S&P Global Inc. (SPGI) Earnings Call Transcript & Summary
September 27, 2022
Earnings Call Speaker Segments
Suzanne Henry
Hello. Welcome to S&P Global Ratings' first product spotlight. Today, we'll be talking about the growing importance of cyber risk and C-suite planning and a new cyber risk assessment that we, S&P Global Ratings, are delivering to our clients through a partnership with Guidewire. I'm joined today by members of the S&P Global Ratings' commercial team and a member of the Guidewire leadership team. I'll invite them all to join me now. There we go. From S&P, we have Glen Fernandes, the Global Head of Product Development; Trent Ottoson, a Relationship Manager on our North America commercial team; and from Guidewire, Dr. Michael Dobrovolsky, Head of Financial Services and Strategic Analytics. Before we get started, I'll run through a couple of quick housekeeping items. The content of this webinar is not open to analytical members of S&P Global Ratings. At this time, we'll ask that if you are a member of S&P Global's analytical team, that you exit the call. Next, the session is being recorded and will be available for replay. And third, please use the Q&A box on the bottom of your screen at any time to submit questions for our speakers that we can address at the end of today's session. Most of you have historically looked to S&P Global Ratings for insight and analytics related to credit ratings. Our credit ratings have always been our independent assessment of an entity or a financial instrument's creditworthiness. We've always looked at any and all risks that could implicate creditworthiness. And over the past century and a half, we've seen that list of risks evolve along with the world in financial markets. In more recent years, we've begun to consider how cyber risk could implicate an organization's credit rating, and it was through our work there that we realized there may be more we can offer the market on a stand-alone basis, meaning an independent view of an organization's cyber risk not through the lens of credit.
We realize that this information could be valuable to C-suite-level executives as they seek to identify their own cyber risk from the outside in, direct investment and financially plan for adverse scenarios. As we began to think about developing a product that was within the spirit of what S&P Global Ratings does, which is to deliver our independent insight to help our stakeholders make strategic decisions of conviction, we have to consider the enormous amount of data and expertise that would underpin this effort. Because we'd only considered cyber risk through the lens of credit, we knew partnering with an outside party would take this to the next level. Guidewire was a natural fit for S&P because they take an advanced data-driven approach to helping companies better quantify the financial impact of cyber risk. So now with all that background, let's shift to our panelists for a deeper discussion about the importance of cyber risk and S&P Global's partnership with Guidewire. To kick things off, Michael, as someone who has spent their career working with organizations to understand the cyber risk landscape, what are some of the key shifts you've seen in the past few years?
Michael Dobrovolsky
Sorry for that. The realities of global economy, they enforce digitalization over the last 2 years. And the necessary consideration of enterprise financial and operation and acuity and relative position among thousands of supply chains, materials, digital and logistics, are forcing enterprises, full sizes and the likes, into realm of the public domain, into open and the search lights of many. Adding new variables to enterprise this baseline by multiple and shifting the business cyber conversation from cybersecurity to the cyber risk. Cybersecurity by design is a [indiscernible]-focused space. For many years, the risk associated with cyber has been considered exotic and [ clock ] under unique jargon compared to all other financial reasons. That status quo is no longer acceptable by the executive leadership responsible for enterprise financial stability and operation financial risk controls. The topic of cyber risk is elevated and promoted from being exotic into the regular member category of enterprise financial risk management payment. That promotion requires a transparent, objective, scalable quantification of the cyber risk baseline. The quantification must be rigorous and validated and tested by the same standards that apply to any financial controls and quantification legals that regulators can trust. And that is a new reality.
Suzanne Henry
Got it. Thanks, Michael. Knowing that regulation continues to play an important role in how our clients are managing risk, whether it be credit-related, sustainability and now cyber, Michael and Glen, can you both comment on how you're seeing regulations start to address cyber risk?
Glen Fernandes
Sure. Michael, why don't I kick things off here, if I may? First, due to the severity of cyber, governing bodies such as CISA in the U.S. have defined cyber risk to be a business risk based on significant impact it's had and will continue to have with our clients and the balance sheet of our client base. That said, draft rules have been proposed by the SEC in partnership with CISA, requiring companies to provide a greater level of disclosure and transparency around several risk factors, including how is the company specifically managing cyber risk and the level of Board oversight and experience when it comes to cyber risk as a whole. These rules are in addition to existing levels of disclosure for cyber events for the 16 critical infrastructure sectors. The proposal is being viewed by other countries and regions as a benchmark to enforce greater level of transparency and disclosures in managing cyber risk. Overall, I view the draft rules as a means to ensure companies have the proper levels of oversight from their respective Boards to evidence and have a strong active engagement as to understanding cyber risk as a whole.
