of an organization, and if you make the wrong decision, you could take down an entire organization. It's equal opportunity problems. And the interesting thing is, so I've been studying this particular problem in the muni sector for a long time, and what I've noticed, and Brian you can comment on this, is that there's a bell curve to cyber hygiene. Usually the most junior people, the people with the least responsibilities, and the most senior people, the people with the most responsibilities, have the weakest cyber hygiene in our organization.
Brian Gardner (17:14):
That's true. Usually you have, well in muni, you have a lot of workers that don't have a lot of technology during the day. So that's your short end, where they only log in to get their W-2 or do their time. So their hygiene is usually lacking. And the same goes on the other side. And that's actually true in the corporate world as well.
Omid Rahmani (17:35):
Yeah, I think that's true everywhere. And so the governance piece is something that we look at. And as of this year at Fitch, we've actually had two ratings that have been changed where cyber was an influencing force in that rating change. So what we're seeing is the sophistication of attacks is continuing to increase. The frequency is not going down any further. The cyber insurance landscape is becoming more complex to navigate as a means of risk transfer, which again, I go back to my point in the beginning, it puts the responsibility back on the organizations themselves, back on the munis themselves. They are completely and fully responsible for their cyber hygiene and, most importantly, their preparedness and response. I'm getting to the point where I really don't, as the person who does the cybersecurity stuff for the public sector at Fitch, I'm almost getting to the point where it doesn't matter to me what you're doing as preventative. I'm only looking at how fast can you recover. I use a Rocky quote: it's not about how hard you can hit, it's about how hard you can get hit and keep moving forward. That's literally the make it or break it, because what we're seeing is that organizations suffer in the recovery phase. Making the right decisions, making sure they're not throwing bad money at the problem, making sure they understand how to deploy their resources, and how fast they recover is key.
Ted Chapman (19:02):
And I think if you're to the point where it's like we don't know what we don't know, you call folks like Robert.
Robert White (19:07):
Yeah, I think cybersecurity, it's kind of hard to understand in a lot of ways for people because when I first started thinking about cybersecurity, I think of somebody in a hoodie breaking into a very complex system and hacking and stealing data. But I think everybody in this room is generally speaking, doing transactions or they're involved in transactions. And you may have great security internally, you may not, but you're dealing with people and you don't know what security,
Omid Rahmani (19:38):
That's correct,
Robert White (19:38):
They have. And when you connect those two dots and you're doing a transaction, what are the tools available to prevent a cybersecurity incident inside those transactions, like we saw in the township in Michigan? And so you're really vulnerable to the weakest link in your transaction. And a lot of times that weakest link is the system itself. And we see it in email. Email wasn't built for cybersecurity and protection. It's built for communication. It'd be interesting to ask how many people think they have sensitive data in their email right now. It's going to be everybody. And you get these instructions or pieces of information and you put 'em on a document and then you ship 'em around. There's a whole realm of scariness that happens that it's kind of cyber, it's kind of not. To Omid's point.
Brian Gardner (20:36):
To Omid's point about it being more sophisticated, I wanted to as an IT person say it's not about what they're scripting, it's about their social attack. They're being more sophisticated, attacking you personally with better dialogue. So you believe that they're the person that you're actually working with and should be working with. And that's the sophistication that's getting better. And generative AI is helping that immensely because now you don't get that prince from Nigeria. You have that person across the street that you actually know and trust.
Omid Rahmani (21:09):
I need about 30 to 45 seconds of voice or video of you to completely clone you to make basically put you on a video call and have that video of you say whatever I wanted to say. That's where we're getting to. So I'm almost getting to the point where I don't trust people on video calls. I like to go grab people, be like, are you real? Can I touch you? So should we have the cameras turned off?
Ed Fierro (21:40):
Well, I think that's a solution for a lot of underwriters: having phone calls and having video calls instead of just relying on email when closing the transaction. I can remember a time when I used to have a closing room and people would go to the closing table, at least for the city of New York, and they would send funds and the trustee would be called directly from the office. So I mean, there's a time when that occurred, and I don't know if that's where we're headed, but it seems like if you have a deepfake or you have bad actors out there attacking your most vulnerable employees, you got to have some kind of structure, some kind of mechanism to defend yourself. So I don't know, Robert, if you want to kind of talk about what you all do in your space and give us an overview of that.
