Moody's will soon start using its credit-rating expertise to evaluate organizations on their risk of suffering a major impact from a cyberattack.
That move might be a game-changer for many institutional and individual investors, who often struggle to translate the potential impact of a significant cybersecurity incident into a meaningful rating. Ratings agencies including Moody's have been warning for years that cyber issues, including lax controls or a meaningful breach, could lead to a downgrade. But this is a first real step toward codifying those predictions.
"For us, it's not something we view as a totally new idea," said Derek Vadala, who was named Oct. 17 to a new role heading Moody's Investors Services Cyber Risk Group. "We've been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important."
Moody's gives ratings — ranging from AAA to C — that are used to determine creditworthiness for companies, bonds, sovereign countries, structured finance transactions and issuers of infrastructure and project finance. Initially, the company will incorporate cyber risk into its existing credit ratings. After that, Vadala said, Moody's is considering a stand-alone cyber risk rating separate from the credit rank.
"We haven't yet moved a credit rating due to cyber risk or a cyber event, but we see the likelihood of credit-rating impact as steadily increasing," Vadala said. "Different sectors have different levels of credit sensitivity to cyber risk. For those higher-risk sectors, there will be impact down to the individual issuer-level over time."
Though they aren't yet saying which sectors will get scrutiny first, several stand out as especially exposed to risk from a cybersecurity crisis: The defense-industrial industry, financial sector, health care and critical infrastructure operators like energy, water, waste management and first responders all are considered high-risk categories.
Risks related to cyberattacks today aren't as linear as simple costs associated with cleaning up a breach, paying for credit monitoring or replacing fried computers. Companies that don't fall into these categories — for instance, Equifax — can see their core businesses heavily damaged, which is why the Cyber Risk Group also will focus assessments on reputational hazards.
"We're looking into different types of scenarios, to get into the details of what might affect certain companies," he said.
"If you look at the history of data breach and data disclosure issues, they're not quite as impactful as the business disruption events," Vadala said. "There are very specific scenarios that could apply to different companies in different sectors. An organization, for instance, that is involved in manufacturing has a much higher exposure to ransomware than another sector."
Quantifying cyber risk is a crowded marketplace, but it lacks a clear leader.
One of the better-known players is Fair Isaac, which launched its Cyber Risk Score in 2017. They have marketed the product, which resembles the familiar consumer credit rating scale, toward businesses facing regulatory oversight for cybersecurity that want a quick way to rate the security risk of their third-party providers.
and Fitch have also released guidance on how companies can view cyber risk. Most of the biggest insurance companies (with the notable exception of those managed by Warren Buffett) have cyber policies, alongside a variety of risk assessment and risk management services.
The demand for quantifying risk will increase as attacks move from fairly benign to those that could break down a business entirely, Vadala said.
"When you think back to the early days of this cyber era, dating back to the Target and Home Depot breaches, this is where [cyber risk] became much more top-of-mind for pros outside the cybersecurity industry. But these weren't business-ending incidents," he said.
"When you flash forward a few years, to the ransomware events that occurred, the financial impact of that is much more significant. It's still not business-ending at that point, but certainly as that financial impact continues to rise, the probability of one of these events creating a deep financial impact also rises."