
Cyber security and credit risk in the age of artificial intelligence
Leroy Terrelonge, Vice President – Cyber Risk Senior Analyst at Moody’s Ratings
How does Moody’s view the growth in cybercrime?
Cyber-attacks are growing in both number and sophistication. Moody’s research shows that organizations have increased their cyber security budgets by 70% globally between 2019 and 2023 to deal with the growing threat.
What are the potential damages?
Cyber-attacks can cause business interruption, loss of customers or theft of intellectual property. Business disruption tops other cost categories. Ransomware payments are the next largest expense. The impact of reputational damage and intellectual property theft is more difficult to measure, but can also be significant. At the same time, the costs of attack mitigation, regulatory penalties or legal settlements, and other measures may also increase.
How difficult is it to estimate the cost of a cyber-attack?
The total cost may take many years to reveal itself. In the immediate aftermath of an attack, liquidity may be strained and debt may rise as issuers respond to the costs associated with a cyber incident. Later, regulatory penalties and legal settlements can strain profitability and cash flow.
How will all of this affect credit quality?
Debt issuers with low liquidity and high debt levels are more susceptible to the negative credit effects of a cyber-attack. In contrast, issuers with diversified revenue streams, greater financial resources and high liquidity, such as highly diversified companies, states and regional and local governments, are generally better protected.
Consequently, what are organizations doing to reduce their risks?
They are investing in good cyber security, which is costly, but preparation can significantly reduce the likelihood, scale, severity and cost of cyber-attacks. Security measures such as AI-enabled automation and incident response planning have proven particularly effective, identifying and stopping attacks faster and reducing the cost of data breaches. Integration of security testing into the software development process is also recommended.
What are the most common security measures?
These include configuration reinforcement to avoid weak device default settings or misconfigurations; proper access privileges management; logging and analysing network and system activity; and email filtering.
Does artificial intelligence bring new threats?
Yes, we are seeing AI-turbocharged attacks. AI is already creating better phishing emails, and writing malware and fraud in general have become a bigger problem. For example, an AI-generated deepfake in February tricked a junior financial worker in Hong Kong into transferring more than $25 million to accounts controlled by the attackers.
What is the role of cyber insurance?
Cyber insurance mitigates the financial aspects of attacks and links organizations to resources that can help them recover more effectively. This takes into account, for example, issues such as forensic analysis – finding out who carried out the cyber-attack and removing them from the system – and, in some cases, helping organizations deal with ransom demands.
Leroy Terrelonge, Vice President – Cyber Risk Senior Analyst at Moody’s Ratings Cyber Risk Group, is responsible for creating and executing cyber security analyses.
Last Updated on April 22, 2025 by Krzysztof Kotlarski