Robert White (22:25):
Yeah, I think for us, I did many, many transactions as a municipal advisor and do the common ways of conducting those transactions like we all do. And I think one of the interesting things that we have seen is that a lot of times our answer to stuff is, well, we have cyber insurance and I have that protection, but that is not something to really lean on because a lot of times while an email in a transaction starts as cyber, it actually is the highest denied claim because it goes to a business process and a financial workflow. And if your financial workflow is, well, I just send an email and I get the instructions, put it on a closing memo and then we ship it off and the underwriter sends $29 million and all somebody had to do was impersonate that email. They didn't have to hack into a system, they just had to switch an I to an L and look at it. And we have an even harder problem in municipal finance because all of our details are public knowledge. I can see the official statement, I can see the dates, I can see the players, I can target that and I don't really have to be that sophisticated to attack that. So it's pretty scary. So at base fund we built a tool to basically create the digital workflow, the financial workflow that you could hang your hat on and try to prevent some of that wire fraud and not just trust email.
Ed Fierro (23:48):
Yeah, great points. And also in connection with cyber security insurance, there's limitations of liability and there's going to be a big argument when an attack occurs, the insurance company's not going to want to pay. So if you do have an insurance policy, whether you're a regulated entity or an issuer, it's important that you understand the terms and the limitations of that policy and make sure it fits with what you're actually doing in your deals. If it doesn't, it's not as good as the paper's written on and you're not going to be able to argue, well, you could argue it in court, but that's probably where you'll end up. If there's some terms in there that people.
Omid Rahmani (24:21):
I think a really important point to mention is Lloyd's act-of-war clause that has been adopted by the rest of the insurance industry when it comes to cyber insurance. So about three years ago, Lloyd's of London came out and said that they're not going to honor cyber insurance policies that they can link to a nation state or a nation state backed actor. And Lloyd's being a leader in the insurance industry, this clause was quickly adopted by others in the insurance industry. It's now the norm. Now, the reason that's really important for this community is because US government, including local government, is an incredibly important target for nation state and nation state backed actors, to the point where most of the attackers that perpetrate some of the real scary attacks that you've heard about in this sector are nation state backed actors. What that means is if you're relying on your cyber insurance as your primary means of risk transfer and you're a component of US government, like local government, you may not have that means of risk transfer. Because here's the thing, in the United States, we make a lot of distinction between federal, state and local government: how money gets flowed, who gets what, who has what powers. We're very good about making those distinctions. This is very unique to the United States. Our nation state adversaries, I can tell you point blank, they don't see that distinction. To them, US government is US government. And I think Ted, you were reading a Wall Street Journal article.
Ted Chapman (25:56):
Yeah, there was an article in the Journal just today that spoke to secret meetings between the US and China. Well, not secret anymore, but they happened in December towards the end of the Biden administration, where China basically admitted various different attacks on infrastructure. And who builds infrastructure? It's state governments, local governments, it's 75, 80% of it, but they specifically mentioned airports, essential service utilities among others, hospitals, school districts. China admitted it wasn't just bad actors or rogue bad guys that happened to just live in China. It was all state sponsored, and it was directly because of the US's support or views towards Taiwan. China didn't like that. China said, okay, well we'll show you. And they have essentially said, we're going to continue to do that and lean into that further. So when you hear about SCADA systems for water utilities getting attacked, or not-for-profit hospitals, K through 12 is a huge target, that's going to continue. So to Omid's point, when we advise clients, it's not just building resilience before the fact, but what do you do? Do you have a game plan in the midst of the attack and a plan for extricating yourself and just moving on afterwards? Because I guess I'll do one more like, okay, quick show of hands, who here likes paying insurance? Yeah, right.
(27:25):
Rating agencies can't advise you. They're legally prohibited by the terms of their employment; the analyst can't say, you should do this, you should do that. The insurance folks, even more so than municipal advisors, can come in and say, we're going to do sort of a hygiene check and look at everything. Are you doing simple, easy, low hanging fruit stuff like multifactor authentication? MFA is not just something that you see on Snapchat that's really bad words. It actually means something important. But that's one quick example, easy low hanging fruit. Do you do training? Do you do sort of recurring, don't click on the cute kitty, it's not really a YouTube video? Those are important things that the insurance company will look at. If you're not doing it, they will give you a checklist and say, here's what you should be doing, especially if you want us to honor your policies.
