The rating agency will evaluate the propensity of large organizations to suffer information security incidents
A data
breach, depending on the magnitude of the incident, and its
corresponding fines or infringements, could sentence to death an organization,
commented experts in network security and ethical hacking from the International
Institute of Cyber Security.
Moody’s, the investment rating agency, recently
announced the inclusion of cybersecurity risks for its credit ratings process,
through which the risks of massive data breach any organization could face will
be measured. This measure could not come at a better time, and there is an
expectation of the role the rating agency can play.
In this new mission it will be critical for
Moody’s to create a system that collects complete and reliable data, including
information taken from the companies themselves, as well as from external
sources.
According to experts in network
security, there are two ways to get this information. First, the
qualifier can rely on data from external providers to undertake cybersecurity
assessments. As a second method of information gathering, there is the data protected
by the companies themselves, obtained through internal tools and monitoring.
External data will be more valuable to some
companies than to others. A large chain of retailers, for example, with an
important market presence, will be more likely to encompass a larger area of
cyberthreats.
In an ideal world, Moody’s could require
companies to have any internal information they need as part of their scope of
work. Although in practice, there is no guarantee that a company will provide a
complete picture of its operations. A company could deny Moody’s access to
certain information because of its own security policies.
However, Moody’s must solve these constraints
with creativity. External data provides coverage for a crucial segment of a
company’s network and serves to verify the possibility that it is not providing
clear and complete information to the qualifier. On the other hand, internal
information is the main source of detailed information about a company.
The next challenge for Moody’s will be to develop
these data sources, since they will originate from multiple sources working
with different concepts and formats that are not necessarily consistent with
each other, so the unification of criteria to analyze the cyber risks in
organizations of different branches will be critical to Moody’s, consider
network security experts.
Finally, the quality of the information that
Moody’s can collect will have a direct impact on the quality of their ratings.
If Moody’s can build a platform that integrates data from internal and external
vendors, it can create a reliable rating much faster and more reliably.
For many experts in fields such as finance or
cybersecurity, Moody’s decision could not come at a better time. We have
reached the point where we are no longer surprised by incidents of massive data
breaches, so it is necessary for organizations to consider the consequences
that an incident of this magnitude can generate.
