Moody's to consider data breach risk in healthcare credit ratings

Moody's Investor Services will start factoring a healthcare providers' cybersecurity strength into their credit ratings, the agency said this week, as hackers continue to infiltrate the sector.

Moody's says they think of cyberthreats the same way as other "extraordinary event risks" like natural disasters. Any impact to the company's credit depends on how long the attack went on and how bad it was. The greater the severity and impact to the company and consumers, the greater the chance it could impact credit.

[Also: Healthcare top sector for data breaches in first half 2015, Gemalto says]

"While we do not explicitly incorporate cyberrisk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios," Jim Hempstead, Moody's associate managing director and lead author of the report, said in a statement.

The report, "Cross Sector -- Global: Cyber Risk of Growing Importance to Credit Analysis," points out several influential factors Moody's uses when evaluating credit impact due to a cyberattack: nature and scope of the targeted institution or assets, how long services were interrupted, and the length of time it took to restore operations to normal.

[Also: Sutter Health says data on 2,500 patients involved in potential breach]

"More cyber security expertise is being added to boards and trustee governance," said Hempstead. "We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive."

The report also examines varying types of cyber attackers, and their motives, and says the more personal data you handle, the greater the risk of a serious cyberattack.

The news comes after digital security firm Gemalto said healthcare providers outpaced retail for the most security breaches in the first half of 2015, with 84.4 million records lost.

Twitter: @BethJSanborn