Brian Gardner (28:14):
So to comment on that from the municipal side, I would tell you that in my time in Dallas, and then the healthcare organization I came from before that, I always engaged with the underwriters and walking through the insurance. When I started in EMS, it was, hey, do you have a cyber program? Yes, okay, you can get insurance. By the time I left Dallas, that conversation was a full blown audit. Are you doing privileged access management? Are you managing your service accounts? And I know I'm getting into the technical here, but it was a full blown technical audit before you could even qualify to get insurance. So the insurance piece is slowly moving away to where municipal government is going to have to be self-insured in some manner to do that.
Omid Rahmani (29:01):
Yeah, so this past year, insurance premiums for the first time for cyber insurance came down. They didn't come down because we're doing such a good job. They came down because they're denying claims left and right and they've gotten a lot better at pricing the insurance. And if you talk to the major insurers, they'll tell you this community, the municipal community is not one they like to do business with.
Ed Fierro (29:30):
So in addition to that risk, you also have regulated entities that have their own underwriters, municipal advisors that have regulatory risk, and they have to comply with certain federal regulations regarding their standards of conduct. So it's important. It's not just, this impacts everyone in the room. It's not just the issuer, or it's not just the rating that you see. Look at this, it's everybody. I mean, everybody's going to be asked a question if there's an attack: did you act reasonably, if you're a regulated entity, or on the issuer side, there might be litigation in connection with it where they're going to ask a similar question. I mean, did that employee act within their policies, procedures, or maybe they didn't act in a reasonable manner. So Robert, do you have any other thoughts here on what other providers out there could offer for a solution, solution-driven thoughts?
Robert White (30:21):
Yeah, I would say we talk with banks all the time. So not just municipal finance, but banks in general. Talking to one this week, and they put a bunch of standard processes and procedures into place, and there's a cost to that that is different than the cost of insurance, but they had to put it in place to get the insurance. So there's quite a bit of cost that goes into that. But also the bank was touting, well, we have $15 million of wire fraud insurance. And we asked the question, does that cover the bank from a mess up? And he's like, yes. Does it cover your customers if they bring you faulty instructions? No, it does not. So then it comes back, it's always on the end user, and what do they have to do about these things? And even callbacks, callbacks maybe are a great way to prevent wire fraud, but can you prove that you did a callback? Because the insurance company can deny you for that reason as well.
(31:23):
So there's so much that goes into this from an organizational level and I think addressing the problem organization wide so that you can trust that process and that all of the people from top to bottom can follow through and create that symmetry too, that you could be covered in insurance or you could just prevent the wire fraud and you don't have to deal with insurance. So are there solutions out there for cybersecurity? A hundred percent. There is not a ton on wire fraud, but it's a big, big problem and one of which I think we're going to have to pay attention to. And I think it's important on the disclosure side even we spend a ton of time in our offering documents, if you will, talking about credit ratings or what are the terms, what is this? We spend very little time talking about how we close those.
(32:24):
There's really not any mention, well we close at 10:00 AM at the law offices of X, Y, Z and that's all. And so then it's just up to us to go figure out what do we do to prevent an issue? How do we address these things? And I think this is an important framework and platform for people to take this seriously and work together towards what are you doing, what are they doing, what can we do to help each other prevent these kind of issues going forward in all forms of cyber? And as we did that show of hands, it's kind of interesting, what is the default rate in municipal bonds? 0.08% over the past 10 years I think. But when we ask how many people are going to get targeted for cyber attacks, it's 90%. We talk very little about this in our offering documents about what we're doing to prevent these things. It's a very, very complex deep issue, one of which I think we all are going to have to pay attention to more and more.
Ed Fierro (33:24):
So if anyone has any questions, we've got about 10 minutes left, feel free to raise your hand, but I'm probably going to, okay, go ahead.
Audience Member 1 (33:30):
So a lot of us finance tech advocate for years, but what's the best way to get funding staff resources at a much larger scale to safety protocols?
