Moody’s to consider CyberDefense in its Credit Ratings

Moody’s Investors Services recently noted that In today’s interconnected and digital world, business leaders must be aware of the diverse cyber threats their business faces and be proactive in protecting their clients, data, networks and operations from theft, disruption and destruction. These threats range from criminals seeking financial gain to nation states committing corporate espionage or seeking to dislocate markets.  Additionally, cyber threat actors are becoming more sophisticated in their attack methods, making cybersecurity an area of risk that must be actively managed by firms similar to other areas of risks.

To address this reality,  Moody’s Investors Service announced that the credit implications associated with cyber defense, detection, prevention and response will  take a higher priority within its credit assessments and analysis.

“While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those scenarios,” said Jim Hempstead, Moody’s associate managing director, in a statement. “As cyber risk becomes more pervasive, it will take a higher priority within our analysis.”

The IT infrastructure in financial services serves as “technology leverage”, as the Atlantic Council puts it – creating tremendous efficiencies but with increasing risk. The destruction of financial data or the disruption of markets would have a rippling effect on other domestic sectors and industries, as well as global markets. In that light, President Obama has expressed that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”

Moody’s is still working to fully understand the scale and scope of cyber risks as “The credit implications for a business or organization can vary widely, so incorporating cyber risk in our credit analysis consistently and transparently across all sectors and regions can be challenging,” according to Moody’s.

In the recently released report titled, “Cyber Risk of Growing Importance to Credit Analysis,” Moody identified three key factors that it will examine when determining a credit impact associated with a cyber event.

  • Nature of the affected assets or businesses – “The more critical an asset or business to a society or economy, the greater the credit implication,” according to the report.
  • Duration of service disruption and expected time to restore – “The duration of an event is difficult to measure, since many emerging cyber events start months in advance of their detection. The longer an attack lasts, the higher its severity,” the report states.
  • Scope of the affected assets or businesses – “We see a big difference between a cyber attack concentrated on a single issuer and a widespread attack that affects a large geographical region, specific sector, or infrastructure asset,” the report states.