Freely subscribe to our NEWSLETTER

“Ransomware perpetrators are now targeting larger organizations in search of higher ransom demands, leading to greater credit impact. This shift is likely to increase the cyber risk for entities rated by Moody’s and could lead to increased loss ratios for cyber insurers, impacting premium rates in the US," said Leroy Terrelonge, Moody’s Ratings Vice President and author of the Outlook report.

Key points:
• Ransomware attackers will shift to targeting larger organizations, leading to greater credit impact. In response to declining revenue per victim, cyber attackers are seeking to wring greater returns from their attacks by demanding higher ransoms. We believe they are accomplishing this by targeting larger businesses that can afford higher ransom payments, increasing cyber risk for organizations that are more likely to have credit ratings. We expect this to increase cyber risk for Moody’s rated debt issuers.

• Moody’s research, utilizing data from its affiliate Bitsight, reveals a negative correlation between company size and cybersecurity performance, with larger companies exhibiting lower scores. While larger businesses tend to have more advanced cybersecurity defenses, their risk is not necessarily diminished. Their networks are generally more complex, making it easier to overlook vulnerabilities, and when they have grown in size over time, they are more likely to have older systems that are more difficult to secure.

• Generative AI will fuel fraud. Phishing attacks, aiming to entice a user into clicking a malicious link, will be turbocharged by GenAI. GenAI tools will enable attackers to craft personalized, compelling messages that mimic legitimate communications from trusted entities.

• Supply chain attacks will increase. Cybercriminals often find the easiest attack path is through third-party software suppliers that are typically not as well protected as large companies. Moreover, by compromising one supplier, they can attack a wide swath of that supplier’s customers.

• Stolen credentials will remain a top means of access. IBM researchers found that attacks using stolen credentials increased 71% between 2022 and 2023 and were the main way cybercriminals gained initial unauthorized access to companies’ systems last year. Passkeys, an easier and safer alternative to passwords, are one solution. They will become a powerful defense against cyberattacks, though hurdles for enterprise adoption persist, delaying implementation.

• A new Republican administration will likely soften US cyber regulations. The administration will likely roll back cybersecurity mandates and potentially curtail the activities of the US Cybersecurity and Infrastructure Security Agency (CISA). This would expose issuers to a heightened risk of cyberattack.

• The UN’s cyber crime treaty will strengthen the fight against cybercrime. An upcoming vote on a new UN cybercrime treaty will expand international cooperation in the fight against cybercrime