Moody's and Standard & Poor to Factor Cybersecurity into Creditworthiness Determinations
Following an earlier announcement by Standard & Poor, Moody's recently announced that it will take companies' information security preparedness into account in its analysis of creditworthiness. Moody's announced that breach prevention, detection, and response, as well as cyber defense capabilities, are going to become higher priorities.
In a press release issued in connection with the release of its recent report, "Cross Sector-Global: Cyber Risk of Growing Importance to Credit Analysis," Moody's noted that, while it does not explicitly incorporate cyber risk as a principal credit factor at this time, its analysis incorporates a number of stress-testing scenarios, of which a cyber event could be a trigger.
Moody's report identifies several factors it examines when determining the credit risk associated with a cyber event, including the nature and extent of targeted assets and businesses, the likely duration of potential disruptions in service, and the timeframe required to reinstate operations.
Industries likely to pose the highest risk include those which store large amounts of personal information, such as financial institutions, health care companies, retail companies, and educational institutions, which have the highest potential risk of reputational and financial damage resulting from large-scale data theft.
Moody's press release also discussed industry segments it expects to pose a lower credit risk, including critical infrastructure, such as electric utilities, power plants, and water and sewer systems. While it acknowledged that cyberattacks on such industries could cause significant economic turmoil, it anticipates that such losses would be offset by immediate government intervention to restore operations.
Moody's announcement comes on the heels of a similar announcement by ratings company Standard & Poor, which indicated in September 2015 that it views financial organizations as susceptible to reputational and monetary damage from cyber events and would consider downgrades for institutions which fail to implement appropriate security measures.
If you have any questions regarding this update, please contact John Hines at firstname.lastname@example.org | (312) 985-5927 or Jennifer Woods at email@example.com | (312) 985-5931.
Clark Hill PLC's Cybersecurity, Data Protection and Privacy team provides the legal expertise to work with financial institutions as they adjust to the requirements of the new cybersecurity era. Clark Hill's team approach to cybersecurity preparedness brings together attorneys from our core practice groups that are experienced in bank regulatory issues as well as information technology transactions.