Hundreds of millions of dollars are being spent by Moody’s to better assess the cybersecurity risks that America’s largest corporations face.
The company’s announcement comes as Biden administration officials urge major corporations to be more transparent about the security of their software. Several high-profile supply-chain hacks and ransomware attacks have shaken businesses and other organizations in the last year, costing millions of dollars and jeopardizing operations.
Moody’s is investing $250 million in BitSight, which uses an algorithm to assess the likelihood of an organization being breached, to better assess the risks that ransomware and other digital threats pose to Fortune 500 companies and government agencies. CNN Business was the first to report the news, which came from Moody’s.
Moody’s will become BitSight’s largest minority shareholder as part of the deal. BitSight will also acquire a Moody’s cyber risk rating system as well as Team8, a company that describes itself as a “think tank” focused on global cybersecurity issues.
“There’s just a lot of opacity around cyber risk,” Moody’s CEO Rob Fauber told CNN Business. “You have compromises that have serious operational and organizational implications. It’s affecting a broader range of industries and the stakes are higher than they’ve ever been.”
The $250 million will be used to improve BitSight’s data and risk-management offerings, among other things, according to Fauber. BitSight, whose customers include 20% of Fortune 500 companies, will be able to make more detailed risk assessments and “more clearly translate [that] to the risk of financial loss,” he said.
Understanding the threat of cybercrime has become a national security and economic necessity.
Ransomware attacks have caught US businesses and government officials off guard in recent months, knocking critical infrastructure offline and exposing massive amounts of personal data.
The Colonial Pipeline, one of the country’s largest fuel pipelines, was shut down for days this spring, causing widespread gas shortages along the East Coast. To resolve the incident, the company paid millions to a hacking group, though some of that money was later recovered by authorities.
According to Chainalysis, a cryptocurrency tracking firm, ransomware victims paid $350 million in ransoms in 2020. However, this is only a fraction of the total ransoms paid, and those who refuse to pay may have to spend millions of dollars rebuilding their computer infrastructure.
Hacks can also be difficult to detect, and US officials have expressed concern that a lack of transparency about how attacks propagate could allow a single breach to spread across multiple industries.
For example, alleged Russian spies used software developed by federal contractor SolarWinds to infiltrate at least nine US agencies and approximately 100 businesses last year. Hundreds of electric utilities in North America also downloaded the malicious software update used by the Russian hackers, giving the hackers a potential backdoor into those organizations. However, there is no evidence that the hackers used the backdoor at those utilities to conduct further intrusions.
The SolarWinds hacks, according to Fauber, were a major factor in Moody’s decision to invest more heavily in cybersecurity risk programs.
The data breaches also prompted President Joe Biden to issue an executive order in May requiring federal contractors to adhere to a set of minimum security standards for data management and incident reporting.
Officials in the United States see the executive order as a first step toward pressuring some private companies to provide more secure software and a scoring system for assessing it. The order directs the Commerce Department to establish a program to assign a cybersecurity rating to consumer electronics devices such as wireless routers.
“You’re seeing increased focus from government and regulatory bodies in the United States and elsewhere on making sure that companies are sufficiently focused on identifying, measuring and managing their exposure to cyber risk,” Fauber said.