Cybersecurity managers with a direct line to executive boards set the tone for investment: Study

Moody's examines how incident response and defense have implications for the market.
Written by Charlie Osborne, Contributing Writer

A new report examines how an organization's approach to cyberattack incident and response strategies can have implications for investment in the broader cybersecurity market. 

On Thursday, financial services and credit rating provider Moody's published new research, including a survey of financial services, enterprise firms, infrastructure providers, public sector organizations, and government entities.

Out of roughly 5,000 issuers asked to complete the survey, conducted between April 2020 and April 2021, 1,300 responded. 

According to the researchers, many organizations involved in the market today -- including global debt issuers -- are increasing their investments in cybersecurity, but their "preparedness levels and defensive capabilities vary widely."

It only takes one successful cyberattack to severely damage an organization's reputation, finances, and share price. One incident alone can open up a company to scrutiny by shareholders and regulators, and lawsuits are also a factor, whether launched by investors or class-action consumers impacted by a breach. 

Moody's researchers say that "cybersecurity governance sets the tone for an issuer's overall cyber strategy." The report states:

"To date, the cost of cyber events has generally been manageable for issuers we rate and has only rarely resulted in lasting financial harm or reputational damage. However, as the cost of these attacks continues to rise, the importance of cyber preparedness grows."

Out of those surveyed, 93% now have a cybersecurity manager who reports directly to the board. However, their importance in a company varies. 

Managers in financial companies were far more likely to report directly to business leaders (71%) than corporates, infrastructure firms, or public entities, at 61%, 57%, and 50%, respectively. 

"A direct line to the CEO supports more frequent interactions between the cyber manager and the executive team," Moody's noted. "This fosters greater awareness and understanding of cyber risk within an organization and typically translates into more support for an enterprise-wide risk management approach."

In addition, when a breach occurs, disparities in data breach transparency and guidelines "can leave key stakeholders with little information about a matter of growing importance."

Recent high-profile supply chain attacks, including one experienced by Kaseya, have prompted a focus on addressing the vulnerabilities and risk factors associated with these types of security incidents.

Moody's expects "this matter to remain a top priority."

However, while survey data shows that basic defense practices appear to be rising, the use of more 'advanced' and robust solutions is "lagging."

"Our survey results show a strong correlation between the closeness of the reporting structure between the cyber manager and the executive suite, and the amount of budget and resource allocation to cybersecurity," Moody's says. "Survey responses also show that more cyber expertise at the board of directors level correlates well with the adoption of more advanced cyber defense practices."

Cybersecurity insurance is now becoming a more common investment in today's businesses. In the US, standalone cybersecurity insurance is held by roughly 57% of issuer organizations, slightly above those in the EMEA region at 54%. Approximately 41% of those surveyed said they held these insurance policies in other regions. 
