Story image

Cyber security could come to affect your credit rating

01 Dec 15

The growing threat of an imminent cyber security breach is becoming more important to credit analysis, according to a new report from Moody’s Investors Service, the bond credit rating business.

According to Moody’s, eventually cyber threats will be seen in a similar vein as other extraordinary event risks, such as a natural disaster, and as such any subsequent credit impact will depend on the duration and severity of the event.

"Cyber risk means different things for different sectors," says Jim Hempstead, Moody's associate managing director and lead author of the report.

"While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios,” he says.

As computer networks and internet connectivity expand into new devices and services, and as more data becomes mobile, corporations and organisations will prioritise cyber risk mitigation through enhanced governance activities and investment in cyber defence, Hempstead says.

According to the report, security challenges will be an ongoing consideration due to the constant evolution of cyber threats.

Hempstead says assessing how prepared an issuer or organisation is for a cyber threat presents challenges, due to the complexity of the problem. Across all sectors, however, cyber risk is becoming an important priority.

Moody's says that industries which house significant amounts of personal data, such as financial institutions, health care entities, higher education organisations and retail companies are at greatest risk to experience large-scale data theft attacks resulting in serious reputational and financial damage.

Other sectors considered critical infrastructure such as electric utilities, power plants, or water and sewer systems are more exposed to attacks that could lead to large-scale service disruption, causing substantial economic, and possibly environmental, damages to sovereign, state and local governments or utilities.

However, Moody's believes such an attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.

In the report, Moody's identifies several key factors to examine when determining a credit impact associated with a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations.

"More cyber security expertise is being added to boards and trustee governance. We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive,” says Hempstead.

The report also looks at varying types of cyber threat actors and their motives, including nation state espionage groups, criminal enterprises, hacktivists and terrorists.

ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
Kiwis concerned about being scammed – survey
This unease is warranted given the growing sophistication of scammers and their activities, and numbers of attempted fraud.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Interview: Aruba’s NZ country manager talks channel strategy
“What we're taking to market is that message around simplification and having everything in one place.”
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.