Suzanne Henry
Great. Shifting gears a little back to the S&P perspective. Trent, as part of S&P Global Ratings, you and members of your team have historically spent most of your time speaking with treasury and finance teams talking about credit risk and their funding plans. Tell us a little bit about how those conversations -- the shift in those conversations has led S&P to explore cyber risk through this unique lens.
Trent Ottoson
Yes. Thanks, Suzanne. As you know, S&P has a long-standing history of being a trusted partner to treasury and IR teams as they rely on our ratings and our thought leadership to help them tell their story to their stakeholders in the market. S&P is ultimately a risk benchmarking company. We just happen to have over a 100-year head start in the credit space. That benchmarking work has expanded to include ESG and sustainability and now more recently, cyber risk. Our issuers and other market participants have been telling us for a while now that cyber risk is one of, if not the biggest risk to their business that they don't have a good handle on. It is probably the #1 thing keeping these leaders up at night. We hear this feedback from clients across all sectors and business sizes. No one is immune to cyber risk. Cyber risk is already a topic we discussed with issuers through our credit rating and ESG analysis, but only with the lens of how cyber risk could impact credit or ESG. The cyber risk assessment allows us to go much deeper and provide a more holistic view of cyber risk for our clients and help them quantify that risk.
Suzanne Henry
Great. Thanks, Trent. Digging a little bit more into the Guidewire data. Michael, can you share more with us about how you and your team have historically derived the data you use and how the partnership with S&P Global helps it come to the next level?
Michael Dobrovolsky
Pleasure. We harvest technographical data on approximately 1 million companies daily. Petabytes of data continuously collected from hundreds of individual sources and about 10,000 data attributes are curated and assembled into model-ready format using data science, machine learning techniques and cyber-specific expertise. S&P, on another hand, is a well-established firehouse and financial domain, assessing, evaluating and quantifying the financial risks for enterprises across the globe over the last 100 years. That unique expertise increased now through dynamics of the global market, combined with our expertise in [ evolutionalized ] speed dynamics of cyber risk landscape elevates our [ visual ] value to a new cutting-edge level.
Suzanne Henry
Great. Thanks so much. We'll now shift gears a bit to discuss the cyber risk assessment, which is now being delivered by S&P Global Ratings in partnership with Guidewire. Our cyber risk assessment is a confidential tool that our clients can use to help them identify their cyber risk factors, do peer benchmarking and leverage financial risk quantification to ensure against cyber events and direct their investment. The cyber risk assessment is completed using an outside-in approach to a company's cyber risk profile and is delivered to clients via Ratings360, our issuer-centric web-based portal. The information is auditable and refreshed monthly, so that organizations can not only identify emerging risks but also measure their own risk mitigation success over time. So Glen, as you and your team were tasked to work with Guidewire to create a product that filled the void that was uncovered in the market, who did you see as your key audience?
Glen Fernandes
Sure. Thanks, Suzanne. So our target persona has and continues to be the Board of Directors and C-suite executives. Our goal was to develop a solution that would demystify typical technical cyber discussions with the Board, such as the number of phishing attacks prevented or software remediation rates. We want to develop a tool that speaks to Boards in terms that they understand. When you look at the vast levels of business experience that a Board has, you're talking about 20-plus years of business experience. So we needed to frame the conversations in manners that they could understand, and that's really about business impact at the end of the day. That said, we found that there were 2 fundamental questions that Boards were looking to better understand when it comes to cyber risk. One, what factors are driving my overall cyber risk? And two, what's the value at risk based on my current cyber exposure? In addition, we're also seeing regulators taking more active roles with Boards by demanding greater level of transparency and oversight that I talked about earlier. This, in turn, is creating a demand for tools to fully understand an enterprise's cyber risk from top to bottom.
Suzanne Henry
Great. I think it would be helpful for us to provide a little more color on the analytics. Michael, can you walk us through the key cyber risk factors that the tool uses?
Michael Dobrovolsky
Thank you. Apology for that. We collect purely technical information in combination with thermographic data, dark web feeds, spy on blacklist, social media debt and many others. We have taken this large pool of historical data and comparative set of historical events. And we run this enormous data collection operation, not because we think we can find some interesting insights or curious discovery items, we do and we can, but everything what we do is a laser focus to drive our modeling framework to predict and statistically calculate 3 things mainly: the specific chance of a company having several events over the next 12 months; the frequency and potential severity of the event, what could financially impact your company; and the loss estimates for individual and combination risk events, what are based on stochastic model using event frequency and severity relative to your enterprise. Our probability modeling framework is based on the following sub-modeling components, behavioral science and modeling, catastrophic modeling and actuarial science. That is the main pillars of our analysis.
Suzanne Henry
Great. That's really helpful. Thanks, Michael. Glen, could you walk us through some of the key features of the tool to help us better understand its functionality?
