In a recent comprehensive survey conducted by Moody’s Investors Service, involving over 1,700 global respondents, key insights into cybersecurity practices among global debt issuers have come to light.
The findings not only shed light on the evolving landscape of cybersecurity but also underscore the potential impact of emerging risks on the credit profiles of debt issuers.
Cybersecurity budgets have experienced a significant uptick, with a noteworthy increase in C-suite executives’ awareness of cyber risks. Between 2019 and 2023, cyber budgets skyrocketed by 70%, exhibiting substantial growth across various sectors.
Notably, corporate entities witnessed the most substantial growth in budgets, with a staggering 100% increase. Overall, survey participants indicated that they allocated a median of 8% of their technology budgets to cybersecurity, compared to 5% in 2019.
While budgets are on the rise, growing cybersecurity costs are putting pressure on financial resources. Some survey responses have raised doubts about the effectiveness of certain cybersecurity practices.
The survey revealed that cyber insurance premiums surged by a median of 50% across all sectors between 2020 and 2022. Healthcare, housing, and higher education issuers reported an even higher increase of 94%, likely influenced by the surge in ransomware attacks during the pandemic.
A substantial 66% of respondents reported that they are obligated to report cyber incidents, even if no personally identifiable information was compromised. This figure is expected to rise as global legislators and regulators tighten disclosure rules.
Additionally, 56% of survey participants stated that they have implemented vulnerability disclosure programs, but only 18% have introduced financial awards for disclosing vulnerabilities.
The role of cyber managers within organisations has gained prominence. While in the 2020 survey, only 61% of cyber managers reported to C-suite individuals like CEOs, CFOs, or CIOs, the 2023 survey indicated a significant shift, with 90% of issuers reporting such organisational hierarchy.
Despite a significant influx of 464,000 professionals into the cybersecurity field between 2022 and 2023, the survey highlights a persistent shortage of cybersecurity talent.
This shortage has resulted in a global cybersecurity workforce gap of approximately 3.4 million, posing an ongoing challenge for organisations worldwide.
Leroy Terrelonge, VP-Analyst, Cyber Credit Risk at Moody’s Investors Service, emphasised the evolving landscape of cybersecurity: “Cybersecurity’s enterprise-wide visibility has improved while budgets have grown 70% in the last five years, according to Moody’s 2023 cyber survey. But advanced cyber practices remain out of reach for many issuers, and survey responses raise questions about the effectiveness of some cyber initiatives. Companies and organisations also face lurking challenges, including a growing cybersecurity talent shortage and the advent of generative AI, which will introduce new risks.”
Terrelonge further highlighted the increasing importance of cyber managers and the surge in requirements: “While cyber budgets have risen, so have requirements. For example, cyber insurance premiums rose by a median of 50% between 2020 and 2022, according to respondents, after a steep increase in ransomware attacks during the pandemic.”
The survey also underlines the need for continuous vigilance, with Terrelonge noting that “66% of respondents said they are required to report cyber incidents that do not lead to a breach of personally identifiable information… A high share of respondents (80%) said that new vendors whose personnel or products had access to their in-house computer systems required a risk assessment from the cybersecurity team in all or most cases. However, the number dropped to 63% for the regular monitoring of existing vendors – indicating a potential area of vulnerability.”
