Who Faces Biggest Financial Risks From Cyberattacks?Moody's Says Hospitals, Banks Among Those That Have the Most Significant Potential Impact
Four business sectors - hospitals, banks, securities firms and market infrastructure providers - potentially face the most significant financial impact from cyberattacks that could lead to a weakened credit profile, according to a new report from Moody's Investors Service.
"In our view, cyber risk is event risk, and we see a rising tide," according to the report from Moody's, a U.S. credit ratings agency. "Digitization continues to increase, supply chains are becoming more complex and attacker sophistication is improving. However, the universe of cyber threat actors remains the same: socially motivated attackers - hacktivists - criminals and nation-states."
Moody's research assessed the inherent cyber risk exposure of 35 broad sectors based on two factors: vulnerability to a cyber event or attack and impact in terms of potential disruption of critical business processes, data disclosure and reputational effects.
Four sectors - banks, securities firms, market infrastructure providers and hospitals - were classified as having the highest overall cyber risk due to their significant reliance on technology and confidential information for their operations, the Moody's report notes.
Collectively, the companies in those four sectors have total rated debt outstanding of $11.7 trillion, the report says.
In explaining its assessment, Moody says: "We consider the likelihood and potential impact of cyberattacks at the sector level without taking into account existing cyber defenses of individual issuers, such as firewalls, monitoring capabilities and system backups. However, we consider mitigants that apply uniformly across an entire sector, such as monopolies or supply chain diversity."
The financial impact of a cyberattack could include the cost of insurance, the effect on customer behavior, litigation costs, fines and impact on technology infrastructure and R&D spending, according to Moody's. "Therefore, robust sources of liquidity remain a key mitigant," the report notes.
The report notes that the highest-profile cyber events - including a breach in November 2018 at Marriott International that exposed data of 383 million Starwood guests and a cyberattack on Equifax in September 2017 that compromised information of 143 million U.S, consumers - have yet to result in any material deterioration in the creditworthiness of the affected companies.
"However, the frequency and magnitude of attacks could weaken the credit quality of the most exposed entities in the coming years," Moody's writes.
So far, Moody's has downgraded at least one company - Altegrity, Inc. in September 2014 - as the result of a data breach.
Alegrity, a global risk and information services firm, subsequently filed for bankruptcy in 2015. Its security background check subsidiary, U.S. Investigative Services, in 2014 suffered a breach that exposed personal information of more than 25,000 government contractors.
USIS also came under fire for its work that ultimately gave security clearances to National Security Agency leaker Edward Snowden and Aaron Alexis, who fatally shot 12 people at the Naval Sea Systems Command at the Washington Navy Yard in September 2013.
Among other companies that Moody's cites in its report as being financially impacted by breaches and cyberattacks are FedEx and Merck & Co., which were among companies hit by the NotPetya ransomware attack in 2017, which collectively resulted in an estimated $10 billion in global financial impact across all of the affected entities.
Banks are at high risk because they hold the data and funds of private clients and they provide access to their services through multiple online and digital channels, Moody's writes.
"Securities firms, including capital markets firms, are also at high risk," the Moody's report notes. "They are appealing targets for cybercriminals aiming to carry out large-scale theft as well as sophisticated attacks designed to create operational disruption or garner publicity. A successful attack on large, systemic banks could pose a systemwide risk, reflecting their high degree of interconnectedness."
Similarly, successful cyberattacks against market infrastructure providers, such as exchanges and clearinghouses, or counterparties such as large securities or capital markets firms, could impair the booking, clearing and settlement of financial transactions, the report says.
Moody's assesses three main subsectors in healthcare: hospitals, pharmaceutical companies and medical device manufacturers. "Each industry has somewhat different cyber risk profiles that reflect their relative vulnerability to an attack and the impact of a successful attack," Moody's notes.
"For hospitals, our assessment primarily reflects the sensitive and essential nature of the data collected and used by these entities and its attractiveness to hackers, as well as vulnerabilities emanating from increasingly connected medical devices."
Hospitals of all sizes are vulnerable to cyberattacks and the subsequent financial impact, the report notes. "Although hospitals with more financial resources will be better able to avoid threats or recover from an attack, size does not provide immunity."
Electronic medical records systems are the primary tool used to collect clinical and billing-related data, the report notes. "The EMR is critical to nearly all hospitals' infrastructure, and any disruption can impact operations and impair financial performance."
Moody's research also found that only "a small number of rated hospitals" reported having cyber insurance due to its "high cost."
Attorney Laura Hammargren of the law firm Mayer Brown's healthcare, cybersecurity and data privacy practices says it's not surprising that Moody's portrays hospitals and banks as being at high risk of financial impact as a result of cyberattacks.
"Such institutions have a huge volume of valuable personal information and so have been identified as clear targets for attack for a long time," she notes. "Hospitals may not have the same resources, infrastructure and technology that a financial institution might have, and thus may be seen as more vulnerable. These are also services that generally people cannot abstain from utilizing, therefore ensuring that new users' data is constantly being provided."
The Moody's report also appears to be the first of its kind that directly ties the creditworthiness of entire industries to their risk for cyberattacks, Hammargren adds.
"The report does not account for steps that particular hospitals may have taken to combat security risks, so investors doing diligence may not decide that this is particularly telling as to specific investments," she notes.
"However, it does start to highlight that significant breaches can have lasting impacts in a multitude of areas for hospitals and must be an issue in which resources are invested. It's also clear that the industry continues to be viewed as a target by many key stakeholders, again encouraging institutions to put combatting cyberthreats high on their priority list."