NeuGroup members want to know how the credit rating agency will use survey responses about cyber risk.
High-profile corporate cyberattacks have many companies reevaluating how they mitigate cyber risk. And over the past few months, some NeuGroup members have received a lengthy survey from Moody’s asking questions about their companies’ approaches to cybersecurity.
- The survey, which Moody’s says has about 60 questions, has raised questions—and a few concerns—about what Moody’s will do with the answers.
- Below is some of what members said about the survey at recent meetings and, where appropriate, the responses NeuGroup Insights received from Jim Hempstead, managing director of cyber risk at Moody’s.
What’s in it? One member said the survey includes questions about how much money the company spends on cybersecurity, about cyber risk governance, about how much oversight the board has and about whether someone reports to the board on cyber risk.
- One treasurer who received the survey said she had to collaborate with many different teams in the company to ensure accurate answers, in what ended up as a time-consuming process.
- “Treasury contributed to questions about risk insurance,” the member said. “The bulk of [the survey] had to go to other offices, it was quite wide-ranging. I had to farm it out to several people.”
What happens with the answers? Moody’s, some members said, told corporates their answers would not affect their credit ratings. But one member said she was told that if the company’s cyber risk protocols or structures were “way out of line” with others, it might have an impact.
- Moody’s purpose for collecting this data is to provide anonymized and aggregated information, so analysts at the agency can ask better questions of companies they cover and understand the answers better, Mr. Hempstead said.
- Consistent with Moody’s best practices, if a company reveals something important in its survey responses that Moody’s did not know, the company’s credit rating will surely come up, he said. But he emphasized that the survey is only research and a starting point for more in-depth discussions with companies.
- It is not meant to result in an overall cyber score, and Moody’s is not changing its rating methodology as it did with ESG.
- Moody’s views cyber risk as rising, and says analysts need to deepen their understanding of the critical ways it impacts credit quality, and also of the practices used to mitigate the impact of cyber risk on credit, beyond the limited information companies disclose.
- He also said that for issuers, the surveys are meant to raise awareness on cyber risk and how it relates to credit.
Voluntary or obligatory? Two members said the rating agency told them the survey was obligatory, while two were told it was voluntary. Mr. Hempstead said completing the survey is entirely optional, but the data will be more useful as more corporates complete the survey.
- Moody’s sent the survey to thousands of global issuers over nearly a year, and has received well over a thousand responses, covering a wide range of companies by size, region and industry sector, he said.
What’s next? After distributing the survey to electric utilities early last year, Moody’s published its findings. When the remaining surveys are collected by March, Moody’s plans to publish its findings for other sectors as well, provided that a diverse and large enough group of companies respond, Mr. Hempstead said.
- After the sector data is analyzed, analysts will have metrics so they can compare the risk posed by individual companies’ cybersecurity policies and practices to other companies and a broader universe of peers.