The announcement from the company — whose credit ratings can influence global markets — comes as Biden administration officials are urging major firms to be more transparent about the security of their software. Several high-profile supply-chain hacks and ransomware attacks have rattled businesses and other organizations over the past year, costing companies millions of dollars and compromising their operations.
To better assess the risks that ransomware and other digital threats pose to Fortune 500 firms and government agencies, Moody’s is investing $250 million in BitSight, which uses an algorithm to assess the likelihood that an organization will be breached. Moody’s shared the news first with CNN Business.
As part of the deal, Moody’s will become the largest minority shareholder in BitSight. In addition, BitSight will acquire a cyber risk rating system created by Moody’s and Team8, a company that bills itself as a “think tank” focused on global cybersecurity issues.
“There’s just a lot of opacity around cyber risk,” Moody’s CEO Rob Fauber told CNN Business. “You have compromises that have serious operational and organizational implications. It’s affecting a broader range of industries and the stakes are higher than they’ve ever been.”
Fauber said the $250 million would be used to improve BitSight’s data and risk-management offerings, among other products. BitSight, which says its customers include 20% of Fortune 500 firms, will be able to make more detailed risk assessments and “more clearly translate [that] to the risk of financial loss,” Fauber said.
Understanding cybersecurity risk has become a national security and economic imperative.
US corporate and government officials have been blindsided by ransomware attacks in recent months that forced critical infrastructure offline and compromised massive amounts of private information.
Victims of ransomware attacks paid some $350 million in ransoms in 2020, according to Chainalysis, a firm that tracks cryptocurrency. But that’s only a partial view of total ransoms paid, and those who don’t pay can spend millions of dollars rebuilding their computer infrastructure.
Hacks can also be difficult to detect, and US officials have worried that a lack of transparency about how attacks spread can mean that a single breach has the ability to ripple across many industries.
Fauber said that the SolarWinds compromises were a big reason for Moody’s to invest more heavily in cybersecurity risk programs.
The breaches also inspired President Joe Biden to issue an executive order in May requiring federal contractors to meet a minimum set of security standards around data management and the reporting of attacks.
US officials see the executive order as a step toward prodding some private firms to provide more secure software and a scoring system for measuring that security. The directive tasks the Commerce Department with setting up a program to label consumer electronics devices, like wireless routers, with a cybersecurity rating.
“You’re seeing increased focus from government and regulatory bodies in the United States and elsewhere on making sure that companies are sufficiently focused on identifying, measuring and managing their exposure to cyber risk,” Fauber said.