In a report released November 23, Moody’s Investors Service announced that the implications of cyber threats could start taking a higher priority in its credit analysis. Moody’s said it views cyber threats as similar to other extraordinary event risks, such as a natural disaster.
“While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios,” said Jim Hempstead, Moody’s Associate Managing Director and lead author of the report.
Moody’s report identifies several key areas it would examine when looking at the impact of a potential cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations. Moody’s cited industries that collect and store significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies as those at a greater risk of a cyber attack, as well as sectors considered critical infrastructure such as electric utilities, power plants, or water and sewer systems. However, for the latter group of companies, Moody’s said it “believes such an attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk.”
Moody’s report is yet another reminder of the growing importance of cyber risk management to an organization’s overall governance. The emphasis arguably began in late 2011, when the SEC published guidance on disclosure of cybersecurity risks and cyber incidents. More recently, the FFIEC issued a warning encouraging financial institutions to “develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from” extortion attacks. In addition, the SEC’s Office of Compliance Inspections and Examinations stated in September that its upcoming examinations of regulated companies would focus on areas including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.