Ted Chapman (33:46):
So if you didn't hear, the question was how do issuers, where's the financial, human and other resources to be able to address the problem? Alright, so I'm not a standup comedian despite my kind of smarmy and charming personality, but as we would say, we're workshopping new material. But I'll still go by the rule of three. So I'll do one last quick raise of hands, quick show of hands of the issuers in the room. How many people are like, yep, I am totally happy with my staffing level. We're fully employed. I don't have any available positions. Everybody is like we're short on staff. It's tough to even do the ACFR on time, let alone worry about it, which is sort of in our org chart, but kind of not. So I think one of the things that we are seeing is that there is a little bit of outsourcing, sharing pooled resources because IT folks, they're really good at what they do, but they're kind of hard to afford for a municipality.
(34:43):
I mean you guys can talk more to just the overall shortage for whoever, was it like over a million jobs unfilled,
Brian Gardner (34:50):
3.4 million,
Ted Chapman (34:52):
3.4 million unfilled jobs in the United States. So I mean municipalities are going to have to lean on some kind of common shared services, whether it's outside vendors, whether it's a council of government type of approach. But yeah, I mean it's for sure a problem and it's only going to be exacerbated if we ever get to oh, financial data transparency act, well let's pull some resources to help address that. So I don't know the good solution right now, but throwing money at it isn't going to hurt, but it's not going to solve everything.
Omid Rahmani (35:22):
I think here is the thing. So the number two reason why we're having a massive brain drain of cybersecurity professionals out of the muni sector is actually culture, not money. Number one is money. And that makes sense because therefore a starting position for the exact same person with the exact same qualifications for the exact same junior cybersecurity role is about 40% difference in pay between the public sector and this community. By the time you get to Brian's level, it could be as much as a thousand percent, which really makes me wonder, why are you working at Austin? Have you been drinking?
Brian Gardner (35:55):
And he beats me up every time we speak together about that every time.
Omid Rahmani (35:59):
But I'm going to have to talk about your life choices later with you not advising. But the point I'm trying to make is culture is a really, really big part of it. So I always tell people if I'm talking to issuers, who are the hardest employees for you to replace? The ones you don't think about, it's your IT and cybersecurity people because they're pretty much the only people who can be like, I'm tired, I'm going to leave tomorrow and by the next day have a job. That's how much the demand is. So go find your IT personnel, go give him a hug, take him out to lunch, make sure you tell 'em you love 'em and how nice they are. You can't afford to lose them. So I think culture is a big part. And I'll tell you, when we were coming out of the pandemic, one of the reasons that people were giving for leaving was what they called the anachronistic and rigid culture of the muni world, for example.
(36:57):
People were used to a lot of it, people are not very sociable people, so they don't like seeing people, they're really good at what they do and they don't like seeing people. They also don't like being forced to do things. So one of the number one reasons people were leaving for cultural reasons, this community was being forced to go back into the office when they could literally do their job from the other side of the globe. And again, they don't have to take it and they aren't. They still aren't, which is why we're having massive, I mean Brian can tell you how hard it is to hire and more importantly keep IT personnel.
Brian Gardner (37:33):
Retaining good help is really, really difficult because of the pay and skill differential.
Omid Rahmani (37:38):
And the thing is that what makes it more complicated is muni networks are built on the cheap. So they're not built engineered with any kinds of anything sensical from the ground up. They're just sort of built on top of each other as time goes on and you do it on the cheap, you just kind of connect things together.
Brian Gardner (37:56):
20 years ago, that's when those infrastructures were built. So you're working on old stuff and people want to work on the new cool stuff. They're like everybody else here in the room, I want the coolest, latest and greatest. And if you're always working on that old stuff, it wears on you.
Omid Rahmani (38:11):
And it's super esoteric. You have to understand what it is you're dealing with. A person, no matter how many qualifications and how much education, can come into a complex muni network and be like, I don't even understand what I'm looking at here.
Brian Gardner (38:24):
Correct.
Omid Rahmani (38:24):
So that's another reason why, again, culture super important. Go kiss your IT personnel, tell them you love them because you can't afford to lose them. The retention part is a big, big problem because you bring these people, you train them on these esoteric networks and then they leave.
