Cyber risk figures into the credit rating for many companies and organizations, said Moody’s Investors Service analysts in a recent cross sector global report. Assessing cyber preparedness for credit rating purposes “is challenging because the risk is complex and evolving very quickly.” Moody’s considers the risk of a widespread, material cyber event similar to how it views major storms or natural disasters, in that the timing and consequences of a successful attack are uncertain.
The National Institute of Standards and Technology defines a cyber incident as:
“. . . an occurrence that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.”
The analysts noted that for some sectors, including the not-for-profit healthcare sector, cyber risk is not explicitly incorporated into Moody’s credit analysis because hospitals tend to:
- Maintain large absolute and relative cash positions for unexpected events
- Have high risk awareness (considered a credit positive)
- Have already installed or are in the process of installing new, expansive patient information systems that likely have better safeguarding features than prior technology
- Have a growing portion of the budget dedicated to IT needs including upgrades, warranties, security and training
- Have a heightened priority for strong internal protocols
Areas of Risk for Hospitals
Not-for-profit hospitals face cyber risk in two particular areas: breach of patient information/data such as social security numbers, date of birth, insurance information and medical records; and disruption of medical technology that could lead to harmful clinical events.
An information breach would likely not materially disrupt services and the financial impact would be limited, according to the report’s authors. However, a breach in medical technology security would present more immediate risk and impair the hospital’s reputation, volumes and financial performance. At this time, it isn’t clear whether such a cyber-event would be covered by a hospital’s medical malpractice insurance.
Moody’s noted that it considers cyber risk “an enterprise-wide strategic issue,” so responsibility for mitigation and defense resides with the organization’s board of directors or trustees. Health system boards should consider steps such as:
- Hiring a chief information security officer who reports directly to senior management
- Incorporating cyber security into the organization’s enterprise-risk management plan
- Ensuring the organization has adequate systems and controls in place to safeguard its own data and that of its patients
(Source: Cyber Risk of Growing Importance to Credit Analysis, Moody’s Investors Service Sector In-Depth, November 3, 2015.)
iProtean again thanks Moody’s Investors Service for allowing us to provide this information to our subscribers.
iProtean subscribers, the advanced Finance course, Integrating Population Health Management into Your Strategic and Financial Plans, Part Two is in your library. This course continues the discussion by experts Marian Jennings, Mark Grube and Nathan Kaufman and covers whether population health management should be a priority for all hospitals/systems, transitioning and success indicators, risks and benefits of partnering for population health initiatives, and the population health hierarchy.