Home Tell a Friend! Contact ICFE Link Exchange Search ICFE Subscribe ICFE About the ICFE
ICFE News Releases ICFE in the News Children and Money Financial Education Personal Financial Counseling with Paul S. Richard, RFC Credit Card Tips Credit File Correction Mending Spending Links and Resources Order Options

ICFE eNEWS #19-14 - April 8th  2019

Moody's Warns Cyber Risks Could Impact Credit Ratings
By Yan Ross, Director of Special Projects, ICFE

Credit rating agency Moody's Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services.

"Moody's views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event," according to a new report from Moody's Investors Services. As the threat of cyberattacks continues to rise across all sectors, "the implications could start taking a higher priority in credit analysis," the credit ratings company says.

"We do not explicitly incorporate the risk of cyberattacks into our credit analysis as a principal ratings driver," the report notes. "But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event, like other event risks, could be the trigger for those stress scenarios. A successful cyber event's severity and duration will be key to determining any credit impact."

Moody's says that organizations that house significant amounts of personal data, including financial institutions, healthcare entities, higher education organizations and retail companies, are at greatest risk to experience large-scale data theft attacks resulting in serious reputational and financial damage.

Other sectors considered part of the nation's critical infrastructure, such as electric utilities, power plants, or water and sewer systems, are more exposed to attacks that could lead to large-scale service disruption, causing substantial economic - and possibly environmental - damage, the report notes. "However, Moody's believes such an attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk."

S&P Offers Similar Warning
The Moody's report comes after another ratings agency, Standards & Poors, issued a report with a similar warning for the banking industry. S&P said in its September report that it could issue a downgrade if a bank looked ill-prepared for dealing with a cyberattack or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages (see S&P's Cyberwarning: Late to the Game).

S&P is also assessing the potential impact of cyber risks in the healthcare sector, Joseph Marinucci, S&P's senior director of insurance ratings, tells Information Security Media Group.

"An emergent risk for the health sector relates to cyberattacks - data breaches that have escalated during the past few years in connection with the rise in the value of medical data," he says. "Thus far, credit implications have been muted for U.S. health insurers. But the emergent risk has contributed to the growing list of operational challenges, which could result in diluted brand strength and greater earnings volatility in the absence of more robust countermeasures."

Business Impact
One security expert says that the potential for lower credit ratings could be eye-opening for many organizations in healthcare and other sectors.

"This is very important because credit ratings and bond ratings for hospitals and other healthcare companies could be greatly impacted," says Mac McMillan, CEO of security consulting firm CynergisTek. "This is a big issue not just for the healthcare sector but for all industries."

Considering cyber risks when setting credit ratings of companies "is a natural evolution, another set of risks that impacts the business and its costs," he adds. "If a hospital's credit rating or bond rating drops due to cyber issues, when these hospitals need to borrow money to cover revenue shortfalls, this could be very damaging."

These potential added costs could put a brighter spotlight on the need to thoroughly assess and mitigate cyber risks, he says. "Long term, the impact of credit ratings, bond ratings and insurance on the healthcare sector in their cyber due diligence could be greater than the impact of regulatory and government authorities," McMillan says.

Key Factors
In the report, Moody's identifies several key factors to examine when determining a credit impact associated with a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations.

"More cybersecurity expertise is being added to boards and trustee governance," writes the report's lead author, Jim Hempstead, Moody's associate managing director. "We expect many [organizations] will create distinct cyber security subcommittees, which is a material credit positive."

The report notes the Moody's sees cyber risk rising "at a steep trajectory." The credit rating agency says it's "still working toward fully understanding the scale and scope of cyber risks, in part because the risk is evolving."

Healthcare Risk Assessment
While the healthcare sector is facing increasing cyber risks, "we believe the sector's risk awareness is high," the report notes. Most hospitals have implemented or are in the process of installing new patient information systems, which likely have better safeguarding features than earlier technology, the report says. As hospitals increasingly share data with various third parties, such as health insurance exchanges and other payers, they must implement strong internal protocols, Moody's says.

Hospitals are at increasing risk of an cyberattack targeting records systems or medical devices, Moody's notes. "An information breach would likely not materially disrupt services and the financial impact would be limited. A breach in medical technology security would present more immediate risk and impair the hospital's reputation, volumes and financial performance."

Whether a cyber-event would be covered by a hospital's medical malpractice insurance is "untested," the report notes.

Banking Risks
As for the banking sector, Moody's says, "From a credit perspective, cyber risk is an ongoing concern for financial institutions, with cyber threat actors regularly attempting attacks and a tremendous amount of phishing occurring across the sector. The implications of cyberattacks range from low-severity disruptions, for example from an isolated data breach, to high-severity scenarios resulting in lost customer confidence or loss of funds."

Cyberattacks on high-profile institutions pose systemwide risk, Moody's notes. "An attack that impaired the functioning of payment systems and processes ... would cause major disruption to the payments infrastructure and likely unsettle the entire economy. Attacks on highly interconnected financial institutions - including global banks, exchanges and clearing houses with considerable reliance on technology platforms - could cause major market disruptions. Since many of these institutions are largely technology-driven firms, the management of cyber risk is integral to their operations and franchise security."

Yan Ross Bio PhotoYan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.

The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.

The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at yan.ross@icfe.info

Paul S Richard PhotoICFE eNEWS is available FREE upon request by visiting our Web site and filling out the contact form, and selecting "Yes" for "Add to Mailing List. Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org

Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

About the ICFE:

The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the late Loren Dunton (creator of the Certified Financial Planner (CFP) designation and founder of the College for Financial Planning in Denver, CO.) The ICFE is dedicated to helping consumers of all ages to improve their spending practices, increase savings and use credit more wisely.

The ICFE is an award winning, nonprofit, consumer education organization that has helped millions of people through its financial continuing education courses programs and resources. In addition to eight Certification courses covering identity theft, credit files, credit repair and credit scoring, among others, it also publishes the Do-It-Yourself Credit File correction Guide, which is updated annually. The ICFE has distributed over one million Credit/Debit Card Warning Labels and Credit/Debit Card Sleeves world wide.

The ICFE is a partner with the national Jump$tart Coalition for Financial Literacy and the California Jump$tart chapter. The ICFE staff is also active with San Diego Saves and Military Saves, both offshoots of America Saves.

The ICFE is also an on-line help for consumers who spend too much. ICFE's spending help was featured in PARADE Magazine in the Intelligence Report section. The money helps and tips are from the ICFE's Money Instruction Book, our course in personal finance.

The ICFE helps consumers and students with mending spending, learning about the proper use of credit, budget and expense guidelines, how to set up and implement a spending-plan and also how to access financial education courses and how to teach children about money. Other ICFE services include: Ask Mr. G library, a free eNews service, and an online resource center for students, parents and educators, plus financial education learning tools in the ICFE Book Store.

Home ] ICFE News Releases ] ICFE in the News ] Children and Money ] Financial Education ] Resource Center ] Credit Card Tips ][ Credit File Correction ] Mending Spending ] Links and Resources ]  [ Online Store ]


Copyright ©  1997 - by Paul S. Richard
and the Institute of Consumer Financial Education, All Rights Reserved.
View our
Privacy Policy Our Terms and Conditions

Institute of Consumer Financial Education
PO Box 34070
San Diego, Ca 92163
Paul S. Richard, Executive Director
Phone 619-239-1401

FAX 619-923-3284

Questions for www.financial-education-icfe.org Click to go to Website Contact Us or 

Website Design Donated by Daniel G Hughes Fresno and Half Price Toner Refills

Please Tell An Associate, Friend or Family Member About the ICFE