Written by Kevin McDonald, COO and CISO of Alvaka Networks. Originally published December 2018 on TechTarget. Kevin explores what Moody’s new cyber-risk ratings could mean for enterprises and the infosec industry.

Moody’s Cyber-Risk Ratings webpage screenshotHaving access to credit is critical for any healthy company, whether it’s for acquisitions, funding organic expansion or even keeping the company afloat during hard times. Credit ratings take many factors into consideration, such as payment history, forms and levels of indebtedness, vertical industry, geography, business longevity, and many other financial factors.

But credit ratings also take other risks into account. The list of risks being considered by Moody’s Investors Service Inc., which “provides credit ratings and research covering debt instruments and securities,” just took a quantum leap forward into the world of cybersecurity.

Moody’s recently announced that it will now consider cyber-risks and breaches in their coveted ratings. The company’s decision to consider cyber-risks will have global impacts across all sectors and could have a significant long-term impact on the behavior of rated organizations as the concept spreads to other rating systems and beyond the scope of Moody’s reach.

While Moody’s cyber-risk ratings will be limited to the organizations and industries they chose, in the very near future, any business asking to borrow money could face questions about their cyber-risks.

In fact, other businesses that rely on risk ratings are already designing ways to do just that within their own context. There are already cyber-risk ratings out there from credit groups like FICO; however, there are no clear leaders in the space, and that may change with Moody’s cyber-risk ratings.

If you consider that credit ratings are a measure of whether a business will actually pay back the money it borrows, then cyberattacks are an important class of risk to consider. Let’s look at ransomware, for example.

I have personally seen the devastation that ransomware can cause. In its “Second Annual State of Ransomware Report: US Survey Results,” MalwareBytes last year reported that 20% of companies surveyed had to “cease business operations immediately” following a ransomware infection. Even when companies do survive a breach, they are often seriously injured in both a financial and reputational sense.

So why would we not expect an organization lending money to be concerned about such serious risks? If a company that is dependent on its internet presence sees its connectivity crippled long term by a denial-of-service attack, it can be devastating and potentially fatal. When a company gets an infection of unknown, or particularly persistent, malware, it often results in that business being taken offline for extended periods of time.

Click here to read the full article at TechTarget Search Security.


Kevin McDonald, COO & CISO – Alvaka Networks

Kevin B. McDonald is the chief operating officer and chief information security officer at Alvaka Networks. Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.

Chairman, Orange County Sheriff/Coroner’s Technology Advisory Council (T.A.C)
Member, OC Shield
Member, FBI InfraGard
Member, O.C. Homeland Security Advisory Council (OCHSAC)
Member, US Secret Service’s LA Electronic Crimes Task Force (LAECTF)

ransomware resources
Contact Alvaka