• The credit ratings agency places the telecom sector in ‘very high’ category for cyber risk, up from ‘high’ two years previously
• Increased digitalisation and weak risk-mitigation are among the contributory factors    
• Recently reported data security breaches at AT&T, Optus and T-Mobile US “underscore” the heightened security risk assessment, according to Moody’s
• The latest news regarding breaches of US telco networks by Chinese hackers gives credence to the reassessment by the Moody’s team  

What do telecoms, airlines and the power-generation industry have in common? Each sector has been shunted up into the ‘very high’ risk category in the latest ‘cyber heat map’ compiled by respected credit ratings agency Moody’s. In its 2022 cyber heat map (there was no 2023 version), Moody’s placed the telecom sector in the ‘high’ risk bracket, so this is an unwelcome promotion through the cyber risk ranks.

Among the main factors adding cyber risk to telecom, says Moody’s, is greater digitalisation. This is especially true when telcos are migrating “significant portions” of their operations to the cloud. Although cloud services can reduce some cyber risks tied to the business, acknowledges the credit ratings agency, they may also introduce new vulnerabilities. A good (or bad?) example of this, it says, was a recent AT&T breach where malicious actors gained access to data stored on a third-party cloud platform.

Aside from AT&T, Moody’s cites a growing list of costly cyberattacks on telcos, including Australia’s Optus and T-Mobile US, a favourite target for cyberhackers it seems: Since the Moody’s report was published, T-Mobile US has been cited by The Wall Street Journal as a key target for Chinese hackers during a recent cyberattack campaign. For the credit ratings agency, these security mishaps “underscore” the ‘very high’ risk categorisation for telecoms.

Telcos also get their hands slapped for poor risk mitigation, even though they appear to be investing heavily in cybersecurity. “Their efforts have yet to counteract their heightened risk exposure,” says Moody’s. This is in stark contrast to the “very highly exposed” banking sector which, despite facing similar risks, “has more effectively mitigated the threat through implementation of top-tier cybersecurity measures”.

Data from Bitsight Technologies, a Moody’s affiliate, goes so far as quantifying how much weaker mitigation practices are in the telecom sector compared with banking. It makes for alarming reading: Bitsight reckons telecoms is 2.5 times more likely to have unaddressed ‘known exploited vulnerabilities’ affecting their networks than banks.

Moody’s methodology

The credit ratings agency determines its cyber risk designation to each sector – from ‘low’ through to ‘moderate’, ‘high’ and ‘very high’ – by assessing both exposure to cyber risk (60% weighting) and readiness to mitigate the risk (40%).

Two components make up the exposure factor: Systemic role and levels of digitisation. The telecom sector is deemed as having an important systemic role because of its high level of interconnectivity with other sectors. The mitigation factor has three components: Perimeter integrity; cyber diligence; and cyber governance (telecom is ‘very high’ risk in the first two and ‘moderate’ in the last).

Moody’s has identified other industries as having a more acute cyber risk profile compared to its 2022 heat map, including manufacturing, education, medical products, mass transit and ports, either due to rising exposure or weaker oversight than in other industries.

Together with telecom, airlines and the power-generation industry, Moody’s – looking through its credit ratings’ lens – calculates all these sectors (those with heightened cyber risk) as having a total debt of $7.1tn, of which telecoms makes up $1.42tn.

- Ken Wieland, Contributing Editor, TelecomTV