Summary: Cyber risk continues to rise as geopolitical tensions mount, and governments and industries are taking action to reduce cyber exposure. Regulations tightening cybersecurity requirements in industry and increasing demand for cyber insurance are two of the significant global policy trends expected in the coming year, according to the 2023 Cyber Risk Global Outlook from Moody’s Investors Service. How will these efforts affect businesses and their credit in 2023?

Ransomware attacks shift away from the US

By far the largest share of ransomware attacks (49% of all attacks worldwide in 2021) has been directed against the US. However, ransomware groups are beginning to diversify their geographic attack patterns in response to recently increased pressure from the US government through sanctions, arrests, and cryptocurrency seizures. While the US still has the most attacks, its share is shrinking.

According to Moody’s report, between 2020 and 2022, North America's share of global ransomware attacks decreased from 65% to 46%. Meanwhile, attacks are rising in other regions. For instance, the cybersecurity company SonicWall reports that in the first half of 2022, attacks in Europe increased by 63%. The change will be favorable for US issuers’ credit but detrimental for businesses in regions where ransomware incidents are on the rise.

Incident reporting mandates are growing

A significant positive is that the US, EU, Canadian, and Indian governments have taken steps to tighten cybersecurity and disclosure obligations. Standardized disclosure frameworks will boost transparency and probably encourage businesses to prioritize cybersecurity.

Disclosure requirements are beneficial to credit for several reasons. First, they give market participants more transparency. Under the proposed guidelines, participants could compare businesses based on how well they are managing their cyber risk. Governments also gain from disclosures because they need data to gauge the scope of cyber hazards and create effective countermeasures.

Disclosure requirements also help create defense benchmarks that businesses can use to strengthen their cybersecurity. They lessen systemic risk as well, since corporations gain access to information about attack attempts, which they can use to stop attacks or spot malicious activity on their networks. The Cybersecurity and Infrastructure Security Agency (CISA), for instance, gathers cyber event reports from targeted firms, studies patterns, and disseminates anonymized data to assist organizations in managing risk.

However, measures with tight reporting deadlines and public disclosure will increase risk for the entities subject to them. “Short timelines for disclosure are one such challenge because public reporting on an attack still in progress could arm hackers with real-time feedback allowing them to make the attack more effective. A disclosure that takes place too soon could hamper an ongoing investigation into an attack. Disclosure mandates add operational burdens, too, especially for entities that report to more than one regulator. The resources required for complying with these measures can be considerable,” writes Leroy Terrelonge, Vice President – Senior Analyst at Moody’s Investors Service.

Cyber insurance demand outweighs supply

Insurance firms continue to be wary of their exposure to systemic cyber risk as the number, size, and sophistication of cyberattacks increase globally. As a result, insurers are raising prices and limiting their cyberattack coverage. These steps will lessen the risk that insurers face from significant losses. Organizations, on the other hand, will need to invest more in their cyber preparedness in order to obtain cyber insurance, or develop alternative methods of transferring cyber risk as coverage becomes more limited and expensive.

Six key takeaways

The report, available to Moody’s subscribers, includes six major takeaways:

  • Ransomware attacks will shift away from the US, posing hazards to issuers abroad. The US has intensified its pursuit of cybercriminals through sanctions, arrests, and the seizure of cryptocurrency. Thus, cybercriminals are shifting their focus to less resistant targets outside of the United States.
  • Government and regulatory scrutiny will rise. Cybersecurity requirements aimed at tightening disclosure mandates will produce a baseline collection of data concerning the scope of cyberattacks. However, disclosures of attacks could provide hackers with information they can use to make attacks more efficient.
  • The adoption of passwordless technology will be delayed, but it will offer a robust cyber defense. Organizations will be able to almost eradicate successful phishing attacks with passwordless solutions. Slow adoption, however, will leave attackers room to operate.
  • Deepfake-enabled fraud will increase, and hacktivism will become more active. Hacktivism was virtually absent for a decade and a half, but it has recently made a comeback with more advanced technology and government backing, increasing the threat. Attacks that use deep learning are also developing, and fraudsters will exploit this technology to increase the credibility of their scams.
  • The supply of cyber insurance will not keep up with demand. Increasing premiums and narrowing coverage are credit positive for insurers seeking to lessen their exposure to losses. On the other hand, issuers will need to invest in better cyber hygiene or develop alternate risk transfer methods, including using the cloud. Organizations can shift some of their risk to the cloud, but they must also maintain excellent security and keep an eye on their cloud providers’ IT policies.
  • Risk mitigation will increasingly involve estimating the expected financial loss from a cyberattack. Managers will be able to make better decisions and communicate risk exposure and risk mitigation measures through a more data-driven approach.