Glen Fernandes
Sure. Happy to. First, the cyber risk assessment is confidential, as you mentioned earlier, and designed to be shared within a company's enterprise to understand and quantify their cyber risk. The report has 3 distinct areas: one, risk factors; two, gross loss analysis; and three, benchmarking. If we could show on the screen the first one, great. Perfect. Okay. For risk factors, the assessment covers a breadth of 48 risk factors and categories, which can be bucketed as either technical or nontechnical factors. These risk factors have been curated from over 1,000 data points across 400 sources. What you see on the first slide here is our risk factor dashboard, which highlights risk -- highlights the 8 risk categories up top and further down below the top positive -- 3 negative and positive risk factors that are actually driving your overall score. If we flip to the next slide, we could dig in a little bit more deeper. So as an example, with dark web here as a risk category, we could see what the trend line looks like over the past 12 months, either a factor has been detected or it hasn't been detected. And you could, based on that, determine how you're doing or if there are opportunities to improve, such as deploying new cybersecurity tools or strategies. If we move to the next slide, we can talk a little bit about our gross loss analysis. And this is, in my opinion, is where we could really tie together the conversation for a Board and be able to financially quantify cyber risk in financial terms. The data can be sliced into multiple factors. What you see up top is being able to slice it into various different loss types and then also look at it across various different severity levels. And then lastly, be able to look at it across the pie chart around what portion makes up one piece -- what piece of your overall -- your loss analysis. Lastly, if we can move to the next slide, we could hit upon the peer benchmarking.
This is where we could help leadership assess areas of strength and areas of opportunity versus industry peers based on a customized, selected peer group, all anonymized. As you mentioned earlier, all these analytics and insights are available to our clients via our online portal, Ratings360.
Suzanne Henry
Thanks, Glen. That was really helpful to be able to see all of that. It's clear that the cyber risk assessment is a really valuable tool for identifying risks and peer benchmarking and the financial quantification of that risk. But Glen, can you continue to elaborate on how the cyber risk assessment will complement a cybersecurity tool that maybe some of the organizations who are listening are already using?
Glen Fernandes
Sure. Happy to. First, let's take a step back and make an important distinction between cyber risk and cybersecurity. We define cyber risk as a measure of inherent or baseline risk of the business from the perspective of malicious actors. We see cyber risk to be broken down into 2 distinct areas: technical and nontechnical factors. Technical factors include items such as your network footprint, patching cadence, misconfiguration, while nontechnical factors include topics like your overall company size, your reputation, business profile as well as employee sentiment and social media presence. Both the technical and nontechnical factors must absolutely be considered to really understand your inherent baseline cyber risk. On the other hand, when you define cybersecurity, that fundamentally is the practice of defending your computers, servers, networks from these malicious attacks. It's important to note that our offering delivers analytics on cyber risks and is not designed to be a tool to manage day in and day out cybersecurity operations and programs. Our cyber risk assessment helps organizations to objectively quantify the drivers of their cyber risk posture. Our solution can complement cybersecurity tools by mapping these risk drivers that we talked about earlier to a company's overall cybersecurity controls, which results in a more informed approach towards cybersecurity.
Suzanne Henry
Great. Thanks so much. Shifting gears back to the perspective of the S&P Global Ratings clients. Trent, as we've rolled this out to the market, can you share some of the feedback that our existing clients have shared with you about our cyber risk assessment?
Trent Ottoson
Sure, Suzanne. Feedback thus far has been overwhelmingly positive for the cyber risk assessment. It helps to address a very important potential blind spot that our clients are facing, which is a great assist for them as they manage their business. From the perspective of the risk managers, the peer comparison table is quickly being adopted as a tool to easily communicate relative risk exposure to their Board of Directors and other senior leadership. They're gleaning new insights from the report that helps provide an opportunity to negotiate better terms with insurance providers, lower premiums, higher coverages and lower their deductibles. From the CFO and treasurer's perspective, it helps to ensure that they have the right level of financial controls, whether those be cyber insurance or cash reserves, to help them manage through various levels of a cyber event. And then at the Board level gives clear visibility and transparency into the what and how much question. So what is my cyber risk and then how much is my financial exposure to the cyber risk through our value at risk analysis that Glen walked through. The last group that's really benefiting from this analysis would be the CISOs. So they have the ability to now map these drivers of risk back to their internal controls and evidence through an objective and independent third party that the tools that they're putting in place are helping to mitigate the overall risks of the business. And then the last thing that I would add there is, since this platform -- since this tool is being delivered on our Ratings360 platform, it's a space that our finance customers are already very familiar and used to operating through. We've heavily invested in that platform over the past few years, and they found it easy and intuitive to use on that site. So excited to continue that deployment for all of our customers moving forward.
