Credit Rating Agency: New EU Laws Will Improve Firms’ Cyber Resilience Globally 


The Digital Operational Resilience Act would force non-EU companies with a significant presence in member states to create subsidiaries that can be regulated under their jurisdiction. 

Increased reliance on a limited number of major U.S. cloud service providers is driving regulatory activity in Europe that will make public- and private-sector bond issuers more resistant to cyberattacks, Moody's Investors Service reported. 

The credit rating agency said cybersecurity requirements emerging from the European Union—under an update to the Network and Information Security Directive, or NIS2, and the Digital Operational Resilience Act, or DORA—are “credit positive” for firms across the globe that finance themselves by issuing debt as tradable securities. 

“NIS2 will force companies in key economic sectors to meet stricter cybersecurity requirements, making them better able to manage cyberattacks. This will improve their resilience as digitalization accelerates, and as geopolitical tensions mount,” reads one of three reports Moody’s published Tuesday and Wednesday. 

As Moody’s noted in its report on the implications of the new EU regulations, a crucial aspect of DORA will be its applicability to information and communications technology—including that provided by the three main providers of cloud infrastructure: Microsoft, AWS and Google—in addition to entities in the critical financial services sector.

According to Moody’s, under the DORA legislation, “non-EU ICT service companies with a significant European presence will need to establish EU subsidiaries so that the EU authorities can supervise them. The legislation will also apply to a wide range of sub-sectors within the financial services industry, including investment firms, crypto-asset service providers, central counterparties, trading companies, insurers and reinsurers.”

“The financial sector's reliance on third-party ICT service providers is emerging as a potential weakness,” Moody’s wrote. “This is because in some ICT sub-sectors, such as cloud computing, the number of providers that can meet the complex requirements of financial institutions can be limited. As a result, a high proportion of financial firms may rely on a small number of ICT providers. This creates a tail risk of spillover problems in the financial services industry if one of these providers were to experience serious cyber issues.”

In a separate report on the implications of increased cloud adoption, Moody’s said that, on balance, shifting to the cloud for infrastructure-as-a-service could improve cybersecurity despite the concentration of risk in such a small number of providers, which adversaries continue to target because of the potential for sweeping impacts. 

“In our view, the security benefits of public cloud adoption outweigh the systemic risks inherent from the concentration in a handful of major public cloud vendors predominant in advanced economies,” that report reads. “The major public cloud providers go to great lengths to effectively mitigate the systemic risks. Public cloud providers are built to be resilient given the global distribution of their data centers and connection nodes, which, in essence, mirrors the Internet at large.”

Moody’s assessment comes with the caveat that “this shift [to cloud services] introduces new complexity,” particularly for those with legacy system architectures. Enterprise cloud customers’ “need to implement greater controls to manage their own network and cloud connections, as well as related security protocols,” also increases, according to the report.

The third report Moody’s released this week highlights cyber insurance firms exercising greater scrutiny of prospective policyholders amid the Russia-Ukraine conflict, an issue Nextgov flagged after talking to cyber professionals in March.

Back in February, Moody’s reported on the implications for investors’ own cybersecurity posture of a proposal from the Securities and Exchange Commission. New incident reporting rules would also strengthen the industry’s cyber resilience, the credit rating agency said.