Moody's will soon start using its credit-rating expertise to evaluate organizations on their risk to a major impact from a cyberattack.
That move might be a game-changer for many institutional and individual investors, who often struggle to quantify the potential impact of a significant cybersecurity incident into a meaningful rating. Ratings agencies including Moody's have been warning for years that cyber issues, including lax controls or a meaningful breach, could lead to a downgrade. But this is a first real step toward codifying those predictions.
"For us, it's not something we view as a totally new idea," said Derek Vadala, who was named Oct. 17 to a new role heading Moody's Investors Services Cyber Risk Group. "We've been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important."
Moody's gives ratings — ranging from AAA to C — that are used to determine creditworthiness for companies, bonds, sovereign countries, structured finance transactions and issuers of infrastructure and project finance. Initially, the company will incorporate cyber risk into its existing credit ratings. After that, Vadala said, Moody's is considering a stand-alone cyber risk rating separate from the credit rank.
"We haven't yet moved a credit rating due to cyber risk or a cyber event, but we see the likelihood of credit-rating impact as steadily increasing," Vadala said. "Different sectors have different levels of credit sensitivity to cyber risk. For those higher-risk sectors, there will be impact down to the individual issuer-level over time."
Moving closer to a 'business-ending' event
Though they aren't yet saying which sectors will get scrutiny first, several stand out as especially exposed to risk from a cybersecurity crisis: The defense-industrial industry, financial sector, health care and critical infrastructure operators like energy, water, waste management and first responders all are considered high-risk categories.
Risks related to cyberattacks today aren't as linear as simple costs associated with cleaning up a breach, paying for credit monitoring or replacing fried computers. Companies that don't fall into these categories — for instance, Equifax — can see their core businesses heavily damaged, which is why the Cyber Risk Group also will focus assessments on reputational hazards.
"We're looking into different types of scenarios, to get into the details of what might affect certain companies," he said.
"If you look at the history of data breach and data disclosure issues, they're not quite as impactful as the business disruption events," Vadala said. "There are very specific scenarios that could apply to different companies in different sectors. An organization, for instance, that is involved in manufacturing has a much higher exposure to ransomware than another sector."
Quantifying cyber risk is a crowded marketplace, but it lacks a clear leader.
One of the better-known players is Fair Isaac, which launched its Cyber Risk Score in 2017. They have marketed the product, which resembles the familiar consumer credit rating scale, toward businesses facing regulatory oversight for cybersecurity that want a quick way to rate the security risk of their third-party providers.
Standard & Poor's and Fitch have also released guidance on how companies can view cyber risk. Most of the biggest insurance companies (with the notable exception of those managed by Warren Buffet) have cyber policies, alongside a variety of risk assessment and risk management services.
The demand for quantifying risk will increase as attacks move from fairly benign to to those that could break down a business entirely, Vadala said.
"When you think back to the early days of this cyber era, dating back to the Target and Home Depot breaches, this is where [cyber risk] became much more top-of-mind for pros outside the cybersecurity industry. But these weren't business-ending incidents," he said.
"When you flash forward a few years, to the ransomware events that occurred, the financial impact of that is much more significant. It's still not business-ending at that point, but certainly as that financial impact continues to rise, the probability of one of these events creating a deep financial impact also rises."