Cyber attacks are growing in number and scope due to rapidincreases in interconnectivity and mobile data.

In response, Moody's Investors Service announced that the creditimplications associated with cyber defense, detection, preventionand response should start to take a higher priority within itscredit assessments and analysis.

"While we do not explicitly incorporate cyber risk as aprincipal credit factor today, our fundamental credit analysisincorporates numerous stress-testing scenarios, and a cyber eventcould be the trigger for one of those scenarios," said JimHempstead, Moody's associate managing director, in a statement. "Ascyber risk becomes more pervasive, it will take a higher prioritywithin our analysis."

Though not a principal credit factor in assessing a rating,Moody's now treats cyber threat as an event risk. "Event risks" areextraordinary events that fall into the stress-testing scenariosMoody's uses for its fundamental credit analyses.

An event risk that Moody's considers similar to a cyber attackis a natural disaster or a huge storm. In line with major storms ornatural disasters, cyber attacks have a similar unpredictability ofduration and severity and also depend on the nature of the targetedassets or businesses.

When Moody's downgrades a company's rating it can be attributedto countless different rationales, which could include a lack ofcyber preparedness or a cyber attack that weakens an company'sfinances or business model.

Moody's is still working to fully understand the scale and scopeof cyber risks.

"The credit implications for a business or organization can varywidely, so incorporating cyber risk in our credit analysisconsistently and transparently across all sectors and regions canbe challenging," according to Moody's.

Moody's released a report on Monday, "Cyber Risk of Growing Importance to CreditAnalysis," that identified three key factors that it willexamine when determining a credit impact associated with a cyberevent.

• Nature of the affected assets or businesses –"The more critical an asset or business to a society or economy,the greater the credit implication," according to the report.
• Duration of service disruption and expected time torestore – "The duration of an event is difficult tomeasure, since many emerging cyber events start months in advanceof their detection. The longer an attack lasts, the higher itsseverity," the report states.
• Scope of the affected assets or businesses –"We see a big difference between a cyber attack concentrated on asingle issuer and a widespread attack that affects a largegeographical region, specific sector, or infrastructure asset," thereport states.

The probability of a successful cyber attack is rising giventhat the total number of incidents is rising, Moody's says.

A PWC report titled "Managing Cyber Risk in an Interconnected World"finds that detected cyber incidents are rising at a fast pace.According to PWC, there were less than 5 million detected cyberincidents in 2009 compared with more than 40 million in 2014.

The losses attributed to those incidents are also on the rise.According to Corporate Board Member magazine, the averageannualized cost of a cyber breach is approximately $12 million peryear, per company – "a relatively small sum for most companies, butsevere attacks can cost many times more," Moody's says.

The number of reported incidents and the losses attributed tothose incidents continue to rise, despite heavier spending on cybersecurity.

Moody's points to research from the U.S. Homeland Security andGovernmental Affairs Committee and the Congressional ResearchService that shows annual U.S. federal spending on cyber securityhas hovered around $10 billion to $15 billion over the past fewyears, roughly twice the $6.5 billion spent in 2006.

"Globally, corporate spending on cyber security (according topublic sources such as CNN, Ponemon Institute and Market Realist)is likely to rise to over $120 billion by 2017 from $64 billion in2011," Moody's says.

________________________

How can you transform your risk management preparednessand response strategy into a competitive advantage?

Introducing ALM'scyberSecure — A two-day event designed toprovide the insights and connections necessary to implement apreparedness and response strategy that changes the conversationfrom financial risk to competitive advantage. Learn more about howthis inaugural event can help you reduce risk and add businessvalue.