Suzanne Henry
Great. Thanks so much. So we're going to shift gears a little as I see there's a lot of questions that have already come in through the Q&A box, and I'll encourage everyone to continue to send them in as we work our way through the first Q. First question that we're going to put up there, will my rating analysts have access to the information in my cyber risk assessment and possibly use it against us? I'll take that question for everyone. It's important to underscore the fact that this is a separate product from our credit ratings. Credit ratings have always looked at any risk factors that could implicate an entity or a financial instrument's creditworthiness, cyber included, ESG included, along with any other emerging risks. But the cyber risk assessment looks at cyber risk in a vacuum. It is an entity's cyber risk posture from the outside in separate and apart from any sort of creditworthiness. So it's important to remember the distinction between the 2. The next question that we will look through, I'm just looking through, how is S&P able to get all of this information about our companies without our involvement? Michael, do you want to take that question for us?
Michael Dobrovolsky
Sure. Absolutely. Everything, what we're collecting, everything, are based only on what is already legally exist in the public domain. That allows us to constantly collect and process the data sets that are large enough to draw a meaningful and statistically sound inferences about the enterprise inherited cyber risk. Enterprises can apply the same computation methodology to compute the compensated side of cyber security controls deployed by enterprises, getting the complete tactical and strategical upper end of the enterprise residual cyber risk. And that is why fidelity of our signals and predictive power of our signals is so strong and statistically sound.
Suzanne Henry
Great. Thanks, Michael. Next, can you further expand on other solutions you are working on to help clients manage cyber risk? Glen, do you want to jump in here?
Glen Fernandes
Sure. Happy to. So we're excited that we -- to have recently launched our cyber M&A tool, which helps our customers perform an added level of cyber due diligence on prospective target clients. We feel we have a differentiated product by being able to project what the combined entities, postmergers, cyber risk and financial value at risk will look like based on various integration scenarios. With our cyber M&A tool, our clients can now factor this critical insight into other due diligence factors when they target companies for M&A activities. We also -- beyond the M&A product, we have several other product development ideas that are underway and are being piloted with customers based on the overall market demand.
Suzanne Henry
Great. Thanks, Glen. Next question. I work at a smaller organization where many of us wear multiple hats. Would this product have as much value for us as it would for a Fortune 500 company? Glen, do you want to just keep at it?
Glen Fernandes
Sure. I'll take that one. Sure. No problem. So overall, I would say that no company or sector is immune from a cyber event. Bad actors will focus on getting whatever data they want for whatever objective they have at the end of the day, whether it's financial gain or to render a business inoperable. In respect towards the applicability of this offering to smaller companies and for the ones we've spoken to, we think it's an ideal solution because they just don't have the same level of resources as a Fortune 100 or 500 company has. So being able to deploy another set of eyes and ears and quantify the risk all through one platform has resonated really well with smaller companies.
Suzanne Henry
Great. Thanks so much. Next question. How would my company's information remain confidential if we are able to do peer benchmarking? Glen, I think this one's for you, too.
Glen Fernandes
Sure. So overall, we absolutely respect our customers' data, especially cyber risk data, which is why we've anonymized the data in the peer benchmarking tool. We set a minimum limit of peers that you could add to your peer benchmarking portfolio so that you can't really back into finding out who is who within your overall peer group. So we've got the right safeguards in place, and we've anonymized all the data so that you could just get an overall view of how you stack up versus the rest of your peer group.
Suzanne Henry
Great. Thanks so much. So I think we have time for one more quick question so that we can wrap up at the 5 mark. The question is, how are the loss costs calculated? The estimates are based on generic numbers/public financial data? Or do you need more information from the company? Glen or Michael, do you want to jump in there? Michael maybe?
Michael Dobrovolsky
Sure. Absolutely. I can start, and Glen, you can add if you think. So as I mentioned before, we collect this information on the more than 1 million companies plus. So we have data samples, which statistically sound enough for us to do certain inferences. So based on the historical information, we can predict and we can calculate and we can calibrate with actual data all our models. Certain input, if you would like to be more precise, may require from your company when we do calibration. But in majority of our cases, in majority of our interaction with clients, our prediction and our loss estimation are precise enough to hold the predictive power. So it all depends on our relation with the clients. If clients want to run special or customized scenarios, we're open to that. We work closely with this and beyond that. But again, for today's case, we don't need any input information from your company.
Suzanne Henry
Great. Thanks so much. Well, we are at the end of our time. I'd like to take a moment to thank all of the panelists from S&P Global Ratings and from Guidewire today. We appreciate your time and insight. As a reminder for our audience, today's call will be available for replay and will be e-mailed to everyone who registered for it. Your feedback is also really important to us. So if you could take a moment just to get your thoughts on in a brief survey, we would appreciate it. Last, if there are any questions we did not get to today that you would like to ask, you can follow up with any of us via e-mail for answers to those questions. Thank you all so much for attending and for your questions. We look forward to working with you and speaking with all of you again soon. Thanks so much. Bye.