- Cyberattacks on the software supply chain are raising the threat of damaging reputational trust, according to a Moody's cyber risk outlook report. Companies may start to search for rival providers that are perceived as safer alternatives.
- The continued rise of ransomware attacks against companies may force changes in cyber insurance policies and coverage, with insurers raising premiums and modifying coverage to make sure companies take preventative measures.
- Moody's warned that corporate boards are becoming more sensitized to cybersecurity risks and governance policies are shifting as personal liability of directors becomes a bigger risk.
The 2021 outlook warns the threat of supply chain attacks may lead companies to carefully review any software security vendors that have access to their internal IT systems, as a precaution against future supply chain attacks.
"Issuers will likely implement more stringent vetting of vendors that have access to their computer networks in light of the rising number of cyber supply chain attacks," Leroy Terrelonge, assistant vice president at Moody's said via email.
In a December 2020 cyber risk survey, 80% of respondents indicated that bringing in a vendor with access to a company network required a review from a company's cybersecurity team, he said. About 73% of respondents said these vendors were subject to periodic review, according to the report.
Moody's cited data from Bitdefender showing a 715% rise in cyber incidents during the first half of 2020, compared with the year before. Data from cyber insurance provider Coalition showed ransom demands on its policyholders rose 100% from 2019 through the first quarter 2020 and 50% from the first to the second quarter 2020, according to Moody's.
Only 41% of respondents said that vendors were required to carry cyber insurance, according to Moody's.
"We expect these percentages to rise as issuers work to mitigate the risks of cyber supply chain attacks," he said.
Cyber insurers are more frequently adjusting policies to limit claims by companies that don't follow strong cyber hygiene guidelines.
Other potential impacts on corporations, involve the increased involvement of boards of directors in monitoring cybersecurity and growing risk of personal liability for individual directors.
"Cyber is an enterprise wide risk that falls under the responsibility of the board of directors, trustees or other executives," Terrelonge said. "There are many cyber risk management practices these executives can implement that serve to reduce or mitigate their exposure to cyber risks."
The report noted that Yahoo and Equifax were forced to pay millions of dollars to settle legal claims related to data breaches due to actions of board members and other top executives. A number of prior legal actions against top executives and corporate boards had fallen short, however these recent cases have raised the risk of board inaction.