Moody's will soon start using its credit-rating expertise to evaluate organizations on their risk of suffering a major impact from a cyberattack.
That move might be a game-changer for many institutional and individual investors, who often struggle to translate the potential impact of a significant cybersecurity incident into a meaningful rating. Ratings agencies including Moody's have been warning for years that cyber issues, including lax controls or a meaningful breach, could lead to a downgrade. But this is a first real step toward codifying those predictions.
"For us, it's not something we view as a totally new idea," said Derek Vadala, who was named Oct. 17 to a new role heading Moody's Investors Services Cyber Risk Group. "We've been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important."
Moody's gives ratings — ranging from AAA to C — that are used to determine creditworthiness for companies, bonds, sovereign countries, structured finance transactions and issuers of infrastructure and project finance. Initially, the company will incorporate cyber risk into its existing credit ratings. After that, Vadala said, Moody's is considering a stand-alone cyber risk rating separate from the credit rank.
"We haven't yet moved a credit rating due to cyber risk or a cyber event, but we see the likelihood of credit-rating impact as steadily increasing," Vadala said. "Different sectors have different levels of credit sensitivity to cyber risk. For those higher-risk sectors, there will be impact down to the individual issuer-level over time."