santiago silver - Fotolia


What Moody's cyber-risk ratings mean for enterprises

Moody's announced it will soon begin composing cyber-risk ratings for enterprises. Kevin McDonald explores the move and what it could mean for enterprises and the infosec industry.

Having access to credit is critical for any healthy company, whether it's for acquisitions, funding organic expansion or even keeping the company afloat during hard times. Credit ratings take many factors into consideration, such as payment history, forms and levels of indebtedness, vertical industry, geography, business longevity, and many other financial factors.

But credit ratings also take other risks into account. The list of risks being considered by Moody's Investors Service Inc., which "provides credit ratings and research covering debt instruments and securities," just took a quantum leap forward into the world of cybersecurity.

Moody's recently announced that it will now consider cyber-risks and breaches in their coveted ratings. The company's decision to consider cyber-risks will have global impacts across all sectors and could have a significant long-term impact on the behavior of rated organizations as the concept spreads to other rating systems and beyond the scope of Moody's reach.

While Moody's cyber-risk ratings will be limited to the organizations and industries they chose, in the very near future, any business asking to borrow money could face questions about their cyber-risks.

In fact, other businesses that rely on risk ratings are already designing ways to do just that within their own context. There are already cyber-risk ratings out there from credit groups like FICO; however, there are no clear leaders in the space, and that may change with Moody's cyber-risk ratings.

If you consider that credit ratings are a measure of whether a business will actually pay back the money it borrows, then cyberattacks are an important class of risk to consider. Let's look at ransomware, for example.

I have personally seen the devastation that ransomware can cause. In its "Second Annual State of Ransomware Report: US Survey Results," MalwareBytes last year reported that 20% of companies surveyed had to "cease business operations immediately" following a ransomware infection. Even when companies do survive a breach, they are often seriously injured in both a financial and reputational sense.

So why would we not expect an organization lending money to be concerned about such serious risks? If a company that is dependent on its internet presence sees its connectivity crippled long term by a denial-of-service attack, it can be devastating and potentially fatal. When a company gets an infection of unknown, or particularly persistent, malware, it often results in that business being taken offline for extended periods of time.

Let's consider the frequently reported breaches of confidential information. Depending on the type of industry and the severity of the incident, a data breach can have far-reaching and long-lasting effects.

From the initial costs of investigations and cleanup to paying for customer communication, credit reporting, and legal fees, breaches can financially tax any company and even destroy some. Lingering issues like lost business and customer trust, penalties from both industry compliance and government regulatory bodies, and lawsuits from legitimately aggrieved customers and opportunistic lawyers are often troublesome for long periods after a security event.

How will this all be managed? Will Moody's expect companies to publicly announce the efforts they are taking? Will it simply rate across the board based on averages? Will it specifically inquire or ask companies to share privately how they are mitigating risks? If it is anything like other credit rating mysteries, it could be a while before we know.

Much is left to be seen, but as with any program surrounding the assessment of cybersecurity, a recognized and measurable risk framework will be required. It's unclear if Moody's cyber-risk ratings will go to the depth of compliance assessments or whether they will take a broader brush approach.

No matter what Moody's chooses, the company's decision will likely need to line up with a reputable framework that a majority of organizations already use or are at least comfortable using. Picking an unknown framework could cause significant overlap in effort and ultimately lead to a failure to meet the goals of such a program.

For example, Moody's might consider the NIST Cybersecurity Framework. The NIST Cybersecurity Framework is leveraged by many regulatory bodies, and it is supported by readily available materials, training and other factors that make it attainable to a wide range of companies. Following a framework is not the only answer -- or a complete solution -- but it is certainly a critical part of both.

Should value-added resellers, vendors and managed security service providers celebrate or be concerned? That depends on your perspective, as well as the condition and size of your clients. If your clients or their industries potentially fall under the purview of Moody's cyber-risk ratings, you may want to take the initiative to get ahead of this by asking the right questions. Moody's announced that it will outline the list of industries it considers to be high-risk in the first quarter of 2019.

Regardless of what industries Moody's chooses, everyone in the tech sector should take notice; they will need to seriously step up their game to guide enterprises through this process and help them address whatever risks Moody's cites.

Unfortunately, Moody's might not share its algorithms or plans on how it will measure cyber-risks. It's likely that most companies don't even know this is coming. However, it's going to be another opportunity for the infosec industry to be a leader for its clients, whether they are directly affected or not, as Moody's cyber-risk rating could significantly impact lending and security in the very near future.

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing