Understanding the Link Between Cybersecurity and ESG

Speaker 1:

Welcome to Markets Plus. We're leading experts from across BMO discuss factors shaping the markets, economy, industry sectors, and much more. Visit bmocm.com/marketsplus for more episodes. The views expressed here, are those of the participants and not those of BMO Capital Markets, its affiliates or subsidiaries.

John Uhren:

Welcome to another episode of Markets Plus. I'm John Uhren, head of Sustainable Finance product Strategy on BMO sustainable finance team. Today we're going to dive into the topic of cybersecurity and how it's a key environmental, social and governance or ESG concern. Cybercrime cost over 3 trillion last year with a cyberattack occurring every 11 seconds. The average cost of a cyberattack is around 150K, a number that's grown substantially over the last several years. Now these are costs associated with remediating the cybersecurity breach, but there's additional costs related to lost goodwill and lost consumer confidence.

When Facebook had a major cybersecurity incident in 2021 where over 500 million user records were lost, that impacted their customer's confidence. And as companies continue to digitalize in business model shift to incorporate a complex mix of technology and data supply chains, coupled with attackers getting smarter and more sophisticated, it's clear that companies and governments cannot afford to ignore cybersecurity.

Joining me today is Andrew Matheou, head of BMO Capital Markets Global Transaction Banking. Andrew works with companies to, among other things, help them minimize financial losses that are caused by cybersecurity breaches. Thanks for being here today, Andrew.

Andrew Matheou:

You're welcome.

John Uhren:

So to start, why don't you tell us a little bit about yourself and your role at BMO?

Andrew Matheou:

Yeah, sure. So I'm managing director for global transaction banking for BMO capital markets. So that means we work with large corporates predominantly in the United States, but also globally to help with their treasury and payment needs. So I helped to oversee this for BMO and my prior life was working in the consulting industry for 10 years, consulting with CFOs for Fortune 500 firms on strategy and finance transformation. My experience with cyber is that given our client base, I tend to get a lot of calls from senior executives when bad things happen. So have seen firsthand when breaches occur with our clients and have worked hand in hand with our clients to remediate the breach and put some structures in place to prevent it from happening in the future. So pleasure to be here today and I think this is incredibly important topic for us all.

John Uhren:

Great. Thanks, Andrew. So let's dive in then on the topic of cybersecurity. And at high level, what's the risk to companies? What's the risk to investors? Is it purely financial or is there more at stake here?

Andrew Matheou:

Yeah. From my perspective, the risk is existential. This is an existential threat to many an organization, including ours. So taking our organization as an example, our main business historically is to hold and secure people's money. This is money for groceries, money for rent, money for college funds, money for retirement, money to acquire another company and so on. So we are a trust-based business, and if a bank is incapacitated due to a cyberattack and a customer cannot access their money for these groceries or to fund an acquisition closing on a specific date, we have a problem. And the problem is not one of inconvenience, but it's one of existence. We just might not exist in the future if this persists. And the same story permeates other businesses across the United States. So for me, this is not just another threat, but this is an existential threat. And the risks to organizations globally is grave.

John Uhren:

I like the way you put, I mean, don't like it insofar as it terrifies me, but an existential risk and threat. I mean, we've seen over 200% rise in attacks against financial companies specifically annually over the last several years. So just a dramatic impact on financial companies, financial institutions in particular. And that aligns with what you are talking about in that it's not just our balance sheet, our treasury and payment solutions group that are being attacked. It's literally the money that our clients rely on for their operations, for their business as usual to keep their lights on. So it impacts all of our customers in a way that very other sectors that are impacted to have such long reach vis-a-vis their customers the way that financial institutions do. So it is existential. That's scary, but a good way of putting it. What are you seeing and hearing from clients around the risk of cybersecurity and the threats to their business?

Andrew Matheou:

Yeah, sure. Like the pandemic now, it's endemic phase, so it's everywhere. It's ubiquitous. Every company in America or globally for that matter, I think has dealt with this or will have to deal with it in the future. So it's everywhere. And for my seat, we mostly get involved with clients when money has left their organization, it's a reactive involvement for us. I wish it wasn't, but I would say nine times out of 10, we work with clients or we get the calls from clients only after something bad has happened. And that usually is when money has left the door and they want it back. I wished nine times out of 10 I was called proactively. And I wish I worked with those clients to get ahead of those measures and I wish that they're thinking about that. So we can flip the script there a little bit, but what we're seeing is an increase in external threat, actors, hackers, and organized crime.

