Cyber risks will surge for debt issuers in 2021, Moody’s says

Key focus areas include vulnerabilities of supply chains, the rise in remote work and the growing risk from state-sponsored actors

The global cyber security market is forecast to be worth $363.05 billion over the next five years. Getty 
Powered by automated translation

Cyber security threats will increase for debt issuers this year, a new report by Moody’s Investors Service warns.

Coronavirus-induced changes at workplaces as well as homes have increased the risk of cyber threats this year. These could impact the creditworthiness of companies, the US ratings agency said.

The increased risk of cyber threats has also boosted the cyber security market, which is forecast to be worth $363.05 billion in 2025 – almost 125 per cent more than the amount spent in 2019, according to Mordor Intelligence, a research consultancy. The industry is projected to grow at an annual 14.5 per cent rate over the next five years.

The National looks at seven key risk factors and trends outlined by Moody's.

Attacks on hospitals and Covid-19 vaccine supply chains

Credit risks for hospitals arise when cyber attacks compromise Covid-19 vaccine supply chains and patients’ confidential data, making them vulnerable to financial threat and lawsuits. These risks are likely to surge and could disrupt vaccination programmes, prolonging the pandemic and its economic effects.

Geopolitical cyber concerns pose growing risks

Some state actors will launch cyber attacks because they are “cheap, reliable, portable, easily hidden and hard to detect”. The state-sponsored attacks threaten reputational damage, disruption of work flow and loss of intellectual property. “Entities that find themselves the targets of these attacks could experience substantial credit damage,” Moody’s said.

Cyber crime
Cyber crime

Cyber insurance providers to revise plans

The increasing cases of ransomware attacks are credit-negative for insurers since it exposes them to higher claim costs.

“Insurers have responded to rising financial losses by raising premium rates and narrowing terms and conditions … including lowering policy limits … higher insurance costs could weigh on the finances of some organisations, causing them to rethink the purchases of these products,” the agency said.

California-based cyber insurance provider Coalition said ransom demands among its policy holders grew 100 per cent from 2019 during the first quarter of last year.

More governments to enact data privacy laws

Governments will tighten data security laws and offer more incentives to companies that implement robust cyber risk management in 2021.

This will expose more companies to potential data privacy fines, Moody’s said, adding that authorities had reduced penalty amounts in 2020 for companies that showed their intention to improve cyber resilience.

“The fine reductions signal that regulators are not taking an all-or-nothing approach, but are instead giving credit to companies for incremental improvements … this approach [will] encourage higher levels of cyber preparedness,” Moody’s said.

Boards becoming more sensitised to cyber risk governance

Company boards are expected to make governance of cyber risks a higher priority in 2021 as these threats intensify. Stronger awareness and management of enterprise risks is credit positive, Moody’s said.

“The increasing volume of cyber incidents places directors at greater risk of personal liability for cyber incidents,” it added.

Remote working brings new challenges

Remote working spurred by the Covid-19 pandemic could compound cyber threats in 2021. Home devices that employees use to access office networks are usually not subject to the same security restrictions as corporate devices. This complicates efforts to control and monitor employees’ digital behaviour, applications and data outside traditional firewalls.

Rise in software supply chain attacks

As companies improve their network defences, attackers will turn to software supply chain vulnerabilities. They will take advantage of the trust between vendor and customer and the privileged access many vendors have to customers’ networks. Such incidents have spiked in recent years.

Out of the 619 debt issuers polled in a Moody's survey, 80 per cent said that a review from their own cyber security team is required before allowing a vendor an access to the core network.

More than 70 per cent said there should be a periodic review of vendors and 41 per cent of respondents said that they require vendors to carry cyber insurance.

“We expect these percentages to rise as issuers work to mitigate the risk of cyber supply chain attacks,” Moody’s said.