Cyberattacks are growing in number and scope due to rapid increases in interconnectivity and mobile data.
In response, Moody’s Investors Service announced that the credit implications associated with cyber defense, detection, prevention and response should start to take a higher priority within its credit assessments and analysis.
“While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those scenarios,” said Jim Hempstead, Moody’s associate managing director, in a statement. “As cyber risk becomes more pervasive, it will take a higher priority within our analysis.”
Though not a principal credit factor in assessing a rating, Moody’s now treats cyber threat as an event risk. “Event risks” are extraordinary events that fall into the stress-testing scenarios Moody’s uses for its fundamental credit analyses.
An event risk that Moody’s considers similar to a cyberattack is a natural disaster or a huge storm. In line with major storms or natural disasters, cyber attacks have a similar unpredictability of duration and severity and also depend on the nature of the targeted assets or businesses.
When Moody’s downgrades a company’s rating it can be attributed to countless different rationales, which could include a lack of cyber preparedness or a cyberattack that weakens an company’s finances or business model.
Moody’s is still working to fully understand the scale and scope of cyber risks.