Moody’s: Electric utilities’ cybersecurity readiness tied to scale and business model

04 November 2020

New York, November 04, 2020 —

  • Amid growing cyberattacks, survey results reveal disparities in levels of preparedness across electric utility types.
  • Cybersecurity readiness tends to be stronger among large, privately owned regulated utilities than among state-owned or unregulated and not-for-profit power providers.

Cybersecurity preparedness is an increasingly important component of credit analysis for electric utilities globally, says Moody’s Investors Service. In the first of a series of cyber-themed research reports, Moody’s looks at the results of a survey it conducted across various industry sectors this year. Based on the 115 responses received from utility companies across North America, Europe and the Asia Pacific region from March to September 2020, the larger, more highly regulated, privately owned firms appear best able to manage this growing risk.

“Our survey of global electric utilities shows that large, privately owned regulated utilities have more robust cyber risk governance and management practices in place than state-owned or unregulated and not-for-profit peers,” said Moody’s analyst Lesley Ritter. “Smaller utilities, not-for-profits in particular, favor a risk transfer approach to cyber risk mitigation”.

For example, survey results show a closer alignment between cyber risk managers and the C-suite at large utilities, where 80% of cyber risk managers report directly to a company executive, against about 60% for smaller peers. The chief executive officers of large utilities are also more likely to have cyber objectives written into their compensation package, making the company leadership directly responsible for managing the risk. Use of sophisticated cyber defense practices like red team testing also closely correlates with size.

Amongst the regulated electric utilities, Moody’s survey also reveals that cybersecurity preparedness is stronger among vertically integrated utilities (those that own both generation and transmission assets) than at transmission networks.

“We see closer links between cyber managers and the corporate executive team, a more diverse and sophisticated arsenal of cyber management practices, better management of supply chain risk, and more prevalent adoption of cyber insurance,” says Moody’s analyst Cintia Nazima. “This is likely a reflection of how cyberattacks pose a greater risk of severe operational disruption for utilities that operate capital intensive equipment”, adds Nazima.

From a rating level and regional perspective, survey results show few differences among survey responses except for select key areas such as adoption of stand-alone cyber insurance and pace of cloud adoption.

Subscribers can access the report at: http://www.moodys.com/researchdocumentcontentpage.aspx?docid=PBC_1244322