Cyber threats growing across sectors with $22tn in debt at risk, Moody's says

Industries relying on data, most notably utilities, found to be most attractive targets for cyber attacks

Nearly $22 trillion in collective rated debt associated with more than 70 global rating sectors has high or very high exposure to cyber risks in 2022, with critical infrastructure experiencing the highest risk, a new report from Moody's Investors Service has found.

This represents almost 28 per cent of the $80tn in debt and a rise of about $2tn from the previous study, a cyber heat map report conducted by the rating agency in 2019.

Sectors that rely significantly on data, most notably utilities, are the most attractive targets for cyber attacks, according to Moody's.

However, the rise in risks has also prompted these sectors to increase their defences against cyber threats, the report said.

“This does not mean the issuers within these sectors have weak cyber security practices … our 2022 cyber heat map points to rising risks for many sectors, while mitigation and other defensive measures are also becoming more prevalent,” Moody's said.

“We point to the critical nature of their capital intensive and long-lived assets and services, the growing reliance on digitisation and the improvements needed for selected cyber practices relative to other sectors.”

Cyber criminals continue to look for lucrative opportunities and tend to operate where digital activity is most apparent, and they have increased their efforts to stay a step ahead of organisations as digital adoption continues to rise.

Online criminal activity cost the world about $6tn last year, according to a study by research company Cybersecurity Ventures. If that were to be measured as a country, it would be the world's third-largest economy after the US and China, it said.

By 2025, such crimes are expected to cost the world about $10.5tn, up 250 per cent from 2015's $3tn, it added.

The Moody's report showed that sectors with very high risk include critical infrastructure such as electric, gas and water utilities, as well as not-for-profit hospitals — all of which heavily rely on data to power their operations.

“We point to the critical nature of their capital intensive and long-lived assets and services, the growing reliance on digitisation, and the improvements needed for selected cyber practices relative to other sectors,” it said.

Banks, technology, telecommunications and midstream energy industries are at high risk. Financial institutions, in particular, have a very high systemic role given the central function the broader banking system plays within a functioning economy, Moody's said.

Advanced economies and emerging market sovereigns, regional and local governments, manufacturing, retail and integrated oil sectors have moderate risk, it added.

Specifically, integrated oil companies, technology and chemicals have a high systemic role, in part reflecting their interdependencies with sectors that Moody's identified as having “very high systemic role”, such as utilities and banks.

The rating agency cited the May 2021 cyber attack on Colonial Pipeline, which disrupted fuel deliveries to a large region across the South Eastern US and illustrates why the midstream energy sector has a high systemic role score.

“If sustained, the Colonial Pipeline shutdown could have had worse contagion effects across the region, but it was resolved in a timely manner, thereby limiting any lasting effects,” Moody's said.

Meanwhile, low risk sectors include structured finance, real estate, independent exploration and production, mining and public sector housing.

Given these sectors have a localised nature, any successful attack on one would be unlikely to impact the rest of the economy, Moody's said.

“Most also have a low reliance on technology and data to maintain business operations or an ability to easily revert to manual operations,” it added.

Moody's stressed that the scale of a sector plays a role in how much damage a cyber attack can bring, and the potential domino effect that can spread throughout a range of ecosystems.

“Digitisation risk can affect one company and spread to numerous other global organisations,” the rating agency said, specifically referring to the attack on US IT company SolarWinds, which came to light in December 2020.

In what is considered one of the worst cyber espionage cases in history, the attackers exploited software credentials from SolarWinds and other US companies, including Microsoft and VMware, and used them to infiltrate several American federal departments, including defence, state, homeland security, treasury and commerce, while also affecting global organisations such as the UK government, the European Parliament and Nato.

“The primary difference between sectors that scored high compared to very high is the former's more advanced form of mitigation practices, which partially offsets their high level of exposure to cyber risk,” Moody's said.

Updated: September 30, 2022, 10:23 AM