And what we've seen most recently and read about in various studies is collusion between external and internal threat actors. And that's a scary prospect because it increases the strength and effectiveness of the attack because you've got someone on the inside and someone on the outside collaborating, colluding, et cetera, which just makes the threat even more serious.

Ultimately, these bad actors are looking to monetize their efforts. They're just trying to perpetuate payment fraud. And I know we stereotype organized crime or bad actors as a bunch of middle-aged men sitting in a smoky back room scheming on how to lift a tractor trailer of razor blades or something. But it's not like that. The reality is organized crime has gone online and they're seeking to commit fraud from the comforts of their living room, armed with blazing fast computers and the latest equipment. So they've gone online just like we've gone online throughout the pandemic.

And probably the most frequent and toughest thing that we get calls from clients on is wire fraud. It's usually through business email compromise. It's usually the easiest thing to mitigate, but the hardest thing to remediate because we have to work with the clients to get the money back, which is hard to do, and usually the size of the money that's left is quite significant. And I was reading one stat from the FBI that said something like 2.4 billion was lost last year just through business email compromise. So it's a significant risk. A lot of money moves out of the rightful owners, so definitely something that we see continue to be on the rise.

John Uhren:

Interesting. I mean that comment you made around the rise in both internal and external threat actors. So I think I always thought of a lot of the bad actors being outside of organizations, but they're even more effective if they have some form of collusion with internal actors as well. That's really interesting. And I think that just hits home again for the different companies and financial institutions, the requirements and the importance of having really thoughtful and forward-thinking compliance programs within the organization to not only catch external bad actors, but to be reviewing different emails, suspicious emails that are sent, fraudulent behavior and activities that occur within the organization. And the good news is that's within an organization's control. The bad news is it's never going to be easy to be in front of, like you said, you're more reactive than proactive in trying to prevent some of these activities from happening.

So you're always reacting to the next incident, the next plan, the next activity that could be fraudulent in nature. So it's just an interesting way and to think about cybersecurity in terms of that internal threat as well. So let me switch gears a little bit, Andrew, because you've explained to me in very real terms what the threat we're facing is and how it's an existential crisis in many ways and a threat to the entire economic ecosystem that we live in.

But let's talk a little bit about ways that BMO is looking to partner and support our clients. What are some of the initiatives that we have within our bank that are looking to support our clients in that reactive state so that we can help them either get the money back or prevent it from happening altogether?

Andrew Matheou:

Sure, yeah. And we've been here as an institution for over 200 years, and it behooves us to do everything and anything we possibly can to last another 200 years. And as mentioned, it's all about having people trust in us with their money. So we do a lot. One of the big things that we do is fund and operate a world-class financial crimes unit. And this unit combines world-class expertise from the cyber world, from the fraud world, physical security world, crisis management, world law enforcement world. And that team works together globally to detect, prevent, respond to and help recover from security threats that is the frontline, so to speak. And we invest a heck of a lot in that because we need to protect our reputation, protect our regulatory ratings, and ensure that we last another 200 years.

We also develop a lot of internal practices and technologies for our own needs, and sometimes we make those available to the marketplace as well. One of the tools that was recently developed was called OLI, it's active for Operational Loss Intelligence tool. And this is a tool that ingests internal and external data, flows it through some machine modeling and AI and signals when operational losses are likely to happen. So that's been a useful tool that the bank has developed and is now making available to the market. We're doing lots, and I think the best place to take a look at that for any of our clients that are interested in what we're doing and what they can do is to go to bmo.com/security and they can see what we're up to and download resources that they can use.

John Uhren:

I have to imagine machine learning and AI is critical to the response to a lot of these bad actors in terms of how can we understand at a machine or technology level around what the risks is, but importantly around how to trace where the money has been funneled to and ultimately where it resides so that we can try and retrieve it. I think trying to do things manually, like you talked a lot about wire fraud as an example, I would have to assume 30 years ago it was literally trying to trace that wire and retrace the steps to find out which island that money was residing in. But now I have to assume using ALI, and you mentioned the OLI, the operational loss intelligence tool. I have to think these are critical to the ways in which we are assessing both the activity that occurred, but importantly how we can actually try and mitigate some of the loss or risk associated from the action.

Andrew Matheou:

Yeah, it is, and what I will say is the new technology helps the old process and procedures and technology is still incredibly relevant because the first thing that you should absolutely do the wire happens is pick up the phone and call your banker, and then that banker will use its relationships, the processes, the technologies, and maybe even pick up the phone too to that bank that received that money to try to get it back. So it is a blend of new technology, but also proven practices and technologies that have worked in the past too. And I would say that speed is critical, so technology's fantastic, but the speed element of reacting to something is hyper important, and that only comes with humans changing the way they respond.

