I had Jim Hempstead of Moody’s Investors Service on a recent episode of the Unsolicited Response Show. There are two items related to Moody’s reports this fall that are worth a deeper look. This week’s article is on the Moody’s Cyber Risk Cyber Heat Map and next week’s article will be on cyber insurance financials.
Moody’s Cyber Heat Map (Published 28 September 2022)
Moody’s ranked electric utilities (regulated generation and all transmission & distribution), oil/gas pipelines (transmission & distribution), water and wastewater utilities and hospitals as the only sectors, out of the 71 considered, in the Very High overall cyber risk category in their cyber heat map.
Moody’s looks at Cyber Risk as a component of a company’s Credit Risk. Setting aside hospitals, which are outside my area of knowledge, I contend that by Moody’s own criteria they got these Very High overall cyber risk ratings dramatically wrong. There are also some issues with the Moody’s criteria themselves. The Cyber Risk component of a company’s Credit Risk in these utility sectors is lower than that of many of the other sectors among the 71. They belong in the Moderate Cyber Risk rating.
The Moody’s overall cyber risk rating was based on two factors each representing 50% of the score: Exposure and Mitigation.
Exposure is 50% of the overall cyber risk rating and is broken down into two factors.
Systemic Role: The attractiveness to a sophisticated adversary and its interconnectedness
By this criterion, the electric power, pipeline and water/wastewater sectors are rightly labeled Very High in Systemic Role. I’m not contesting the rating; it’s the definition and weighting (25% of the overall cyber risk rating) that I disagree with. If Moody’s were developing a rating of a sector’s cyber risk for national security, this would be appropriate. The Moody’s Cyber Risk rating, however, is a component of the credit rating used by the financial community to understand Credit Risk.
Yes, the fact that a state actor might be inclined to attack critical infrastructure should rightly be considered. So should the fact that criminals have, to date, been less inclined to attack these utilities in a way that would affect Credit Risk.
Digitization: The size of the digital footprint, particularly the Internet exposed footprint
The utilities were rated High risk for Digitization. They should be rated at most Moderate, and I’d make the case for Low compared to other sectors. The critical digital systems that produce and deliver the power/oil&gas/water are not airgapped, but they are much smaller and much more isolated than those of most other sectors. There is no email. There is no web surfing. These are much more isolated, special-purpose systems.
Digitization is 25% of the overall cyber risk rating so this mistake has a large impact.
Mitigation is 50% of the overall cyber risk rating and is further broken down into three factors.
Estimated Financial Loss: based on historical financial losses and simulations
The utilities mentioned above were rated Moderate in this category. This seems fair, although based on the historical financial losses due to cyber incidents, a more accurate rating would be Low.
Perimeter Vulnerability: defined as Cyber Hygiene
This is a funny name for patching cadence and other cyber hygiene measures. Unsurprisingly, all the utilities discussed in this article rated Very High risk in this category. If it were really a perimeter vulnerability rating, the utilities would warrant a Moderate or Low rating. The perimeter is the one security control that is done well in the OT systems buried a few levels down in the organization.
The broader look at Cyber Hygiene warrants a Very High rating, and since it represents 16.7% of the overall cyber risk rating I wouldn’t argue with this.
Basic Cyber Practices: defined as response to and recovery from a cyber event
Another strange name for the ability to recover and resume operations after a cyber event. Electric and oil/gas pipelines were rated High, and water/wastewater was rated Very High. This is another big miss.
- It ignores the safety and protection systems that will limit the damage from a cyber incident
- It ignores that there are many ways, including partial or full manual operations, to recover the ability to produce the product and service
- Of the three utility sectors, water has the best ability to recover and should be rated Moderate or Low. Counterintuitively, the water utilities with the poorest cyber security are actually the least impacted by a cyber attack.
My guess is Moody’s was looking at the ability to recover the cyber systems rather than the ability to recover the purpose of the cyber systems.
If I followed the Moody’s methodology I would rate these utilities:
- Systemic Role – Very High
- Digitization – Low
- Estimated Financial Loss – Low
- Perimeter Vulnerability – Very High
- Basic Cyber Practices – Moderate
Overall Cyber Risk – Moderate (high end of moderate)
If we adjusted the Systemic Role definition to be more appropriate for Credit Risk, it would put these utilities squarely in the Moderate overall cyber risk rating.
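To make the weighting concrete, here is an added example (mine, not from the article or from Moody’s) that scores the five factors with the weights stated above and shows how much each disputed rating moves the overall result. It assumes a linear Low=1 to Very High=4 scale and a weighted mean, which is an assumption and not Moody’s published method.

```python
# Added example (not from the article or Moody's): score the five heat-map
# factors with the weights the article states and see how much each disputed
# rating moves the overall result. Assumed, not Moody's published method:
# ratings map linearly to 1..4 and the overall score is the weighted mean.
SCALE = {"Low": 1, "Moderate": 2, "High": 3, "Very High": 4}

# Exposure 50% split into two factors, Mitigation 50% split into three.
WEIGHTS = {
    "Systemic Role": 0.25,
    "Digitization": 0.25,
    "Estimated Financial Loss": 0.5 / 3,
    "Perimeter Vulnerability": 0.5 / 3,
    "Basic Cyber Practices": 0.5 / 3,
}

# Factor ratings as reported in the article.
MOODYS_ELECTRIC = {  # also oil/gas pipelines
    "Systemic Role": "Very High", "Digitization": "High",
    "Estimated Financial Loss": "Moderate",
    "Perimeter Vulnerability": "Very High", "Basic Cyber Practices": "High",
}
MOODYS_WATER = dict(MOODYS_ELECTRIC, **{"Basic Cyber Practices": "Very High"})
AUTHOR = {
    "Systemic Role": "Very High", "Digitization": "Low",
    "Estimated Financial Loss": "Low",
    "Perimeter Vulnerability": "Very High", "Basic Cyber Practices": "Moderate",
}


def score(ratings):
    """Weighted mean of the factor ratings on the assumed 1..4 scale."""
    return sum(WEIGHTS[f] * SCALE[ratings[f]] for f in WEIGHTS)


def attribution(baseline, proposed):
    """Contribution of each factor's rating change to the overall score."""
    return {f: WEIGHTS[f] * (SCALE[proposed[f]] - SCALE[baseline[f]])
            for f in WEIGHTS}


if __name__ == "__main__":
    for name, r in [("Moody's electric/pipeline", MOODYS_ELECTRIC),
                    ("Moody's water/wastewater", MOODYS_WATER),
                    ("Article's proposal", AUTHOR)]:
        print(f"{name:27s} {score(r):.2f}")
    for f, d in attribution(MOODYS_ELECTRIC, AUTHOR).items():
        if d:  # only the factors where the article disagrees
            print(f"  {f:25s} {d:+.2f}")
```

Under these assumptions the disputed Digitization rating alone moves the score by 0.5, more than the other two disagreements combined for electric and pipelines.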
One last thought: how much Cyber Risk contributes to overall organizational Credit Risk is important. I’m constantly amazed that, after Covid, hurricanes, wildfires and other weather events, old infrastructure (such as Jackson, MS), … we hear in content and surveys that “cyber” is the biggest risk and the one most on executives’ minds.
Importantly, Moody’s is not saying this, and Moody’s will need to figure out how much or how little Cyber Risk factors into Credit Risk. It’s a hard problem. While I disagree in some areas with how Moody’s did this, I’m glad they did it. We need organizations like Moody’s digging into this, and they will get better.
Next Week: What Moody’s financial statistics on cyber insurance tell us.