ICFE eNEWS #19-14 - April 8th 2019
Moody's Warns Cyber Risks Could Impact Credit Ratings
By Yan Ross, Director of Special Projects, ICFE
Credit rating agency Moody's Corp. warns that cyber defenses as
well as breach detection, prevention and response will be higher
priorities in its analysis of the creditworthiness of companies
across all sectors, including healthcare and financial services.
"Moody's views material cyber threats in a similar vein as other
extraordinary event risks, such as a natural disaster, with any
subsequent credit impact depending on the duration and severity
of the event," according to a new report from Moody's Investors
Service. As the threat of cyberattacks continues to rise across
all sectors, "the implications could start taking a higher
priority in credit analysis," the credit ratings company says.
"We do not explicitly incorporate the risk of cyberattacks into
our credit analysis as a principal ratings driver," the report
notes. "But across all sectors, our fundamental credit analysis
incorporates numerous stress-testing scenarios, and a cyber
event, like other event risks, could be the trigger for those
stress scenarios. A successful cyber event's severity and
duration will be key to determining any credit impact."
Moody's says that organizations that house significant amounts
of personal data, including financial institutions, healthcare
entities, higher education organizations and retail companies,
are at greatest risk of experiencing large-scale data theft
attacks resulting in serious reputational and financial damage.
Other sectors considered part of the nation's critical
infrastructure, such as electric utilities, power plants, or
water and sewer systems, are more exposed to attacks that could
lead to large-scale service disruption, causing substantial
economic - and possibly environmental - damage, the report
notes. "However, Moody's believes such an attack would elicit
immediate government intervention to restore operations,
resulting in lower potential credit risk."

S&P Offers Similar Warning

The Moody's report comes after another ratings agency, Standard
& Poor's, issued a report with a similar warning for the banking
industry. S&P said in its September report that it could issue a
downgrade if a bank looked ill-prepared for dealing with a
cyberattack or following a breach that causes significant damage
to a bank's reputation or which leads to substantial monetary
losses or legal damages (see S&P's Cyberwarning: Late to the
S&P is also assessing the potential impact of cyber risks in the
healthcare sector, Joseph Marinucci, S&P's senior director of
insurance ratings, tells Information Security Media Group.
"An emergent risk for the health sector relates to cyberattacks
- data breaches that have escalated during the past few years in
connection with the rise in the value of medical data," he says.
"Thus far, credit implications have been muted for U.S. health
insurers. But the emergent risk has contributed to the growing
list of operational challenges, which could result in diluted
brand strength and greater earnings volatility in the absence of
more robust countermeasures."
One security expert says that the potential for lower credit
ratings could be eye-opening for many organizations in
healthcare and other sectors.
"This is very important because credit ratings and bond ratings
for hospitals and other healthcare companies could be greatly
impacted," says Mac McMillan, CEO of security consulting firm
CynergisTek. "This is a big issue not just for the healthcare
sector but for all industries."
Considering cyber risks when setting credit ratings of companies
"is a natural evolution, another set of risks that impacts the
business and its costs," he adds. "If a hospital's credit rating
or bond rating drops due to cyber issues, when these hospitals
need to borrow money to cover revenue shortfalls, this could be
These potential added costs could put a brighter spotlight on
the need to thoroughly assess and mitigate cyber risks, he says.
"Long term, the impact of credit ratings, bond ratings and
insurance on the healthcare sector in their cyber due diligence
could be greater than the impact of regulatory and government
authorities," McMillan says.
In the report, Moody's identifies several key factors to examine
when determining a credit impact associated with a cyber event,
including the nature and scope of the targeted assets or
businesses, the duration of potential service disruptions and
the expected time to restore operations.
"More cybersecurity expertise is being added to boards and
trustee governance," writes the report's lead author, Jim
Hempstead, Moody's associate managing director. "We expect many
[organizations] will create distinct cyber security
subcommittees, which is a material credit positive."
The report notes that Moody's sees cyber risk rising "at a steep
trajectory." The credit rating agency says it's "still working
toward fully understanding the scale and scope of cyber risks,
in part because the risk is evolving."

Healthcare Risk Assessment

While the healthcare sector is facing increasing cyber risks,
"we believe the sector's risk awareness is high," the report
notes. Most hospitals have implemented or are in the process of
installing new patient information systems, which likely have
better safeguarding features than earlier technology, the report
says. As hospitals increasingly share data with various third
parties, such as health insurance exchanges and other payers,
they must implement strong internal protocols, Moody's says.
Hospitals are at increasing risk of a cyberattack targeting
records systems or medical devices, Moody's notes. "An
information breach would likely not materially disrupt services
and the financial impact would be limited. A breach in medical
technology security would present more immediate risk and impair
the hospital's reputation, volumes and financial performance."
Whether a cyber-event would be covered by a hospital's medical
malpractice insurance is "untested," the report notes.
As for the banking sector, Moody's says, "From a credit
perspective, cyber risk is an ongoing concern for financial
institutions, with cyber threat actors regularly attempting
attacks and a tremendous amount of phishing occurring across the
sector. The implications of cyberattacks range from low-severity
disruptions, for example from an isolated data breach, to
high-severity scenarios resulting in lost customer confidence or
loss of funds."
Cyberattacks on high-profile institutions pose systemwide risk,
Moody's notes. "An attack that impaired the functioning of
payment systems and processes ... would cause major disruption
to the payments infrastructure and likely unsettle the entire
economy. Attacks on highly interconnected financial institutions
- including global banks, exchanges and clearing houses with
considerable reliance on technology platforms - could cause
major market disruptions. Since many of these institutions are
largely technology-driven firms, the management of cyber risk is
integral to their operations and franchise security."
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.