Moody’s: $22 Trillion of Debt has Significant Cyber Risk Exposure


Moody’s Investors Service published new research indicating worldwide cyber risk is rising, particularly among critical infrastructure entities. Among other findings, the research reports that $22 trillion of Moody’s-scored debt is associated with sectors having High or Very High cyber risk exposure, an increase of $1 trillion compared to a similar study performed in 2019. Quantitative cyber performance data from Bitsight helped provide a strong foundation for this data-driven analysis, which reaffirms that cyber risk is a credit issue worthy of market participants’ close consideration.

Key Findings

Leveraging Bitsight data and other quantitative and qualitative measures, Moody’s conducted an analysis bridging the gap between credit analysis and cybersecurity performance. Here are some of the key findings from the research:

The monetary value of high-cyber-risk debt is rising

The updated research reveals that $22 trillion, or nearly one-third of all Moody’s-scored debt, is associated with sectors having High or Very High cyber risk levels. This represents a $1 trillion rise in the value of high-cyber-risk rated debt relative to the 2019 Moody’s report. This finding should alert all global credit market participants to the importance of cyber risk as it relates to credit markets.

Critical infrastructure sectors have the highest cyber risk exposure

Moody’s reports that outstanding debt associated with critical infrastructure sectors – telecommunications, utilities, and others – has the highest cyber risk exposure. Moody’s also found nonprofit hospitals to be at very high risk, with earlier research confirming this assessment. University researchers found that hospitals significantly underperform Fortune 1000 firms in terms of cybersecurity, and that hospitals with low Bitsight Security Ratings face a higher risk of data breach compared to higher-rated organizations.

Particularly relevant to critical infrastructure sectors, Moody’s emphasizes cyber incident disclosure among debt issuers as a key challenge. This focus comes shortly after President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring owners and operators of critical infrastructure to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments within 24 hours.

Earlier Bitsight research suggests critical infrastructure sectors may have difficulty meeting these disclosure requirements. It takes the average organization 105 days to discover and disclose an incident from the date the incident occurred; this is well beyond the 72-hour disclosure requirement enacted by policymakers.


20% of sector debt is associated with High or Very High perimeter vulnerability risk

Leveraging Bitsight data insights related to sector patching cadence and open ports, Moody’s created a “perimeter vulnerability” metric for sectors with rated debt. Approximately 20% of the covered sectors, as measured by debt outstanding, scored High or Very High risk with respect to the Moody’s “perimeter vulnerability” subcategory. Moody’s focused on several of these areas because earlier studies have shown these analytics to have a strong correlation with an increased risk of experiencing a ransomware incident.

Moody’s found that utilities, media/entertainment, education, and government/politics are at Very High risk with respect to overall perimeter vulnerability. These sectors may be more at risk of operational disruptions and outages than of information technology vulnerabilities.

The Moody’s and Bitsight Partnership

This research is the latest in a series of Moody's presentations showcasing Bitsight data. Bitsight contributed proprietary data to this research initiative, including:

  • Security data collected and analyzed on over 300,000 companies
  • Aggregate, anonymized loss data on over 10 years of cyber loss events
  • Graded open ports and patching cadence datasets

Bitsight is proud to continue partnering with Moody’s on future research initiatives with the goal of helping the market communicate cyber data in the credit analysis process.

To read the full report, please visit Moody’s Investors Service at: https://www.moodys.com/researchdocumentcontentpage.aspx?docid=PBC_1261061