Cyber security risks could factor higher in credit analysis: Moody’s

Industries that house significant amounts of personal data, such as financial institutions, health care organizations, educational facilities, and retail companies are at greatest risk to experience large-scale data thefts that result in serious reputational and financial damage, the Moody’s report says.

Other sectors that are considered critical infrastructure, such as electric utilities, power plants, and water or sewer systems, are more exposed to attacks that could lead to large-scale service disruption, causing substantial damage to sovereign, state and local governments or utilities. However, this type of attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk, the Moody’s report says.

Currently, Moody’s views material cyber threats as similar to other extraordinary event risks, such as natural disasters, with any credit impact depending on the duration and severity of the event.

“Cyber risk means different things for different sectors,” says Jim Hempstead, Moody’s associate managing director, in a statement “While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”

The Moody’s report says it expects corporations and organizations will prioritize mitigating cyber risk through enhanced governance and investments in cyber defenses, but that security challenges will remain due to the constantly evolving threat.”More cyber security expertise is being added to boards and trustee governance,” says Hempstead. “We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”