Moody's: Cyber Risk Quantification Is Credit Positive

We are excited to announce the availability of the Moody’s Investor Services 2022 Cyber Risk Outlook. The report, which leverages data provided by Bitsight, outlines factors shaping the landscape for cyber risk in 2022. Bitsight is proud to partner with Moody’s on this important research.

According to the report, cybersecurity is no longer simply an IT task—instead, it is now a broad, enterprise-wide issue, national security, and a critical infrastructure cybersecurity challenge. As a result, Moody’s believes that organizations will increasingly adopt cyber risk quantification (CRQ) to provide a common language for cyber risk stakeholders and prioritize security spending initiatives. The use of CRQ practices is credit positive, according to Moody’s, allowing issuers to more accurately allocate resources to defend against cyber incidents and improve resilience.

Moody’s also found that the pandemic-driven surge in ransomware attacks is responsible for increased cyber insurance premiums across all sectors globally, as well as shrinking coverage for heavily targeted industries. This increases the financial burden associated with attacks for issuers in high-risk sectors, disrupting a key component of risk transfer. Attacks have also drawn increased attention from regulators and legislators. 

Key findings of the report (registration required) include:

• Remote and hybrid work arrangements have made cyber attacks easier and more attractive to cybercriminals, as companies can no longer rely on a traditional network security perimeter. Bitsight research shows that insecure work-from-home networks are more than 3.5x more likely to have malware present than the traditional corporate network.
   
• Insurance claims related to ransomware continue to increase, leading to higher cyber insurance costs. Heavily targeted sectors especially will contend with less comprehensive coverage. “The cyber insurance underwriting process has fundamentally changed,” said Stephanie Snyder Frenier, ​​Vice President and General Manager, Insurance at Bitsight. “While self-attested applications still play a part in the underwriting process, real-time data analytics are being recognized as critical to determine an applicant’s overall cyber security posture—and hence insurability.” 
   
• Cyber risk and regulatory mandates will increase, as ransomware attacks become a greater national security issue. Governments will continue to increase cybersecurity baselines to manage threats. 
   
• Organizations will move to CRQ to provide a common language for cyber risk stakeholders. By translating cybersecurity risks into financial losses, CRQ helps security and risk leaders make better cyber investment decisions leading to improved risk outcomes.

“This report provides critical insights into what organizations should expect in 2022 and further links cyber risk to business impact and financial loss,” said Derek Vadala, SVP and Head of Risk at Bitsight. “This is the first of many reports that will join together Bitsight research and data with Moody’s deep and critical insights into macro risks that face organizations worldwide. Moody’s and Bitsight are excited about what the future holds for our partnership.”