A ransomware attack at top Colombian energy company Empresas Publicas de Medellin (EPM) may damage its credit quality, sounding an alarm for the critical infrastructure industry to develop effective mitigation practices and vulnerability management programs, Moody's said.
EPM, one of Colombia's largest public energy, water, and gas providers, suffered a ransomware attack reported on Dec. 13. The incident threatens to disrupt the Colombian utility's website, mobile application, payment gateway, and intranet, which Moody's said the company is struggling to restore and which therefore may affect its credit score.
“While EPM has not commented on the severity of the attack, ransomware attacks can cause operational disruptions, often resulting in costlier and slower manual workarounds for normal automated processes — a detriment to credit quality,” the rating agency said in a report published on Dec. 20.
EPM's credit concern is a warning for critical infrastructure sectors such as electric, gas, and water utilities, which Moody's identified as having "Very High" cyberattack risk in its 2022 Cyber Heat Map.
“These companies [in critical infrastructure sectors] have a significant systemic role within the broader economy, rapidly adopt digital technologies across all of their services, and yet practice only average cyber defense compared to other highly attractive sectors such as banking and telecommunications,” Moody's said in the report. According to Moody's, one of the critical measures of sound cyber defense practice is patching cadence — the rate at which an issuer remediates its exposure to known vulnerabilities, the kind exploited in security incidents such as ransomware.
Specifically, there is a strong correlation between Patching Cadence performance and the likelihood of experiencing a ransomware incident, said Derek Vadala, chief risk officer at BitSight, a cybersecurity rating and analytics company and Moody’s partner. Marsh McLennan, the world’s largest insurance broker, also validated this correlation in a recent independent study.
In terms of EPM's defense practices, BitSight most recently scored it a “C” in patching cadence, a grade that indicates the company is nearly seven times more likely to fall victim to ransomware than organizations graded an “A.”
“While the attackers’ method for infiltrating EPM’s network is still unknown, and attackers may not have exploited unpatched systems, a low score in patching cadence does suggest some inadequacies in terms of prevailing cyber practices,” Moody’s noted.
Moody's has not yet taken any rating action on EPM as a result of the ransomware attack.
Moody’s always looks at the long-term impacts of cyber risk and may downgrade an organization if the risk produces sustained pressure on business operations, Gerry Granovsky, senior vice president at Moody’s, told SC Media in an interview.