Why Moody’s said rated organisations are seeing increasing cyber threats
Organisations experiencing a cyber incident in one year are four to five times more likely to face another in subsequent years compared to those previously unaffected, Moody’s said.
Cyberattacks have surged in recent years, posing a risk to the creditworthiness of debt issuers rated by Moody’s, according to a new report released by the credit rating agency. A Moody’s survey of cybersecurity incidents affecting 9,600 rated debt issuers globally showed that the share of organisations experiencing cyber incidents has steadily increased, from an annual rate of 4-5% before 2019 to approximately 7% since 2020.
This surge, which poses a rising risk to creditworthiness, is primarily driven by indirect attacks originating from third-party software providers. With advancements in artificial intelligence expected to increase the volume and sophistication of attacks, coupled with increasingly intricate supply chain dependencies, Moody’s projects that this trend could persist.
While direct impacts on credit ratings have been limited to 14 organisations, three of these occurred in the past year alone, affecting prominent entities such as Mount Sinai Hospital, Financiere Verdi I S.A.S. (Ethypharm), and Ascension Health Alliance due to disruptions in operations or collections stemming from ransomware attacks. These entities received a lower revised rating from Moody’s after facing cyberattacks.
The persistent nature of cyber vulnerability
The Moody’s analysis underscored a troubling pattern: a past cyber incident significantly correlates with an increased likelihood of future breaches. Since 2015, one in three organisations examined had experienced at least one incident. Crucially, for those affected, one in four encountered another incident within a year, and one in three within two years.
The agency said that several interconnected factors were contributing to this persistent vulnerability. Organisations may fail to adequately address initial root causes, implement insufficient remediation, or delay critical patching after a breach. Further, media attention following an incident can inadvertently highlight vulnerabilities, attracting repeat attacks.
Sectoral hotspots
The study identifies significant variation in incident frequency and recurrence across different sectors. Not-for-profit hospitals exhibited the highest rates, with 42% experiencing at least one incident since 2022, and 14% suffering multiple incidents within a year. This is largely attributed to the critical nature of their services, the sensitive healthcare data they manage, and often constrained cybersecurity resources.
Public-sector housing ranked second in frequency, yet led in recurrence, with 26% of entities facing more than one incident within a year, likely due to ongoing challenges in modernising legacy IT systems.
Education and not-for-profit organisations, along with the telecommunications sector, also witnessed high attack rates, presumably due to their handling of critical data and sometimes weaker cyber defences. For example, 31% of telecommunications issuers in the study experienced a cyber incident since 2022, with 11% facing repeat attacks.
Despite often stronger cyber diligence and governance, banks also display one of the highest recurrence rates relative to impact, suggesting either highly targeted attacks or stringent disclosure requirements that increase visibility.
Soumyarendra Barik is Special Correspondent with The Indian Express and reports on the intersection of technology, policy and society. With over five years of newsroom experience, he has reported on issues of gig workers’ rights, privacy, India’s prevalent digital divide and a range of other policy interventions that impact big tech companies. He once also tailed a food delivery worker for over 12 hours to quantify the amount of money they make, and the pain they go through while doing so. In his free time, he likes to nerd about watches, Formula 1 and football.