Will credit ratings finally get Board of Directors' attention about control system cyber threats?

Per https://www.cnbc.com/amp/2018/11/12/moodys-to-build-business-hacking-risk-into-credit-ratings.html, Moody's will soon start using its credit-rating expertise to evaluate organizations on their risk to a major impact from a cyberattack. Moody's gives ratings — ranging from AAA to C — that are used to determine creditworthiness for companies, bonds, sovereign countries, structured finance transactions and issuers of infrastructure and project finance. Initially, the company will incorporate cyber risk into its existing credit ratings. Moody's is considering a stand-alone cyber risk rating separate from the credit rank. Though they aren't yet saying which sectors will get scrutiny first, several stand out as especially exposed to risk from a cybersecurity crisis: The defense-industrial industry, financial sector, health care and critical infrastructure operators like energy, water, waste management and first responders all are considered high-risk categories.

There have already been companies that have declared bankruptcy because of control system cyber incidents and others that have experienced multi-billion dollar impacts. Consequently, I expect Moody's would be skeptical about the adequacy of compliance approaches such as the North American Electric Corporation (NERC) Critical Infrastructure Protection (CIP) standards that don't lower actual facility risk.

Joe Weiss