Brian Gardner (38:39):
Correct.
Ed Fierro (38:40):
Any other question?
Brian Gardner (38:40):
Cause they go work for the private entity at double their pay.
Ed Fierro (38:44):
Yeah. Great. Any other questions? Okay, if I could ask maybe the panel to end with some key takeaways. We've got about four minutes, if you want, just
Omid Rahmani (38:54):
So me and Brian when we've done this in the past, we're told we're too much doom and gloom. So I want to start out by saying we're all going to die, but there is a positive note to that and I'm actually going to kick it off to him because he's one of the founders, he's one of the real visionaries of regional cyber cooperation and I think that's something that's actually made a difference in the United States. So why don't you talk a little bit about that silver lining of how there's a lot of cooperation among cybersecurity professionals within the muni community to protect each other and share resources.
Brian Gardner (39:26):
Correct. So about five years ago we started a group city CISOs, and so collaboration between Dallas and Austin and San Antonio and Chicago, New York, LA really just, I don't know if it was a shoulder to cry on or really exchange of information, maybe both, but really collaboration in that realm is important to share that information. I know we want to guard that information, what I got out and all those kind of things, but really understanding because they're not just targeting one city, they're targeting them all. They're making it and it's rinse and repeat. If I can target this city, I can target that city with the same opportunity and probably get just as good as a result. So that's how they're doing it. I'm going to, like I said, I am not the CISO here in the city of Austin. I'm on the resilience side, so the complete positive, we're going to get this place back up and on its feet approach. My one takeaway is as far as financial and technical controls, you need to work in tandem and together to understanding both are necessary in order to be really protected and then making sure that all the pieces to get yourself back on the feet or them back on their feet is really, really important. Otherwise, I'm sure there's a dollar that's associated with it and as a CISO and deputy, I don't care. But really getting us back on our feet is what's important and getting those services back.
Omid Rahmani (40:56):
That's correct.
Robert White (40:59):
I would say for my kind of final takeaways or statements would be, I think there's two red flags to pay attention to. One is if you look internally at your organization and you don't see a lot of security, it's a pretty big red flag for your organization. And then the other is if you're putting new processes out there that are more secure and you hit a wall with the people you do business with because they don't want the new security method, they want to stick to the old methods of doing stuff, it is also a red flag. Some organizations out there will choose, Hey, if we just don't allow our employees on the internet at all, then we won't have a problem. If they don't open an email until it goes through our IT department, we won't have a problem. And so they put together a castle and a fortress that kind of prevents you from interacting. And then you come into the industry with a new solution and you hit a brick wall and they want you to just go back to the old way. It's a red flag and something I think we got to pay attention to.
Ted Chapman (42:08):
I think the takeaway is, I mean everybody is vulnerable. It doesn't matter how big, what type of issuer you are, everybody is vulnerable. The smaller ones, maybe they tend to be a little bit less. They don't have the human resources, the bells, the whistles, the fancy tools. That's why they are more vulnerable but not necessarily more vulnerable. Equally vulnerable I guess is maybe a better way to say it, because larger issuers, they have deeper pockets. They may be just a juicier target. There are folks out there, depending on your level of financial resources among others, that can at least do sort of a cursory audit. Is it Homeland that does those?
(42:44):
It's a very long lead time.
Omid Rahmani (42:45):
We'll see if they continue because that program is,
Ted Chapman (42:48):
Who knows if the website's even still up. But there are tools, because technical assistance resources are available at the federal government, who knows the current status. But there are folks out there that can at least give you sort of a checklist, real brief, not a deep, in-depth dive, but can at least say you should be doing this or maybe think about doing that. At least it provides the decision makers at that local level some additional considerations of where to deploy very limited resources, because everyone knows we have limited resources, financial, human capital, and otherwise.
Ed Fierro (43:24):
Great. Thank you. I think with that I thank our panelists and thank you all for joining us today. There's a lot of risk out there, whether it be reputational, whether it be legal or regulatory. You all are going to face it in your transactions and while you're working within your organization. So just keep that in mind as you go through your career. Alright, thank you.
Breakout 2: Keeping Cybersecurity Top of Mind for the Market
April 23, 2025 2:14 PM
43:50