Dive Brief:
- A new Moody's Investors Service report, "Cyber Risk of Growing Importance to Credit Analysis," found that the rise in cybercrime is increasing healthcare institutions' risk of a drop in their credit ratings.
- Cyberattacks don't directly drive ratings, but rather are viewed as event risks because "timing and consequences of a successful attack are uncertain," the report authors wrote. Healthcare providers are highly susceptible to those risks as interoperability efforts continue.
- The report showed that organizations are increasing security measures, and that the addition of cybersecurity subcommittees is a "material credit positive." Assessment of an organization's cyber preparedness is "challenging because the risk is complex and evolving very quickly."
Dive Insight:
This year saw a record number of healthcare data breaches, including the massive cyberattack on Anthem, in which almost 80 million patients' personal information was hacked. As previously reported by Healthcare Dive, an estimated 81% of healthcare executives reported their organizations have experienced a cyberattack in the past two years.
These mega-size cyberattacks damage a company's reputation and finances. Furthermore, the attacks may not be included in a hospital's medical malpractice insurance. However, the extent and severity of an attack are key to how it affects credit ratings and analysis.
"We do not explicitly incorporate the risk of cyberattacks into our credit analysis as a principal ratings driver," the report authors wrote. "But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event, like other event risks, could be the trigger for those stress scenarios."
In the report, Moody's identifies several key factors to examine when determining a credit impact associated with a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions, and the expected time to restore operations.
Healthcare Dive wrote about a report by Accenture last month, which estimated cyberattacks will cost the nation's healthcare systems $305 billion.