Moody’s is spending hundreds of millions of dollars to better evaluate the cybersecurity risks that face America’s largest corporations.
The announcement from the company — whose credit ratings can influence global markets — comes as Biden administration officials are urging major firms to be more transparent about the security of their software. Several high-profile supply-chain hacks and ransomware attacks have rattled businesses and other organizations over the past year, costing companies millions of dollars and compromising their operations.
To better assess the risks that ransomware and other digital threats pose to Fortune 500 firms and government agencies, Moody’s is investing $250 million in BitSight, which uses an algorithm to assess the likelihood that an organization will be breached. Moody’s shared the news first with CNN Business.
As part of the deal, Moody’s will become the largest minority shareholder in Bitsight. In addition, BitSight will acquire a cyber risk rating system created by Moody’s and Team8, a company which bills itself as a “think tank” focused on global cybersecurity issues.
“There’s just a lot of opacity around cyber risk,” Moody’s CEO Rob Fauber told CNN Business. “You have compromises that have serious operational and organizational implications. It’s affecting a broader range of industries and the stakes are higher than they’ve ever been.”
Fauber said the $250 million would be used to improve BitSight’s data and risk-management offerings, among other products. BitSight, which says its customers include 20% of Fortune 500 firms, will be able to make more detailed risk assessments and “more clearly translate [that] to the risk of financial loss,” Fauber said.
Understanding cybersecurity risk has become a national security and economic imperative.
US corporate and government officials have been blindsided by ransomware attacks in recent months that forced critical infrastructure offline and compromised massive amounts of private information.
Colonial Pipeline, one of the largest fuel pipelines in the United States, was forced offline for days this spring, leading to widespread shortages at gas stations along the east coast. The company paid millions to a hacking group to resolve the incident, though some of that money was later recovered by authorities.
Victims of ransomware attacks paid some $350 million in ransoms in 2020, according to Chainalysis, a firm that tracks cryptocurrency. But that’s only a partial view of total ransoms paid, and those who don’t pay can spend millions of dollars rebuilding their computer infrastructure.
Hacks can also be difficult to detect, and US officials have worried that a lack of transparency about how attacks spread can mean that a single breach has the ability to ripple across many industries.
Last year, for example, alleged Russian spies exploited software made by federal contractor SolarWinds to infiltrate at least nine US agencies and about 100 companies. Hundreds of electric utilities in North America also downloaded the malicious software update used by the Russian hackers, offering a potential foothold into those organizations, though there is no evidence that the hackers took advantage of the backdoor at those utilities to conduct further intrusions.
Fauber said that the SolarWinds compromises were a big reason for Moody’s to invest more heavily in cybersecurity risk programs.
The breaches also inspired President Joe Biden to issue an executive order in May requiring federal contractors to meet a minimum set of security standards around data management and the reporting of attacks.
US officials see the executive order as a step toward prodding some private firms to provide more secure software and a scoring system for measuring that security. The directive tasks the Commerce Department with setting up a program to label consumer electronics devices, like wireless routers, with a cybersecurity rating.
“You’re seeing increased focus from government and regulatory bodies in the United States and elsewhere on making sure that companies are sufficiently focused on identifying, measuring and managing their exposure to cyber risk,” Fauber said.