Ransomware, Compliance Management, Data Security

After ransomware hits Colombian energy firm, Moody’s says low patch rate suggests inadequacies in cyber practices

A Colombian energy company was recently hit with a ransomware attack. (iStock via Getty Images)

A ransomware attack at top Colombian energy company Empresas Publicas de Medellin (EPM) may damage its credit quality, setting an alarm clock for the critical infrastructure industry to develop efficient mitigation practices and vulnerability management programs, Moody’s said.  

EPM, one of Colombia’s largest public energy, water, and gas providers suffered from a ransomware attack reported on Dec. 13. The incident threatens operational disruptions to the Colombian utility’s website, mobile application, payment gateway, and intranet, which Moody’s said the company is struggling to resolve and therefore may impact its credit score.  

“While EPM has not commented on the severity of the attack, ransomware attacks can cause operational disruptions, often resulting in costlier and slower manual workarounds for normal automated processes — a detriment to credit quality,” the rating agency said in a report published on Dec.20.  

EPM’s credit concern set an alert for critical infrastructure sectors, such as electric, gas, and water utilities, as Moody’s identified them as having Very High risk for cyberattacks in the 2022 Cyber Heat Map.

“These companies [in critical infrastructure sectors] have a significant systemic role within the broader economy, rapidly adopt digital technologies across all of their services, and yet practice only average cyber defense compared to other highly attractive sectors such as banking and telecommunications,” Moody’s said in the report.

According to Moody’s, one of the critical measures of sound cyber defense practices is patching cadence — the rate at which an issuer remediates exposure to known vulnerabilities during security incidents like ransomware.  

Specifically, there is a strong correlation between Patching Cadence performance and the likelihood of experiencing a ransomware incident, said Derek Vadala, chief risk officer at BitSight, a cybersecurity rating and analytics company and Moody’s partner. Marsh McLennan, the world’s largest insurance broker, also validated this correlation in a recent independent study.  

In terms of EPM’s defense practices, BitSight most recently scored it a “C,” which indicates that the company is nearly seven times more likely to fall victim to those organizations graded an “A.”  

“While the attackers’ method for infiltrating EPM’s network is still unknown, and attackers may not have exploited unpatched systems, a low score in patching cadence does suggest some inadequacies in terms of prevailing cyber practices,” Moody’s noted.  

Moody’s has not yet taken any rating action against EPM due to the ransomware attack.  

Moody’s always looks at the long-term impacts of cyber risk and may downgrade an organization if the risk produces sustained pressure on business operations, Gerry Granovsky, senior vice president at Moody’s, told SC Media in an interview. 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.