Advanced cyber practices remain out of reach for many issuers, and survey responses raise questions about the effectiveness of some cyber initiatives. Analysts expect cybersecurity spending to continue its run of sustained growth, a trend fueled by the persistent threat of cyberattacks, the demands of hybrid work and increased data privacy and governance regulations, according to Moody’s Cyber survey. Beinsure Media collected the most important trends.
Moody’s 90-question survey of more than 1,700 respondents gauges cybersecurity practices among global debt issuers and collects data on an emerging risk that carries the potential to influence the credit profile of all debt issuers.
“Spending on cyber risk has risen fast and attention paid to the issue by top management has markedly increased. As cyberattacks continue to proliferate and their credit effects increase, our best way of understanding how issuers manage these risks is to ask them.”
Leroy Terrelonge, VP – Cyber Credit Risk, Moody’s Investors Service
IDC forecasts low double-digit spending increases across all industries and company size segments in the next three years. Industries expected to increase spending at the fastest rate through 2026 include securities and investment services, telecommunications, banking and insurance (see Challenges for Cyber Insurance Market).
The survey’s findings are summarized, and the responses are categorized based on seven broad sector types: financial services; structured finance entities; nonfinancial companies (“corporates”); infrastructure entities; hospitals, housing, and higher education (HHH); regional and local governments (RLGs); and sovereigns.
Due to the nature of structured finance, most respondents in the structured finance sector also belong to other sectors (most often, to financial services).
Moody’s asked issuers whether they are required to report cyber incidents that do not lead to a breach of personally identifiable information, such as names, passport data or biometric records.
66% of respondents said they are, but this figure will likely rise as authorities enact additional disclosure requirements.
The US Securities and Exchange Commission voted in July, for example, to adopt rules requiring SEC registrants and foreign private issuers to disclose material cyber incidents they experience and to report annually on their cybersecurity risk management, strategy, and governance. Legislators and regulators in Canada, the EU and other countries have introduced similar measures.
Growth in cyber reporting
According to Gartner, 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.
In this survey, respondents were asked the question a bit differently. Moody’s wanted to know not only if the chief executive had cyber performance objectives, but also if their compensation depended on meeting these cyber objectives.
Globally, the cyber insurance market is projected to grow to $33 bn in premiums by 2027, up from roughly $12 bn in premiums currently, according to Munich Re.
Despite the high premiums, new insurance signups are increasing, with 76% of respondents saying they had taken out specialized cyber insurance in the latest survey, up from 71% in 2020 (see Cyber Insurance Market Dynamics).
The share of issuers with cyber insurance grew by eight percentage points in the Americas, where cyber insurance is most common, while in EMEA and APAC, which have less mature cyber insurance markets, growth was 11 and 20 percentage points, respectively.
Software, the fastest-growing segment, will capture 47% of all cybersecurity spending this year, followed by services at 39% and hardware at 13%, according to IDC’s forecast.
Global security spending will reach $220 bn this year and grow to nearly $300 bn in 2026. Investments in cybersecurity software, hardware and services will jump 15% from 2023 and outperform growth in overall IT spending.
The biggest security spenders this year will include organizations in banking, manufacturing, professional services and federal governments.
Cyber risk exposure
The more mature industries, and largest spenders, will grow faster than average as they continue to invest in cutting-edge security solutions to prevent and fend off ransomware attacks on their distributed workforce and to protect critical infrastructure, which is increasingly connected to the IT network.
23 sectors with about $22 trln — or 28% of the $80 trln in collective Moody’s rated debt associated with 71 global sectors — have High or Very High cyber risk exposure, according to Moody’s.
Cyber risk continues to grow and evolve
The number of cyber breaches soared between 2014 and 2020, and has plateaued at a high level since then, according to cybersecurity ratings company Bitsight, a Moody’s minority-owned affiliate. A small but increasing number of rating actions are tied to cyber incidents (see How Insurers Can Expand the Cyber Insurance Market?).
Reported cyber attacks by region
Companies and organizations are also facing other looming challenges, including a growing cybersecurity talent shortage and the advent of generative AI, which will introduce new risks (see Cyber Insurance Risks & Cyberattacks in the Russia-Ukraine War).
Cyber budgets are increasing
How much did budgets increase over those four years?
- Cybersecurity spending rose by 70% over the past four years (response rate: 27%). There was considerable variance in growth rates among respondents, but budgets were up overall, and significantly for most sectors. Budgets for corporates grew the most — up 100%.
- Overall, issuers say they devoted a median of 8% of their technology budgets to cybersecurity in the survey (response rate of 36% to 47%), up from 5%. The increase is likely a response to rapid digitalization and an accompanying rise in cyber risk in recent years. A shift to remote work during the COVID-19 pandemic has also broadened issuers’ digital footprints and opened new channels for cyberattacks.
