Cyber attacks are growing in number and scope due to rapid increases in interconnectivity and mobile data.
In response, Moody's Investors Service announced that the credit implications associated with cyber defense, detection, prevention and response should start to take a higher priority within its credit assessments and analysis.
"While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those scenarios," said Jim Hempstead, Moody's associate managing director, in a statement. "As cyber risk becomes more pervasive, it will take a higher priority within our analysis."
Though not a principal credit factor in assessing a rating, Moody's now treats cyber threat as an event risk. "Event risks" are extraordinary events that fall into the stress-testing scenarios Moody's uses for its fundamental credit analyses.
An event risk that Moody's considers similar to a cyber attack is a natural disaster or a huge storm. In line with major storms or natural disasters, cyber attacks have a similar unpredictability of duration and severity and also depend on the nature of the targeted assets or businesses.
When Moody's downgrades a company's rating it can be attributed to countless different rationales, which could include a lack of cyber preparedness or a cyber attack that weakens an company's finances or business model.
Moody's is still working to fully understand the scale and scope of cyber risks.
"The credit implications for a business or organization can vary widely, so incorporating cyber risk in our credit analysis consistently and transparently across all sectors and regions can be challenging," according to Moody's.
Moody's released a report on Monday, "Cyber Risk of Growing Importance to Credit Analysis," that identified three key factors that it will examine when determining a credit impact associated with a cyber event.
- Nature of the affected assets or businesses – "The more critical an asset or business to a society or economy, the greater the credit implication," according to the report.
- Duration of service disruption and expected time to restore – "The duration of an event is difficult to measure, since many emerging cyber events start months in advance of their detection. The longer an attack lasts, the higher its severity," the report states.
- Scope of the affected assets or businesses – "We see a big difference between a cyber attack concentrated on a single issuer and a widespread attack that affects a large geographical region, specific sector, or infrastructure asset," the report states.
The probability of a successful cyber attack is rising given that the total number of incidents is rising, Moody's says.
A PWC report titled "Managing Cyber Risk in an Interconnected World" finds that detected cyber incidents are rising at a fast pace. According to PWC, there were less than 5 million detected cyber incidents in 2009 compared with more than 40 million in 2014.
The losses attributed to those incidents are also on the rise. According to Corporate Board Member magazine, the average annualized cost of a cyber breach is approximately $12 million per year, per company – "a relatively small sum for most companies, but severe attacks can cost many times more," Moody's says.
The number of reported incidents and the losses attributed to those incidents continue to rise, despite heavier spending on cyber security.
Moody's points to research from the U.S. Homeland Security and Governmental Affairs Committee and the Congressional Research Service that shows annual U.S. federal spending on cyber security has hovered around $10 billion to $15 billion over the past few years, roughly twice the $6.5 billion spent in 2006.
"Globally, corporate spending on cyber security (according to public sources such as CNN, Ponemon Institute and Market Realist) is likely to rise to over $120 billion by 2017 from $64 billion in 2011," Moody's says.
________________________
How can you transform your risk management preparedness and response strategy into a competitive advantage?
Introducing ALM's cyberSecure — A two-day event designed to provide the insights and connections necessary to implement a preparedness and response strategy that changes the conversation from financial risk to competitive advantage. Learn more about how this inaugural event can help you reduce risk and add business value.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Emily Zulz
Emily joined the ThinkAdvisor team as a reporter in the summer of 2014. She previously worked as a reporter for The Daily Journal in Kankakee, Illinois for a year and as a reporter and editor for The Daily Eastern News in Charleston, Illinois for two and a half years. Prior to joining ThinkAdvisor, Emily worked on Groupon’s editorial team in Chicago as a fact checker for three years. She graduated cum laude with a BA in journalism from Eastern Illinois University, and she has been the recipient of two journalism awards for her news reporting at daily newspapers.
