About $22 trillion of global debt rated by Moody’s Investors Service has “high,” or “very high” cyber-risk exposure, with electric, gas and water utilities, as well as hospitals, among the sectors facing the highest risk of cyberattacks.
That’s more than one-quarter (28 percent) of the $80 trillion in Moody’s rated debt across 71 global sectors, and it represents a $1 trillion jump from the firm’s 2019 numbers, according to the credit rating biz.
For its Cyber Heatmap, Moody’s looks at two factors, exposure and mitigation, and weighs both across all of the sectors it rates.
Exposure includes the industry’s “systemic role” — its attractiveness as a target from an attacker’s perspective looking to trigger maximum disruption, along with its interconnectedness to other sectors — and “digitatization” or its digital footprint, which expands the potential attack surface.
Mitigation includes perimeter vulnerability, basic cybersecurity practices and estimated financial losses. In determining perimeter vulnerability, Moody’s takes into account at-risk open ports and patching cadence, which it gleans from data and metrics provided by cyber-ratings company BitSight, of which Moody’s owns a minority stake.
“Poor patching cadence, for example, is strongly correlated with a significantly higher risk of ransomware,” BitSight chief risk officer Derek Vadala said in a statement.
Based on exposure and mitigation, Moody’s scores each of the 71 sectors and rates them “low,” “moderate,” “high” or “very-high risk.” According to this year’s Heatmap, and perhaps unsurprisingly, utilities rated the highest for cyber risk.
This sector, with $2.5 billion collective debt rated by Moody’s, includes regulated and self-regulated electric utilities with generation, electricity and gas transmission and distribution businesses, unregulated electric and power companies, and water and wastewater operations. As Moody’s noted, “this does not mean the issuers within these sectors have weak cybersecurity practices.”
Instead, it’s more about the “multiplier effect across an economy,” according to the report. For example, a cyberattack that knocks a regional power grid offline will impact more than just the utility itself, with potentially devastating consequences for hospitals that can’t perform life-saving surgeries or access critical medicine for patients, or assisted living centers that can’t turn on heat or air conditioning for their elderly residents in the middle of a heat wave or cold snap.
This, of course, is what makes critical infrastructure so attractive for cybercriminals looking to inflict maximum damage, as seen by the seemingly constant barrage of government warnings about nation-state threat groups targeting power and infrastructure facilities.
Not-for-profit hospitals also ranked “very high” in terms of their cyber risk. “We view not for profit hospitals as being highly attractive, data rich targets with average mitigation measures in place to reduce the impact of a potential cyber event,” according to Moody’s. The rise in ransomware attacks against hospitals and healthcare organizations support this finding.
High-risk sectors include banks, technology, telecommunications and midstream energy, while the Heatmap lists advanced economy and emerging countries, regional and local governments, manufacturing, retail and apparel, and integrated oil as moderate-risk.
Finally, low-risk sectors include structured finance, real estate, independent exploration and production, mining, and public-sector housing. ®