Cyberattacks are growing in number and scope due to rapid increases in interconnectivity and mobile data.
In response, Moody’s Investors Service announced that the credit implications associated with cyber defense, detection, prevention and response should start to take a higher priority within its credit assessments and analysis.
“While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those scenarios,” said Jim Hempstead, Moody’s associate managing director, in a statement. “As cyber risk becomes more pervasive, it will take a higher priority within our analysis.”
Though not a principal credit factor in assessing a rating, Moody’s now treats cyber threat as an event risk. “Event risks” are extraordinary events that fall into the stress-testing scenarios Moody’s uses for its fundamental credit analyses.
Moody’s considers a natural disaster or a huge storm to be an event risk similar to a cyberattack. Like major storms or natural disasters, cyberattacks are unpredictable in duration and severity and also depend on the nature of the targeted assets or businesses.
A Moody’s downgrade of a company’s rating can be attributed to countless different rationales, which could include a lack of cyber preparedness or a cyberattack that weakens a company’s finances or business model.
Moody’s is still working to fully understand the scale and scope of cyber risks.
“The credit implications for a business or organization can vary widely, so incorporating cyber risk in our credit analysis consistently and transparently across all sectors and regions can be challenging,” according to Moody’s.
Moody’s released a report on Monday, “Cyber Risk of Growing Importance to Credit Analysis,” that identified three key factors that it will examine when determining a credit impact associated with a cyber event.
- Nature of the affected assets or businesses – “The more critical an asset or business to a society or economy, the greater the credit implication,” according to the report.
- Duration of service disruption and expected time to restore – “The duration of an event is difficult to measure, since many emerging cyber events start months in advance of their detection. The longer an attack lasts, the higher its severity,” the report states.
- Scope of the affected assets or businesses – “We see a big difference between a cyber attack concentrated on a single issuer and a widespread attack that affects a large geographical region, specific sector, or infrastructure asset,” the report states.
The probability of a successful cyberattack is rising given that the total number of incidents is rising, Moody’s says. A PwC report titled “Managing Cyber Risk in an Interconnected World” finds that detected cyber incidents are rising at a fast pace. According to PwC, there were fewer than 5 million detected cyber incidents in 2009 compared with more than 40 million in 2014.
The losses attributed to those incidents are also on the rise. According to Corporate Board Member magazine, the average annualized cost of a cyber breach is approximately $12 million per year, per company – “a relatively small sum for most companies, but severe attacks can cost many times more,” Moody’s says.
The number of reported incidents and the losses attributed to those incidents continue to rise, despite heavier spending on cybersecurity.
Moody’s points to research from the U.S. Homeland Security and Governmental Affairs Committee and the Congressional Research Service that shows annual U.S. federal spending on cybersecurity has hovered around $10 billion to $15 billion over the past few years, roughly twice the $6.5 billion spent in 2006.
“Globally, corporate spending on cybersecurity (according to public sources such as CNN, Ponemon Institute and Market Realist) is likely to rise to over $120 billion by 2017 from $64 billion in 2011,” Moody’s says.