Moody's Warns Cyber Risks Could Impact Credit RatingsStresses the Importance of Defenses, as Well as Breach Prevention, Response
Credit rating agency Moody's Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services.
"Moody's views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event," according to a new report from Moody's Investors Services. As the threat of cyberattacks continues to rise across all sectors, "the implications could start taking a higher priority in credit analysis," the credit ratings company says.
"We do not explicitly incorporate the risk of cyberattacks into our credit analysis as a principal ratings driver," the report notes. "But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event, like other event risks, could be the trigger for those stress scenarios. A successful cyber event's severity and duration will be key to determining any credit impact."
Moody's says that organizations that house significant amounts of personal data, including financial institutions, healthcare entities, higher education organizations and retail companies, are at greatest risk to experience large-scale data theft attacks resulting in serious reputational and financial damage.
Other sectors considered part of the nation's critical infrastructure, such as electric utilities, power plants, or water and sewer systems, are more exposed to attacks that could lead to large-scale service disruption, causing substantial economic - and possibly environmental - damage, the report notes. "However, Moody's believes such an attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk."
S&P Offers Similar Warning
The Moody's report comes after another ratings agency, Standards & Poors, issued a report with a similar warning for the banking industry. S&P said in its September report that it could issue a downgrade if a bank looked ill-prepared for dealing with a cyberattack or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages (see S&P's Cyberwarning: Late to the Game).
S&P is also assessing the potential impact of cyber risks in the healthcare sector, Joseph Marinucci, S&P's senior director of insurance ratings, tells Information Security Media Group.
"An emergent risk for the health sector relates to cyberattacks - data breaches that have escalated during the past few years in connection with the rise in the value of medical data," he says. "Thus far, credit implications have been muted for U.S. health insurers. But the emergent risk has contributed to the growing list of operational challenges, which could result in diluted brand strength and greater earnings volatility in the absence of more robust countermeasures."
One security expert says that the potential for lower credit ratings could be eye-opening for many organizations in healthcare and other sectors.
"This is very important because credit ratings and bond ratings for hospitals and other healthcare companies could be greatly impacted," says Mac McMillan, CEO of security consulting firm CynergisTek. "This is a big issue not just for the healthcare sector but for all industries."
Considering cyber risks when setting credit ratings of companies "is a natural evolution, another set of risks that impacts the business and its costs," he adds. "If a hospital's credit rating or bond rating drops due to cyber issues, when these hospitals need to borrow money to cover revenue shortfalls, this could be very damaging."
These potential added costs could put a brighter spotlight on the need to thoroughly assess and mitigate cyber risks, he says. "Long term, the impact of credit ratings, bond ratings and insurance on the healthcare sector in their cyber due diligence could be greater than the impact of regulatory and government authorities," McMillan says.
In the report, Moody's identifies several key factors to examine when determining a credit impact associated with a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations.
"More cybersecurity expertise is being added to boards and trustee governance," writes the report's lead author, Jim Hempstead, Moody's associate managing director. "We expect many [organizations] will create distinct cyber security subcommittees, which is a material credit positive."
The report notes the Moody's sees cyber risk rising "at a steep trajectory." The credit rating agency says it's "still working toward fully understanding the scale and scope of cyber risks, in part because the risk is evolving."
Healthcare Risk Assessment
While the healthcare sector is facing increasing cyber risks, "we believe the sector's risk awareness is high," the report notes. Most hospitals have implemented or are in the process of installing new patient information systems, which likely have better safeguarding features than earlier technology, the report says. As hospitals increasingly share data with various third parties, such as health insurance exchanges and other payers, they must implement strong internal protocols, Moody's says.
Hospitals are at increasing risk of an cyberattack targeting records systems or medical devices, Moody's notes. "An information breach would likely not materially disrupt services and the financial impact would be limited. A breach in medical technology security would present more immediate risk and impair the hospital's reputation, volumes and financial performance."
Whether a cyber-event would be covered by a hospital's medical malpractice insurance is "untested," the report notes.
As for the banking sector, Moody's says, "From a credit perspective, cyber risk is an ongoing concern for financial institutions, with cyber threat actors regularly attempting attacks and a tremendous amount of phishing occurring across the sector. The implications of cyberattacks range from low-severity disruptions, for example from an isolated data breach, to high-severity scenarios resulting in lost customer confidence or loss of funds."
Cyberattacks on high-profile institutions pose systemwide risk, Moody's notes. "An attack that impaired the functioning of payment systems and processes ... would cause major disruption to the payments infrastructure and likely unsettle the entire economy. Attacks on highly interconnected financial institutions - including global banks, exchanges and clearing houses with considerable reliance on technology platforms - could cause major market disruptions. Since many of these institutions are largely technology-driven firms, the management of cyber risk is integral to their operations and franchise security."