Written by Kevin McDonald, COO and CISO of Alvaka Networks. Originally published December 2018 on TechTarget. Kevin explores what Moody’s new cyber-risk ratings could mean for enterprises and the infosec industry.
Having access to credit is critical for any healthy company, whether it’s for acquisitions, funding organic expansion or even keeping the company afloat during hard times. Credit ratings take many factors into consideration, such as payment history, forms and levels of indebtedness, vertical industry, geography, business longevity, and many other financial factors.
But credit ratings also take other risks into account. The list of risks being considered by Moody’s Investors Service Inc., which “provides credit ratings and research covering debt instruments and securities,” just took a quantum leap forward into the world of cybersecurity.
Moody’s recently announced that it will now consider cyber-risks and breaches in its coveted ratings. The company’s decision to consider cyber-risks will have global impacts across all sectors and could significantly change the long-term behavior of rated organizations as the concept spreads to other rating systems and beyond the scope of Moody’s reach.
While Moody’s cyber-risk ratings will be limited to the organizations and industries it chooses, in the very near future, any business asking to borrow money could face questions about its cyber-risks.
In fact, other businesses that rely on risk ratings are already designing ways to do just that within their own context. There are already cyber-risk ratings out there from credit groups like FICO; however, there are no clear leaders in the space, and that may change with Moody’s cyber-risk ratings.
If you consider that credit ratings are a measure of whether a business will actually pay back the money it borrows, then cyberattacks are an important class of risk to consider. Let’s look at ransomware, for example.
I have personally seen the devastation that ransomware can cause. In its “Second Annual State of Ransomware Report: US Survey Results,” Malwarebytes last year reported that 20% of companies surveyed had to “cease business operations immediately” following a ransomware infection. Even when companies do survive a breach, they are often seriously injured in both a financial and a reputational sense.
So why would we not expect an organization lending money to be concerned about such serious risks? If a company that is dependent on its internet presence sees its connectivity crippled long term by a denial-of-service attack, it can be devastating and potentially fatal. When a company gets an infection of unknown, or particularly persistent, malware, it often results in that business being taken offline for extended periods of time.