John Uhren:

So I'm going to switch gears a little bit here and touch on cybersecurity from an ESG perspective. So I dabble in the world of ESG and sustainable finance. We talk a lot to both investors and companies around different ESG risks, opportunities, threats that they see that are critical for both sides of the investment ledger. And obviously the E in ESG from an environmental perspective gets a lot of attention. I've heard that being called an existential risk that we all face in terms of global warming and climate change, and understandably so, as we see some of the major-

Andrew Matheou:

Yeah, literally.

John Uhren:

Literally, yeah. So we're dealing with a couple of big risks on this podcast, it's a light one. But equally important and if not more important, arguably in the near term is the social and governance type risks that don't get taken for granted per se, but that are critical to the overall success and just operations of a company on a daily basis. And when we think about cybersecurity, we think immediately, what's the impact that a major breach can have on your customers? And that's a social risk. So what is the company doing to try and mitigate against those materials, cybersecurity risks. From a governance perspective, what policies, procedures, oversight does a company have in place to try and prevent these types of threats from materializing or trying to mitigate them from becoming something much larger than that Facebook threat that I talked about earlier in 2021?

And it's critical because not only does a company care about it from an ESG perspective and in the light of what their customers think of, but investors and particularly institutional investors have told us time and again that cybersecurity threats are critically important in their investment decision-making. So when they're thinking about different companies to invest in, one of the screens a lot of institutional investors are putting on their investment is cybersecurity. It is how is a company mitigating cybersecurity? And yes, it deals directly with some of the cybersecurity type risks, but it's also almost a proxy for other major risks that a company may face as well to say, okay, if they've been thoughtful around these major social and governance type risks, it's likely the case that they're also thoughtful in approaching different environmental and other social and governance risks as well.

You have most fortune 100 companies anyway, disclosing cybersecurity as a material risk now in annual reports, disclosing how they're mitigating this risk in great detail. To investors, it's clear that it's important to companies, and I think this is a trend that we'll continue to see into the future. As I alluded to in my opening comments, this isn't something where we've seen something historical as it relates to these threats and some of the losses associated with some of the major cybersecurity attacks. I think they're only going to get more pronounced as we move forward.

So from an ESG perspective, both on the investment as well as the issuance side, I think this is critical on top of mind and probably the type of topic that keeps a lot of CEOs, CFOs, C-suite position type actors up at night thinking about this risk, this existential risk to their business, and really how to prevent a serious fraud on their books. But I wanted to ask you, Andrew, investors or companies, how should they be thinking about achieving privacy or enhancing privacy and security within their organization in today's increasingly online world?

Andrew Matheou:

The way I would think about it would be three things. The single most important thing you can be doing as a board member, the senior executive as an employee is helping to establish a culture around fraud prevention. It seems simple. It's incredibly difficult to do that. And it includes things like leaders holding regular discussions with employees about fraud, implementing, processing procedures to mitigate your exposure and so on. It's all the basics, but you got to do them and you got to do them day in, day out, and you got to do them well. It takes a village to combat these risks. So job number one is creating a culture around that.

Then and only then you can augment this culture with IT solutions, antivirus software, malware software tools that monitor your systems versus behavior. They all exist, they're all out there. There's great solutions for you, but you got to build that on top of culture. And then finally, practice organizations should work through scenarios on what they would do for fraudulent event happens. They should seek to learn from that experience, document it, do it again and again and again. It seems a simple thing to do, but organizations can really learn a lot by putting themselves into the situation and seeing how they would react. So from my vantage point, you got to first build that culture layer on the IT solutions and then practice to see what you would do when an event happens.

John Uhren:

I think that's good, Andrew, because especially in changing culture or building culture around fraud prevention, I mean, we talked about a lot of threats being both internally as well as externally developed. And if you have that internal culture as of one where there's an acknowledgement and understanding of the existential risk to the business that this could present, then you have all employees bought in on the importance of taking these types of risks seriously. The importance of flagging different suspicious behaviors and actions internally when they're seeing them. Once you layer on that IT solution and then build it out and test it through the scenario analysis, it's almost like any good risk management practice where it starts with people, but ultimately you need to understand and quantify and qualify what are the risks that you're facing and how would you appropriately deal with a variety of risks before they happen and do that in a test scenario or test basis.

And I think that third part is really important because scenario analysis is something that... That takes time focus efforts for organizations to do. It's not easy to necessarily run through the world of potential scenarios that you don't even know what they could be, but you are trying to best position yourself to deal with them or mitigate them in future. But it's an important practice because yes, you may not have the exact scenario in the future, but the way your team, through the culture you developed, responds to that risk will be something that will be able to be replicated, or at least the processes will, and hopefully that prevents maximum exposure from the risk.

Andrew Matheou:

Well said, yeah.

John Uhren:

So I wanted to just leave, if you could leave our listeners with one more thought, one main finding, one idea that you have that you wanted to impart on the listeners around the risk of cybersecurity and how different organizations should be thinking about it. What would that be?

Andrew Matheou:

I would leave listeners with this. Cybersecurity is now a boardroom issue undoubtedly, and it's been a boardroom issue for some time now. The board has a fiduciary obligation to its shareholders to protect the organization from risks, and this is a grave risk. And if they fail to meet those responsibilities, there's liability for the institution but there's also business risk. If you just look at some regulatory enforcement actions, regulators are looking at how data is properly collected, maintained, secured, just look at some of the FTC investigations that have gone on.

And equally as importantly, when there is a failure, it can disrupt an organization's ability to deliver on its commitments to shareholders and to its employees, which typically fall into S. So business operations loss happens, loss of brand recognition happens. Legal actions, as I mentioned happens, loss of shareholders, stock price happens, and these are all very serious repercussions. We're talking about money, we're talking about businesses, we're talking about lies, we're talking about employment.

So you got to take this seriously, and frankly, I don't care if cyber sits in an S or a G or both. It's just got to be in your framework somewhere. It's just an integral part of modern accountability in the world that we live in. There's really no way around it. So that would be my parting thread here is, it's irresponsible not to have cyber in your framework. So just put it in there and be serious about it and look for ways to measure how you're doing in this area.

John Uhren:

Well said. Well, thanks very much, Andrew, for joining the pod today. Really appreciate it.

Andrew Matheou:

Yeah, you're welcome. This has been fun.

Speaker 1:

Thanks for listening. You can follow this podcast on Apple Podcasts, Spotify, or your favorite podcast app. For more episodes, visit bmocm.com/marketsplus. This podcast has been prepared with the assistance of employees of Bank of Montreal, BMO Nesbitt Burns, and BMO Capital Markets Corporation, together BMO.

Notwithstanding the foregoing, this podcast should not be construed as an offer or the solicitation of an offer to sell or to buy or subscribe for any particular product or services, including without limitation any commodities, securities, or other financial instruments. We are not soliciting any specific action based on this podcast. It is for the general information of our clients. It does not constitute a recommendation or a suggestion that any investment or strategy referenced herein may be suitable for you. It does not take into account the particular investment objectives, financial conditions, or needs of individual clients. Nothing in this podcast constitutes investment, legal, accounting, or tax advice, or a representation that any investment or strategy is suitable or appropriate to your unique circumstances or otherwise constitutes an opinion or a recommendation to you.

BMO is not providing advice regarding the value or advisability of trading and commodity interests, including futures contracts, and commodity options, or any other activity which would cause BMO or any of its affiliates to be considered a commodity trading advisor under the US Commodity Exchange Act. BMO is not undertaking to act as a swap advisor to you or in your best interests, and you to the extent applicable, will rely solely on advice from your qualified, independent representative in making hedging or trading decisions. This podcast is not to be relied upon in substitution for the exercise of independent judgment. You should conduct your own independent analysis of the matters referred to herein together with your qualified independent representative if applicable.

BMO assumes no responsibility for verification of the information in this podcast. No representation or warranties made as to the accuracy or completeness of such information. And BMO accepts no liability whatsoever for any loss arising for any use of or reliance on this podcast. BMO assumes no obligation to correct or update this podcast. This podcast does not contain all information that may be required to evaluate any transaction or matter. And information may be available to BMO and or its affiliates that is not reflected herein.

BMO and its affiliates may have positions long or short and effect transactions or make markets insecurities mentioned herein, or provide advice or loans to, or participate in the underwriting or restructuring of the obligations of issuers and companies mentioned herein. Moreover, be BMO's trading desks may have acted on the basis of the information in this podcast.

For full legal disclosure, please visit bmocm.com/legal. To access our full disclosures for equity research reports, please visit researchglobalzero.bmocapitalmarkets.com/public-disclosure/.