Cybersecurity is typically more resilient to economic pressure than other technology-related budget items because companies must often meet certain compliance and regulatory requirements or minimum spending levels to qualify for cyber insurance. In Moody’s cyber survey, only 27 respondents reported a drop in their spending between 2019 and 2023.
Cybersecurity spending as a share of technology budget
But there are signs that organizations are tightening their belts. Since late 2022, a growing number of cybersecurity companies have announced layoffs, citing worsening economic conditions that have shrunk budgets and delayed purchasing decisions, according to WSJ Pro Cybersecurity.
A trio of cybersecurity companies said this month that they plan to lay off hundreds of employees, adding to concerns of further squeezes on an industry that has already been rocked by changing economic conditions.
The most recent layoffs pile onto several other cyber companies’ announcements that they would reduce staff this year. Cybersecurity companies have largely been seen as shielded from economic turbulence, and high-profile hacks have spurred investments in startups offering protective tools and consulting services. But the new layoffs reflect how cyber companies’ rapid growth has met a harsh climate as the economy has worsened, analysts say.
Global increase in cybersecurity spending
Cybersecurity is now a far higher priority at the C-suite and board level than it used to be, given the intensifying threat landscape.
Particularly at the board level, the mindset has shifted dramatically in the past few years.
The massive influx of venture investment into cybersecurity in recent years also means that some security startups — especially those that have done a lot of hiring on the back of limited revenue — would likely see a greater impact than more-established players during an economic slowdown.
Cyber insurance premiums trends
While cyber budgets have increased, so have the demands made on them. Cyber insurance has become an indispensable tool in the risk management toolkit for many issuers, and premiums increased by a median of 50% across the board between 2020 and 2022 (response rate: 33%).
Attacks proliferated because the pandemic forced employees to work from home on their home computer networks that had weaker controls.
Increased employee distractibility in remote environments also led to security mistakes. On top of that, cyber criminals targeted virtual private network (VPN) software that employees use to access their employers’ networks.
Growth in cyber insurance pricing
According to Marsh, the rates for its US-based cyber insurance customers increased an average of 130% in December 2021 but fell by 4% in Q2 2023, the first decline in at least 3 years. Other regions continued to experience small increases in Q2 2023. Nevertheless, the significant increase in premiums and their sustained high levels put pressure on cyber budgets.
The higher cost of cyber insurance
Despite the higher cost of cyber insurance, only 3% of issuers said they planned to buy less cyber coverage in 2023 than in 2022. The vast majority (82%) plan to purchase about the same amount, and 16% said they would buy more. These numbers hold even for those that have faced substantial increases in cyber insurance premiums.
Among those whose premiums increased 100% or more, 89% said that in 2023 they would purchase about the same amount of coverage, 8% planned to purchase more coverage, and only 3% said they would purchase less coverage (response rate: 57%).
Notably, 30% of respondents in Asia-Pacific (APAC), where penetration of cyber insurance is much lower than in Europe, Middle East and Africa (EMEA), and the Americas, said they would purchase more cyber insurance in 2023 compared with 14% and 15% for the Americas and EMEA, respectively.
Cyber insurance is not routinely required of vendors
Supply chain cybersecurity attacks continue to cause high profile breaches. Attacks by the Clop ransomware group against customers using MOVEit file transfer software are ongoing.
Thousands of organizations around the world use MOVEit to send large amounts of sensitive data, but a security flaw in the software has allowed Clop to attack over 1,000 organizations, causing up to $65 billion in losses and potentially netting the criminals $100 million.
Ongoing assessment of vendors’ cybersecurity preparedness and resiliency is an effective way to defend against supply chain cyberattacks.
Lack of a “cyber risk appetite” can crimp risk planning
In its 2023 cyber outlook report, Moody’s forecasted that private and public sector boards and trustees would increasingly seek to financially quantify cyber risk, because a more rigorous, data-driven approach can identify material cyber incident scenarios and lead to better risk prioritization.
64% of respondents said that they assessed cyber risk in terms of financial impact, allowing them to communicate to boards and other stakeholders in ways that are more widely understandable and actionable.
At the same time, only 41% of respondents said they had determined an acceptable monetary loss amount from a cyber incident, also known as “cyber risk appetite” (response rate: 75%).
The cyber risk appetite defines for an organization how much risk it is willing to take on to achieve its operational goals. It allows issuers to take measured risks that are less likely to harm the organization, and it affects important decisions, such as how much cyber insurance an issuer should purchase. The absence of an acceptable monetary loss amount can hamper risk planning.
AUTHORS: Leroy Terrelonge – VP – Cyber Risk Senior Analyst at Moody’s Investors Service, CEH | Security+ | CISSP, Steven Libretti – Cyber Credit Risk Analyst at Moody’s Investors Service, Lesley Ritter – Vice President – Senior Credit Officer – Cyber Risk Group, Moody’s Investors Service, Fabian Astic – MD Global Head of DeFi & Digital Assets at Moody’s Investors Service