Moody's will begin to place more weight on considerations related to cyber risks when issuing credit ratings. The company released a report, “Cross Sector – Global: Cyber Risk of Growing Importance to Credit Analysis,” outlining their plans to assess cyber issues as part of the credit rating process.
The report is the latest indicator that it has becoming increasingly important that companies view cybersecurity in financial terms, not simply in terms of reputational risk.
“More cyber security expertise is being added to boards and trustee governance,” said associate managing director Jim Hempstead, in a release. “We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”
S&P issued a similar warning in September, stating that it would downgrade credit ratings of financial institutions that have poor cybersecurity protections.
Information security professionals regularly mention the challenge of facing pushback from management teams when requesting budget for products or staff. An increased focus on cybersecurity among rating agencies may cause a shift in that dynamic.
Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, told SCMagazine.com, “This is another thing that will incentivize boards of director to invest in cybersecurity.”
The report highlighted risks faced by “organizations that house significant amounts of personal data”, although Moody's did not closely distinguish between risk levels faced by financial, healthcare, education, and retail sectors.
Buratowski said he doesn't see evidence that rating agencies “are looking at the individuality of companies or how much they have invested in technologies to secure information.”
The report focused on large-scale data theft attacks that have generated the most attention, such as large retail breaches. The effect of these attacks has been profound, but more subtle cyberthreats, such as cybertheft of a company's intellectual property “can mean the end of that business,” Buratowski said.