Moody’s Investors Service may start giving the implications of cyber attacks a higher priority in its credit analysis.
The ratings agency said in a report that it views material cyber threats in a similar light as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event.
“Cyber risk means different things for different sectors,” Jim Hempstead, Moody’s associate managing director and lead author of the report, said in a news release. “While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”
The report lists several key criteria that Moody’s would likely examine to determine the credit impact of a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions, and the expected time to restore operations.
“More cyber security expertise is being added to boards and trustee governance,” Hempstead noted. “We expect many issuers will create distinct cyber-security subcommittees, which is a material credit positive.”
As PwC recently reported, detected cyber incidents increased to more than 40 million in 2014 from less than five million in 2009. The losses attributed to those incidents are also on the rise, ThinkAdvisor said, citing Corporate Board Member magazine: the average annualized cost of a cyber breach is approximately $12 million per year, per company.
“Globally, corporate spending on cybersecurity … is likely to rise to over $120 billion by 2017 from $64 billion in 2011,” Moody’s said.