Friday, May 15, 2020

I don’t give Moody’s a very high rating



Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.


Yesterday, I wrote about a report from Moody’s – which formed the backbone of a story in E&E News – that said the recent Executive Order was “credit positive” for the electric power industry, since it would force those nincompoops to do something that they’re not doing now: taking steps to ensure the products they buy to run the Bulk Power System are safe from a cyber security point of view.

My objection to that report was that it’s completely untrue – and it’s disturbing that Moody’s didn’t seem to have even tried to talk to any real electric utilities about their practices when they wrote it. Moody’s is in the business of rating credit, so a lot of people will take this very seriously. I’ll admit I thought the fact that they made these statements, without any real attempt to verify with a few utilities whether this was true or not, was more funny/sad than anything else.

But Dick Brooks of Reliable Energy Analytics emailed me this morning to point out that Moody’s might have had another reason to issue this report. They have a new company called Cyber Assessments that rates companies – like electric utilities – for cyber risk! So maybe the statements from Moody’s in the E&E News article can be understood as spreading some FUD that they hope will lead management of electric utilities to believe they need to hire them to assess their cyber posture – although I’ll say that I’ve never believed FUD was a good way to sell anything having to do with security.

However, this isn’t all. Remember, Moody’s is a credit rating company, and the report said the EO is “credit positive” for the power industry – meaning, of course, that electric utilities can expect higher ratings from Moody’s on bond issues, etc. if they get their cyber act together (and the EO will help them do this, in some way – although as I pointed out yesterday, exactly how is very unclear). This leads to an interesting question: If a large utility company hires Cyber Assessments to assess their security risk, might that lead to Moody’s itself (which in theory is a completely separate company, although the speaker in the video I linked above seemed to have no problem mentioning the two organizations almost in the same breath) giving the utility a higher rating for the bond markets than they otherwise would have?

Of course, this is a very serious question, and I certainly don’t know the answer to it. However, I’ll remind you (in case you’d forgotten) that Moody’s paid $864 million to the US government in 2017 to settle the claim that they had deliberately rated a lot of mortgage securities much higher than they should have, given the fact that they mostly ended up being near-worthless when the 2008-9 meltdown hit. Was this just the result of Moody’s having a lot of bad analysts? Not at all. Moody’s was being paid by financial companies to rate their mortgage-backed securities, and – lo and behold! – their ratings turned out to be very good, even though the actual securities ended up being toxic junk.

Of course, I’m sure the brochures for Cyber Assessments won’t say this explicitly – and there will be all sorts of legal disclaimers – but utilities can put two and two together. I certainly hope utilities won’t do business with Cyber Assessments for this reason. But if it turns out that these people have a great handle on the state of cyber security in the power industry, and they’re just very anxious to share that knowledge with individual utilities, then yes – utilities should seriously consider hiring them. But if Moody’s does have such great knowledge of the power industry’s cyber practices, they sure didn’t exhibit it in their statements reported in the news article. 


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


