Why Moody’s said rated organisations are seeing increasing cyber threats
Organisations experiencing a cyber incident in one year are four to five times more likely to face another in subsequent years compared to those previously unaffected, Moody’s said.
Cyberattacks have surged in recent years, posing a risk to the creditworthiness of debt issuers rated by Moody’s, according to a new report released by the credit rating agency. A survey of cybersecurity incidents affecting 9,600 rated debt issuers globally by Moody’s showed that the number of organisations experiencing cyber incidents has steadily increased, from an annual rate of 4-5% before 2019 to approximately 7% since 2020.
This surge, which poses a rising risk to creditworthiness, is primarily driven by indirect attacks originating from third-party software providers. With advancements in artificial intelligence expected to increase the volume and sophistication of attacks, coupled with increasingly intricate supply chain dependencies, Moody’s projects that this trend could persist.
While direct impacts on credit ratings have been limited to 14 organisations, three of these occurred in the past year alone, affecting prominent entities such as Mount Sinai Hospital, Financiere Verdi I S.A.S. (Ethypharm), and Ascension Health Alliance due to disruptions in operations or collections stemming from ransomware attacks. These entities received a lower revised rating from Moody’s after facing cyberattacks.
The persistent nature of cyber vulnerability
The Moody’s analysis underscored a troubling pattern: a past cyber incident significantly correlates with an increased likelihood of future breaches. Since 2015, one in three organisations examined had experienced at least one incident. Crucially, for those affected, one in four encountered another incident within a year, and one in three within two years.
Organisations experiencing a cyber incident in one year are four to five times more likely to face another in subsequent years compared to those previously unaffected, Moody’s said.
The agency said that several interconnected factors were contributing to this persistent vulnerability. Organisations may fail to adequately address initial root causes, implement insufficient remediation, or delay critical patching after a breach. Further, media attention following an incident can inadvertently highlight vulnerabilities, attracting repeat attacks.
Sectoral hotspots
The study identifies significant variation in incident frequency and recurrence across different sectors. Not-for-profit hospitals exhibited the highest rates, with 42% experiencing at least one incident since 2022, and 14% suffering multiple incidents within a year. This is largely attributed to the critical nature of their services, the sensitive healthcare data they manage, and often constrained cybersecurity resources.
Public-sector housing ranked second in frequency, yet led in recurrence, with 26% of entities facing more than one incident within a year, likely due to ongoing challenges in modernising legacy IT systems.
Education and not-for-profit organisations, along with the telecommunications sector, also witnessed high attack rates, presumably due to their handling of critical data and sometimes weaker cyber defences. For example, 31% of telecommunications issuers in the study experienced a cyber incident since 2022, with 11% facing repeat attacks.
Despite often stronger cyber diligence and governance, banks also display one of the highest recurrence rates relative to impact, suggesting either highly targeted attacks or stringent disclosure requirements that increase visibility.
Soumyarendra Barik is a Special Correspondent with The Indian Express, specializing in the complex and evolving intersection of technology, policy, and society. With over five years of newsroom experience, he is a key voice in documenting how digital transformations impact the daily lives of Indian citizens.