European Cyber Risk is Rising: Moody’s

Cyber risk is rising in Europe, the Middle East and Africa (EMEA), according to the latest analysis from Moody’s Investors Service (“Moody’s”). The report, which leverages BitSight cybersecurity performance data and insights, details findings on public sector versus private sector performance, the overall cybersecurity posture of the region, differences in industry/sector performance, and the impact of cybersecurity on corporate profitability and credit markets.

Key Findings

Accelerating EMEA cyber attacks could soon impact credit

Cyber attacks in EMEA are accelerating, both related and unrelated to the Russia-Ukraine war. Moody’s found that 38% of all EMEA cyber attacks in 2022 were “directly related” to the conflict, while the remainder of attacks were broad-based. Adding to an already strong asymmetry in security posture, the report details a stark difference in public versus private sector exposure. Moody’s found that public sector organizations have suffered a greater number of cyber attacks compared to their private sector counterparts.

Moody’s found that while cyber attacks have not “yet severely damaged credit quality in Europe,” there may still be unavoidable challenges arising in the future. One of these challenges is a clear and significant rise in cybersecurity budgets alongside a lagging rise in cybersecurity performance.

Cyber defense costs will hurt profitability

Organizations have responded to a rise in cyber attacks by increasing their cybersecurity budgets, but that’s no panacea for today’s threats. The truth is many organizations inefficiently allocate cybersecurity resources, leading to ballooning budgets alongside lagging cybersecurity performance. Moody’s found that 67% of EMEA organizations have either basic or intermediate cybersecurity performance, as measured by BitSight. This means organizations may not be spending resources effectively.

Public sector organizations are weaker cybersecurity performers

Moody’s found that legal, insurance, and financial organizations in EMEA have the strongest cybersecurity performance, while government/politics, education, and telecommunications organizations in the region score the lowest. This finding reveals a commonality between the United States and EMEA – public sector organizations in both regions tend to have poor cybersecurity performance.

Cyber incident disclosure remains a top challenge

Cyber incident disclosure promises to create a more transparent and accountable cyber order, but serious challenges remain in EMEA. The research found that 54% of European companies have reported a cyber attack to the board while only 11% publicly reported the incident. This asymmetry is a dangerous one – disclosures help alert others to serious cyber threats, while enabling government and law enforcement agencies to effectively combat these threats on the global stage.

Finance and technology firms took the top two spots for the overall number of publicly disclosed cyber incidents in EMEA, while sectors like retail, government/politics, and education lagged behind. The world of cyber incident disclosure remains an opaque place, but there continues to be a strong push to make the landscape more transparent.

The Moody’s and BitSight Partnership

This research is the latest in a series of Moody's reports showcasing BitSight data. BitSight contributed proprietary data to this research initiative, including:

  • Security data collected and analyzed on over 300,000 companies
  • Aggregate, anonymized loss data on over 10 years of cyber loss events
  • Graded open ports and patching cadence datasets

In 2021, Moody’s announced a $250 million investment in BitSight. BitSight is proud to partner with Moody’s on research initiatives with the goal of helping the market communicate cyber data in the credit analysis process.

To read the full report, please visit Moody’s Investors Service here.

Can New Regulations Accelerate the Cyber Incident Disclosure Process?

New legislation requires critical infrastructure organizations to disclose cyber incidents to the government within 72 hours. BitSight research shows that might be easier said than done.
