Moody’s – Cybersecurity disclosures vary greatly in high-risk industries

  • Corporate cyber disclosures vary greatly among companies in high-risk sectors
  • Poor transparency could undermine investor confidence and negatively impact credit quality

The level of transparency and detail provided in corporate cyber risk disclosures varies greatly across sectors facing heightened cyber risk, said Moody’s Investors Service in a report published today.

“The absence of detailed disclosures makes it more difficult to analyze a company’s cyber posture, and as cyberattacks increase in frequency, could hurt investor confidence and complicate efforts by companies to raise capital and access liquidity,” said Lesley Ritter, VP-Senior Cyber Risk Analyst at Moody’s Investors Service.

The sectors deemed most exposed to cyber risk are banks, securities firms & market infrastructure providers as well as hospitals & other healthcare providers. Of these sectors, bank disclosures are the most extensive and detailed, addressing cyber risk oversight and mitigation strategies, while hospitals are the least transparent.

Across the sectors analyzed, banks and telecommunications & media companies had the most thorough disclosures, discussing their specific cybersecurity risk management strategies in a fair amount of detail. US and European companies were more transparent than their Asian peers, but US-based companies appeared more reliant on insurance to manage the financial impact of cyber risk, while their European counterparts offered more information about their strategy to mitigate the operational impact of a cyber event.

Apart from healthcare, the retail, lodging, health insurance, medical devices, and transportation services sectors were among those that provided the least information, despite having experienced some of the most well-publicized cyberattacks to date. In these industries, cybersecurity was not consistently cited in the companies’ risk discussions, disclosures about the governance structure for this risk were less robust, and few companies referenced any form of cyber risk mitigation.

“The level of transparency of a company’s cybersecurity disclosures does not necessarily reflect the degree to which the company is prepared to deal with such threats. From a credit perspective, disclosure is less important than actual defense in depth measures and an impactful mitigation strategy. That said, cybersecurity public disclosures are a useful tool to compare and contrast how companies in sectors with elevated risk are addressing these challenges,” said Brendan Sheehan, VP-Senior Corporate Governance Analyst at Moody’s.

Moody’s analysis was based on public disclosures from 125 North American, EMEA, and Asian companies. These companies comprise the largest rated debt issuers in the sectors identified as having high or medium-high cybersecurity risk.