Moody’s and S&P warn cyber risks can affect credit ratings – what does this mean for critical infrastructure?

Nov. 29, 2015

Moody’s, S&P, and insurance companies are starting to consider cyber risk, strongly implying that the Board of Directors of industrial companies and ICS vendors can be expected to have to explicitly address ICS cyber security.

On November 23, 2015, Moody’s Investors Service issued the report, “Cyber Risk of Growing Importance to Credit Analysis”. Moody’s considers the risk of a widespread, material cyber event in a manner similar to the way they view major storms or natural disasters, in that the timing – and consequences – of a successful attack are uncertain. According to the report, Moody’s feels that cyber risk is best viewed as being similar to these types of extraordinary events, for which the credit impact would most likely fall within those common stress test boundaries. “This means the credit implications associated with cyber defense, detection, prevention and response should start to take a higher priority within our credit assessments and analysis. From a credit perspective, we are still working towards fully understanding the scale and scope of cyber risks, in part because the risk is evolving”.

As the threat of cyberattacks continues to rise across all sectors, "the implications could start taking a higher priority in credit analysis," Moody’s says. "We do not explicitly incorporate the risk of cyberattacks into our credit analysis as a principal ratings driver," the report notes. "But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event, like other event risks, could be the trigger for those stress scenarios. A successful cyber event's severity and duration will be key to determining any credit impact."

Other sectors considered part of the nation's critical infrastructure, such as electric utilities, power plants, or water and sewer systems, are more exposed to attacks that could lead to large-scale service disruption, causing substantial economic - and possibly environmental - damage, the report notes. "However, Moody's believes such an attack would elicit immediate government intervention to restore operations, resulting in lower potential credit risk."

However, after discussions with the author of the report, I believe that Moody’s may want to reconsider their assumptions about government intervention and the resultant “lower” credit risk.

The Moody's report comes after another ratings agency, Standard & Poor's (S&P), issued a report with a similar warning for the banking industry. S&P said in its September report that it could issue a downgrade if a bank looked ill-prepared for dealing with a cyberattack, or following a breach that causes significant damage to a bank's reputation or that leads to substantial monetary losses or legal damages (see S&P's Cyberwarning: Late to the Game). S&P is also assessing the potential impact of cyber risks in other sectors. The questions that S&P is asking the banking sector in the article are not necessarily applicable to industrial critical infrastructures.

Additionally, Moody’s and S&P should assess the cyber risk to the ICS suppliers, as they may also be held partially liable for a cyber incident affecting their equipment, not to mention the loss of reputation in the industry (look at what Siemens has had to overcome because of Stuxnet).

The fact that Moody’s, S&P, and insurance companies are starting to consider cyber risk strongly implies that the Board of Directors of industrial companies and ICS vendors can be expected to have to explicitly address ICS cyber security. For utilities, it means that stock and bond ratings can be affected by REAL cyber risk, not by meeting industry-established criteria (NERC CIPs) which don’t result in actual comprehensive cyber security. As identified at the October ICS Cyber Security Conference, a utility meeting the NERC CIP standards was compromised in less than 30 minutes without detection. To Moody’s, S&P, and the insurance companies that are focused on risk, the NERC CIPs provide little comfort. The same may be said of ICS vendors that don’t provide adequate cyber security for their products, such as a lack of Aurora mitigation capabilities.

Joe Weiss