Credit risk rises as cyber attackers hit bigger companies: Moody’s

Diving:

• Credit risk is likely to increase in 2025 as cyber attackers evade artificial intelligence defenses and increasingly target large companies with the resources to pay large ransoms, Moody’s Ratings said on Monday.
• “In response to declining revenue per victim, cyber attackers are looking to extract higher profits from their attacks by demanding higher ransoms,” Moody’s said in a report. “We believe they are achieving this by targeting larger companies that can afford higher buyout payments, and we expect this to increase cyber risk for Moody’s-rated debt issuers.”
• At the same time, cybercriminals may face weaker opposition in 2025 from the Trump administration, which is likely to roll back cyber defense regulations, Moody’s said.

Diving Perspective:

TThe FBI’s Internet Crime Complaint Center received a record 880,418 reports from the public last year — a nearly 10 percent increase from 2022 — with estimated losses exceeding $12.5 billion, the enforcement agency said of the law. Only a fraction of such crimes are reported, the FBI said.

The number of ransomware attacks reported by the US public rose 18% last year to 2,825, with losses increasing by 74%the FBI said.

““Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as deploying multiple ransomware variants against the same victim and using data destruction tactics to increase pressure on victims to negotiate,” said FBI in a statement. report.

Cybercriminals are increasingly deploying generative artificial intelligence tools in their ransomware and fraud efforts, Moody’s said.

“Phishing attacks, which aim to lure a user into clicking on a malicious link, will be superpowered by GenAI,” the ratings company said. “GenAI tools will allow attackers to create personalized and convincing text, audio and video content that mimics legitimate communications from trusted entities.”

Cybercriminals can increasingly penetrate a large company’s defenses by compromising the defenses of third-party software vendors, Moody’s said. A successful attack on a vendor can create openings for ransomware and other crimes at many of the vendor’s customers.

Spoofing employee credentials is also the most favored technique by cybercriminals, Moody’s said. The use of stolen credentials grew 71 percent last year compared to 2022 and ranked as the most commonly used tactic to gain unauthorized access to company systems, Moody’s said, citing IBM data.

The Trump administration will likely remove some regulatory hurdles for criminals, Moody’s said.

“The administration will likely roll back cybersecurity mandates and possibly curtail the activities of the US Cybersecurity and Infrastructure Agency,” Moody’s said. “This could expose issuers to an increased risk of cyber attack.”

Companies can use AI to mitigate cyber threats, according to Leroy Terrelonge, a Moody’s Ratings vice president focused on cyber credit risk.

Chief information security officers can use AI tools to translate cybersecurity risks into financial risks for company boards to evaluate, Terrelonge said Monday in an emailed response to questions.

“Cybersecurity professionals will be able to assess threats faster by using generative AI to quickly examine suspicious activity to determine critical details such as the type of attack used, information about the origin of the attack, and maybe even get more information about what the attack is targeting. he said.

“Today, these analyzes require skilled practitioners to use multiple tools and often require translation between the lexicon of one tool to another to get the job done,” Terrelonge said.

Cybersecurity staff will also be able to use generative AI to build customized security training programs, email campaigns and other resources to inform employees about risks, he said.