The level of transparency and detail provided in corporate cyber risk disclosures varies greatly across sectors facing heightened cyber risk, said Moody's Investors Service in a report published recently.
Moody's report was based on public disclosures from 125 North American, EMEA, and Asian companies, the company said, adding that these companies comprise the largest rated debt issuers in the sectors identified as having high or medium-high cybersecurity risk.
"The absence of detailed disclosures makes it more difficult to analyze a company's cyber posture, and as cyberattacks increase in frequency, could hurt investor confidence and complicate efforts by companies to raise capital and access liquidity," said Lesley Ritter, VP-Senior Cyber Risk Analyst at Moody's Investors Service.
The sectors deemed most exposed to cyber risk are banks, securities firms & market infrastructure providers as well as hospitals & other healthcare providers, Moody’s noted.
Of these sectors, bank disclosures are the most extensive and detailed, addressing cyber risk oversight and mitigation strategies, while hospitals are the least transparent, the company added.
Across the sectors analyzed, banks and telecommunications & media companies had the most thorough disclosures, discussing their specific cybersecurity risk management strategies in a fair amount of detail.
US, European firms more transparent than Asia peers
US and European companies were more transparent than their Asian peers, but US-based companies appeared more reliant on insurance to manage the financial impact of cyber risk, while their European counterparts offered more information about their strategy to mitigate the operational impact of a cyber event, according to Moody’s.
Apart from healthcare, the retail, lodging, health insurance, medical devices, and transportation services sectors were among those that provided the least information, despite having experienced some of the most well-publicized cyberattacks to date, according to the report.
In these industries, cybersecurity was not consistently cited in the companies' risk discussions, disclosures about the governance structure for this risk were less robust, and few companies referenced any form of cyber risk mitigation, the report said.
"The level of transparency of a company's cybersecurity disclosures does not necessarily reflect the degree to which the company is prepared to deal with such threats," said Brendan Sheehan, VP-Senior Corporate Governance Analyst at Moody's.
“From a credit perspective, disclosure is less important than actual defense in depth measures and an impactful mitigation strategy. That said, cybersecurity public disclosures are a useful tool to compare and contrast how companies in sectors with elevated risk are addressing these challenges.”