Moody’s will include cybersecurity risks in corporate credit ratings

The rating agency will evaluate the propensity of large organizations to suffer information security incidents

A data breach, depending on the magnitude of the incident, and its corresponding fines or infringements, could sentence to death an organization, commented experts in network security and ethical hacking from the International Institute of Cyber Security.

Moody’s, the investment rating agency, recently announced the inclusion of cybersecurity risks for its credit ratings process, through which the risks of massive data breach any organization could face will be measured. This measure could not come at a better time, and there is an expectation of the role the rating agency can play.

In this new mission it will be critical for Moody’s to create a system that collects complete and reliable data, including information taken from the companies themselves, as well as from external sources.

According to experts in network security, there are two ways to get this information. First, the qualifier can rely on data from external providers to undertake cybersecurity assessments. As a second method of information gathering, there is the data protected by the companies themselves, obtained through internal tools and monitoring.

External data will be more valuable to some companies than to others. A large chain of retailers, for example, with an important market presence, will be more likely to encompass a larger area of cyberthreats.

In an ideal world, Moody’s could require companies to have any internal information they need as part of their scope of work. Although in practice, there is no guarantee that a company will provide a complete picture of its operations. A company could deny Moody’s access to certain information because of its own security policies.

However, Moody’s must solve these constraints with creativity. External data provides coverage for a crucial segment of a company’s network and serves to verify the possibility that it is not providing clear and complete information to the qualifier. On the other hand, internal information is the main source of detailed information about a company.

The next challenge for Moody’s will be to develop these data sources, since they will originate from multiple sources working with different concepts and formats that are not necessarily consistent with each other, so the unification of criteria to analyze the cyber risks in organizations of different branches will be critical to Moody’s, consider network security experts.

Finally, the quality of the information that Moody’s can collect will have a direct impact on the quality of their ratings. If Moody’s can build a platform that integrates data from internal and external vendors, it can create a reliable rating much faster and more reliably.

For many experts in fields such as finance or cybersecurity, Moody’s decision could not come at a better time. We have reached the point where we are no longer surprised by incidents of massive data breaches, so it is necessary for organizations to consider the consequences that an incident of this magnitude can generate.